I am working with access to an api with access control using Oauth2. I use DotNetOpenAuth
server.AuthorizationEndpoint = new Uri("https://api.xxxxxx.com/oauth/authorize");
var client = new DotNetOpenAuth.OAuth2.WebServerClient(server, client_id, client_secret);
client.GetClientAccessToken();
Which results in..
AuthenticationException: The remote certificate is invalid according to the validation procedure.
They have certificate errors, that won't be solved before....well...before the project is actually released, but I need to work on it now.....
DotNetOpenAuth will not allow the auth. url without HTTP
How can I make the code either accept the invalid certificate OR make DotNetOpenAuth accept a HTTP auth. url?
I have tried fiddling with the web.config settings, and to see if the trick with a "forgiving" servicePointManager could be used, but I don't know where to attach that
Found it... in web.config:
<dotNetOpenAuth>
<messaging relaxSslRequirements="true"/>
This made it ignore the fact that the provider of the webservice had an invalid certificate on their test server
Related
I have an application with multiple services. One of them is the auth service that takes care of creating the jwt after checking that the client id (i.e. browser or app) is valid and provided username/password is also valid.
I have another service (gateway) that redirect to other services any requests from the users using the jwt token for authentication.
All this works and has been working for a few years. It is based on Spring Boot using Spring Security (starter v2.1.5). It is soon time to renew our certificate and at the same time move to our new domain. The new certificate has been applied to the Google Cloud Platform load balancer.
The call for health check using the Spring Actuator is responding with the proper "UP" (in json) response. When I try to make the call from same Postman request (with new domain name used) I get the following response with a 401 code:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
I do have the proper clientid and password/secrete encoded using base64 (hey it worked before and nothing else was changed).
I tried to debug setting #EnableWebSecurity(debug = true), but it generates zero logs from the request.
If I switch back the certificate to old one (and old domain), it works again without any other changes. This has been driving me a bit on the crazy side to say the least. Any help, suggestion, ideas would be appreciated.
It ended up being an error on my part. When I added a A class resources during the copy paste of Load Balancer IP, I put the same IP for both of my services (i.e. one of the copy didn't stick). Ending up in calling security on the gateway service when asking for the auth token.
Thanks for the comment #Boris-Treukhov
I need help regarding Identity Server on the following:
Do reference tokens use Signing Certificate?
On http://localhost application is working fine, on binding to a public URL with https, the login call returns a token, but consecutive WebApi(client) calls return "401 - Authorization has been denied for this request". Is it because of SSL certificate or due to NLB (two different Identity servers are deployed on the backend) - I am using Entity framework for storing the reference tokens. Do multi domain SSL certificate (SAN) work fine for Identity Server?
Do I need to add machine keys on both Identity server config files to sync or is this requirement only for JWT approach?
Thanks.
I currently have an asp.net web api 2 site hosted in IIS secured with windows authentication. A requirement has now come in for us to support client certificate authentication in addition to windows, and I'm struggling to find out:
- if this is possible at all
- if there are any working examples available
I thought might be able to add an additional owin middleware or messagehandler or filter, but can't see any existing ones that do this specifically for windows rather than just relying on IIS. I know thinktecture identitymodel can do client cert, but not sure if the two can be combined?
Example of forms +win that i thought might be similar is here https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
Right so I managed to figure it out. Thankfully, if a controller returns a 401, IIS automatically adds the negotiate/ntlm headers, so if a user is on a windows browser, it will then automatically authenticate as usual. So with that in mind, to keep windows auth working, I:
updated the site in both IIS and VS to allow anonymous AND windows auth
added the [AuthorizeAttribute] as a global action filter (which causes the 401 to be returned if the user is not authenticated by the time they hit the filter)
To get client certificate auth working, I used the magnificent Thinktecture.IdentityModel library, which allowed me to add only one line to my Startup.cs file (we're using OWIN so this was easy)
app.UseClientCertificateAuthentication();
See https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs for an example
I'm currently working on building a WCF web Service, I was asked to use Basic Authentication over HTTPS and also to validate whether the user is present in an LDAP group for Authorization.
I searched in Internet and it is said that Active Directory Authentication is not available in IIS and we should use our own Custom Basic Authentication Module or UserNamePasswordValidator.
Link I used for coding Custom Authentication Module
I have hosted the WCF in local IIS with SSL and now it is running under https.
The question is, If I implement this one, I need to add the Authorization header manually it seems. Is there any other way I can get the User Name or Password entered in the Basic Authentication dialog which is showed when we open the service in a browser ?.
OR
could you please provide an advice on what are the things I need to do to implement the above said Security ?
I'm helpless and requesting your help on this !!!!. Thanks in Advance.
Background:
I also tried UserNamePasswordValidator, but it was doing at the Application level, I was able to view the wsdl file (Meta data of the web service without even providing credentials) so I did went with the Custom Basic Authentication Module.
With Custom Basic Authentication Module , it is asking for credentials before the svc is opened in browser. So I think this would best suite. Please provide your valuable suggestions.
Basic authentication works by the web server returning a 401.0 status code AND a WWW-Authenticate response header with the value 'Basic real="xxx"' where the realm is simply information shown to the user so that they understand what is asking for the authentication. When the browser receives this type of response, it displays a dialogue box to the user asking for a username/password. The browser then re-submits the originally requested URL, but also includes an 'Authorization' header whose value is a base64 encoded string which includes the username and password.
A custom authentication module for IIS basically has to handle this interaction. For each request that comes in, it needs to see if there is an 'Authorization' header, and if so, it extracts the username/password, authenticates them in whatever fashion it likes, and if successful sets up the Context.User. If there is no 'Authorization' header, or the username/password are not valid, then the module must set the response code to 401.0, and ensure that there is a WWW-Authenticate header (as described above).
In order to use the module, all other authentication modules in IIS must be disabled (although there seem to be some circumstances in which the anonymous authentication module should be enabled). Due to caching in IIS, don't be surprised if not all requests are passed to your authentication module.
Our project(web application C# ASP.NET MVC3) is hosted on IIS 7.5 and we use certificate authentication. So we have SSL-require configured IIS.
Now we have a business task to allow some users to use our system. And there is no way to provide client certificates for them. In that case we need to use some additional authentication model (user-password or ntdomain based).
I don't know how to realize such model:
User gets on our project url;
If he has valid client certificate - we let him iteract with our application;
If he hasn't cert we show him a login form with "user-password";
If we use SSL-required configured IIS users would not be able to iteract with application without valid certificate at all right? And how to authenticate with certificate if IIS is configured with SSL-Accept?
Maybe you can configure two sites on your IIS? One with SSL and another without it? Your url will point to the SSL enabled site, and when a user without a valid certificate arrives you use some backup code to send him to the SSL free site?
Just guessing actually... I think this probably deserves a more meditated answer...
The problem was not so large as i thought before. IIS provides a check box to require certificate even if combobox(in SSL options of web application) is set to Accept instead of require. In that case IIS tries to get certificate at first. And if there is no cert it lets the user to iteract with application. And we can make custom authentication on that level.
With MVC (v.3+) there is nice way to use IAuthorizationFilter in that case