Basically I have a web API written .NET Core. Having a GET API exposed, from that API I need to redirect to another URL with a custom header. I have tried the redirect method, however it is not forwarding the custom headers.
Related
Im using ASP.NET
I have two different application:
WEB API server on .NET Core
Client on .NET MVC with RazorPages
I have authorization with JWT + RefreshToken
I want to implement next thing:
If I call some endppoint with expired token, it should automaticaly redirect to the refrehToken endpoint and call previous called endpoint
I tried to think how to implement this. I found some stuff about interceptor but I didnt find it for RazorPages(only for Blazor)
We have a third party service that implemented single-sign-on on some route to it’s web-app.
In order to use this single-sign-on, we provided with a POST API, and we need to pass on that route some credentials- including an organization secret that we got from him (yes, we need to pass it in query params), and the user’s email address.
In order to not to expose credentials over the browser, we tried to mimic that request by creating our own backend endpoint, and return the same result as their enpoint (kind of a proxy) with redirection (status 307 with Location header) cause there API returns plain HTML.
It seems like when client send a post request with redirection he can’t add the authorization header (JWT) required by our backend to operate (backend return Authorization required). the request is been done to our server and the result is redirection to another server.
How can we bypass it? Or maybe we can secure it with different approach?
I know that the header is usually been removed for a good reason, who knows where I can be redirected to?
but can't I tell him somehow that I trust the redirection?
We tried to use phantom-form only to use from submit post. We tried to make our endpoint to be GET and making the redirection other way (react-router) but I think that natively js does not allow to attach Authorization header.
I thought it would be a common pattern, but I didn't find someone that talks about it exactly, since we are trying to query our backend and not some external redirection API.
I have an ASP .NET website which uses Forms authentication to secure certain parts of the site. The site has a module that uses custom Basic authentication.
I use Madam https://msdn.microsoft.com/en-us/library/aa479391.aspx to route specified request.url to Basic Authentication handler.
My Web.config specifies which requests go to basic authentication.
<madam>
<formsAuthenticationDisposition>
<discriminators all="true">
<discriminator
inputExpression="Request.Url"
pattern="/RouteMeToBasicAuthentication"
type="Madam.RegexDiscriminator" />
</discriminators>
</formsAuthenticationDisposition>
</madam>
As a result requests to ‘/RouteMeToBasicAuthentication’ are routed correctly to basic authentication.
I can log into my application using forms authentication.
The problem is that all .js and .css requests are routed to my Basic authentication module. These requested are originated from Forms authenticated .aspx pages. As a result all .js and .css requests are rejected as unauthorized
1. Request URL: http://myApplication/Scripts/jquery-ui.min.js
2. Request Method: GET
3. Status Code: 401 Unauthorized
I do not want .js and .css requests forwarded to the basic authentication module. How to do this? Why Madam routes these requests to the Basic Authentication?
Without Madam IIS assumes that resources such as .js, .jpg, etc, are all static resources, and thus doesn't need to pass them through the ASP.NET engine. I do not also want .js request to go to the ASP.NET engine since it has negative effect on the application performance.
A dirty workaround would be that I white list my css and js folders in the custom basic authentication module. I do not want to do that. I would like to have the problem fixed in the right place. How to do that?
Some web sites are sending request to https url adress. I am entering http:/somesite.com but it is going to https:/somesite.com
I am plannig to get an SSL sertificate and use https for my site. I am using asp.net mvc web api.
I want to redirect to https page my users. Should I do it with a handler, or HttpMessageHandler or directly from IIS?
trailmax has a pretty good solution for your problem in his blog. He even has some nice unit tests:)
http://tech.trailmax.info/2014/02/implemnting-https-everywhere-in-asp-net-mvc-application/
I am successfully using bearer token authentication for asp.net web API as is demonstrated in the default single page application template. But now I want to use the same web API from a different site (a different url).
When I make a request to web API AuthorizeEndpoint(by default /api/Account/ExternalLogin) from different site, I get error: invalid_request. I guess the problem is in the redirect_uri value, since changing that to value of site running on same domain as web api resolves the problem.
ValidateClientRedirectUri method in application OAuthAuthorizationServerProvider doesn't get fired. So based on my search in Katana source the error origin is in OAuthAuthorizationServerHandler.InvokeAuthorizeEndpointAsync.
Does anyone else have the same problems or am I doing something wrong?
The Katana OAuth middleware is not designed to be cross application - it is mainly for "embedding" an OAuth authorization server into the business resource.
If you want a proper (free) authorization server - have a look here:
https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki
The bearer token appears to be a hash into an claims hash, which is local to your application.
We are using a jwt token with a separate validate handler. Works cross application.
Still looking for a better way but for now it works.