Identity Server 4 behind Load balancer giving unauthorized exception - asp.net

I have set up Identity Server 4 for one of my projects, using .NET Core for the web API and Angular as the front-end technology. I have two servers (SRV1 and SRV2) where I host Identity Server, and they are behind a load balancer.
If I stop one of the servers hosting Identity Server and authenticate, it works perfectly fine either way. But when I enable both servers and generate a token with the first call, that token does not authenticate on the other server.
To confirm it, I shut off one server (i.e. SRV1) and made an authentication call to the other server (i.e. SRV2) through the load balancer, and it returned a valid token. When I used this generated token to access protected resources on SRV2, it worked perfectly fine. When I then used the same token to get SRV1's protected resources, it threw an unauthorized error.
Appreciate quick help.

You need to make sure that the signing tokens and the Data Protection keys are the same between the two servers. If you don't define them, they will be created automatically on each server (and so differ), and that results in tokens/cookies from one server not being accepted by the other.
Do see this article as well.
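As an added example (not code from the question or the answer above), here is a ConfigureServices for an IdentityServer4 host that pins both pieces the answer mentions to one certificate installed on every node and one key-ring directory shared by every node. The environment variable names, the application name and the LoadSharedCertificate helper are assumptions; swap in your own configuration source.

```csharp
// Added example, not the page's or IdentityServer4's own code.
// Assumptions (placeholders): SIGNING_CERT_THUMBPRINT names a certificate with a private key
// installed in LocalMachine\My on every node; DP_KEYRING_PATH is a share every node can read and write.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // One certificate, present on every node, does two jobs here:
        //  - it signs the JWTs IdentityServer issues, so every node's JWKS exposes the same key id;
        //  - it wraps the Data Protection key ring, so key material is encrypted at rest on the share.
        var sharedCert = LoadSharedCertificate();

        // Shared key ring: same directory + same application name on all nodes means a cookie or
        // antiforgery token protected on SRV1 unprotects on SRV2.
        var keyRingPath = Environment.GetEnvironmentVariable("DP_KEYRING_PATH")
                          ?? throw new InvalidOperationException("DP_KEYRING_PATH is not set");
        services.AddDataProtection()
            .SetApplicationName("identity-server")            // must be identical on all nodes
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
            .ProtectKeysWithCertificate(sharedCert);

        services.AddIdentityServer()
            // Not AddDeveloperSigningCredential(): that writes a per-node temporary key, which is
            // exactly what makes SRV1 reject a token SRV2 issued.
            .AddSigningCredential(sharedCert);
            // ... clients, API resources and identity resources are registered here as usual.
    }

    // Loads the shared certificate from the machine store by thumbprint so the private key
    // never lives in the repository or in appsettings.
    private static X509Certificate2 LoadSharedCertificate()
    {
        var thumbprint = Environment.GetEnvironmentVariable("SIGNING_CERT_THUMBPRINT")
                         ?? throw new InvalidOperationException("SIGNING_CERT_THUMBPRINT is not set");
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in LocalMachine\\My");
            return matches[0];
        }
    }
}
```

To confirm the fix after deployment, request /.well-known/openid-configuration/jwks from each node directly (bypassing the load balancer) and check that the kid values match; a token issued by one node is then verifiable on the other. Restrict the key-ring share so only the application pool identities can read it, and consider separate certificates for JWT signing and for key-ring protection so that rotating one does not force rotating the other.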

Related

OpenIdDict Multiple authorization servers can't decode the same access token

I'm working with a client that has a very strange network setup. Basically, they have multiple small segmented networks with their own clusters of servers because of several acquisitions, mergers, etc. It's a nightmare.
I've set up the authorization servers correctly and they're all running the same code, but when I try to take my laptop from one location to another, I get logged out and have to log back in again. A lot of the employees travel between sites, so getting logged out all the time is causing some grumbles.
Each instance of the APIs and authorization servers is able to use the same database, but each site has its own authorization and resource server.
What I've noticed is this:
If I stay in one place, my access/refresh token setup works great with no problems.
If I travel to another site, the new site's authority server doesn't seem to be able to validate the access token and logs me out.
There is one site with a load balancer that will log me out randomly, as well as when I'm traveling between sites.
The app is built on .NET Core 2.2 and OpenIDDict 2.0. For budgetary reasons, upgrading either is not an option.
Is there any way to configure a shared certificate or key so that all of the servers can decode the access tokens? Basically, multiple authorization servers able to decode the access tokens generated by any of the other authorization servers?
I was able to figure it out. I had to change this:
services.AddDataProtection()
    .PersistKeysToDbContext<DbContext>();
to this:
services.AddDataProtection()
    .SetApplicationName("appName")                   // identical on every server, so they share one key ring
    .ProtectKeysWithCertificate(MyX509Certificate2)  // the same certificate (with private key) installed on every server
    .PersistKeysToDbContext<DbContext>();            // TContext must derive from DbContext and implement IDataProtectionKeyContext

Redirect Loop During Login with Implicit Flow in OpenId Connect Middleware

On the server I have Identity Server 3. On the client side, I have UseOpenIdConnectAuthentication. This is working great. But suddenly, after some time, when a user has successfully logged in at my identity server, the redirection starts looping until I get a "maximum request size" error for everyone using the client application. Then I restart the client application's pool and everything works again. Is there some caching in the OpenIdConnectAuthentication middleware that has this result? This affects just the client app.

Token From Different Server Causing Continuous Crashes

We have an ASP.NET Core application which has the default authentication system and is hosted on Azure.
Recently, we created a new AppService and routed the users to that service while maintaining connection to the same database.
However, when users use the new server, we get continuous crashes with the following error:
The key {xxx-xxx-xxx-xxx} was not found in the key ring.
of type
System.Security.Cryptography.CryptographicException
and method
Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
Our understanding is that the server is trying to decrypt the token, but since it was received from a different server, our server just crashes.
We would very much appreciate it if you could suggest a way to solve this issue temporarily, until we change the DataProtection provider.
We want a way that wouldn't let our server crash.
Thank you so much.
Update: I'm surprised that this error happens in POST Account/Login and POST Account/Register, while these methods do not require authorization; however, these methods are decorated with:
[ValidateAntiForgeryToken]
Both GET Account/Login and POST Account/Login happen on the same server.
Make sure you have the same machine key across the farm. You should set it at the application level, meaning different apps have different keys, but the same app has the same key on all servers of the farm.
The machine key is responsible for encrypting some internals of selected features of the engine, including the antiforgery tokens. A different key on different servers causes the exact issue you describe.
https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey/
https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx
In my case, this error happened because I was using two or more instances for the identity server. So login goes fine, but checking the token causes errors, as the login was done by one instance and the check was done by another instance. The easiest way to solve this is to make sure that your identity server or API is using only one instance.

ASPNET Authentication with Multiple servers

I have an ASP.NET 4.5.2 app using token authentication and authorization. This works as expected.
However, I now want to use two servers, so the user could get switched from one server to the other. The issue with this is that when the user is switched, the new server sends a 401 Unauthorized response until the user logs in again.
Is there a way to make both servers accept the token?
The main purpose of this is failover. If server 1 goes down, I can route the traffic to the second one. I have tested this and it works, except that the user is forced to log in again.
The machine key must be the same for all servers serving the app.
Here is how to create the machine key in IIS.
Then copy that same key to the other servers.
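Both machine-key answers on this page (the antiforgery-token thread above and this one) come down to the same element in web.config: when an ASP.NET 4.x app hosted in IIS issues OWIN bearer tokens or antiforgery tokens, the protector behind them is backed by the machine key, so a node with a different key cannot unprotect what another node produced. The following is an added example, not code from either answer: a small generator that produces one machineKey element once, to be pasted unchanged into every server's web.config for that application. The key sizes match the algorithms named in the element (HMACSHA256 validation, AES decryption); the class and method names are my own.

```csharp
// Added example; not from the question or the answers above.
// Generates a <machineKey> element with fresh random keys. Run it once, then copy the
// same element into <system.web> on every server in the farm (per app, not machine-wide).
using System;
using System.Security.Cryptography;

public static class MachineKeyGenerator
{
    // HMACSHA256 validation uses a 64-byte key; AES-256 decryption uses a 32-byte key.
    private const int ValidationKeyBytes = 64;
    private const int DecryptionKeyBytes = 32;

    public static string GenerateElement()
    {
        var validationKey = RandomHex(ValidationKeyBytes);
        var decryptionKey = RandomHex(DecryptionKeyBytes);
        return "<machineKey validationKey=\"" + validationKey + "\"" +
               " decryptionKey=\"" + decryptionKey + "\"" +
               " validation=\"HMACSHA256\" decryption=\"AES\" />";
    }

    // Hex-encodes byteCount bytes from the platform CSPRNG (never hand-type or reuse a key).
    private static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    public static void Main()
    {
        Console.WriteLine(GenerateElement());
    }
}
```

The element goes inside system.web in the application's web.config on each node. Treat the file as secret material: encrypt the section in place with aspnet_regiis -pe "system.web/machineKey" -app "/YourApp" on each server so the keys are not stored in clear text, and remember that rotating the key invalidates every outstanding token and cookie on all nodes at once, so rotate during a maintenance window.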

Consume java web service from .NET Web Service and/or asp.net web application

I'm trying to consume a Java web service from a third party, so I don't have any control over it. I have a PFX file which is password protected, and I installed it on my development box.
This is the code I'm using:
    var proxy = new MyServiceReference.WsaaServerBeanService();
    var result = proxy.login("test");
I'm getting a System.Net.Sockets.SocketError.TimedOut exception when invoking the login web method. The first thing that comes to my mind is an authentication issue. Apart from installing the PFX, do I need to send some other info to the web server to authenticate?
System.Net.Sockets.SocketError.TimedOut does not indicate an authentication issue; it indicates that you either are not able to contact the remote web service endpoint, or you are and the service is taking too long to respond. Make sure you can actually hit the endpoint from your machine via telnet, a web browser, etc.
Authentication failures will usually return immediately.
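The distinction the answer draws (a connect or response timeout versus an authentication failure that returns immediately) can be checked one layer at a time before touching the generated proxy. The following is an added example, not code from the question or the answer: it first attempts a bounded TCP connect, then a TLS handshake, and reports which layer failed. The host, port and timeout values are placeholders, and the class and method names are my own.

```csharp
// Added example; not from the question or the answer above.
// Distinguishes "cannot reach the endpoint" (TCP timeout / refused) from "reached it but TLS failed"
// so that a SocketError.TimedOut is not mistaken for an authentication problem.
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

public static class EndpointProbe
{
    public enum Outcome { Reachable, ConnectTimedOut, ConnectRefused, TlsFailed }

    public static async Task<Outcome> ProbeAsync(string host, int port, bool useTls, int timeoutMs)
    {
        using (var client = new TcpClient())
        {
            // Bounded connect: TcpClient.ConnectAsync has no timeout of its own.
            var connect = client.ConnectAsync(host, port);
            if (await Task.WhenAny(connect, Task.Delay(timeoutMs)) != connect)
                return Outcome.ConnectTimedOut;      // firewall, routing or DNS problem, not auth
            try { await connect; }
            catch (SocketException) { return Outcome.ConnectRefused; }

            if (!useTls) return Outcome.Reachable;

            // TLS layer: a server that requires a client certificate typically fails here quickly
            // rather than timing out, which is the behaviour the answer describes for auth errors.
            try
            {
                using (var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
                {
                    await ssl.AuthenticateAsClientAsync(host);
                    return Outcome.Reachable;
                }
            }
            catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
            {
                return Outcome.TlsFailed;
            }
        }
    }

    public static void Main(string[] args)
    {
        var host = args.Length > 0 ? args[0] : "wsaa.example.invalid";   // placeholder host
        var port = args.Length > 1 ? int.Parse(args[1]) : 443;
        var result = ProbeAsync(host, port, useTls: port == 443, timeoutMs: 5000)
                         .GetAwaiter().GetResult();
        Console.WriteLine(host + ":" + port + " -> " + result);
    }
}
```

Run it from the same machine (and, in production, the same service account) that hosts the calling application: ConnectTimedOut or ConnectRefused means the problem is network reachability and no amount of certificate configuration will help, while TlsFailed narrows it to the handshake (trust chain, protocol version, or a required client certificate).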
