I am following introduction to single page authentication tutorial from Microsoft.
This tutorial uses IdentityServerJwt authentication
services.AddAuthentication()
.AddIdentityServerJwt();
I haven't tested yet but as the tutorial says this application works fine in the local environment without doing any configuration for JSON web tokens.
this is how appsettings.Development.json file looks like:
"IdentityServer": {
"Key": {
"Type": "Development"
}
}
On deploy to production section it shows how to configure azure web service, add certificate to azure and app.settings.json file for that configuration.
app.settings.json:
"IdentityServer": {
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=MyApplication"
}
}
So my question is how can I configure my Linux server(ubuntu), how can I add the certificate to validate JSON web tokens and how should I configure my app.settings.json file for my Linux environment. I haven't seen any tutorial which shows that step by step.
Related
I'm implementing a gateway to work on Azure Portal. The problem is my Ocelot which works perfectly fine on localhost, but on Azure it always gives 500 Internal Error.
My Ocelot:
{
"Routes": [
{
"DownstreamPathTemplate": "/api/AuthApi",
"DownstreamScheme": "https",
"DownstreamHostAndPorts": [
{
"Host": https://myazurenameapp.azurewebsites.net
}
],
"UpstreamPathTemplate": "/gateway/token",
"UpstreamHttpMethod": [ "Post" ]
}
],
"GlobalConfiguration": {
"Baseurl": https://mygatewayazureapp.azurewebsites.net
}
}
Is there anything I need on Azure Portal?
Thanks for your feedback
Before publishing a microservice application in azure. We need to create a separate app service for each service and API gateway.
As normal, Publish it directly from the VS 2019.
Change the endpoints from the local host to Azure endpoints in ocelot.json before publishing the operation.
Try to check the below things to avoid errors in azure:
In the Azure app service, enable https, if you enabled https in your project.
Kindly set a startup project as multiple projects and choose all projects in the list as start.
I am using microsoft.Identity.Web package on my .netcore API project which calls Graph API to get the directory objects of the user.
In the appsettings file the downstream api settings are provided as below,
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "Directory.Read.All"
},
The relevant permission(Directory.Read.All) is setup in the app registration.
But even if I leave the "Scope" parameter blank the API is giving me the directory objects.
So if the settings is of the format below it still works. Then what is the need of this scope parameter?
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": ""
},
The scope claim might not had reflected in the token and so you might not seeing any difference with scope assigned.
user_impersonation is the default delegated permission /scope that exists initially for every Web app or API in Azure AD.
Please make sure to add the required delegated permissions or application permission in portal.And grant consent if required.
In your case add directory.read.all Application permission
ex:I added user.read
Appsettings:
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "user.read"
},
In startUp.cs
Public void ConfigureServices(IServiceCollection services)
{
string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration)
// acquire a token to call a protected web API
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
//
//othercode
...
}
And in controller we need to specify scopes and send to request headers to get access token for required scopes.
References:
call Microsoft Graph | Microsoft Docs
(OR) active-directory-aspnetcore-webapp-openidconnect-v2 (github.com)
How can I create a new Azure App Registration without the user_impersonation OAuth2Permission? - Stack Overflow
If client_credentials is the grant type you may need to use https://graph.microsoft.com/.default for scope in the application settings which will give you the permissions defined for your app.
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "https://graph.microsoft.com/.default"
}
Try to use /token endpoint in request and not common
Please see:
ASP.NET Core - Call Graph API Using Azure Ad Access Token - Stack Overflow-Reference
I've read other similar answers but they either use IIS, talk about self-signed certificates or don't fill the purpose at all.
I'm trying to create a simple web API that will be hosted in a Windows machine with SQL Express using .NET 5.
I'm able to create a self-signed certificate and use that during development, but this will be hosted in a client's machine and they probably have a SSL certificate. In the past, with web applications that run only in localhost I did something like this:
public static IHostBuilder CreateHostBuilder ( string [] args ) =>
Host.CreateDefaultBuilder( args )
.ConfigureWebHostDefaults( builder =>
{
builder.UseStartup<Startup>();
builder.UseKestrel(options => {
if ( ServerConfiguration.ShouldUseHttps() )
{
options.Listen( IPAddress.Any, 6050, listenOptions =>
{
listenOptions.UseHttps( Path.Combine( "Certificates", "cert.pfx" ), CertificatePassword );
} );
}
else
{
options.Listen( IPAddress.Any, 6050 );
}
} );
} );
Where cert.pfx is my self-signed certificate. I would ship that certificate with the software, and tell the client to install it, then they can use HTTPS and the browser would trust the certificate. Probably enough for a localhost application, but not for an exposed API.
So let's say the client has bought an SSL certificate and I want my .NET application to use that certificate, that will be installed on the same machine as my application. How can I accomplish that?
Right now, I've just deployed my application in another computer, without any certificates or anything else, but of course I get errors of type "The SSL certificate can't be trusted" (in postman for example).
If the client doesn't buy an SSL certificate, can we use a self-signed certificate?
Thank you very much.
Don't configure your endpoints in code. Instead, configure them in your appsettings.json file, as described in the Kestrel documentation. You can configure just one endpoint, or multiple.
Here's an example configuration that has an HTTP and HTTPS endpoint, with the certificate from a pfx file with a password:
{
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "http://localhost:5000"
},
"HttpsInlineCertFile": {
"Url": "https://localhost:5001",
"Certificate": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
}
}
}
}
The documentation shows different configurations for the certificate, like a .pem and key file (like you get from Let's Encrypt, for example) or using the Windows certificate store.
This way, if the client gets their own cert, it's just a matter of updating the appsettings.json.
In my BlazorWebAssembly + ASP.NET Core Identity test site (.NET 5.0 RC1), I'm getting the following error when trying to log in.
There was an error trying to log you in: 'Network Error'
I have already set appsettings OIDC to be the following:
{
"SiteName": "MyProject",
"oidc": {
"Authority": "https://167.172.118.170/",
"ClientId": "MyProject",
"DefaultScopes": [
"openid",
"profile"
],
"PostLogoutRedirectUri": "/",
"RedirectUri": "https://167.172.118.170/authentication/login-callback",
"ResponseType": "code"
}
}
Why is it not able to connect?
Test site is at http://167.172.118.170/ and the code can be found in https://github.com/jonasarcangel/BlazorLoginNetworkErrorIssue
It is clear by now that Blazor uses the internal url http://localhost:5008 as the authority instead of the external url http://167.172.118.170/
When the client attempts to connect to http://localhost:5008/.well-known/openid-configuration, an error occurs: connection refused...
As a matter of fact the client should use this url: http://167.172.118.170/.well-known/openid-configuration, but it does not as the value of the authority is determined by Blazor.
If you type the url http://167.172.118.170/.well-known/openid-configuration in the browser's address bar, you'll see all the configuration information about the Identity Provider. Indeed, http://167.172.118.170/ is the authority. But as you've seen setting the Authority to this url in the appsettings.json file was simply ignored, and the internal url was used instead.
How to solve this ? We should tell Blazor not to use the internal url but the external one...
Attempts suggested:
In the web server project's Startup class's ConfigureService change this code:
services.AddIdentityServer()
.AddApiAuthorization<ApplicationUser, ApplicationIdentityDbContext>
();
To
services.AddIdentityServer(options =>
{
options.IssuerUri = "https://167.172.118.170/";
})
.AddApiAuthorization<ApplicationUser,
ApplicationIdentityDbContext>();
Use the ForwardedHeaders middleware. See this sample as to how to do it.
Stick to the above... The issue is here, and not somewhere else.
Good luck...
I just test and the url http://167.172.118.170/_configuration/BlazorWorld.Web.Client returns
{
"authority": "http://localhost:5008",
"client_id": "BlazorWorld.Web.Client",
"redirect_uri": "http://localhost:5008/authentication/login-callback",
"post_logout_redirect_uri": "http://localhost:5008/authentication/logout-callback",
"response_type": "code",
"scope": "BlazorWorld.Web.ServerAPI openid profile"
}
Then the app try to connect to http://localhost:5008/.well-known/openid-configuration :
So the deployed appsettings is probably not the good one.
I'm deploying an ASP .NET Core web application that uses a SQL Server database to Microsoft Azure. I've created an "app service" with a SQL Server instance on Azure. When I deploy the application from Visual Studio to Azure, the deployment ends up opening a browser window with the message
"An error occurred while starting the application". In the application log I find the error "System.Data.SqlClient.SqlException: Login failed for user 'null'."
The connect string used to configure the deployment is the one I copied from the Azure management console. If I use the same connection string with Microsoft SQL Server Management Studio running on my notebook, I successfuly connect to the database. When run locally, using the local database, the application runs fine.
These are the files deployed on the Azure (in the code "my_" is replacing sensitive data):
appsettings.json
{
"ConnectionStrings": {
"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=my_database;Trusted_Connection=True;MultipleActiveResultSets=true"
},
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
}
}
appsettings.Production.json
{
"ConnectionStrings": {
"DefaultConnection": "Server=tcp:my_server.database.windows.net,1433;Initial Catalog=my_db;Persist Security Info=False;User Id=my_user_id;Password=my_password;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
}
}
Azure it super particular about its connection string. Mostly around the User ID field.
Below is a template version of my connection string that I use to connect to an Azure DB.
"Server=tcp:MyDatabaseServer.database.windows.net;Database=MyDatabaseName;User ID= MyDatabaseName#MyDatabaseServer.database.windows.net; Password=MyPassword;Trusted_Connection=False;Encrypt=True;MultipleActiveResultSets=true"
What i found is that I was getting errors when I didn't include the #MyDatabaseServer.database.windows.net
Maybe try subbing your information into this and seeing what happens. I am sure you already know how to get the DB servers host name and the local username for the DB. If you don't let me know and I can do some screen shots.