IdentityServer4 well known configuration generates invalid url schemas with double backslashes - .net-core

My IdentityServer4 instance returns deformed schema for the urls in the reponse of the well-known configs. Here is the response that I get from
http://www.server.meetcorepoint.com/.well-known/openid-configuration
{"issuer":"http://\\www.server.meetcorepoint.com","jwks_uri":"http://\\www.server.meetcorepoint.com/.well-known/openid-configuration/jwks","authorization_endpoint":"http://\\www.server.meetcorepoint.com/connect/authorize","token_endpoint":"http://\\www.server.meetcorepoint.com/connect/token","userinfo_endpoint":"http://\\www.server.meetcorepoint.com/connect/userinfo","end_session_endpoint":"http://\\www.server.meetcorepoint.com/connect/endsession","check_session_iframe":"http://\\www.server.meetcorepoint.com/connect/checksession","revocation_endpoint":"http://\\www.server.meetcorepoint.com/connect/revocation","introspection_endpoint":"http://\\www.server.meetcorepoint.com/connect/introspect","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"scopes_supported":["openid","profile","api1","offline_access"],"claims_supported":["sub","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"code_challenge_methods_supported":["plain","S256"]}
Here is the mvc client http://www.mvc.meetcorepoint.com and when I click to authenticate with the idsr4 the client throws exception Unable to parse host name and fails to do authentication because it can't parse the urls.
Note the \\ appended to the schema in each url of the response. All urls are invalid. Both the idsr4 and the mvc client are hosted on Amazon Linux. The two projects that I use are both from the official sample projects on GitHub https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/5_HybridFlowAuthenticationWithApiAccess
I am using version 2.0.4 of dotnet core.
On localhost the idsr4 works as expected and returns the appropriate response without additional double backslashes.
What is causing the wrong url schemas and how to fix this ? Feel free to test the identity server yourself on the live servers.

Related

ASP.NET capture DNS from HttpReuest.CurentContext with https

I am working in one of the applications running on .NET Framework 4.6.1, where I am trying to get dns name (on server) and on local, both having 'https' protocols.
Locally I am accessing my application with https://localost:44301/ however request object is showing me http://127.0.0.1
On Server I am accessing with https://dns.com/ however logs are showing me http://127.0.0.1 - running instances behind ALB.
Code:
var host = System.Web.HttpContext.Current.Request.Url;
I am calling this on Startup.cs class.
I see my browser has and showing https://localhost:44301, however code is showing http://127.0.0.1 as mentioned above.
My code is running on .NET Framework 4.6.1 and unable to find anything more with HttpRequest object.
Question - How can I get correct DNS name or localhost:44301 from request object or using some other mechanism.

WooCommerce - Auto generating API keys using our Application Authentication Endpoint give 401 Invalid URL error

I'm attempting to use the REST API provided by WooCommerce to generate the Customer Secret and Customer Key values so that it could be used to invoke other WooCommerce REST APIs. I referred the documentation about generating the key values and managed to get it working using a mock endpoint in Postman used for the call_back URL in the API as mentioned in the document.
I created a POST service in my backend server and managed to setup a SSL certificate in the local environment with a domain mapped in hosts file in /etc directory. I ran the backend service and invoked the callback url through Postman and it worked. Then I used that as the call_back URL in the actual WooCommerce Auth endpoint to programatically generate the keys and save it in my DB. But I'm getting
"Access Denied" - Error: A valid URL was not provided..
When I checked the browser through devtools -> network noticed that there is a 401 Unauthorize error.
Here is the sample GET URL that is uesd for WooCommerce API key generation
http://localhost/woocommerce/wc-auth/v1/authorize?app_name=<SOME_NAME>&scope=read_write&user_id=36&return_url=http://localhost/woocommerce/&callback_url=https://foo.bar.dev:44329/api/services/app/woo_commerce_auth/6/callback
callback_url = https://foo.bar.dev:44329/api/services/app/woo_commerce_auth/6/callback
When the callback_url is a mock url generated using Postman it works fine
callback_url = https://513ca6ab-db16-4635-8d0b-9159e3b1e187.mock.pstmn.io/api/services/app/woo_commerce_auth/6/callback
Any clue why this happens, I could not find a way to troubleshoot this issue. Appreciate the help.
Hi posting this for future reference, and hope it would help others who face this problem as well.
Things to keep in mind when setting the callback_url,
Non HTTPS URL endpoint are not allowed.
URL should not be a localhost url (e.g localhost/callback would give an invalid URL error)
URL should not contain port number (e.g localhost:4320/callback or foo.bar.dev:4892/callback are invalid)
Callback URL should be a POST url
If an error such as Error: An error occurred in the request and at the time were unable to send the consumer data. is given after checking all the above check the backend service code related to the callback_url (I had a 500 server error which triggered this, it was not a WooCommerce issue)
Also a tool such as ngrok would be really helpful to setup an HTTPS endpoint in your local environment to test this.

Microsoft application - Redirect URI allows 'localhost' but not '127.0.0.1'

I have developed an application that allows MSA (Microsoft Account) authentication. I have registered my app here: https://apps.dev.microsoft.com.
When testing my app locally, I can access my app with no problem at my SSL URL of https://localhost:44300, and MSA works fine. When I registered my app, I used https://localhost:44300/signin-microsoft as the Redirect URI.
Problem: I can also access my app at https://127.0.0.1:44300, as one would expect. However, MSA here doesn't work. The error page says, We're unable to complete your request.
Microsoft account is experiencing technical problems. Please try again later. And the URL of the error page reveals that the error is with a mismatch in the Redirect URI: https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
In the Microsoft Apps page, when I try to update the Redirect URI from https://localhost:44300/signin-microsoft to https://127.0.0.1:44300/signin-microsoft, it doesn't allow me to save my change and it shows me this error: Your URL can't contain a query string or invalid special characters, and it provides a 'Learn More' link: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-limitations#restrictions-on-redirect-uris
After reading the info in this link, I see nowhere that a URI like mine (https://127.0.0.1:44300/signin-microsoft) would be an unacceptable URL, as I'm not breaking any of their rules: I have no invalid characters, no query strings, etc.
My research: Looking online, people are getting the Your URL can't contain a query string or invalid special characters because they are actually using a query string or invalid special characters, such as in this link: https://social.msdn.microsoft.com/Forums/en-US/4f638860-ea57-4f0e-85e0-b28e1e357fe2/office-365-app-authorization-redirect-uri-issue?forum=WindowsAzureAD. I couldn't find a case where someone has entered a valid URI and they weren't allowed to save it.
Why I need 127.0.0.1 to work: I need to expose this website, which is running on my local box. In order to have the website running without having an instance of Visual Studio opened all the time, I'm using csrun to host my website in Azure local fabric (by the way, my app is an Azure Cloud Service, with a ASP.NET MVC 5 app as a web role). I followed this instruction for csrun: http://www.bardev.com/2013/03/12/how-to-deploy-application-to-windows-azure-compute-emulator-with-csrun/. Using csrun, it allowed me to host my website in https://127.0.0.1:444 (but, as with https://127.0.0.1:44300, MSA doesn't work). My end goal is to expose this website with a public URL using ngrok (https://www.sitepoint.com/use-ngrok-test-local-site/), so that anyone can access my site.
Therefore, my main question is: how can I have the Redirect URI be https://127.0.0.1:44300/signin-microsoft instead of https://localhost:44300/signin-microsoft?
Make sure you access this portal through https://identity.microsoft.com as this is the only way the steps below will work.
You can get around this error right now by adding the reply URL through the manifest. Login to the portal, select the app you want to configure, and scroll down and hit the Edit Application Manifest button. Then you can add your https://127.0.0.1:44300/ to the replyUrls field.
There's some funny behavior that will only allow this right now if you only register other localhost reply Urls. If this is the only reply URL you need then it shouldn't be a problem.

Web Api Route Attributes not matching on remote server

We have an API, routed with Attributes, and registered first in our start up method with config.MapHttpAttributeRoutes();
This works fine locally.
However on the test environment the Api routes are not matching a request, and instead are tried to be matched via the default MVC router. The default MVC route is registered at the end of our start up method.
I've triple checked the config transforms, even the deployed web.config to ensure there are no url rewrites getting in the way.
The requests are simple JSON requests.
Anyone have any pointers as to anything else that could cause the Api routes to be ignored on remote environments only?
Thanks
Turns out it was due to old libraries in the bin folder on the remote server.
The lesson here is to make sure deleted files are also deleted in the build process, or to manually delete them.

empty parameterbag object on request

I am running a json restapi service on ubuntu with symfony2 framework.
Everything was working fine but for security and performance reasons we moved to amazon ec2 with rds.
Now i am facing a strange problem if i call the api with curl it works ok until i use some characters on the body parameters like accents (´).
i copy and paste the /etc/php5 and /etc/apache2 config folder from the old server to the new server, still not working.
i also match the locale on both server. debugging the symfony2 request object i realize that the parameterbag object when using an special character like (á) is empty for all the parameters.

Resources