I have my SAML2 enpoint in Azure and tried to integrate with Kentor Sample Mvc application. Everything went fine, Even I can see the SAMLRESPONSE with claims(attributes) in it. But I am getting a certificate error like "The signature verified correctly with the key contained in the signature, but that key is not trusted.' occurred in Kentor.AuthServices.dll" . Could anyone please help me on this?
This means that you've configured the wrong signing key with AuthServices. Since you're using Azure you should be aware that they roll over (i.e. change) keys regularly so you can't just configure the key. You have to configure AuthServices to load the Azure metadata automatically. Set the MetadataLocation property of the IdentityProvider to the metadata address of your Azure tenant.
Related
I am using .NET Core 2.0 and ASP.NET Core 2.0 for application development. The "test" application is a .NET Core Console application. The core code I am writing is a class library. Once proper testing. I choose to do this since I won't be putting this to use for awhile (it's replacing older ASPNET code).
Anyway, since I have to work with a LOT of API keys for various services I decided to use Microsoft Azure Key Vault for storing the keys. I have this all setup and understand how this works. The test application uses a test Azure account so it's not critical. And since this is replacing legacy code and it's in the infancy, I am the sole developer.
Basically, I'm running into this issue. There's not too much information on Azure Key Vault from what I can see. A lot of examples are storing the Client ID and Secret in a plain text json file (for example: https://www.humankode.com/asp-net-core/how-to-store-secrets-in-azure-key-vault-using-net-core). I really don't understand how this can be secure. If someone were to get those keys they could easily access stored information Azure, right?
The Microsoft MSDN has a powershell command that grants access (I lost the original link, this is closest I can find: https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/setting-up-and-configuring-an-azure-key-vault/) My development operating system is Windows 10 and my primary server operating system is Debian.
How would I approach this?
Yes, you are right, the plain text config file could be used only during development, not for production purpose. And in general, available options depend on where and how you host an App.
If you have an Azure Web App, you have at least next built-in options (from the documentation):
add the ClientId and ClientSecret values for the AppSettings in the Azure portal. By doing this, the actual values will not be in the web.config but protected via the Portal where you have separate access control capabilities. These values will be substituted for the values that you entered in your web.config. Make sure that the names are the same.
authenticate an Azure AD application is by using a Client ID and a Certificate instead of a Client ID and Client Secret. Following are the steps to use a Certificate in an Azure Web App:
Get or Create a Certificate
Associate the Certificate with an Azure AD application
Add code to your Web App to use the Certificate
Add a Certificate to your Web App
You may also find an approach that uses env variables to store credentials. This may be OK only if you can guarantee that it's not possible to do a snapshot of env variable on prod machine. Look into Environment Variables Considered Harmful for Your Secrets for more details.
And the last one thing: there is also a technic that based on the idea, that you need to store/pass only a ClientSecret value while ClientId should be constructed based on machine/container details where the App is hosted (e.g. docker container id). I have found an example for Hashicorp Vault and an App hosted on AWS, but the general idea is the same: Secret management with Vault
In addition to the first answer, with the context of running applications on Azure VM, instead of using client_secret to authenticate, you can use client certificate authentication as explained in this documentation: Authenticate with a Certificate instead of a Client Secret.
In the picture above:
Application is authenticating to AAD by proving that it has the private key of the certificate (which is basically stored in CNG if you are using Windows).
Application get back the access_token and then use it to access the Key Vault.
The developer does not need to know the private key value of the certificate in order for their app to be successfully authenticated. Instead, they only need to know the location of the imported pfx (a container for private key and its certificate) in the Certificate Store.
At least on Windows, you as secret administrator can convert the private key and the certificate into pfx format which is password protected, and then deploy it into the Windows Certificate store. This way no one could know the private key unless they know the password of the pfx file.
The other approach specifics for Azure Compute, is to use Azure Managed Service Identity. Using Azure MSI, Azure will automatically assign your resources such as VM with an identity / Service Principal, and you can fire requests at a specific endpoint that are only accessible by your resource to get the access_token. But be wary that Azure MSI are still under public preview, so please review the known issues before using it.
The picture above explain how Azure Resource Manager assign a Service Principal identity to your VM.
When you enable MSI in a VM, Azure will create a service principal in your AAD.
Azure will then deploy a new MSI VM extension to your VM. This provides an endpoint at http://localhost:50432/oauth2/token to be used to get the access_token for the service principal.
You can then use the access_token to access the resources such as Key Vault which authorize the service principal access.
We have an ASP.NET Core application which has the default authentication system and is hosted on Azure.
Recently, we created a new AppService and routed the users to that service while maintaining connection to the same database.
However, when users use the new server, we get continuous crashes with the following error:
The key {xxx-xxx-xxx-xxx} was not found in the key ring.
of type
System.Security.Cryptography.CryptographicException
and method
Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String
serializedToken)
Our understanding is that the server is trying to decrypt the token but since it was received from a different server, our server just crashes.
We would so much appreciate if you can suggest a way to solve this issue temporarily until we change the DataProtection provider.
We want a way that wouldn't let our server crash.
Thank you so much
Update: I'm surprised now that this error happens in: POST Account/Login and POST Account/Register while these methods do not require authorization, however these methods are decorated with:
[ValidateAntiForgeryToken]
Both Get Account/Login and Post Account/Login happen on the same server.
Make sure you have machine key same across the farm. You should set it at the application level, meaning, different apps have different keys but the same app has the same key on all server of the farm.
The machine mey is responsible for encrypting some internals of selected features of the engine, including the antiforgery tokens. A different key on different servers causes the exact issue you describe.
https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey/
https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx
In my case.
This error happened as I was using two or more instances for the identity server.
So,
Login goes fine but checking the token cause errors.
As the login was done by an instance and checking was done using other instance.
The easiest way to solve this is to make sure that your identity server or API is using only one instance.
I'd like to use Google Identity Toolkit API to identify the user of a web site.
I made the example program without problems, but when trying to push it on a remote web server it does not work.
I made a new project (so I have new credentials for server, client and apikey).
I made all the modification to the PHP and JSON file but when I try to login I get : There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed
I don't understand where referer are specified because the aipkey is auto generated when you change the API configuration and in API configuration there are not referers or ip indication.
Where am I doing wrong?
Go to google developers console.
Select the project you previously created and then go to Credentials option in the APIs & auth menu on the left.
Under API keys, select browser key. You can configure the browser key referrer there.
Under api key there was only one key automatically created by the api configuration.
This key had no name and i can't find a way to modify or view it.
I tried to delete it several times, but every time was created without name.
I tried to add a new key by myself, but that key wasn't accepted.
I had to delete the auto generated key, create a new one, and then go modifying the api config.
Then it worked....
I have published an orchestration as a WCF web service using WCF_WSHttp bindings. I think we about the SSL certificate working. It will be open to the internet, thus anyone who knows the URL could call it and pass data; so we want to add user/pass authentication. We simply one the one client/vendor to have the ability to call this webservice, no one else.
I've been reading everywhere, and cannot find any specific steps.
I think I want something like Scenario #4 here: https://seroter.wordpress.com/biztalk-and-wcf-part-ii-security-patterns/, but I cannot see how he got the "Client Credentials" box to pop-up in BT-2010.
Best I can tell is I have to:
1) In BizTalk Admin Console - set Security Mode to TransportWithMessageCredential.
2) From here: https://msdn.microsoft.com/en-us/library/bb226482.aspx, I'm a little confused about the difference between Windows and Username. An outside vendor is calling our webservice, so they are not on our domain. Do I need to set up a service account? Or can I just make up a username and insert it here somewhere?
3) Do I have to make corresponding changes to the WCF web.config that was created by the BT-2010 "WCF Servcie Publishing Wizard"
It seems like your're looking for just Basic authentication on the transport layer? All you then have to do is to create an AD user or a local user on the BizTalk machine and set the Transport client credential type to Basic.
Hi
I am developing an application on android(3.0) and trying to use the Evernot API. I downloaded Evernote API with sample and trying to play with it.
I working with evernote sample application name "HelloEDAM" , when i run the application following error displays at screen
"Error initializing Evernote API".. i have the API consumer secret and consumer Key which is send by Evernote to me and also providing the right username and password. Any idea what could be the problem?
many thanks !!
That error is shown if we're unable to authenticate to Evernote. Common causes of this are:
Your application doesn't have internet permissions
Your consumer key and consumer secret are incorrect
You requested a web service API key, which must authenticate using OAuth, but are attempting to authenticate using username & password
You are using an Evernote username and password from our production service but are attempting to authenticate against our sandbox server
We also log a message that contains the exception that caused the error.