I have a service A and B. I am running up keycloak service in the same container with service A.
So, configs for service A are the following:
[app]
PageSize = 10
JwtSecret = 233
PrefixUrl = http://127.0.0.1:8000
[sso]
Host = http://127.0.0.1:8080
AdminLogin = some_admin
AdminPassword = some_password
Realm = master
ClientID = my_client
ClientSecret = XXX
I set up a middleware that validates JWT (gotten by keycloak) in service A and it successfully works out.
I run service B in another container with this config:
[app]
PageSize = 10
JwtSecret = 233
PrefixUrl = http://127.0.0.1:8002
[sso]
Host = http://172.18.0.1:8080
AdminLogin = some_admin
AdminPassword = some_password
Realm = master
ClientID = my_client
ClientSecret = XXX
You have noticed that I couldn't use 127.0.0.1 in B's config because it cannot dial this address (because keycloak is running with A in the same container).
I use the same JWT in the request header for service B. After that it goes to keycloak and gets:
{
"code": "ERROR_AUTH_CHECK_TOKEN_FAIL",
"context": {
"code": 401,
"message": "401 Unauthorized: invalid_token: Token verification failed",
"type": "unknown"
}
}
Am I right that keycloak detects the proxing somehow and the error is thrown because of that?
Should I use separate clients for keycloak for both services? And if it is so, how do I verify JWT gotten from service A in the B service?
I solved my problem. Ticket that I got from A had the issuer host http://127.0.0.1:8080 and B sent a header with the host http://172.18.0.1:8080 that failed token validation. Briefly, these hosts must be the same
Related
hi i am new to identity server 4. recently i made simple small project using identity server 4. solution has 3 projects of 1.identityserver4 2.api resource 3.client razor. every thing fine in localhost. but when i try the same project in docker i got problem with identityserver 4. this is the repository of the test project here
Problem
when web app client is started it should redirect to identity server 4 login page which happens with local host. but here i ran into the problem.
NOTE: until now according to searching i reach there may be certificate problem OR networking and DNS issue and i tried some suggested approaches but it wont work or maybe i doing it wrong
1st i tried set the authority address to the container name with port like http://identityserver4:9001 (also for client address which is port 5001) which throws the errors as
SocketException: Connection refused
System.Net.Sockets.Socket+AwaitableSocketAsyncEventArgs.ThrowException(SocketError
error, CancellationToken cancellationToken)
HttpRequestException: Connection refused (identityserver4:9001)
System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(string host,
int port, HttpRequestMessage initialRequest, bool async,
CancellationToken cancellationToken)
IOException: IDX20804: Unable to retrieve document from:
'http://identityserver4:9001/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string
address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration
from: 'http://identityserver4:9001/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken
cancel)
In this case the error came from client app.
When i shutdown the identityserver4 service and try the client it throws the same error. so it seems totally it could not reach identity server.
i tried the defined bridge network in docker-compose as well and i got the same result
also i tried http request to http://identityserver4:9001/.well-known/openid-configuration from client (i removed the client authorization & authentication stuff for test this) which throws the Connection refused error in response.
2nd i tried set the authority address to http://identityserver4:80. in this case the client app redirect to identity server 4 identityserver4/connect/authorize but the browser throws
dial tcp: lookup identityserver4 on 127.0.0.11:53: no such host
in this case the client passed and redirect to identity server 4
http request to http://identityserver4:80/.well-known/openid-configuration from client (i removed the client authorization & authentication stuff for test this) gives the correct response.
i linked the github repository above but for ease i also added mu configuration as below.
i try some approaches but this is the BASE CODE from the first attempt.
docker-compose.override.yml
version: '3.4'
services:
identityserver4:
container_name: identityserver4
environment:
- ASPNETCORE_ENVIRONMENT=Development
ports:
- "9001:80"
networks:
- mynet
clientapp:
container_name: clientapp
environment:
- ASPNETCORE_ENVIRONMENT=Development
ports:
- "5001:80"
depends_on:
- identityserver4
networks:
- mynet
apiresource:
container_name: apiresource
environment:
- ASPNETCORE_ENVIRONMENT=Development
ports:
- "8001:80"
networks:
- mynet
networks:
mynet:
external: true
Identity Server
client configuration in Config.cs
new Client
{
ClientId = "razorClient",
ClientName = "RAZOR Client App",
AllowedGrantTypes= GrantTypes.Hybrid,
RequirePkce = false,
AllowRememberConsent = false,
RedirectUris = new List<string>()
{
"http://clientapp:80/signin-oidc"
},
PostLogoutRedirectUris = new List<string>()
{
"http://clientapp:80/signout-callback-oidc"
},
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
AllowedScopes = new List<string>()
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"MYAPI"
},
AllowAccessTokensViaBrowser = true,
}
program.cs
using IdentityServer;
var builder = WebApplication.CreateBuilder(args);
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
builder.Services.AddControllersWithViews();
builder.Services.AddIdentityServer(options =>
{
options.IssuerUri = "http://identityserver4:80";
})
.AddInMemoryClients(Config.Clients)
.AddInMemoryIdentityResources(Config.IdentityResources)
//.AddInMemoryApiResources(Config.ApiResources)
.AddInMemoryApiScopes(Config.ApiScopes)
.AddTestUsers(Config.TestUsers)
.AddDeveloperSigningCredential();
var app = builder.Build();
if (!app.Environment.IsDevelopment())
{
app.UseHttpsRedirection();
}
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
app.Run();
Client APP
program.cs
using ClientApp.Data;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Web;
using Microsoft.AspNetCore.Mvc.Authorization;
var builder = WebApplication.CreateBuilder(args);
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
builder.Services.AddHttpClient();
// Add services to the container.
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();
builder.Services.AddSingleton<WeatherForecastService>();
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = "http://identityserver4:80";
options.MetadataAddress = "http://identityserver4:80/.well-known/openid-configuration";
//options.BackchannelHttpHandler = new HttpClientHandler
//{
// ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true
//};
options.RequireHttpsMetadata = false;
options.ClientId = "razorClient";
options.ClientSecret = "secret";
options.ResponseType = "code id_token";
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("MYAPI");
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
});
builder.Services.AddMvcCore(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
app.UseHttpsRedirection();
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
i got the solution
Description
the problem is the container communication. when running the project on localhost (not on docker) every thing is set to localhost:port address including authority address of is4. the app is authorized or redirect to login page simply. but in docker env the authority have to addressed based on docker inter-communication address ( local host is unknown here which leads to connection refused ) which is known by docker containers network but not machine localhost. so in that case the authority of is4 works but when it comes to redirect to login page ( identity server 4 UI ) based on authority address that address is unknown by local machine so it throws DNS error. so according to #Dimitris Maragkos answer i set the base addresses to local machine Ip address like
options.Authority= "http://192.168.8.202:9001"
including the client and api relevant required addresses.
I've looked through the list of possible solutions, but I don't see this problem, here it is.
I had been using smtp for years for my crontab entry to provide status updates via email. Then it quit this week, and I was unable to fix it. Then I saw that it had become orphaned, and the suggestion was to move to msmtp. So I downloaded and installed it on my Ubuntu 18.10 system.
I'm trying to send email to my myaccount#gmail.com account.
It appears that I'm communicating properly with the gmail smtp server, as the debug below show. But it always gets a TLS Timeout.
I also don't understand why I have multiple EHLO entries. My system does not have a DNS domain name, so that I'm not sure what to put here; localhost seems to be working OK. Also, my Thunderbird emailer is working correctly with gmail.
Here's the debug output:
echo "Hello there" | msmtp --debug myaccount#gmail.com >/tmp/msmtpOut.txt
ignoring system configuration file /etc/msmtprc: No such file or directory
loaded user configuration file /home/myhome/.msmtprc
falling back to default account
using account default from /home/myhome/.msmtprc
host = smtp.gmail.com
port = 587
proxy host = (not set)
proxy port = 0
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = myaccount
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = /etc/ssl/certs/ca-certificates.crt
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = myaccount#gmail.com
add_missing_from_header = on
dsn_notify = (not set)
dsn_return = (not set)
logfile = (not set)
syslog = (not set)
aliases = (not set)
reading recipients from the command line
<-- 220 smtp.gmail.com ESMTP 4sm116524ywc.22 - gsmtp
--> EHLO localhost
<-- 250-smtp.gmail.com at your service, [71.56.87.81]
<-- 250-SIZE 35882577
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250-ENHANCEDSTATUSCODES
<-- 250-PIPELINING
<-- 250-CHUNKING
<-- 250 SMTPUTF8
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google LLC
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G3
Organization: Google Trust Services
Country: US
Validity:
Activation time: Tue 21 May 2019 04:48:45 PM EDT
Expiration time: Tue 13 Aug 2019 04:32:00 PM EDT
Fingerprints:
SHA256: C7:78:B6:D6:4E:3E:2B:2F:08:6D:A4:84:E6:1D:87:8E:A1:DF:54:D2:AB:79:AC:A6:BB:50:E5:5D:EC:B4:20:4C
SHA1 (deprecated): 39:C5:E5:40:64:37:17:25:17:7F:E8:BA:20:F4:70:F4:FE:22:70:22
--> EHLO localhost
msmtp: cannot read from TLS connection: the operation timed out
msmtp: could not send mail (account default from /home/myhome/.msmtprc)
Build msmtp using --with-tls=openssl to solve the problem.
As regards as the EHLO command sent twice the RFC3207 states:
The server MUST discard any knowledge
obtained from the client, such as the argument to the EHLO command,
which was not obtained from the TLS negotiation itself. The client
MUST discard any knowledge obtained from the server, such as the list
of SMTP service extensions, which was not obtained from the TLS
negotiation itself. The client SHOULD send an EHLO command as the
first command after a successful TLS negotiation.
So that is the normal behaviour.
I am new to emqtt. I am trying to use emq_auth_http but it is not working.
I have these 3 requests to console some data and send data back with status 200.
app.post('/mqtt/auth', function(req, res) {
console.log('This is body ', req.body);
res.status(200).send(req.body);
});
app.post('/mqtt/superuser', function(req, res) {
console.log('This is body in superuser ', req.body);
res.status(200).send(req.body);
});
app.get('/mqtt/acl', function(req, res) {
console.log('This is params in acl ', req.params);
res.status(200).send(req.body);
});
Requests are working fine on postman.
I have configured my emqtt on windows with docker. I have placed my config file in /etc/plugins/emq_auth_http.conf.
This is my config file
## Variables: %u = username, %c = clientid, %a = ipaddress, %P = password, %t = topic
auth.http.auth_req = http://127.0.0.1:3000/mqtt/auth
auth.http.auth_req.method = post
auth.http.auth_req.params = clientid=%c,username=%u,password=%P
auth.http.super_req = http://127.0.0.1:3000/mqtt/superuser
auth.http.super_req.method = post
auth.http.super_req.params = clientid=%c,username=%u
## 'access' parameter: sub = 1, pub = 2
auth.http.acl_req = http://127.0.0.1:3000/mqtt/acl
auth.http.acl_req.method = get
auth.http.acl_req.params =
access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
Then I enabled emq_auth_http from dashboard
Now when I tried to connect my mqtt client to my server it is not calling the api. It logs
09:28:29.642 [error] Unexpected HTTP Request: POST /mqtt/auth
09:28:29.644 [error] Client(19645050-9d1b-4c50-acf9-
c1fe7e69eea8#172.17.0.1:60968): Username 'username' login failed for 404
Is there anything I missed? Why it is not working?
Thanks
127.0.0.1 in a container refers to the container itself and not the host machine. you should set the host machine ip,you can obtain the host machine ip from a container by issuing the command /sbin/ip route|awk '/default/ { print $3 }' which could be found here
ps: this way you can get the ip of docker machine and not the host ,if your service is served by windows you can reach the ip of host machine from the container which is 10.0.75.1. you can find it in
How to connect to docker host from container on Windows 10 (Docker for Windows)
I'm getting an authentication error when trying to connect ssh host.
The goal is to connect to the host using local forwarding. The command below is an example using drop bear ssh client to connect to host with local forwarding.
dbclient -N -i /opt/private-key-rsa.dropbear -L 2002:1.2.3.4:2006 -p 2002 -l
test_user 11.22.33.44
I have this code so far which returns empty connection
ip = "11.22.33.44"
user = "test_user"
port = 2002
ssh_config = [
user_interaction: false,
silently_accept_hosts: true,
user: String.to_charlist(user),
user_dir: String.to_charlist("/opt/")
]
# returns aunthentication error
{:ok, conn} = :ssh.connect(String.to_charlist(ip), port, ssh_config)
This is the error Im seeing
Server: 'SSH-2.0-OpenSSH_5.2'
Disconnects with code = 14 [RFC4253 11.1]: Unable to connect using the available authentication methods
State = {userauth,client}
Module = ssh_connection_handler, Line = 893.
Details:
User auth failed for: "test_user"
I'm a newbie to elixir and have been reading this erlang ssh document for 2 days. I did not find any examples in the documentation which makes it difficult to understand.
You are using non-default key name, private-key-rsa.dropbear. Erlang by default looks for this set of names:
From ssh module docs:
Optional: one or more User's private key(s) in case of publickey authorization. The default files are
id_dsa and id_dsa.pub
id_rsa and id_rsa.pub
id_ecdsa and id_ecdsa.pub`
To verify this is a reason, try renaming private-key-rsa.dropbear to id_rsa. If this works, the next step would be to add a key_cb callback to the ssh_config which should return the correct key file name.
One example implementation of a similar feature is labzero/ssh_client_key_api.
The solution was to convert dropbear key to ssh key. I have used this link as reference.
Here is the command to convert dropbear key to ssh key
/usr/lib/dropbear/dropbearconvert dropbear openssh /opt/private-key-rsa.dropbear /opt/id_rsa
I am using CKAN 2.7.2.
I have added the following configurations in my development.ini file of ckan:
ckan.oauth2.authorization_endpoint = https://wso2IP/oauth2/authorize
ckan.oauth2.token_endpoint = https://wso2IP/oauth2/token
ckan.oauth2.profile_api_url = https://wso2IP/userinfo
ckan.oauth2.client_id = *client-id*
ckan.oauth2.client_secret = *clientsecret*
ckan.oauth2.profile_api_user_field = abc
ckan.oauth2.profile_api_mail_field = abc#gmail.com
Also, have exported the following while running ckan using paster serve :
export OAUTHLIB_INSECURE_TRANSPORT=True
Also, I have added an application (ckan provider) in WSO2 Identity Server also with callback URL = (http://ckan-url:5000/oauth2/callback) where the CKAN instance is running (i.e a private IP of 172.30.66.XX type running on port 5000).
So, what configuration need to be done in WSO2 Identity Server and ckan development.ini file?
Also, configuring on both sides, I get the error Client authentication Failed in CKAN GUI.
I am using Ckan 2.7.2 , WSO2-IS 5.1 and ckanext-oauth2 (oauthlib==0.8.0)
will it be giving a problem in authentication process??Can it be a version dependency issue??
I have followed the given steps. Kindly correct if I am missing or doing something wrong:
I have used API store and published ckan application.
Entered the ckan callback url as http://oauth2/callback
Entered the generated client ID and client secret from step 1 in ckan configuration.
Also, made the given changes mentioned by you regarding claim configurations and ckanext-oauth2 configurations.
Now, it gives above error.or sometimes Invalid Client (Client Authentication Failed)
Inbound settings:
enter image description here
Error Logs :
[2018-07-25 19:29:25,432] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2018-07-25 19:29:25,431+0530]
[2018-07-25 21:55:15,930] INFO {org.wso2.carbon.identity.application.authentication.framework.store.OperationCleanUpService} - Session Operation Data cleanup task is running successfully for removing expired Operation Data
[2018-07-25 23:40:15,929] INFO {org.wso2.carbon.identity.application.authentication.framework.store.SessionCleanUpService} - Session Data cleanup task is running successfully for removing expired Data
[2018-07-26 09:21:18,948] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2018-07-26 09:21:18,948+0530]
[2018-07-26 09:21:39,307] INFO {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - 'admin#carbon.super [-1234]' logged out at [2018-07-26 09:21:39,0306]
[2018-07-26 09:55:15,975] INFO {org.wso2.carbon.identity.application.authentication.framework.store.OperationCleanUpService} - Session Operation Data cleanup task is running successfully for removing expired Operation Data
After configuring the settings I receive the following Message:
Your application settings at WSO2-IS seems to be correct. The only thing to take into consideration, it is that ckanext-oauth2 is only able to use the Code and, the Refresh Token grant types, so only those types need to be allowed.
Using this configuration for ckanext-oauth2:
ckan.oauth2.authorization_endpoint = https://wso2IP/oauth2/authorize
ckan.oauth2.token_endpoint = https://wso2IP/oauth2/token
ckan.oauth2.profile_api_url = https://wso2IP/userinfo
ckan.oauth2.client_id = *** OAuth Client Key from the Inbound Authentication Configuration at WSO2 ***
ckan.oauth2.client_secret = *** OAuth Client Secret from the Inbound Authentication Configuration at WSO2 ***
ckan.oauth2.scope = all_info openid
ckan.oauth2.profile_api_user_field = email
ckan.oauth2.profile_api_fullname_field = name
ckan.oauth2.profile_api_mail_field = email
and using your claim mapping configuration (http://wso2.org/claims/fullname and http://wso2.org/claims/emailaddress); I was able to sign in into CKAN. I have tested using CKAN v2.7.4, v2.8.0 and v2.8.1; ckanext-oauth2 v0.6.1 and WSO2-IS v5.5.0 (although it should work using WSO2-IS v5.1).