I have configured .net core 2.2 API to use windows and JWT authentication both:
"windowsAuthentication": true,
"anonymousAuthentication": true,
The application has angular as an SPA on the UI. Now the application works perfectly fine with chrome, however on edge, it keeps showing the credential popup and I am not able to remove it.
I have configured site also on the security tab for internet options as *.abc.com so that all such URLs are trusted.
The failed network call shows that edge removes the bearer token and replaces it with negotiate, which causes the 401 and then popup.
what will I be missing ?
To anyone who has faced the same issue, in the end I have split the project in two projects, one with windows authentication, and other with JWT authentication only.
Only this solved the problem.
Related
I have created an app using ASP.NET Core 6 MVC application. I am using the Microsoft.Identity platform for authentication (Azure AD authentication). It worked fine locally. User is able to sign-in and sign-out and able to navigate. When signing in with wrong password or username then user getting an error.
But when hosted the same code on Azure App Service and when accessing the app the 401 error occured. HOw I fix that issue. As I mentioned everything works fine locally so no issue with registration clientId or any other registration level info.
WebConfig file
AppService configuration
As mentioned in the question, if you enabled Azure Active Directory, there is no need to you to login and logout explicitly. As you are trying to do those operations locally, it must be they are not configured perfectly locally also. The same error it is causing while moving and accessing in Azure App Service.
Kindly check the following things in configuration:
1. Configuration of IIS before deployment
2. Configuration of AAD
These two steps could solve the issue.
[SOLVED READ COMMENTS ]
I got a problem with the asp.net core hosted Blazor app.
locally it works like charm, when it is deployed there is a problem related to the cookies, that I don't know how to fix, I did my best, now seeking help :)
The problem is: once the user comes to the login page he gets this message in the console:
Here I found those cookies in response
There is no way to fix this issue in this scenario, I have tried everything, only one thing will work that is SSL certificate.
Chrome version 80 or higher will block all third-party cookies by default. If you use the api using HTTPS, switch the protocol to the HTTPS and check whether the Set-Cookie in the response header contains SameSite=None and Secure.
If it doesn't use HTTPS, Chrome 80 will intercept the login function under the http protocol, causing the entire local deployment service to be unavailable. For this situation, open chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure in chrome, set it to be Disabled.
I'm using the MSAL framework in an iOS app. It's all works well when I authenticate against our inside ADFS server that only needs username/password. The public facing server requires a client certificate. From the public Internet, when I hit the Graph API without a token, I get redirected to a page that says a certificate is required and to select one to use. There is nothing to select and I can't do anything other than exit at that point. I see the same behavior with MacOS and Safari. Am I missing something or should this work?
I have modified sample code that connects to OneDrive and allows user to upload/download images to OneDrive. I have deployed MVC5 app here. Below is key piece of javascript code
$(document).ready(function () {
var client_id = "61029bc2-373d-46d6-935b-ab34b325ef3a",
scope = ["wl.signin", "wl.basic", "wl.skydrive", "wl.skydrive_update"],
//redirect_uri = "http://localhost:61727/home/callback"; //when redirect_uri is configured as localhost everything works find
redirect_uri = "http://onedriveuploaddemo.azurewebsites.net/home/callback"; //When I deploy application to azure get error saying invalid redirect_uri
WL.Event.subscribe("auth.login", onLogin);
WL.Event.subscribe("auth.sessionChange", onSessionChange);
WL.init({ client_id: client_id, redirect_uri: redirect_uri, response_type: "token", scope: scope });
WL.ui({ name: "signin", element: "signin" });
});
Please see below configuration of app
When I configure 'redirect_uri' as local host i.e. (http://localhost:61727/home/callback). Application works as expected. When I click on login button it redirect me to windows live login screen, then I can enter my username/password and I am redirected back to 'redirect_url'
But trouble starts when I change 'redirect_uri' that is pointing to page thats hosted in azure. I have hosted the MVC app here . When I click on 'SignIn' button it opens up dialog and closes it immediately. I am not able to grab error message. But it seems to be an issue with 'redirect_uri'
Do I need to enable any setting in Azure in order to get this done?
Note: While configuring 'redirect_uri' I am changing it at both the places i.e. in MVC app and in 'Application Registration Portal' and both are identical.
Using Fiddler4, I was able to catch the error message, which is:
The provided value for the input parameter 'redirect_uri' is not valid. The scope 'wl.signin wl.basic wl.skydrive wl.skydrive_update' requires that the request must be sent over a secure connection using SSL.
Microsoft now requires that the redirect URI use SSL for all authentication redirects. Localhost is exempt, which is why it worked there. If you want to allow login using Microsoft Account, you need to have SSL support on your site.
Also: it looks like you are using the very old LiveSDK for JavaScript, which isn't recommended any more since it doesn't support the newer OneDrive API. While there isn't a OneDrive SDK for JavaScript, you may find the sample code in OneDrive-Explorer-JS helpful to handle authentication without using the LiveSDK code. In particular, odauth.js should do pretty much everything you need.
I have an interesting problem. We have set up the Thinktecture Authorization Server from the trusty Identity Server 2 and gotten it to work a few months back. It is configured as a relying party for an already existing corporate identity server, so when we use the Code Flow example, click the "Start authorization handshake" we bounce over to the identity server, supply our credentials and get bounced back to the callback of the code flow with an access code, click the Get Token, and are granted with this fine jwt token. All seems fine.
However,
When we try this either from, for instance, postman, or our app development team from their development devices (android and iphone), it starts fine but when we call the token endpoint with our newly minted access code we get an "Anonymous client" response.
Looking at the web example from the CodeFlow example I see it posts basic authentication including a base64 value of the secret wich is missing from postman and our app team. I see no reference to this in the CodeFlow example so I have no idea where this comes from. If I hard code the Authorization BASIC [including the Base64 secret I snatched from the previous example] it does not change anything.
We'be been stuck for several days on this so any help would be gratefully appreciated. Any Ideas?
After a lot of recearch and hair pulling it seems the Postman client we are using does not support Code Flow and therefore does not include the Authorisation header we are missing. After capturing the traffic from Postman with Fiddler we manually added the basic authorization header with the client name and secret and got everything working. So as of now, postman does not work.
I hope postman does add support for codeflow in the future.
Atli