We are running a few ASP.NET Core APIs in a Docker Swarm with nginx as the reverse proxy server.
We have been running this setup for a while without any issue. However, recently we added an SSL certificate that we got from Let's Encrypt. Since then we notice that after we hit the /api/TokenAuth/Authenticate endpoint and get assigned a Bearer token, if we try to make a subsequent call using the token that was just assigned, the call sometimes fails and we get a 302 (it works about 40% of the time). It seems that if we try using that same token again after some time has passed, then the call works.
It's strange that this only seems to be an issue if we have SSL (HTTPS) on.
I cannot replicate the issue locally. It seems to only show up when the API is deployed to our Docker Swarm (which is running nginx and the API as containers; nginx handles the SSL cert).
Does anyone have any idea what the issue might be? Has anyone experienced something like this before that could point me in the right direction?
There are two console captures below: the top one is an example of it working, where I got the expected results back; the bottom is the response when it fails.
I found the issue. We have 3 instances/replicas of the API that are set to issue the token. The server time on each server seems to be off by seconds. Therefore, if the server that issues the token is ahead of the server that processes the subsequent request, then the token is not valid yet.
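The clock-skew failure described in that answer, reproduced as an added example (this is not code from the original post, nor from the ASP.NET Core JWT bearer library): a minimal HS256 JWT issuer and validator written against Python's standard library, where the issuing replica stamps nbf with a clock that runs a few seconds ahead of the validating replica's clock. The signing secret, subject and timestamps are constructed for the example; the leeway parameter plays the role of the clock-skew tolerance a real validator exposes.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed for this example: the key every replica shares for signing/verifying.
SECRET = b"shared-signing-key-for-all-replicas"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(now: int, lifetime: int = 3600) -> str:
    """Mint an HS256 JWT the way an issuing replica would: iat/nbf/exp come from ITS clock."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user42", "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: int, leeway: int = 0) -> Tuple[bool, str]:
    """Check alg, signature, then nbf/exp against THIS replica's clock, tolerating `leeway` seconds."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    # The two time checks are where inter-replica drift shows up.
    if claims["nbf"] > now + leeway:
        return False, "token not yet valid"
    if claims["exp"] <= now - leeway:
        return False, "token expired"
    return True, "ok"


def simulate(skew_seconds: int, leeway: int) -> Tuple[bool, str]:
    """Issue on a replica whose clock is `skew_seconds` ahead, validate on one that is not."""
    validator_now = 1_700_000_000          # constructed epoch time on the validating replica
    issuer_now = validator_now + skew_seconds
    token = issue_token(issuer_now)
    return validate_token(token, validator_now, leeway)


if __name__ == "__main__":
    print("issuer 3 s ahead, no leeway :", simulate(3, 0))   # rejected: not yet valid
    print("issuer 3 s ahead, 5 s leeway:", simulate(3, 5))   # accepted
    print("clocks in sync               :", simulate(0, 0))  # accepted
```

The durable fix is the one the answer implies, NTP on every node so the replicas agree on the time; the leeway only masks drift that is smaller than the tolerance. ASP.NET Core's JWT bearer validation exposes this tolerance as TokenValidationParameters.ClockSkew, and its library default is five minutes, so seeing seconds of drift bite usually means that allowance was lowered somewhere in the application.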
I have been struggling for a long while trying to determine the correct approach to use the omniauth-facebook gem.
I am running my API on port 3001 while my frontend (in my case coded in ReactJS) is running on port 3000. As per what I have been researching, this is a common issue, but there is not a clear answer nor documentation here. I am not expecting to use any additional SDK, as I understand that this gem should handle all I need to simply log in through FB.
When manually running http://localhost:3001/auth/facebook in the browser, I can see on the Rails console that the route is being hit and things are moving forward as expected; also, I am seeing that the callback route is hit and I am getting back a JSON with UID, client and auth_token.
However, when trying to reach this through my React app, I am getting a CORS error. I am simply making an axios.get('/auth/facebook'), which gets routed into my API as I have configured the proxy to pass calls received on my frontend into the API. My console seems to be hit by my request, as I am seeing the following:
However, on the Chrome console, I am seeing a CORS issue as per the following image:
For sure, I have already tried adding the following code snippet and still getting the same error:
Having said this, could someone answer me the following questions:
Which is the expected way to trigger the initial call into the /auth/facebook route? Kindly do not forward me to read the main repo doc, as it does not give this solution there.
Has someone solved the present issue in a way which is not by adding a link to http://localhost:3001/auth/facebook? Would this be a correct approach? It sounds weird to me.
I am trying to create an OData model in SAP UI5 this way:
new sap.ui.model.odata.ODataModel("http://services.odata.org/Northwind/Northwind.svc/");
but I am getting a 501 Not Implemented error!
Could you please check what's wrong?
Thanks
As far as I can see it, the service is not really CORS-enabled. I have the same problem with my own examples here, as soon as I am not using some kind of proxy, I get this error.
The reason behind it is that when you send a complex request to the service, you'll automatically have a so-called preflight request sent by your browser (before the actual GET) which is not a GET request, but an HTTP OPTIONS request.
All the odata.org sample services return a 501 error at the moment for such requests.
You can e.g. use the simpleProxyServlet which is shipped with UI5, or of course any other proxy which would solve this.
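The preflight exchange that answer describes, as an added example (not code from the original answer, from UI5, or from the odata.org services): a small Python model of the browser's CORS decision and of two services, one that answers OPTIONS with 501 like the services in the question and one that handles the preflight properly. The allowed origin (http://localhost:3000), the allowed header list, and the assumption that the client adds a non-safelisted header such as MaxDataServiceVersion (which is what turns a plain GET into a preflighted request) are all constructed for the example.

```python
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]
Service = Callable[[str, Dict[str, str]], Response]

# Per the Fetch spec's CORS-safelisted method/header/content-type lists.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """Browser-side rule: anything beyond a 'simple request' triggers an OPTIONS preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname == "origin":
            continue
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


def legacy_service(method: str, headers: Dict[str, str]) -> Response:
    """Behaves like the sample services in the question: OPTIONS is not implemented, no CORS headers."""
    if method == "OPTIONS":
        return 501, {}, "Not Implemented"
    return 200, {}, '{"value": []}'


# Constructed policy for the CORS-enabled variant.
ALLOWED_ORIGINS = {"http://localhost:3000"}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_HEADERS = {"content-type", "dataserviceversion", "maxdataserviceversion"}


def cors_enabled_service(method: str, headers: Dict[str, str]) -> Response:
    """Answers the preflight with an explicit allow-list and echoes the origin on real responses."""
    origin = headers.get("Origin", "")
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        req_method = headers["Access-Control-Request-Method"]
        req_headers = [h.strip().lower() for h in headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
        if origin not in ALLOWED_ORIGINS or req_method not in ALLOWED_METHODS or any(h not in ALLOWED_HEADERS for h in req_headers):
            return 403, {}, ""      # deny: never reflect arbitrary origins or headers
        return 204, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": "600",
            "Vary": "Origin",
        }, ""
    resp_headers: Dict[str, str] = {}
    if origin in ALLOWED_ORIGINS:
        resp_headers["Access-Control-Allow-Origin"] = origin
        resp_headers["Vary"] = "Origin"
    return 200, resp_headers, '{"value": []}'


def browser_fetch(service: Service, method: str, headers: Dict[str, str], origin: str) -> str:
    """What a page at `origin` gets back from a cross-origin XHR/fetch, including the CORS gate."""
    headers = dict(headers)
    headers["Origin"] = origin
    if needs_preflight(method, headers):
        preflight = {
            "Origin": origin,
            "Access-Control-Request-Method": method,
            "Access-Control-Request-Headers": ", ".join(sorted(h.lower() for h in headers if h.lower() != "origin")),
        }
        status, pre_headers, _ = service("OPTIONS", preflight)
        if status not in (200, 204) or pre_headers.get("Access-Control-Allow-Origin") not in (origin, "*"):
            return "blocked by CORS (preflight failed)"
    _, resp_headers, body = service(method, headers)
    if resp_headers.get("Access-Control-Allow-Origin") not in (origin, "*"):
        return "blocked by CORS (no Access-Control-Allow-Origin on response)"
    return body


if __name__ == "__main__":
    ui5_headers = {"MaxDataServiceVersion": "2.0"}   # assumed non-safelisted client header
    print(browser_fetch(legacy_service, "GET", ui5_headers, "http://localhost:3000"))        # preflight gets 501
    print(browser_fetch(cors_enabled_service, "GET", ui5_headers, "http://localhost:3000"))  # body comes back
```

The model makes the two failure modes in this thread distinguishable: the 501 the question sees is the preflight failing before the GET is ever sent, while a simple GET with no custom headers is sent but its response is then discarded for lacking Access-Control-Allow-Origin. A same-origin proxy, as the answer suggests, sidesteps both because the browser never sees a cross-origin request at all; if you do enable CORS on the service instead, keep the origin and header allow-lists explicit rather than reflecting whatever the request carries.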
You are getting this error because your browser will refuse this request due to the same-origin policy. Here is what you should do:
1. Deploy the app on the same server or domain as the service that you want to call, so that both resources are in the same origin (if possible).
2. Disable the same-origin policy in the browser for local testing. Run Chrome with the following command: [your-path-to-chrome-installation-dir]\chrome.exe --disable-web-security --user-data-dir. Make sure that all instances of Chrome are closed before you run the command. This allows all web sites to break out of the same-origin policy and connect to the remote service directly.
-> Don't do this in your productive app as it imposes a security risk.
3. Use a proxy.
The following documentation should help you understand this more and implement:
Connecting with OData Service
Request failing due to Same-Origin Policy (CORS)
Please use "proxy/http/services.odata.org/Northwind/Northwind.svc"; I think it will solve your problem!
We currently have a set up with a load balancer carrying out SSL offloading, an http server and a websphere app server. Having got over the initial hurdle of the offloading preventing CAS from thinking it was running under https (which we got around by using the httpsIndicatorHeader variable), we now have another issue. Despite the fact we can see CAS redirecting to the target application, the 'handshake' seems to fail, showing a loop of tickets being generated and tried, but never actually validating, and the target application is never reached. There do not seem to be any errors being generated however.
Has anyone experienced anything similar before?
Cheers,
Rob
After investigation, the problem was that the application redirect url set up in websphere was pointing to the original url, rather than suffixing /j_spring_cas_security_check. This caused the circular loop to occur without any attempt to validate the ticket.
For the past several days I've been working tirelessly to set up a test environment for development with WIF & ADFS 2.0. One of the problems that I am up against is that my home environment only has one IP address and I wasn't about to stick ADFS on my main server. Therefore, I've created a dedicated virtual machine for FS (idp.yyy.local).
For the sake of not having direct links back to my site, 'yyy' refers to 'dgdev'. (image below)
The strange thing is, it's partially working. Here is an image detailing my infrastructure.
What's odd is that I can browse 'idp.yyy.net' in both normal HTTP and HTTPS just fine. I can also view the WS-Federation Metadata perfectly. Now, I'm quite new to ADFS, but I expect that when going to http://idp.yyy.net/adfs/services/trust it would redirect me to a Windows SSL login. Instead all I'm receiving is:
Service Unavailable
HTTP Error 503. The service is unavailable.
I am using the same SSL certificate on the FS Proxy and FS. Its subject is my main domain name yyy.net. It has several Subject Alternative Names so that I can host multiple IIS web sites with SSL with my single IP:Port.
CN = yyy.net
DNS Name=www.yyy.net
DNS Name=idp.yyy.net
DNS Name=idp.yyy.local
...
IP Address=192.168.1.2
IP Address=192.168.1.3
IP Address=192.168.1.4
...
Does anyone have any idea why I'm seeing 503 Service Unavailable errors? Nothing is showing up in Event Viewer as an error (except annoying things with AppFabric, but that's another issue I've yet to touch).
Thanks in advance! Actually, many many thanks. I've exhausted every avenue and idea I could come up with for why this might be "broken".
If anyone has an idea how I can debug this issue, I'd certainly accept that as a solution. I've tried IIS Failed Request Logging but nothing is being generated. Where/what is hosting the ADFS services?
Things I've already looked at:
All AppPools are running.
The old ADFS 1.0 web service (asmx) is accessible just fine.
I can access issuer endpoints directly ... or at least 'windowstransport'
Well turns out everything has been working all along!
I spent a couple hours ensuring the certificate was created properly. Then after still seeing 503 & 403 errors, I realized that my proxy server AppPool for the \Default Web Site was running under "ApplicationPoolIdentity" - which is really the user:
IIS AppPool\DefaultAppPool.
I never gave that user read privileges to the ADFS certificate private key. Hence the reason I saw a 403 Forbidden instead of 503. After switching the AppPool over to Network Service ... voila!, 503 Service Unavailable.
So now I was sure my proxy server and ADFS server were talking just fine. Now why was I still seeing 503 Service Unavailable?!?
I told myself to create a test application anyway. In visual studio, I setup a new MVC 3 Web App. Added my existing STS-Reference. Setup a dummy claim and updated the application's FederationMetadata. Added the new Relying Party to ADFS.
Opened my browser to the web app and instant success!
> GET) https://mywebapp/
> Response-Redirect) Location header kicks me to my IdP (ADFS)
https://idp.yyy.net/adfs/ls/?wa=wsignin1.0&wtrealm.........
> I sign-in with proper credentials
> POST) https://mywebapp/login << AWESOME!
I have a Node.js server where I am using Socket.IO to stream content to the browser. It works great for about 45 minutes or so of streaming, then it will usually cut out. There are no "errors" reported in the terminal and the Node server acts like it is in, however the page I am serving clearly stops working.
What are my options for trying to get to the bottom of this? Could this be a configuration issue with Node/Socket.IO? is there any basic error logging you would recommend I setup?
Hard to say without seeing your code, but Socket.IO for NodeJS requires a heartbeat to maintain connection. It could be a bug in the client code for sending the heartbeat.
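A heartbeat watchdog of the kind that answer refers to, as an added example in Python (not code from the original post or from Socket.IO itself): the server records the last heartbeat per client and silently drops any client whose heartbeat is overdue, which matches the symptom in the question, a page that stops working with nothing reported in the server's terminal. The 25-second interval, 60-second timeout, the client name and the client that stops sending heartbeats after 45 minutes are all constructed for the example, not read from any Socket.IO configuration.

```python
from typing import Dict, List, Optional


class HeartbeatMonitor:
    """Server-side liveness tracking: a client that stops pinging is dropped without any error."""

    def __init__(self, interval: float, timeout: float):
        self.interval = interval          # how often a healthy client is expected to ping
        self.timeout = timeout            # silence longer than this means the client is gone
        self.last_seen: Dict[str, float] = {}

    def connect(self, client_id: str, now: float) -> None:
        self.last_seen[client_id] = now

    def heartbeat(self, client_id: str, now: float) -> bool:
        """Record a ping. Returns False if the server has already dropped this socket."""
        if client_id not in self.last_seen:
            return False                  # the client must reconnect; late pings are ignored
        self.last_seen[client_id] = now
        return True

    def reap(self, now: float) -> List[str]:
        """Drop and return every client whose last heartbeat is older than the timeout."""
        dead = [cid for cid, seen in self.last_seen.items() if now - seen > self.timeout]
        for cid in dead:
            del self.last_seen[cid]       # no exception, no log line: the stream just stops
        return dead

    def is_connected(self, client_id: str) -> bool:
        return client_id in self.last_seen


def simulate(client_stops_at: float, interval: float = 25.0, timeout: float = 60.0,
             end: float = 4000.0) -> Optional[float]:
    """Drive the monitor with a constructed clock; return when the server dropped the client, if ever."""
    mon = HeartbeatMonitor(interval, timeout)
    mon.connect("browser-1", 0.0)
    dropped_at: Optional[float] = None
    now = 0.0
    while now <= end:
        if now <= client_stops_at:        # a buggy client silently stops pinging after this point
            mon.heartbeat("browser-1", now)
        if mon.reap(now) and dropped_at is None:
            dropped_at = now
        now += interval
    return dropped_at


if __name__ == "__main__":
    # A client whose heartbeat dies at 45 minutes is reaped about a minute later.
    print("dropped at (s):", simulate(client_stops_at=45 * 60))
    print("healthy client:", simulate(client_stops_at=10 ** 9))
```

If the cut-out in the question lines up with the heartbeat timeout rather than with any content event, that is the place to look: log each reap on the server side, and on the client side log the library's own disconnect and reconnect events so a dropped socket shows up somewhere instead of failing quietly.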