Thinktecture.Identity SAML token unauthorized - wif

I am using the Thinktecture.IdentityModel 4.0 samples for WebApiSecurity. I've modified the AdfsSamlClient to use our ADFS Server. I am able to get a SAML token from out ADFS Server using
var channel = factory.CreateChannel();
var token = channel.Issue(rst) as GenericXmlSecurityToken;
Then I try to make the service call
var client = new HttpClient { BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("AdfsSaml", saml);
var response = client.GetAsync("identity").Result;
And get a 401 - Not Authorized call.
I am not sure how to debug this. I have tracing for Microsoft.IdentityModel, but it is only information level trace, no errors or warnings, and nothing I am able to use to debug.
The interesting part of the service trace:
1.
Description OnEndRequest is redirection to IdentityProvider '/WebHost/api/identity'
2.
Description CreateSignInRequest
BaseUri https://[ADFS...]/adfs/ls/
wa wsignin1.0
wtrealm https://[WorkStation...]/WebHost/
wctx rm=0&id=passive&ru=%2fWebHost%2fapi%2fidentity
3.
Description Redirecting to IdentityProvider: 'https://[ADFS...]/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f[WorkStation...]%2fWebHost%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebHost%252fapi%252fidentity&wct=2013-09-30T17%3a35%3a04Z'
Thanks for any insight.

Main thing that springs to mind is to make sure the server knows how to handle the "AdfsSaml" scheme that you're using, so you'll want to make sure that your mapping is correct to your token handler.
One thing I tried was to create my own token handler, and mapped that as the token handler for the header. If you want, you can start with Thinktecture's own HttpSamlSecurityTokenHandler, and debug your way through that. Obviously, if it never hits it, then you've got a mapping issue somewhere.
I also found that if an exception was thrown in the ClaimsAuthenticationManager, it would report as unauthorized - even though the exception being thrown was something completely unrelated (in my case, an InvalidCastException). That stumped me for a while, because I hadn't realise that authentication had gotten so far down the pipeline and that validation of the token had actually been successful - I was just checking the HTTP response, which kept saying unauthorised - so make sure you're not being misled by anything trivial like that.

Related

Spring OpenFeign getting FeignException while I set followRedirect as false

I recently found that I can set the follow redirects as folase so that I can get to Location in the 302 response. But It goes to the fallBackFactory with exception feign.FeignException: [302 Found].
I read from another blog that if you want to stick with the 302 status code, you can change your Feign client definition to return a feign.Response
Can someone advise how do do this or any reference?
As mentioned I tried to set follow redirect as false it is still returning exception so I am struck how to overcome this
I Found the answer very straight forward.
import feign.Response;
#RequestMapping(method = RequestMethod.GET, value = "endpoint", consumes = "application/json")
Response apimethodname(#RequestParam String param1);
This way it does not go to FallBack and we have complete control to check the status.

Auth0 OAuth2.0 redirect 500

Is it ever expected to see a "500" status response during the final redirect from an OAuth2 provider?
server_error: Unable to issue redirect for OAuth 2.0 transaction
I'm trying to determine if this is ultimately the provider Auth0's error (it seems to be) or mine. If it were mine I'd expect a 400 series error. It is possible to have hooks or rules, could these result in 500-series errors in a scenario like this? I would also anticipate a more specific 500-error not 500 but another available number like 599 for lack of a better example.
My more specific case has something like:
new auth0.WebAuth({
domain: '....auth0.com'
,clientID: 'theid...'
,callbackUri: 'http://localhost:8080/'
,audience: 'http...',
,responseType: 'token id_token'
,scope: 'openid profile'
,leeway: 60
});
success then 500 for /login/callback?state=... on return
I misspelled the callback field, it should be redirectUri (not callbackUri above)! Auth0 tech support was kind enough to point this out.
I also asked about changing the error from 500 internal server error to 400 "Bad Request" to indicate a missing client-provided detail per my read of the details
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
details for 400 (and the rest) https://www.rfc-editor.org/rfc/rfc7231#section-6.5.1

502 Bad Gateway on POST/PUT Web API Calls from ASP.NET Core MVC

I'm getting strange errors in ASP.NET Core when calling Web API that I have created for the application. GET requests go through fine and return all of the data that they should, but my POST/PUT commands all return a 502, specifically from the MVC application. I can call the API's from Postman and get a proper response and the object is created in the database.
502 - Web server received an invalid response while acting as a
gateway or proxy server. There is a problem with the page you are
looking for, and it cannot be displayed. When the Web server (while
acting as a gateway or proxy) contacted the upstream content server,
it received an invalid response from the content server.
I am impersonating an Integrated Windows Login with the following code for all web requests to the API:
async Task Action()
{
response = await _service.CreateIncident(model);
}
await WindowsIdentity.RunImpersonated(identity.AccessToken, Action);
CreateIncident(model):
using (var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true }))
{
var newIncident = new StringContent(JsonConvert.SerializeObject(model), Encoding.UTF8, "application/json");
var response = await client.PostAsync(hostUri, newIncident);
return response;
}
There is also one GET Request that I make through Ajax to get an incremented ID to display to the user before they create their new Incident that returns a 502 Bad Gateway as well. Is this an IIS Setting that is incorrect?
If you use WindowsIdentity.RunImpersonated and an asynchronous function, it will not work. You must be synchronous when doing non-GET requests. I have updated my GitHub issue, I'm hoping to get this bug addressed. If you are a future visitor to this topic, you can see where this ended up here.
I think it also depends on the size of the data. Smaller packages work, larger ones don't.

ServiceStack request giving 500 for large request

I am using ServiceStack with MVC4 and getting 500 error when request parameters are long. I am posting ProductIds seperated by commas to controller via AJAX. In controller I have following call to servicestack API to retrieve data.
ResponseDTO res = restClient.Get(new RequestDTO { ProductIDs = ids});
//ResponseDTO res = restClient.Get(new RequestDTO { ProductIDs = "1234,1235,1236"});
If i submit small parameters in above, it works fine with no error. But when parameter string is in range of 1800 characters, it simply fails on above line and gives 500 Internal Server Error:
NetworkError: 500 Internal Server Error - http://localhost/Products/GetProducts
Exception Details: ServiceStack.ServiceClient.Web.WebServiceException: Not Found
is there a limit on GET method for posting large parameter request? Why does it fail for large request when for small parameters it successfully calls API, retrieves data via SQL procedure and sends to view correctly. What can I look into to solve this? Thank you!
p.s. when i debug via VS2012, i see exception details I see Message:Not Found and StatusCode: 404.
As Scott mentioned above, we tried POST for all methods and it fixed issue. I knew GET had limit on browser URL length but didnt think it matters as we had ServiceStack framework and all of their examples were using GET. Thanks again Scott.

Grails Rest Client Builder POST Return Error/Exception

I've been working with the grails plugin: 'grails-rest-client-builder:2.0.1'
https://github.com/grails-plugins/grails-rest-client-builder/
I'm experiencing an odd issue when I POST some data to a web service, a 500 Exception, even though the POST indeed is working successfully.
Class
java.lang.NoClassDefFoundError
Message
org/springframework/util/StreamUtils
Around line 195 of PageFragmentCachingFilter.java
if (CollectionUtils.isEmpty(cacheOperations)) {
log.debug("No cacheable annotation found for {}:{} {}"
new Object[] { request.getMethod(), request.getRequestURI(), getContext() });
chain.doFilter(request, response);
return;
}
The response that is coming back from the web service should look like this:
{"id":"9999","key":"IX-2247","self":"https://jira.xxxx.com/rest/api/latest/issue/9999"}
Again, the web service is correctly getting the values that I pass into it, and I verified this by checking the application that I'm posting to and I do see what I expect. Not only that, but I also receive an email from the system that I am POSTing to, and the email contains the correct values from the Grails application.
Here's the POST that I'm using:
def rest = new grails.plugins.rest.client.RestBuilder()
def resp = rest.post("https://jira.xxxx.com/rest/api/latest/issue/"){
auth "Basic xxxx"
contentType "application/json"
json builder.toPrettyString()
}
My hypothesis is that perhaps the issue is that the rest-client-builder is having some kind of issue with the response that is being returned from the web service.
Has anyone encountered anything like this before, where the service is working, but Grails throws a 500 error, even on a successful POST?
Please let me know if I need to provide additional information.
Thanks in advance!
Thank you all for the replies. I ended up upgrading my Grails application to 2.3.5, from 2.2.3 and now the code (above) works perfectly. The 500 error disappeared completely.

Resources