I have everything set up and tried this example:
https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-b2c-dotnetcore-webapp/an-aspnet-core-web-app-with-azure-ad-b2c/
When i run it with the default fabrikam setup, it allows me to sign in and everything is fine. When i change the details to match my setup (which is working on my mobile app) it stops working. As soon as I click on Sign in on the example page, i get an error404
n unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 404 (Not Found).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel) in HttpDocumentRetriever.cs, line 96
InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel) in ConfigurationManager.cs, line 202
I am not really sure whats happening. Is this something wrong in my B2C setup?
Is this because my API that its targetting (the REST api app which is protected by B2C) is using framework 3.1 and this app is on 2.2? does that matter?
If it is because of that, does anyone have a working example of how to do this on net 3.1? I started off with that, but I was never able to get anything working - i just hit endless errors, and couldnt find a working example on 3.1 so I just used this one from MS docs and stuck with 2.2
All i want here is to be able to get an access token from B2C that i can pass to the headers of an HttpClient so i can make requests to my REST api. SO if there is a different way to go about this im open to that too.
note I didnt post code, as the link above is the exact code im using, other than my tenant info being subbed out.
Thanks!
I solved my issue... somehow I missed updating the file AzureADB2COptions
public AzureAdB2COptions()
{
AzureAdB2CInstance = "https://<tenant>.b2clogin.com/tfp";
}
I didn't update this to my tenant
Related
When I try to add a swagger endpoint from my logic app it fails even though it successfully fetches the content.
Failed to fetch swagger with error message: Invalid response: {"openapi":"3.0.1","info":{"title":"My Swagger API"
...
...
...} Ensure you have CORS enabled on the endpoint and are calling a valid HTTPS endpoint.
I tried trouble-shooting CORS in every possible way, but in the end what got it working was forcing version 2.0 of swagger:
app.UseSwagger(o => o.SerializeAsV2 = true);
Has anyone gotten swagger 3.x to work with Logic Apps?
Okay, I have replicated the issue on my end and I have observed the same issue with the my open API.
The key word to notice here is "OpenAPI" specification. This is not a swagger specification. I found the official document which clearly says Swagger(not OpenAPI). Please refer Call REST endpoints by using Azure Logic Apps
You can try work around for this by creating custom connector
I have successfully created Office 365 Group, added members and owners and now I am trying to provision a Team for this group. How am I supposed to provision it using MS Graph in .NET Console App?
I tried the following code but I am not getting my Team.
var team = new Team
{
GuestSettings = new TeamGuestSettings
{
AllowCreateUpdateChannels = false,
AllowDeleteChannels = false
}
};
await graphServiceClient.Groups[groupID].Team.Request().CreateAsync(team);
Response from the above code
Message: No HTTP resource was found that matches the request URI 'https://api.teams.skype.com/v1.0/groups('da87fc59-403b-4b0f-973f-f812d41143aa')/team'.
Inner error
Error Screenshot
Edit: I am using latest NUGET package for MS Graph extensions.
Edit 2: Tried to do following instead.
await graphServiceClient.Groups[groupID].Team.Request().PutAsync(team);
Got this:
Code: UnauthorizedAccess
Message: Failed to execute Aad backend request GetTenantSubscribedSkusRequest. Request Url: https://graph.windows.net/dc7b2a82-XXXX-XXXX-XXXX-46122279d033/subscribedSkus?api-version=1.6, Request Method: GET, Response Status Code: Unauthorized, Response Headers: ocp-aad-diagnostics-server-name: HmmXXX+7Su9HNJVjwqsmVjPsrXXXXXXXX/iNwuI3H74=
request-id: 9257706c-XXXX-XXXX-XXXX-bbf33b98da7d
client-request-id: f263695b-XXXX-XXXX-XXXX-9fdf185fXXXX
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 19 Jun 2019 13:20:18 GMT
Any suggestions?
Microsoft document says
If the group was created less than 15 minutes ago, it's possible for
the Create team call to fail with a 404 error code due to replication
delays. The recommended pattern is to retry the Create team call three
times, with a 10 second delay between calls.
I faced this issue and after the retry logic as suggested above it works fine all the time
Make sure you are using a Delegated authentication context (a user must be signed in) with the permission Group.ReadWrite.All
Make sure you have consented to the application permissions (from the API permissions screen of the application registration, you'll find a Grant Consent button all the way down)
Use the PutAsync method (today, as you mentioned, you must create the Office 365 group first and then enable Teams)
Can you confirm that the group actually gets created? "No HTTP resource was found that matches the request URI" often means that the graphServiceClient.Groups[groupID] doesn't work. Which is likely around permissions.
I noticed I have the same problem with application permissions. The one thing I have found that will unblock the code to work again is to create a team through the Graph Explorer and then I am good for a couple days.
Then the error comes back again and I create another team through the explorer and I can start creating like before. This tells me it is not a code problem but an issue on the Teams graph connection somewhere.
It was a service bug. Works now.
Link to service bug on GitHub
I am trying to setup a social login for my site.
Here is what I did:
I created credentials on google and have both ClientID and Secret
In default MVC app, in App_Start Startup.Auth.cs I uncommented
app.UseGoogleAuthentication()* method, so it looks like this:
Build solution!
Made sure authorized JavaScript origins and Redirect url are correct. And other things that are needed on console.cloud.google.com are done. Including activation of Google+ API
Eventually Google authentication button should appear in _ExternalLoginsListPartial partial view. But as I can see I have 0 login providers still. And not sure why, and what can I do about it?
var loginProviders = Context.GetOwinContext().Authentication.GetExternalAuthenticationTypes();
//loginProviders.Count() here returns 0
Tried researching, but most are saying that you forgot to build, or restart the server. Tried that but nothing changed.
As last resort, I tried following a tutorial https://youtu.be/WsRyvWvo4EI?t=9m47s
I did everything as shown there, I should be able to reach api/Account/ExternalLogins?returnUrl=%2F&generateState=true url, and receive callback URL from Google.
But I got stuck with same HTTP404 error at 9:50
To answer my question, everything turns out to be fine.
All I had to do was just to give it some time.
After couple of hours, Google provider appeared on the page.
For future readers - if met with 404 in this case, another possibility is an active filtering rule against query strings in IIS. One of the commonly copy-pasted rules aiming to block SQL injection requests scans the query string for open (to catch OPEN cursor). Your OAuth request probably contains this word in the scopes section (data you want to pull from the Google profile)
IIS -> Request Filtering
Switch to the tab "Rules"
Inspect and remove any suspicious active filters there
Recently I developed a asp.net core 2.0 web app in my company and in debug mode works perfect, however when I deployed in our testing server into IIS and we try to execute from a client machine it ran into a problem:
An unhandled exception occurred while processing the request.
CryptographicException: The key {0851ad3b-df33-4cf7-8c3a-5c637adaa713} was not found in the key ring.
Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, bool allowOperationsOnRevokedKeys, out UnprotectStatus status)
InvalidOperationException: The antiforgery token could not be decrypted.
Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(string serializedToken)
The problem starts when I submmit login page. I investigated links with same problems here and other blogs, but I found that has to be with ValidateAntiForgeryToken and solution is related with Microsoft.AspNetCore.DataProtection. I added nuget package Microsoft.AspNetCore.DataProtection.Redis to my project and I added in ConfigureServices of startup class following code:
var redis = ConnectionMultiplexer.Connect("192.168.10.151:80");
services.AddDataProtection().PersistKeysToRedis(redis, "DataProtection-Keys");
services.AddOptions();
Our testing server ip is 192.168.10.151, however app throws following exception:
RedisConnectionException: It was not possible to connect to the redis server(s); to create a disconnected multiplexer, disable AbortOnConnectFail. InternalFailure on PING
¿Why it doesn't connect since is resolving in the same web app server?
¿Where is DataProtection-Keys database located?
as a workaround, I changed method by using PersistKeysToFileSystem as follows:
services.AddDataProtection()
.SetApplicationName("myapp-portal")
.PersistKeysToFileSystem(new System.IO.DirectoryInfo (#"c:\ProgramData\dpkeys"));
However running app in test server 192.168.10.151, when login form is submitted, goes back to login page. Checking stdout log file, only shows:
Hosting environment: Production
Content root path: C:\inetpub\wwwroot\OmniPays
Now listening on: http://localhost:30064
Application started. Press Ctrl+C to shut down.
Checking network messages by chrome's developers tools I noticed something:
Request URL: http://192.168.10.151/OmniPays/Account/Login
Request Method: POST
Status Code: 302 Found
Remote Address: 192.168.10.151:80
Referrer Policy: no-referrer-when-downgrade
and then ...
Request URL: http://192.168.10.151/OmniPays/Home/Main
Request Method: GET
Status Code: 302 Found
Remote Address: 192.168.10.151:80
Referrer Policy: no-referrer-when-downgrade
AccountController's Login action redirect request to HomeController's Main action only if authentication succeded, and Main action has [Authorize] attribute. For some reasons I can't achieve understand, Main action fails and return to Login page. URL in chrome shows: http://192.168.10.151/OmniPays/Account/Login?ReturnUrl=%2FOmniPays%2FHome%2FMain
I'm using Microsoft Identity. In debug mode works fine and if I deploy app in my local PC on IIS also works fine. ¿Maybe any SDK is missing in the server?
Please need help!!
Solution was found! the cause of problem was not in IIS neither the Server, connection to the server is using http rather than https, no certifies involved to validate secure connection, however testing in differents servers app works ok, so I felt really disappointed. Solution was to remove cookies an any data related with this URL pointing to Development Server (failing) in all browsers, data that was previously stored, and voila!!, now app works perfect. By default, as bhmahler comments data protection is made in memory and I left configuration by default, I mean, not explicitly persistence in redis nor PersistKeysToFileSystem and works fine, however is important to set DataProtection to strong data sensitive protection.
I'm newbie about these topics and It's unbelievable such a simple thing caused on me that waste of time. Thanks to all!.
I am trying to wade my way through learning IdentityServer so that I can implement single sign-on at my workplace. I have a POC service running locally and when I request the configuration, this is the configuration that displays:
{"issuer":"https://localhost:44345/core","jwks_uri":"https://localhost:44345/core/.well-known/jwks","authorization_endpoint":"https://localhost:44345/core/connect/authorize","token_endpoint":"https://localhost:44345/core/connect/token","userinfo_endpoint":"https://localhost:44345/core/connect/userinfo","end_session_endpoint":"https://localhost:44345/core/connect/endsession","check_session_iframe":"https://localhost:44345/core/connect/checksession","revocation_endpoint":"https://localhost:44345/core/connect/revocation","introspection_endpoint":"https://localhost:44345/core/connect/introspect","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"scopes_supported":["openid","profile","email","roles","offline_access"],"claims_supported":["sub","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at","email","email_verified","role"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"grant_types_supported":["authorization_code","client_credentials","password","refresh_token","implicit"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"code_challenge_methods_supported":["plain","S256"],"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"]}
As part of this, you can see:
"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"]
However, when I send a request to the service, with responseType=id_token in the url, I get the error message:
The authorization server does not support the requested response type.
I have tried other responseType values but still get this error message.
I am basically a beginner at web security and IdentityServer, so I am sure I am missing something very basic.
This is pretty stupid. All of the examples online I have looked at for IdentityServer show the parameter as responseTypes (camel case). I think these examples must have all been done against an older version of the platform.
The correct parameter name to send is response_types.
The list of possible parameters that you can send to the authorization endpoint are listed on the following websites :
OpenId RFC : http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Identity server doc : https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
The correct parameter is "response_type" and not "response_types" :)