I have Asp.Net 4.6 webAPI application workking with JWT. I am using the Okta authorization code flow/token exchange to get the token. I then use the token in all my requests. Everything works fine when using my Okta dev endpoint, but when I use our production Okta endpoint, authenticated requests fails. The authorization, and code/token exchange works fine, but when I request data to my WebApi controller with the [Authorize] attribute, the request doesn't seem to return anything, even an error. In fact the request in chrome shows that the request never finishes. (Though the preflight OPTIONS request does get a 200). I can also see the request in Wireshark, and that a response is never sent.
The most obvious answer is that there is something I have a configuration issue either in my code, or or on the production Okta endpoint which is causing the Authorize attribute to silently fail. But my main concern is that I can't seem to find a way to debug it. I tried inheriting from the Authorize attribute, and overriding all the methods to see if I can determine anything by putting breakpoints in those methods, but the methods OnAuthorization, IsAuthorized, HandleUnauthorizedRequest, etc seem to never get called.
Which is the best way to debug there? Is there an Asp.Net event I can hook into to see what is being sent/returned to Okta to validate the incoming token?
Why is it silently failing? This seems like an error that by design should bubble up.
This most probably is because your production does not have API access management. In your preview org. you have API AM for free thus it works. In your production org. you gotta buy the feature. To test on each org. go to Okta admin dashboard > security > API. You might see "authorization servers" tab for one but not the other.
Another issue might be, if your issue is your Org. URL then Okta does not give out the key to the token cannot be verified locally.
it is hard to say without looking at your configuration but the above two scenarios are very common
Related
I have an API developed in .NET 5.0 in which I implemented Swagger.
Right now I have a endpoint in which the user obtain a JWT Token with a user and password and this token is used to authorize into swagger like below:
Authorize
Everything works fine to this point.
But now I want to implement and endpoint in which the user has to introduce this token to authorize swagger in order to use the API.
It is possible have these two validation? I want the user authorize through the button if they use the website but if they use postman (or another API) have to use the authorize endpoint.
I have searched to try this implementation and I found IOperationFilter but I'm not sure if its what I need
I don't have a clear idea about this, but if I understand what you want to do correctly, you want to remove the security measures in requests made through the website.
While doing this, you can create a public token or define a guest or similar role and perform the transactions that occur on the website as if you are playing this guest role.
But finally, I must say that your request will cause a major security vulnerability. Also, keep in mind that every transaction performed on the website can be easily imitated by tools such as postman. This will completely override your other security measures.
We're developing an API and it uses authentication.
During development and debugging I'm constantly starting the api, sending requests with postman etc. But we also use Swagger and I would like to be able to just click on some GetMethods to free up my postman tabs a little.
I know this goes against what authentication is about, but can i set a default user or a default token? I know I can add authentication to swagger and paste in the token, but I would need to do this every time.
I would assume there'd be a simple option to set a default during debugging, but I cant find anything. Is it just not possible?
I also thought about simply not using Authentication when started in debug, but a lot of controller actions need the logged in user.
Context
I am trying to write some integration tests that verify correctness of my RESTful Web API service (.NET Core-based).
To make requests that mimic the user's browser requests I'd need to configure an HttpClient's headers to include Authorization: Bearer {test-user-1-bearer-token}.
Problem
My issue is that I can not find a way to programmatically retrieve the bearer token(s) for the test user(s) I created by hand.
What I tried
According to my research of the Auth0 Architecture Scenarios the only one that could work for me is called Server Application + API.
That scenario relies on retrieving an access token for the testing Application (not a bearer token for a user the code is trying to impersonate).
As far as I understand, this prevents me from having multiple test accounts, which I need to have to be able to test complex, multi-user interaction scenarios around my Web API.
Alternative approach
Instead of using a real production-ready Authentication middleware, I could use a custom middleware when running the service instance for testing.
An environment variable, for example, could drive the decision about which AuthN middleware to enable.
That custom middleware could rely on a non-JWT token source (e.g. custom HTTP Header) to bypass the Auth0 authentication. 🤔
It would be nice to be able to test with Auth0 playing its role, however.
Ugh
I suspect that my question is off-topic because I'm not providing code.
Hopefully, I at least get some answers or comments that give me a clue.
For integration tests you could check if your auth service supports Resource Owner Password Validation flow or Client Credentials flow - it would be easier to obtain access token.
If you still going to do it with Implicit flow - there's a similar question answered - https://devforum.okta.com/t/unit-testing-and-implicit-flow/1210/3. You would need to change from Okta auth service to yours.
P.s.
That scenario relies on retrieving an access token for the testing Application (not a bearer token for a user the code is trying to impersonate)
Bearer token is an access tokens. No matter who bears it, testing app or end user.
I've created a new Blazor app using the Visual Studio template adding B2C using the wizard during the project creation.
All works great with authentication. I can sign in using my favorite identity provider and receive the id_token. I don't know where I can get the id_token, but I can see the claims in my user identity.
What I need help with is how do I take the information in the claims to acquire the access token. I need this token to call my endpoints.
This seems like it should be straightforward and a common thing, but I can't seem to find any good examples.
In a normal MVC app, I can get this through the ConfidentialClientApplicationBuilder.AcquireTokenByAuthorizationCode but that doesn't work in Blazor (unless I'm doing something wrong).
I've tried this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-access-tokens
I think it'll work. How do I get "code"(id_token) in my blazor app? It's what is decoded behind the scenes and all I can find are the claims resulting from decoding the "code".
I've used the azure's "Run user flow" to access an example id_token("code") and pasted it into my project and made the call in the link above and it seems to work. I'm running into permission issues, but it's at least a successful call.
Maybe if I can just get access to the id_token I can make it work from there?
This seems like a client side app, similar to a SPA. In which case you must use the implicit flow, where the response type is “id_token token”, and returns an id token and access token to the browser in one call. This isn’t an exact answer, but only our MSAL.js library can make this type of call, but Blazor seems to use C#, and msal .net does not do client side auth calls. acquireTokenByAuthCode() would work client side as long as you register the app as a native app, so a secret is not required.
There are 2 WebApi Projects on different servers. One of these servers (WebApi-A) has OAuth2 authentication workflow setup with Authorization Server and all.
The another WebApi project (WebApi-B) has an end point that I would like to Authenticate through [Authorize] attribute. I don't want have a new authorization server but to utilize (WebApi-A's) authentication process just to validate the token.
From what I understand if the machine-key is same across these server. We can essentially replicate the authentication process from WebApi-A in WebApi-B without having to call WebApi-A at all.
How do I achieve this?
You could, in theory, pass through the JWT token and if your OAuth setup uses the same client secret and data store it should just work. You would have to ensure that you add the JTW token when requesting and to use some distributed cache to verify.
I would rather ask whether or not you should rather create a gateway that can handle and authenticate the requests and delegate them to the separate APIs? This feels like an identity server (http://docs.identityserver.io/en/latest/topics/apis.html) would solve your problem. Anything you do other than moving the authentication from web api A would just be a stopgap.
Duplicating the setup could work but that will mean that you have to now maintain it in two places. So I agree that doing that is less than ideal.
This is a great article that may aid you:
https://www.scottbrady91.com/OAuth/Delegation-Patterns-for-OAuth-20
This will have a lengthy answer so I will just leave you this diagram showing multiple Resource Server, Client, and a separate Authorization Server
Taken from this article Single sign-on across multiple applications (part II) which I hope could get you started.
you can use your token when login in web api and then you add the token to the header "Authorization" with bearer "your token"