I'm trying to implement openid with okta using the okta widget. The documentation can be found here:
https://developer.okta.com/code/javascript/okta_sign-in_widget
I've got the widget rendering and I've modified the AccountController Login Method to return a Challenge Response.
if (!HttpContext.User.Identity.IsAuthenticated)
{
    // Pass the widget's sessionToken to the Okta handler (it ends up on the
    // authorize request) and return to the dashboard once sign-in completes.
    var properties = new AuthenticationProperties();
    properties.Items.Add("sessionToken", sessionToken);
    properties.RedirectUri = "/app/dashboard";
    return Challenge(properties, OktaDefaults.MvcAuthenticationScheme);
}
return RedirectToAction("Index", "Home");
I did this based on the okta example at https://github.com/oktadeveloper/okta-aspnetcore-mvc-example.
The okta sample works. But with my aspnetzero test project, I get a cors error after the challenge response.
Failed to load https://dev-586182.oktapreview.com/oauth2/default/v1/authorize?client_id=0oagaur4ukBFH91Od0h7&redirect_uri=http%3A%2F%2Flocalhost%3A62114%2Fauthorization-code%2Fcallback&response_type=code&scope=openid%20profile%20email&response_mode=form_post&nonce=636749499861104637.OWVjOGM2MzItODVhNS00MWU5LWI2NDQtZmE3YWEzMGMwZjIyZmQ2ODQwNTAtYjNiOC00ZTkwLThlYWYtOWFlNGRjOGE3YmIw&sessionToken=20111HIi49zni2fMgl9HsggpGhLnukMlTvIK2gVVWL_3c6bK7Ijq0e3&state=CfDJ8LRmRAoWNcxFrJRw5HHQysQzWhO-9Kwx2z8FNwUZylHUEde9SLy_fcsk3YAUaFtO4Maw_FxyHaTnpyc-HbXgmhjZwXgD5J8krSwBJWR83XmqGngBVCQqfboIKo5SmrFjv8g-tKqPFpwRKuSlD6yEWU2Q8lflrLrM5J5OAQep-beiBQqqaUThPKFdAw3v2w9MfRs95rXE4QUHFLrnw3L2SqLCzESVXpa3xiL_NwyhgsG7l69Anb-kTONGrtCREhbAljxfdPRosd1H0BQWbWsgoSlPeDwBDAdldkMntzJyTYtRtUw31jJRyKZCBlY_xkOXGqQNHIbJbqbCKGjgD3lh2B1saAbjvFwKoNxfi-CJxxBeoEEqoO24BFAGRN4Yl095VUeXHBEu0uCJ1RHyn3a4VsAOO0TsmeE1nqTEZuKHSpks&x-client-SKU=ID_NET451&x-client-ver=5.2.0.0: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:62114' is therefore not allowed access.
When I look at Fiddler to see what the differences are between the two, I see the following:
Okta Sample:
GET https://dev-586182.oktapreview.com/oauth2/default/v1/authorize?client_id=0oagavcxawHIwhL0v0h7&redirect_uri=http%3A%2F%2Flocalhost%3A50336%2Fauthorization-code%2Fcallback&response_type=code&scope=openid%20profile%20email&response_mode=form_post&nonce=636749485315680253.YWI5NmM0OTYtNmI5ZS00ZDdhLWI3YmQtZGRlODEyZDhlYTg1MmI3MWI0NDAtMzY5Ny00MmRkLTk0NTItN2NjNGM3MDk3OWMy&sessionToken=20111TZBaJj2UhRVDGyRC1ibEgwfPHi7BpH1FtjrqQdWKgQQcWeQAa5&state=CfDJ8LRmRAoWNcxFrJRw5HHQysT_mCxdITM8LSpdFcyQylyYlrvf_IULJTU1bxCNDrA4fwJTYirtf3BbBfx4hqb6R3nfp6aZLY6LltGFrllXW8AxP8oGhPSLZt_dphp9MLFgnEiN2YbJwfoBfsclWolORc5l7o673dMOtOZm430zzDVQNybrio5Xl4e9NZKOCQ2UGvVR3T5T7NwbNG9jLbV-Wl15qeh6tDZJvtv6yC8glj9SnIqMwDpa-mGRE02NUG5UN8omJHDkqKu8xE8Da3P8lbeIZjTYKkEActLAmgZB1ZrtT6F_e_Jo2HJBmzZ61eP-Nisp0cNiX7wGs_axa5fjwR5KWyC4EWFyEPoDvDivFi46y9tz8citEr7u8F8K-XoUqO_pit1Tb6bDeGCr9peXXkxH5_El9jYXUWq_A4ZnEHkf&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0 200 OK (text/html)
AspNetZero Test:
OPTIONS https://dev-586182.oktapreview.com/oauth2/default/v1/authorize?client_id=0oagaur4ukBFH91Od0h7&redirect_uri=http%3A%2F%2Flocalhost%3A62114%2Fauthorization-code%2Fcallback&response_type=code&scope=openid%20profile%20email&response_mode=form_post&nonce=636749484127536656.NDc5OWM0MjAtNDExNy00NzAxLThkY2QtYjgyMTUyNDU4NDE0YzAyZDk5MzAtNTM3ZC00MDdiLThjYjctMjViYWNiNmRjYzVh&sessionToken=201115ITj3rXCMp473fVmULJCyQ4rpT3quS7wFqm9CYFVjSsWcMdLnH&state=CfDJ8LRmRAoWNcxFrJRw5HHQysSOL69ljb_XmubbdQRu6u5yvUlhVRVcs9GnQDv4GZzwhPviVtZcBZWfu5cu746suqp2hGeW4wMy9qUzH9lIpzQaR3fHe4h9jRLCmS4YG48VUy5jBcCaz7oOhmRBD2FqmqyMcd3_3gDRwU89UO9Acd5WEI-0CQ_mHy0GX24a9iVXNnCqftdPlPg8t-4x501UiOtIfTo7J0HRk5cI-WkX5R_gJa5rp5lHG-gMlQeEmKpBpBOmGFrEGBAJui0I-RercQP0rAnFYg2s_P5Oa1VrAC0U1sJ3TbMrbA9VYLBkiUM7K7rzueYh7os6uTsUeMDVv4qV3_67oQM1BmjbKyzL7hw2iLSjVcuaaS5BbgxWyb_QvgouezEHTsSbZcac0X1HrMu-CZ01YnUMlaMfdJMHzbum&x-client-SKU=ID_NET451&x-client-ver=5.2.0.0 200 OK ()
I think the difference is that for some reason the Okta sample results in a get whereas the AspNetZero response results in an Options that I think is then failing because of cors.
Any thoughts? I know this one is tricky. I can send you both projects so that you can try it yourself.
Thanks, Craig
I'm running it locally through Visual Studio. In the output window, I see the following. Not sure why the user is "null".
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:44077/Home/Secure
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Dev.Message","time":"2018-09-24T12:46:38.6354277Z","tags":{"ai.operation.parentId":"|1cf896f5-44eb375068b6ca69.","ai.operation.name":"GET /Home/Secure","ai.operation.id":"1cf896f5-44eb375068b6ca69","ai.internal.nodeName":"CTHOMPSON0C3C","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.location.ip":"127.0.0.1","ai.cloud.roleInstance":"CTHOMPSON0C3C"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"Request starting HTTP/1.1 GET http://localhost:44077/Home/Secure","severityLevel":"Information","properties":{"AspNetCoreEnvironment":"Production","DeveloperMode":"true","Method":"GET","Path":"/Home/Secure","Protocol":"HTTP/1.1","Scheme":"http","Host":"localhost:44077","CategoryName":"Microsoft.AspNetCore.Hosting.Internal.WebHost"}}}}
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed for user: (null).
It didn't work for me, but I honestly haven't had a ton of time to keep researching. The problem that I've got is that I want to add an ActionFilter that will use eTags so that clients will cache some API results, and those components have dependencies on the MVC dlls. As an example, this is one that I was going to try.
https://gist.github.com/madskristensen/36357b1df9ddbfd123162cd4201124c4
Is there anything built into ABP that would accomplish the same thing? Any advice?
Thanks, Craig
Trying to do a proof of concept that allows a third party application to use the embedded IdentityServer for single sign on. I can see that the IdentityServer is running because when I request http://localhost:62114/.well-known/openid-configuration, I get:
{
  "issuer": "http://localhost:62114",
  "jwks_uri": "http://localhost:62114/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "http://localhost:62114/connect/authorize",
  "token_endpoint": "http://localhost:62114/connect/token",
  "userinfo_endpoint": "http://localhost:62114/connect/userinfo",
  "end_session_endpoint": "http://localhost:62114/connect/endsession",
  "check_session_iframe": "http://localhost:62114/connect/checksession",
  "revocation_endpoint": "http://localhost:62114/connect/revocation",
  "introspection_endpoint": "http://localhost:62114/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "phone",
    "default-api",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at",
    "email",
    "email_verified",
    "phone_number",
    "phone_number_verified"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
The problem is that when I make a request to http://localhost:62114/connect/authorize, I get an error:
Full request:
http://localhost:62114/connect/authorize?client_id=implicit&redirect_uri=http%3A%2F%2Flocalhost%3A44077%2Fsignin-oidc&response_type=id_token&scope=openid%20profile%20email&response_mode=form_post&nonce=636731393554871981.ODg5OGYzOTYtNWVlMy00MWNmLWE1Y2MtY2ViNmVlNzBmZTZhNTcwNTM0NzktNzhkNC00ZGYzLThjYzgtMWRkZGM4OGVlNzk2&state=CfDJ8LRmRAoWNcxFrJRw5HHQysTVsGMPTIG8jR0PvpWOtlmzv6mv1PSS1SmG6ZeRprtHTf37KjojOFDAteGgRtkvVFZh94XUjvLpVPKCtkqDFTw5LyH3w0PxbJIZ08SX4t2c7HQhmfoou4zCOfevPq6bNgmW-mvUIEEDn1GQmleMrUz48gPlaa2Sp-pN87E7kMyfVcdQ7dnzsCPKevbT7qvdpZwwEFtjXXqj5fhxGXawezOAKTpaIlLPY1Z0MahhwIJELdO5Fm773h4-RYft9gr6730xR221nsp1Ma66kZrIklbVZutERJcPyoIJktOJJMvBJ32UVzrasdqPLV4lK4mQzn0&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
And the error:
HTTP/1.1 302 Found
Location: http://localhost:62114/home/error?errorId=CfDJ8LRmRAoWNcxFrJRw5HHQysSZzqNP2t0VE4h3EjoX9QLFs3G52aKE59RK1G27QDS4sMCpbWilnW9Tuucwl6HBTORZN7BG6pKpB1MfsqBJiQ-jD9mvVj1pABzybvQt2m0gTHFA7F-ZqD5nW-HHFGgfmt238snkhwI5Qw_dXOfjJWiij30JBg8S40174f7wlAi3b1uhIGpcicw6tj-UpWSBh-gI83-eNbKRvpZBDKPQZYadzNfKUNBSHvTSz4uzGTJvDCBIGdu-GZWfnZwhDtLuXi5_oxOhcMvh2wRed45l4pnHS6ADllB-pXwPF2LnkwvCwQ
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcY3Rob21wc29uLkdPU01DUEFSVE5FUlNcRG9jdW1lbnRzXFZpc3VhbCBTdHVkaW8gMjAxN1xQcm9qZWN0c1xBc3BOZXRaZXJvVGVzdFxUZXN0Q2FjaGVcVGVzdFxUZXN0XHNyY1xTbWMuVGVzdC5XZWIuTXZjXGNvbm5lY3RcYXV0aG9yaXpl?=
Date: Fri, 21 Sep 2018 15:09:15 GMT
Content-Length: 0
Thoughts on what I'm doing wrong?
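As an added example (not code from the thread or from AspNetZero), a Python check that compares an authorize request with the discovery document posted above; the embedded request mirrors the posted one with the nonce and state replaced by placeholders. It shows which parts of such a request discovery can vouch for, and that client registration and the redirect URI allow-list are not among them.

```python
import json
from urllib.parse import urlparse, parse_qs

# Discovery fields as posted in the thread, trimmed to the ones used here.
DISCOVERY = json.loads("""{
  "issuer": "http://localhost:62114",
  "authorization_endpoint": "http://localhost:62114/connect/authorize",
  "scopes_supported": ["openid", "profile", "email", "phone", "default-api", "offline_access"],
  "response_types_supported": ["code", "token", "id_token", "id_token token",
                               "code id_token", "code token", "code id_token token"],
  "response_modes_supported": ["form_post", "query", "fragment"]
}""")

# The posted authorize request with nonce and state replaced by placeholders.
REQUEST = ("http://localhost:62114/connect/authorize?client_id=implicit"
           "&redirect_uri=http%3A%2F%2Flocalhost%3A44077%2Fsignin-oidc&response_type=id_token"
           "&scope=openid%20profile%20email&response_mode=form_post&nonce=NONCE&state=STATE")

def check_authorize_request(url, disco):
    """Return a list of findings. An empty list means every check the discovery
    document allows has passed, so a rejection must come from per-client
    registration (client_id, redirect_uri allow-list, enabled grant types),
    which the discovery document never exposes."""
    findings = []
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if endpoint != disco["authorization_endpoint"]:
        findings.append(f"{endpoint} is not the advertised authorization_endpoint")
    for name in ("client_id", "redirect_uri", "response_type", "scope", "state"):
        if name not in q:
            findings.append(f"missing parameter {name}")
    rt = set(q.get("response_type", "").split())  # token order is not significant
    if rt and rt not in [set(t.split()) for t in disco["response_types_supported"]]:
        findings.append(f"response_type {' '.join(sorted(rt))} not supported")
    if "id_token" in rt and "nonce" not in q:
        findings.append("nonce is required when an id_token is requested")
    mode = q.get("response_mode")
    if mode and mode not in disco["response_modes_supported"]:
        findings.append(f"response_mode {mode} not supported")
    scopes = q.get("scope", "").split()
    if "openid" not in scopes:
        findings.append("scope must include openid")
    findings += [f"scope {s} not supported" for s in scopes if s not in disco["scopes_supported"]]
    ru = urlparse(q.get("redirect_uri", ""))
    if "redirect_uri" in q and not (ru.scheme and ru.netloc):
        findings.append("redirect_uri must be an absolute URL")
    return findings
```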
We're trying to add a new action filter to our application services. We're running the CORE/jQuery version (v5.3) of AspNetZero. The filter needs to inherit from IActionFilter, which requires a reference to Microsoft.AspNetCore.Mvc. The current Application project in AspNetZero does not have that reference, so we're not sure which is the best project in which to put the new filter. We've thought about just adding a new project to the solution, but we are not confident that is the best approach.
The second question is how do we register the new filter so that it can be used by a service. In this link (https://forum.aspnetboilerplate.com/viewtopic.php?f=5&t=10803&p=27013&hilit=action+filter+api#p27013), there is a reference to adding it in the startup class in the Web.Host project, but that project doesn't exist anymore in newer versions of AspNetZero. Can you point us in the right direction for that as well?
Thanks, Craig
Is there an easy way to send a calendar invitation? Ran across some examples here (https://esausilva.com/2016/11/17/create-ical-ics-files-in-c-asp-net-mvc-several-methods/) but wondering if there is a better way using ABP.
Thanks, Craig
Thanks!
I got it to work. My issue was that the walkthrough instructions were a little confusing (https://aspnetzero.com/Documents/Development-Guide-Xamarin).
The walkthrough says that "You can use either Web.Mvc or Web.Host to feed the Xamarin app." My issue was that the Web.Mvc app is configured to run on 62114 (host is 22742). I thought I'd be smart and switch the DefaultHostUrl to use 62114 as well and I'd be set. That worked for the host but for the tenants it makes a call back to the server to get the url for the tenant and comes back with port 22742. Hence my error.
Long story short. To avoid this, leave all the ports alone but run from the Host directory and not the Mvc directory.
I'm playing with the PhoneBook Core Xamarin demo application (https://github.com/aspnetzero/aspnet-zero-samples/tree/master/PhoneBook-Core). The app starts and I can login as the host no problem. If I try to switch to the default tenant and login, I get an error. I haven't been able to track down the error in the code. I've tried setting a breakpoint in the LogException method, but it never gets hit.
I'm trying to determine which keys/secrets in appsettings.config need to change for the purposes of securing our site.
There are a couple places in the default config file where there appear to be keys that should change. Specifically here:
"Clients": [
  {
    "ClientId": "client",
    "AllowedGrantTypes": [ "password" ],
    "ClientSecrets": [
      {
        "Value": "def2edf7-5d42-4edc-a84a-30136c340e13"
      }
    ],
    "AllowedScopes": [ "default-api" ]
  },
And here:
"JwtBearer": {
  "IsEnabled": "true",
  "SecurityKey": "AbpZeroTemplate_8CFB2EC534E14D56",
  "Issuer": "AbpZeroTemplate",
  "Audience": "AbpZeroTemplate"
},
Can these two secrets be safely changed? Is the JwtBearer section necessary?
Thanks, Craig
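As an added example (not code from the thread or from AspNetZero), a Python audit of the two values asked about above: it flags a secret that still equals the shipped template value, one that is too short for an HS256 key, or one with too little estimated entropy, and generates a replacement. The parent section names IdentityServer and Authentication are assumed from the template layout, since the post shows only the fragments.

```python
import math
import secrets
from collections import Counter

# The two values quoted from the thread's default config; anything still equal
# to them is a published secret shared by every unmodified deployment.
TEMPLATE_VALUES = {"def2edf7-5d42-4edc-a84a-30136c340e13", "AbpZeroTemplate_8CFB2EC534E14D56"}
MIN_KEY_BYTES = 32  # an HS256 key should be at least as long as the HMAC output

def estimated_entropy_bits(value):
    """Rough Shannon estimate from the string's own character frequencies."""
    n = len(value)
    return -n * sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def assess_secret(path, value):
    issues = []
    if value in TEMPLATE_VALUES:
        issues.append(f"{path}: unchanged template value, rotate it")
    if len(value.encode()) < MIN_KEY_BYTES:
        issues.append(f"{path}: shorter than {MIN_KEY_BYTES} bytes")
    if estimated_entropy_bits(value) < 128:
        issues.append(f"{path}: estimated entropy below 128 bits")
    return issues

def audit(config):
    """Check every IdentityServer client secret and, if JwtBearer is enabled, its key.
    The parent section names IdentityServer and Authentication are assumed here."""
    issues = []
    for i, client in enumerate(config.get("IdentityServer", {}).get("Clients", [])):
        for j, sec in enumerate(client.get("ClientSecrets", [])):
            path = f"IdentityServer.Clients[{i}].ClientSecrets[{j}].Value"
            issues += assess_secret(path, sec.get("Value", ""))
    jwt = config.get("Authentication", {}).get("JwtBearer", {})
    if str(jwt.get("IsEnabled", "")).lower() == "true":
        issues += assess_secret("Authentication.JwtBearer.SecurityKey", jwt.get("SecurityKey", ""))
    return issues

def new_secret():
    """Replacement value: 32 random bytes as URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(32)

# Constructed config reproducing the fragments posted in the thread.
POSTED_CONFIG = {
    "IdentityServer": {"Clients": [{"ClientId": "client", "AllowedGrantTypes": ["password"],
                                    "ClientSecrets": [{"Value": "def2edf7-5d42-4edc-a84a-30136c340e13"}],
                                    "AllowedScopes": ["default-api"]}]},
    "Authentication": {"JwtBearer": {"IsEnabled": "true", "SecurityKey": "AbpZeroTemplate_8CFB2EC534E14D56",
                                     "Issuer": "AbpZeroTemplate", "Audience": "AbpZeroTemplate"}},
}
```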