I have an application in Azure cloud with active and passive mode that automatically switches: when one is down, the other becomes active. Now I am trying to implement Azure Application Gateway in front of the application for high availability and failover check. It does the health check probe and, upon returning a 200 response code, it is able to identify the active node and routes the request to the healthy node as expected. However, when the application is using Basic Auth, then it throws a 401 error. I want to find a way to fix this within Application Gateway. I don't want to use any proxy services like Nginx or HAProxy to achieve this. Any help or suggestions are appreciated.
I assume it throws 401 until you authenticate again.
What is probably happening is that the browser is getting a token to authenticate to App1, and then you are trying to use that token to authenticate to App2.
Even when both App Services have the same code, for AAD those might be different applications.
To fix that, you need to make sure you are using the same Service Principal. When you set up Easy Auth, go to the Advanced tab and make sure that both app services have the exact same values everywhere:
The app
I have a web application on Microsoft Azure. The client is written in Vue.js and hosted via a Windows App Service. The server is built using Azure Functions, and hosted via a Linux Azure Functions App.
Both the client App Service and the server Function App use built-in authentication ("Easy Auth"), with Active Directory configured as the identity provider. I am able to log into each, separately, via AD.
Until recently, I was also able to make authenticated requests from the client to the server. The client has
"loginParameters": [
"response_type=code id_token",
"scope=openid offline_access api://<Application (client) ID>/user_impersonation"
]
in its authsettingsV2 and generated tokens' aud have the correct application ID. Passing the access_token from the client's /.auth/me response as a bearer token in requests to the server used to work.
The problem
I made a few configuration changes today, tested authentication, found that it was no longer working, and backed them out. Unfortunately, reverting those changes didn't fix the issue and generated tokens are no longer being accepted by Easy Auth on the server:
{
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]' or validationParameters.ValidIssuers: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'."
}
Okay, so the issuer is not in the list of valid issuers. But Azure hides personally identifiable information in exceptions by default, so I can't see the issuer or any of the valid issuers.
One option appears to be:
If you need to see the full information present in exceptions, please set IdentityModelEventSource.ShowPII to true
but this looks like a reference for configuring authentication myself using C#. I don't see any way to change this setting when using Easy Auth.
Maybe I can access raw logs. Let's see, I should be able to see this information by enabling application logging:
If you enable application logging, you will see authentication and authorization traces directly in your log files
To enable application logging for Linux apps or custom containers in the Azure portal, navigate to your app and select App Service logs.
But that option is not available:
A lot of the Function App documentation links to App Service documentation, so it would seem that Function Apps are a special kind of App Service App, but maybe not. The preceding quote is from App Service documentation, but I got there following links from Azure Function App documentation.
Alright, let's see if there's a way to enable application logging for Function Apps. Azure Monitor Logs look promising, but none of the generated logs appear to be about Easy Auth. I just see messages about the service starting. Maybe that's because, on Linux apps, Easy Auth runs in an isolated environment and therefore wouldn't be included in diagnostic logs:
The authentication and authorization module runs in a separate container, isolated from your application code.
So… how can I get more details about this error? Easy Auth is recommended as an option for authentication with Function Apps, and I'd hope that there's a way to get more information about what's happening.
I have seen Azure App Service Authentication / Authorization returns HTTP 401 IDX10205: Issuer validation failed and have already set accessTokenAcceptedVersion to null in the manifest. That Q&A helped me get the token passing working in the first place, and I have not changed that value.
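Because the IDX10205 message hides both the presented and the expected issuer, one way to see what is going on is to decode the token's own claims client-side and compare them with the issuer Easy Auth validates against (the openIdIssuer value in authsettingsV2). This is an added Python example, not the poster's code; the tenant id, client id and expected issuer are placeholders, and the token is constructed and unsigned, so the decode is purely diagnostic.

```python
import base64
import json

# Added example, not the poster's code. Azure AD uses one of two issuer formats
# depending on the token version the app registration accepts
# (accessTokenAcceptedVersion); the tenant id is a placeholder filled in later.
ISSUER_BY_VERSION = {
    "1.0": "https://sts.windows.net/{tid}/",
    "2.0": "https://login.microsoftonline.com/{tid}/v2.0",
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Unverified decode: enough to read iss/aud/ver, never a reason to trust the token.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def make_token(claims: dict) -> str:
    # Builds an unsigned sample token for the demonstration only (constructed input).
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def diagnose(token: str, tenant_id: str, client_id: str, expected_issuer: str) -> dict:
    # expected_issuer is what the server-side validator compares the iss claim with.
    claims = decode_claims(token)
    iss = claims.get("iss", "")
    token_version = claims.get("ver", "1.0" if iss.startswith("https://sts.windows.net/") else "2.0")
    expected_version = next((v for v, fmt in ISSUER_BY_VERSION.items()
                             if fmt.format(tid=tenant_id) == expected_issuer), "unknown")
    result = {
        "issuer": iss,
        "issuer_ok": iss == expected_issuer,
        # v1 tokens for an API usually carry the App ID URI, v2 tokens the client id.
        "audience_ok": claims.get("aud") in (client_id, f"api://{client_id}"),
        "token_version": token_version,
        "expected_version": expected_version,
    }
    if not result["issuer_ok"] and token_version != expected_version:
        result["hint"] = ("token is v%s but the server expects a v%s issuer; "
                          "accessTokenAcceptedVersion and openIdIssuer disagree"
                          % (token_version, expected_version))
    return result
```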
We have a corporate KeyCloak server which sits on Azure Account “A”.
We are now developing an ASP.Net Core application that is on Azure Account “B”. This application is behind an Azure WAG.
The users access the application from the internet through the WAG and hit the Azure WebApp:
"https://myexternaldomain.com" => "https://myinternalazuredomain.azuresites.net".
As expected, the user is redirected to the Keycloak corporate server ("https://sso.corporate.com"). Once the user is logged in, he is redirected to the callback address "https://myexternaldomain.com/oauth/callback".
At this moment we get an exception: “Correlation Failed”, “Unknown Location”.
Architecture and Exception below:
We believe that the problem is related to the address the users are using ("https://myexternaldomain.com") being different from the actual address the server is on ("https://myinternalazuredomain.azuresites.net"). And this makes even more sense when we take into account that it was working fine before the addition of the WAG.
Can you guys give us some insight?
Thanks
Best Regards
Take Care
There were a couple of things that needed to be done to get KeyCloak + App Service to work in this scenario.
We had to add the same certs to the WAG and App Service, so KeyCloak would understand it as the same request.
Also, the network team had misconfigured the WAG and some of the headers were not being forwarded, and KeyCloak would not accept the given auth token as valid for the current request.
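The dependency on forwarded headers that the answer describes can be seen in a minimal model of the login and callback steps: the app builds redirect_uri from the public origin, which behind a gateway only exists if X-Forwarded-Host/Proto arrive, and the callback is accepted only when the state echoed back matches the correlation cookie. This is an added Python example, not the poster's application; the host names are the placeholders from the question, and the Keycloak authorize endpoint and registered redirect URI are assumed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not the poster's application. Host names are the placeholders
# from the question; the Keycloak endpoint and registered redirect URI are assumed.
KEYCLOAK_AUTH = "https://sso.corporate.com/auth"
REGISTERED_REDIRECT = "https://myexternaldomain.com/oauth/callback"
COOKIE = "oidc.correlation"

def public_origin(headers: dict) -> str:
    # Behind the gateway the app only knows its internal Azure host unless the
    # gateway forwards the original host and scheme.
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}"

def start_login(headers: dict) -> dict:
    # Challenge step: derive redirect_uri from the public origin, bind the request
    # to a random state and remember that state in a correlation cookie.
    state = secrets.token_urlsafe(16)
    redirect_uri = public_origin(headers) + "/oauth/callback"
    query = urlencode({"client_id": "myapp", "response_type": "code",
                       "redirect_uri": redirect_uri, "state": state, "scope": "openid"})
    return {"location": f"{KEYCLOAK_AUTH}?{query}", "set_cookie": {COOKIE: state}}

def keycloak_accepts(authorize_url: str) -> bool:
    # The identity provider rejects a redirect_uri that is not registered for the client,
    # which is what happens when the app computed it from its internal host name.
    params = parse_qs(urlparse(authorize_url).query)
    return params.get("redirect_uri") == [REGISTERED_REDIRECT]

def finish_login(query: dict, cookies: dict) -> str:
    # Callback step: the state echoed by Keycloak must match the correlation cookie,
    # which the browser only sends back if it reached the same site that set it.
    expected = cookies.get(COOKIE)
    if expected is None or query.get("state") != expected:
        return "Correlation failed"
    return "ok"
```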
I want to design a SPA which will have a frontend (React) and a backend REST API (Node.js, Express, MongoDB). I am planning to have Single Sign-On in my application where users would authenticate using MS Azure AD: a call would go to Azure AD from the frontend and in return I will get a token for that user, which will be stored locally. After that, I want to call my REST API for multiple GET, POST, PUT operations in the context of the current user logged in on the UI. I am planning to deploy both frontend and backend on different servers, so here I have two questions about securing my REST API.
CORS Implementation
User-Authentication on BE
Given the above requirements, is it enough to have just CORS implemented or do I need to authenticate the user again on the BE?
Can somebody provide some best practices or experiences? Is there a gap in my “architecture”?
While CORS is definitely a consideration, it isn't authentication (AuthN) or authorization (AuthZ), which is what you need.
Depending on the number of users your application will have and how the back end will scale, you might want to look at OAuth 2.0 or stick with simpler session-based auth, but you will need something.
CORS on your back end will limit whether a browser running an app on a domain other than yours can call your web services (it won't stop API requests from other tools).
AuthN - You're not logged in; go get logged in and come back to me.
AuthZ - Controls what your users can and can't do. You might want to enforce this at the resource level, but you absolutely need to within your business logic.
Further reading: https://auth0.com/docs/authorization/concepts/authz-and-authn
Philippe from Pragmatic Web Security has a free online course to get you started: https://pragmaticwebsecurity.com/courses/introduction-oauth-oidc.html It's very well paced and should give you some foundational knowledge. (It might let you write off OAuth for this use case, but give it a go.)
CORS will not perform any user authentication. You need CORS only when your client code is served from a different domain than the backend you are talking to. If the same server hosts the static client files and the backend's REST endpoints, you don't need CORS. If you are unsure, then don't consider CORS at all and see if it works.
But you need authentication to know which user is which.
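The point both answers make, that CORS is a browser-side policy and not authentication, is easiest to see with the two layers modelled side by side: a request without an Origin header (curl, scripts, other tools) is never subject to CORS, so only the bearer-token check stands between it and the API. This is an added Python example, not the poster's Express code; the allowed origin and the token table are constructed, and VALID_TOKENS stands in for real Azure AD token validation (signature, issuer, audience, expiry).

```python
from typing import Optional

# Added example, not the poster's code: the two independent layers a SPA backend
# needs, CORS (a browser-enforced policy) and bearer-token authentication.
# Origins and tokens are constructed; VALID_TOKENS stands in for real Azure AD
# token validation (signature, issuer, audience, expiry).
ALLOWED_ORIGINS = {"https://app.example.com"}
VALID_TOKENS = {"tok-alice": "alice"}

def cors_headers(request: dict) -> dict:
    # No Origin header means a non-browser client (curl, scripts, other tools):
    # CORS does not apply to it at all, so it is no protection on its own.
    origin = request["headers"].get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}   # the browser refuses to expose the response to a foreign origin
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Headers": "Authorization, Content-Type",
            "Access-Control-Allow-Methods": "GET, POST, PUT"}

def authenticate(request: dict) -> Optional[str]:
    # Returns the user bound to the bearer token, or None when it is missing or invalid.
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    return VALID_TOKENS.get(token) if scheme == "Bearer" else None

def handle(request: dict) -> dict:
    cors = cors_headers(request)
    if request["method"] == "OPTIONS":     # preflight carries no credentials: answer CORS only
        return {"status": 204, "headers": cors}
    user = authenticate(request)           # runs regardless of what the Origin was
    if user is None:
        return {"status": 401, "headers": cors, "body": "authentication required"}
    return {"status": 200, "headers": cors, "body": f"hello {user}"}
```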
I am using Azure Mobile Apps with deployment slots, with the service provider for login being Microsoft. I have some odd behaviour during swapping and the users' relogin.
Is the performance better/different for AD? [I read that it was not GA yet?]
I am developing in a developer slot with everything specifically configured for this environment; the tests and updates are working. I upload the server to staging, now utilizing the same DB and settings (except Microsoft authentication). The server is again verified to be working on both client and server.
I then use swap to change the staging and production slots. The production slot has the Microsoft account login settings.
Upon swap, the login by users continues indefinitely (no timeout, i.e. several minutes running without any stop) if the refresh token call is made, as per this link:
// retrieve user info
user = new MobileServiceUser(credential.UserName);
credential.RetrievePassword();
// refresh token
user.MobileServiceAuthenticationToken = credential.Password;
JObject refreshJson = (JObject)await ((App)Application.Current).MobileService.InvokeApiAsync(
    "/.auth/refresh",
    System.Net.Http.HttpMethod.Get,
    null);
My initial question is therefore: is it possible to insert a timeout, e.g. 2 seconds, on the call to force the user to re-enter their credentials?
Because it seems to work if the user logs out and then back in with normal login procedure:
user = await ((App)Application.Current).MobileService.LoginAsync(provider);
credential = new PasswordCredential(provider.ToString(), user.UserId, user.MobileServiceAuthenticationToken);
vault.Add(credential);
string newToken = refreshJson["authenticationToken"].Value<string>();
Question(s)
Is it possible to insert a timeout on MobileServiceClient.InvokeApiAsync calls?
Is there some setting that can be set so the swap mechanism does not introduce this issue?
Is there a way to improve the login/relogin flow, the users are complaining that the login is failing often. I cannot replicate it in other instances than during the swap. Can this be because of distance to the server?
Therefore would Traffic Manager be a solution? However, I cannot see how it should be enabled if I am using microsoft login. Since a service is bound to an application name for authentication. How should the Traffic Manager be used in this respect?
Is there some setting that can be set so the swap mechanism does not introduce this issue?
Not sure if this applies to your case, but there is a known issue where certain app settings can actually cause issues with swapping. Do you have any app settings defined that end with _EXTENSION_VERSION or that start with WEBSITE_AUTH_? If so, try removing them and see if that resolves the issues you're seeing.
Is there a way to improve the login/relogin flow, the users are complaining that the login is failing often. I cannot replicate it in other instances than during the swap. Can this be because of distance to the server?
I've never heard of an issue like this. Any more details on the failure you can provide, such as a status code? One thing you can do is enable Application Logging, and you should be able to get detailed information about the refresh failures.
Therefore would Traffic Manager be a solution? However, I cannot see how it should be enabled if I am using microsoft login. Since a service is bound to an application name for authentication. How should the Traffic Manager be used in this respect?
I think the way to make this work is to use a single Microsoft account application for all mobile app backends that are being load-balanced by traffic manager. The redirect URL that gets configured needs to use the common host name that is registered with Traffic Manager.
Is it possible to insert a timeout on MobileServiceClient.InvokeApiAsync calls?
From the API, it seems we cannot set a timeout in this method; refer to https://msdn.microsoft.com/en-us/library/azure/mt691682%28v=azure.10%29.aspx?f=255&MSPPError=-2147217396 for more details.
I would like to secure my Azure Web API with 3rd party providers (FB, G+...; I basically just need a valid email). I was looking at Auth0 and it seems like it will do the job paired with JWT middleware in the Web API project, but I was wondering if the same can be done using Azure only.
Azure Web App authentication confused me a bit - it does not seem to give anything to my ASP.NET web app. I still have to configure all the middleware in Startup.cs, and the app still works fine if I completely turn authentication off.
I could do the same thing Auth0 does - issue my own JWT tokens based on access tokens from FB or G+ - but I would like to avoid that.
Could you please point me to the right direction?
You have a couple options:
App Service Authentication
Configure the authentication via middleware
App Service Authentication
App Service Authentication does not require any code inside your application because your App Service has a gateway that inspects requests for authorization. Depending on the setting you can either secure the entire site or secure individual resources (by using the [Authorize] attribute on the endpoint in MVC/WebAPI).
With the latest release you can control authorization on a site-by-site basis, including manually triggering the sign-in by navigating the user to <yoursiteurl>/.auth/login/<provider>. By default the token store is enabled, so you can make a request to <yoursiteurl>/.auth/me and get back information from the provider.
Middleware Authentication
This is the default way authorization happens in the Single Page ASP.NET template. The middleware authentication uses OAuth/OpenID to secure the resources. This option does it at the application layer instead of at the gateway. If you are using ASP.NET Identity (from the single page project template), the email from the person's login will automatically be stored in the Users table. The tutorial in the link above gives lots of details on how to get it working.
Make sure you use the [Authorize] attribute to trigger the Authorization in either case.
Hope that helps you get started in the right direction.