Is there a way to debug OWIN middleware from extensions like WindowsAzureActiveDirectoryBearerAuthenticationOptions and see exactly why the request was rejected (e.g. no token, wrong resource id, invalid signature, …) ?
One thing you can do is enable logging in OWIN:
<configuration>
<system.diagnostics>
<switches>
<add name="Microsoft.Owin" value="Verbose" />
</switches>
</system.diagnostics>
</configuration>
I sent an expired token to my API and got this in the Output:
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware
Error: 0 : Authentication failed
System.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223:
Lifetime validation failed. The token is expired.
More info about configuring OWIN logging: http://www.tugberkugurlu.com/archive/logging-in-the-owin-world-with-microsoft-owin--introduction.
Related
I have an asp.net azure web api site, say myapi.azuresites.net, and my custom domain is myapi.mycompany.net.
In my web api, I use owin middleware to validate incoming token
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = Constants.AzureActiveDirectoryTenant,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = true,
// These values will be checked against what is received in the access token.
ValidAudiences = Constants.AzureActiveDirectoryValidAudiences
},
Provider = new OAuthBearerAuthenticationProviderEx()
});
I registered an app under azure AD and add some client secret in.
From postman, I can get an oauth2 token from Azure AD with the App id and the client secret.
I included this token in the header and sends to my azure web api.
My code uses owin middleware to validate the token
If I send the request to myapi.mycompany.net, the token validation works.
If I send the request to myapi.azuresites.net, the token validation fails.
I can't really figure out why the token validation fails when calling azure site directly. If I grab the azure site's web.config down to my local machine and it works there as well.
I suspected that my AD app didn't have the right redirect URLs, but verified that and can't see obvious issue.
So is there a way to log some information on why authentication fails? As it is a remote azure site, can I trap this failure as exception and throw some out?
Although not sure why my AD authentication works now, I did find a way to log owin failures for azure site.
Basically this will log owin information
<system.diagnostics>
<trace autoflush="true"/>
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener"/>
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="d:\home\logfiles\Katana.trace.log"
traceOutputOptions="ProcessId, DateTime"/>
</sharedListeners>
<switches>
<add name="Microsoft.Owin" value="Verbose"/>
</switches>
</system.diagnostics>
I have stumbled into an annoying azure wcf http relay issue, which i cant seem to be able to solve.
The issue arises when I set the security relayClientAuthenticationType to RelayAccessToken, which makes my endpoints unreachable due to a "Invalid authorization header: The request is missing WRAP authorization credentials" Error, whhich I Can't seem to solve.
If i set the security to "None", there are no issues.
I am currently using Postman to test the service.
Below areall the relevant details of the application(.net 4.6.2 console app), thanks in advance :)
App.config
<services>
<service name="XXXXX" behaviorConfiguration="servicebehavior">
<endpoint address="https://XXXXX.servicebus.windows.net/relayserver" binding="webHttpRelayBinding" contract="XXXXX" behaviorConfiguration="behavior" bindingConfiguration="default" />
</service>
</services>
<bindings>
<!-- Application Binding -->
<webHttpRelayBinding>
<binding name="default">
<security relayClientAuthenticationType="RelayAccessToken"/>
</binding>
</webHttpRelayBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="servicebehavior">
<serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="behavior">
<transportClientEndpointBehavior>
<tokenProvider>
<sharedAccessSignature keyName="RootManageSharedAccessKey" key="XXXX" />
</tokenProvider>
</transportClientEndpointBehavior>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
<appSettings>
<!-- Service Bus specific app setings for messaging connections -->
<add key="Microsoft.ServiceBus.ConnectionString" value="Endpoint=https://XXXX.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=XXXX" />
</appSettings>
Opening the host
var host = new System.ServiceModel.Web.WebServiceHost(typeof(XXXXX));
host.Open();
Console.WriteLine("Press ENTER to close");
Console.ReadLine();
host.Close();
Azure Relay Firewall settings
Allow access from all networks
Testing the relay: test method (interface)
[OperationContract, WebGet(UriTemplate = "?id={id}&key={key}", ResponseFormat = WebMessageFormat.Json)]
FakeData GetFakeData(string id, string key);
Test Results
If I set relayClientAuthenticationType to None, i get a json response as expected.
<security relayClientAuthenticationType="None"/>
If I set relayClientAuthenticationType to RelayAccessToken, I get an unauthorized error.
<security relayClientAuthenticationType="RelayAccessToken"/>
<Error>
<Code>401</Code>
<Detail>MalformedToken: Invalid authorization header: The request is missing WRAP authorization credentials. TrackingId:..</Detail>
</Error>
Issue has been fixed : I had a typo in the access token i made: Created a new access token in c# using the following method: learn.microsoft.com/en-us/rest/api/eventhub/generate-sas-token
would you help me?
i've created a web api on azure and chose not to allow anonymous requests but to use azure active directory to authenticate the requests. the app beneath has "sign-in and read user profile" permissions set.
if the controller behind the web api accepts GET requests it works, while it gives me the error : "You do not have permission to view this directory or page."
before i call the web api i open a iframe on the page (sharepoint page) to implicitly get the token from the web api, which calls the basic GET action below:
[ActionName("Connect")]
[HttpGet]
public IHttpActionResult Connect()
{
return base.Content(HttpStatusCode.OK, "OK", new JsonMediaTypeFormatter(), "text/plain");
}
later on i call via jquery another action (POST)...
public IHttpActionResult PostPromote([FromBody] string request)
but at this point i receive the 403 (Forbidden) message.
the CORS for my webapi is set in the web.config file:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="https://mytenant.sharepoint.com" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true"/>
</customHeaders>
</httpProtocol>
if i switch the method to GET it works, as well as (of course) if i permit anonymous requests.
thank you a lot, that's making me crazy.
I created a web application and added an ELMAH module for error logging. It was working with my local development environment: when i access URL http://localhost:52584/elmah.axd it shows me a valid page:
When i testing it after uploading on azure portal it shows me an error page:
Is there any specific configuration i need to do for Azure platform?
Also i have done form authentication on my web application, so when I try elmah.axd it will redirect to login page and i need to login first. I would like to remove that form authentication, particularly for elmah.axd. How can i achieve this?
The nuget package does not add the following important lines to web.config resulting in 403 error.
<elmah>
<security allowRemoteAccess="1" />
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/app_data/elmah" />
</elmah>
This should fix the 403.
Also you may want to restrict the access to error logs by
<add name="Elmah" verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
I have added the following configuration section to my web.config file
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
But when I call the *.asmx web service, I still got the following error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
I am using the IIS7.5 ASP.NET integrated mode.
Any clues? I just found the IIS Authenticatino is very poor and unstable.
Thanks!
It turns out that we need to grant NTFS permission to target folder for the Anonymous Authentication Authenticated As identity, besides enable Anonymous Authentication in IIS.
Windows Authentication happens in both IIS and NTFS file system. I always forget the latter one. I will cut my dummy brain.