I have a website running an ISAPI filter providing SSO functionality, as well as anonymous & basic authentication.
The ISAPI filter populates the "Authorization" header of each request with basic credentials e.g. basic base64EncodedString (username:password), which I can see using Fiddler.
Next I have an HTTP Module picking up the basic credentials from the "Authorization" header, decoding them and placing the username in a new header value. The new header is then picked up by Tridion and used by the inbuilt SSO module.
This solution works in IIS6, but not in IIS7.5; in IIS7.5 the "Authorization" header is not present in the request. I checked for the header both in the HTTP Module, and in a dummy ASPX page.
It sounds like your ISAPI filter is not being triggered in IIS 7.5 then. Make sure that you have enabled them as described here: http://forums.iis.net/t/1178302.aspx
Related
I'm implementing a webdav server. I have everything working fine for anonymous access, but now I want to require authentication.
When a user clicks on a link to open the word document (I'm using the ms-word: protocol), Word sends a couple of HTTTP OPTIONS requests, first with an empty Bearer value in the Authorization header, to which the server responds with a WWW-Authenticate header, and everything is working correctly (after the user authenticates with Word, word sends a follow-up HTTP OPTIONS request with a token value in the header).
However, when Word requests the file itself (using HTTP GET), there is no Authorization header. I've tried having the server respond with a 401 status, but when it does, Word simply gives up and informs the user the file can't be opened.
What's even more troubling is that, from what I can tell, Word sends the GET and OPTIONS requests in parallel, so at the time it sends the GET request, it has no idea that it will be authenticating with the OPTIONS request.
Not sure if this will always be the answer to the issues I described above, but I think it's a combination of problems I was running into. Here's the basics of how I got around the issues I was having.
Delete Office Webdav cache. Office caches information about Webdav servers pretty aggressively. The cache is found in the registry as this location: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\X\Common\Internet\Server Cache where X is the current version of Office you have installed. Delete all subkeys that have your server's URL.
Do not use localhost or 127.0.0.1 for your Webdav. Office seems to behave differently if it knows that your server is local. This may mean needing to add entries into your hosts file to "trick" it into thinking your site is on a remote server.
If using some sort of federated auth (Azure AD, Google, Facebook, etc.) and you are using bearer tokens, Office needs to be told where to go to authenticate, this is done by responding to non-authenticated requests with a 401 status and the WWW-Authenticate header value being set to something like this (I can confirm this works for Azure AD):
Bearer authorization_uri="https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize",trusted_issuers="https://login.microsoftonline.com/*/",client_id="[Azure AD App Client ID]"
Even with the client ID set, it seems like the Application ID URI in the app registration needs to match the server's base URL (protocol + host + port)
I have a problem configuring my Open Auth ID .net Core 2 application as an App Service behind a Web Application Firewall using a Path based routing.
My application is myapp.azurewebsites.net with a network restriction making it inaccessible from the public internet. I have deployed a WAF in the same VNET and allowed traffic between the WAF and App Service using a Path based route "/Admin*".
The effect is that https://myapp.azurewebsites.net is not internet accessible but https://myWAF/Admin is accessible and maps to the app service.
This setup works fine, but when I introduce Open ID auth to my .net core application the outgoing Location header includes its myapp.azurewebsites.net/signin-oidc as the reply URI.
This doesn't work because the host is not accessible from the internet. I have attempted several approaches;
I have added the WAF URL (https://myWAF/Admin/signin-oidc) in the application registration URL in Azure App Registrations to allow AAD to accept the modified URL (as legitimate
I have coded app.UseForwardedHeaders (forcing reuse of all X-Forwarded headers) in my startup.cs. This doesn't seem to have any affect on the Location header being sent by my App Service.I presume the WAF is sending X-Forwarded headers, but if it is, the Open Auth ID stack isn't using them.
I have coded a header rewrite in the WAF to replace the myapp.azurewebsites.net with the WAF URL. This does replace the URL correctly and allows the callback, but then fails with a Correllation Error (which seems to be a generic Open ID stack error meaning "the nonce does not match". Its possible that the nonce is predicated on the URL being called back to - which in my case changes due to the WAF redirection, but that's a guess).
It seems to me like I should be able to use the X-Forwarded headers in my app to get around the need to code up header re-writes in the WAF, but I can't find an example where this is used successfully to alter the Reply URI being sent out by Open ID.
My question it; is using the X-Forwarded header the correct approach to handling proxies in an OAuth context, or is header-rewriting in the WAF the correct approach ?
I have set
After much investigation I found the following;
WAF does not send the standard X-Forwarded-Host to App Services but sends X-Original-Host instead. Documented here https://feedback.azure.com/forums/217313-networking/suggestions/33657763-add-the-x-forwarded-host-header-to-application-gat
The ForwardedHeaderOptions that ASP.net Core 2 uses in its ForwardedHeaders middleware have an option to replace the expected and supported "X-Forwarded-Host" with an arbitrary other host header name. This behaviour can be triggered as follows to replace the use of the x-Forwarded-Host with the WAF specific X-Original-Host.
options.ForwardedHostHeaderName = "X-ORIGINAL-HOST";
WAF does not pass the Path of the Path Based Route down the Http Header stack as expected in the PathBase header. This must be added to the Request Headers either in the WAF via a Header Rewrite, or inside the app as follows (in this case the apps Path Route is /Admin);
app.Use((context, next) =>
{
context.Request.PathBase = new PathString("/Admin");
return next();
});
I am programming a command line tool (installedApp) that will need access to the Google Sheets of the user. For this I need to get an access token from the user.
I am following these guidelines OAuth2InstalledApp. So far I managed to get the authorization code by using the http://localhost type of redirect_uri. I specified http://localhost:7373/authorizationCode as the redirect_uri and I have a local server listening on port 7373.
But when I make the request to get the access token, I get an HTTP 400 Bad request response with a
redirect_uri_mismatch error
. When I make the request,the redirect_uri is defined as "The redirect URI you obtained from the Developers Console". Which is kind of wrong because when you create an Installed app you don't have the ability to specify a redirect uri (only with web apps). https://infinit.io/_/i48b2rM
So my question is what am I doing wrong?
When you create a client ID in the Google Developers Console, two redirect_uris are created for you: urn:ietf:wg:oauth:2.0:oob and http://localhost. Also you can consider urn:ietf:wg:oauth:2.0:oob:auto .The value your application uses determines how the authorization code is returned to your application. choose a redirect uri
We are implementing CA Site minder on external server for single sign on.
We did all necessary configuration on our server as well as on policy server.
When I hit my URL request get interrupted by ISAPI Filter and Site Minder Replace it with Log in Page Then I put credentials and click log in.
This request goes to policy server and after authenticating site minder redirect me to original url that I hit early on but somehow i am not getting SMSESSION Cookie.
I check FRT log and found that cookie is there in Request Header which mean site minder able to generate and pass the cookie to request but not set in Response header So its getting removed from response.
I tried to find why its getting removed or response not setting SMSESSION Cookie but not able to find any reason.
I am using Integrated pipeline mode and the same setup is working fine with classic mode but since my application is MVC I can't use that and i have to use integrated mode.
The SMSESSION cookie is not provided to the application from SiteMinder. It is initialized in the client browser after login and should be included when the authenticated request arrives back at your application.
I suggest monitoring the client side to ensure the SMSESSION is received after login and sent back out in the application request.
Running any of the sample REST API calls for O365 works fine with the sand-boxed URLs and authorization headers.
However, substituting these URLs with my own is no-go.
XMLHttpRequest cannot load https://****-my.sharepoint.com/_api/v1.0/me/files. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://****:44301' is therefore not allowed access. The response had HTTP status code 403.
Is the issue due to cross-domain scripting?
Extra authorization that must be done on a "real" O365 endpoint as opposed to the sandboxed sample?
Are these libraries used from web context ? It sounds like it from the problem description. Please note that these libraries will only work from Cordova app context for now. http://microsoft.response.lithium.com/portal/conversation/1003718