audience mismatch in development mode - browserid

Currently trying to develop a login/registration system based on browserid.
I have a server which local IP is 192.168.0.106 and that runs on "http://localhost"
The process works perfectly when doing it from a browser on the server machine by sending a verification with audience: "localhost"
The problem is when i try to identify from another machine on the same local network, which address is not localhost, but something like 192.168.0.101 : the verification process returns an "audience mismatch" failure because the client connects to 192.168.0.106 (the server's local address) and not localhost
Any ideas or suggestions ?

The audience-match check by the verifer is to ensure that the assertion you've been given is fresh, and hasn't been harvested from another site.
In 'production' you'd usually know the address which clients will connect to your site with, and hard-code that into your call to the verifier.
In development, there are 2 options which I've used:
1. add an explicit mapping to /etc/hosts files from the clients I'm testing with so all use the same address
2. use the value from the 'Host' header as the audience value (this is likely to be completely insecure depending on the middleware/intermediaries you're using, so it should only be done in development)

Related

IP address is not allowed for this token on API CALL

please bear with me, I am a newbie in integrating APIs and so I am encountering some issues that need help from experts. I am working on API that has only the server IP address whitelisted to access resources on it. However, I am working from my local PC in doing the integration. Now when I try accessing the API from the localhost, it tells me that my PC's IP address is not allowed for the token I am using. I have tried to do some google search on how to use the server's IP address from my PC and I have come across something called PORT FORWARDING. I have tried to figure out what it is but I am getting some difficulties setting it up on my PC. Could someone help me with any alternatives to making requests using my server's address from my PC? If not, I will appreciate it if someone could explain to me what port-forwarding is in layman's language and if possible through a reference. Thank you in advance. I am on Linux-mint
To make a request with your server's IP address, the request has to at least pass through your server. Setting up an temporary SSH "port forward" is the easiest way to do it. The following command opens an SSH session with your server machine, and for the duration of the session the ssh client will listen for connections on TCP port 8443 on your dev machine and the server will forward them to somewebsite.net:443.
ssh -L 8443:somewebsite.net:443 your.server.name
If you now send a request to https://localhost:8443 from Postman, SSH will tunnel the request to your server. The server will communicate with somewebsite.net on your behalf, and the request will have your server's IP address.
See longer discussion of this feature for example at:
https://www.ssh.com/ssh/tunneling/example
https://phoenixnap.com/kb/ssh-port-forwarding
This style of port forwarding is not without its problems though. You are using HTTPS, which includes protections against a "middle man" intercepting connections like this. You can get around this by disabling certificate verification. Another problem is that somewebsite.net may expect you to set the Host HTTP request header to "somewebsite.net", and it will be set to "your.server.name" instead.

OpenVPN, ProxyRADIUS MS-CHAP and Windows AD

Trying to set up VPN authentication against different realms/windows domains.
I'm using OpenVPN Access Server which directs all authentication requests (username in the form of user#domain) to FreeRADIUS server (3.0.15) with required proxy.conf and realms config so that forwards (proxies) the access-request to home server. The OpenVPN is configured to use MS-CHAPv2.
The home server is also a freeRADIUS, same version. Home server is a member of windows domain (samba 4.6) and its clients.conf file includes the proxyRADIUS server as "NAS'....etc.
No issues on home server, when it comes to samba/winbind checks, etc. As a matter of facts, if I send requests from OpenVPN directly to it (without proxy), using username = sAMAccountName, authentication and group membership checks via LDAP work as expected.
However, if the request is proxied, the mschap module in home server reports:
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(Outout above from radiusd in debug mode)
Just as a way of testing there was no issue with proxying the requests I enabled NPS on the domain controller and started proxying requests towards it and authentication worked with no issues, so, for whatever the reason, when home server tries to authenticate a proxied request the NT-Response (or at least as managed by mschap module) doesn't seem right.
I know there was a bug in an old version of samba about NT-Response, but I don't think that's the issue here, I think it got fixed a few years ago.
Has anyone come across a similar issue?
Thanks!
PS: Proxy and home RADIUS run in BSD 10.3
Fixed this. Realm definition in proxyRADIUS with "nostrip", so that user-stripped sent to home server includes user#domain. In home server, "proxy.conf" file, define the realm but with no server pool, so that the realm is treated as LOCAL but challenge is created using only the username (without #domain). That's it

How to get incoming request ip address using .net Core

I deployed my .NET CORE solution in AZURE environment (PAAS).I used following code snippet there to get client's ip address
dtoItem.LogIP = HttpContext.Connection.RemoteIpAddress.ToString();
I used standard .net core libraries and did necessary changes into Startup.cs as well
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
RequireHeaderSymmetry = false,
});
I believe I have implemented everything in correct manner. But still I haven't got accurate client IP address. I am always getting client's public IP instead of his private IP. Since this can be repeated (Same office 2 users have same public IP) I need client's private IP instead of his public IP.
Is it possible to get private IP address in PAAS solution. If it is not possible, is there a way to track client's PC information. (Such as IP Address, MAC address).
Is it possible to get private IP address in PAAS solution?
No it is not possible as shared in this SO post and this answer address this about MACAddress
On the client side javascript, there is no API exposed to get the IPAddress(obviously due to security consideration) .Then you can get the IPAddress on the server side but typically if you are accessing internet from your company,it would go through the corporate proxy and the Ipaddress seen by the server will never be the actual client IP but the proxy server's address. So this is limited on the server side as server only sees the proxy (public IP address).
If it is not possible, is there a way to track client's PC information. (Such as IP Address, MAC address) ?
What you can reliably track is the user agent. Breaking the user agent down, we get the some information about browser ,OS versions. But user agent can easily be spoofed with some browser extension .
If you are looking for browser finger printing or tracking ,have a
look at Panopticlick which shows some more information like
fonts > installed, screen resolution,plugins installed etc to track
any client. fingerprintjs2 javascript library helps to track
using 26 parameters as of today
There is no straight forward answer to this. The thread shared by Rob has some great insights. However, one needs to understand that a lot can happen to the request before it reaches the server. The intermediary networking devices can manipulate the TCP headers so it may not reflect the correct IP Address that you need.
From a solution perspective, this might be perfectly possible, if you develop your own client and log this information somewhere so that you can track it. Otherwise there is no reliable way to get this information.

node js send html to network rather than only localhost server

I'm using node js trying to send my web-page to my network, I successfully call localhost:port in my computer using express as server, the webpage loads fine trigger my webcam which I used to streaming in the webpage, and then im working to make a simple app in my phone to directly access my server, so my questions:
1.How do I able to access my server from different devices in the same wireless-network? by calling ip + port ?192.168.1.104:9001 ? cause i've tried and it didnt work.
2.I've found https with .pem something like that, is that the answer ? is there also any other way ?
3.maybe any advice before i work to make my web-app to devices? using koa? i don't even really know what is that, but i'm happily take any advices.
EDIT: i've read How could others, on a local network, access my NodeJS app while it's running on my machine?
let's say I simply using random router, so i can't configure my router-port, my server in my pc and my phone join in the same network, trying to access the server in my phone
1.How do I able to access my server from different devices in the same wireless-network?
All you need to do is find your server's IP address in this same wireless-network, and find the Node.js application's port. Then access the following URL in other devices:
http://{server_IP}:{port}
However, there are some points need to check:
Need to check firewall and confirm the port is not blocked, server IP is not blocked by test device, and test device IP is not blocked by server.
Need to check whether there is any Proxy setting in server and test device. If there is any, disable the proxy.
A computer may have many IP addresses at the same time, you need to find the correct one in the same wireless-network. For example, If you install a virtual machine software such as VMware and run a virtual system inside, your real computer will get IP address as 192.168.*.* -- this IP address looks like an intranet IP in wireless-network, but it is not, and can never be accessed by test device.
2.I've found https with .pem something like that, is that the answer?
No, HTTPS has nothing to do with this problem. HTTPS just add security (based on HTTP layer), it does not impact any HTTP connectivity. Actually, to minify the problem, it is better to only use HTTP in your scenario.
There is only one very special case that may bring your problem by HTTPS -- the test machine is configured and will block any non-HTTPS connection for security.
3.maybe any advice before i work to make my web-app to devices? using koa?
My suggestion is: As there is an HTTP connectivity issue, the first step is trying to find the root cause of that issue. Thus, it is better to make a simplest HTTP server using native Node.js, no Koa, no Express. In this way, the complexity of server will be reduced, which makes root cause investigation easier.
After the HTTP connectivity issue is fixed, you can pick up Koa or Express or any other mature Node.js web framework to help the web-app work.
4.let's say I simply using random router, so i can't...
Do you mean your server get dynamic IP address by DHCP? As long as the IP is not blocked by test device, it does not matter.

Get routable IPV6 address from requester in OWIN when requester is on local machine

I'm working on a system with three parts that communicate over HTTP. The parts are the Service, the ServiceRegistry, and the Client. The Service and the ServiceRegistry are self-hosted OWIN applications. The nature of the client doesn't matter.
In my design, the Service POSTs to the ServiceRegistry to "register" itself. The ServiceRegistry reads Request.GetOwinContext().Request.RemoteIpAddress to determine where the Service is located and GETs back to the Service to perform some handshaking (the port for this GET is supplied in the original POST). Finally, the Client comes along and performs a GET to the ServiceRegistry asking for the location of the Service and receives back the IP address and port on which it can directly interact with the Service.
This works well when all three parts are running on different machines.
However, when the configuration is that the Service and the ServiceManager are running on MACHINE01 and the Client is running on MACHINE02 the system fails. What appears to be happening is (when both parts are located on one machine) RemoteIpAddress receives a link-local version of the IPV6 address. I strip off the Scope ID from the IPV6 address and return the address and port to the Client. But, to the Client running on a different machine, this is an unreachable address.
Can anybody suggest how I can read the remote IP address from the OWIN request in such a way that it will be reachable from another machine on my network?
When you are connected with any address, I don't think there is a way to get other addresses of the peer.
You could either implement and use some registry of address mappings between link locale addresses and global addresses. (Always in the hope the peer accepts requests on its global address as well.)
Or if you have access to it I'd propose to modify the requesting peer to send the request originating from its global address. This can normally achieved with source address selection. But I have no idea how you do this on the .NET platform as I am working on Unix systems.

Resources