
aspnetcoresecuritysamples's People

Contributors

altenstedt, leastprivilege

aspnetcoresecuritysamples's Issues

OIDC sample: Authorize roles not working

Doing some tests with the OIDC sample, I figured out this problem:
Going to secure everything is fine, but going to secure2 the result is always 401 Unauthorized.
I experienced this problem in other projects after the last updates.
Do you know why this is happening?
Thanks in advance.
Have a good day.

The SignOutAsync method does not return when I call it in ValidatePrincipal

Hi first of all thank you for the really good example.
Unfortunately, I have a small problem that I can't solve.
I have modified the ValidatePrincipal method in the AutomaticTokenManagementCookieEvents class in such a way that I call

context.RejectPrincipal();
await context.HttpContext.SignOutAsync( context.Scheme.Name );

if the token is not valid.

I note that calling RejectPrincipal() and await SignOutAsync is part of Microsoft's documented recommendation for invalidating a session if the user's auth ticket cookie contains an invalid OIDC token that requires the user to re-authenticate. (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0#react-to-back-end-changes)

After await SignOutAsync is called in the ValidatePrincipal method, I end up in the overridden SigningOut method. There the await context.HttpContext.AuthenticateAsync() method is called. However, this does not return and is stuck in an infinite loop.

If I end up in the SigningOut method from another context, everything goes through beautifully.
Do you have any idea what could be the reason and how I can solve the problem?
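One way to keep the sign-out path from re-entering authentication, as an added example that is not code from the samples repository or from the poster: the cookie handler caches the result of AuthenticateAsync for the current request, so a nested AuthenticateAsync for the same scheme issued while ValidatePrincipal is still running waits on the very authentication that called it. The sketch below instead hands the ticket's AuthenticationProperties to SignOutAsync, where the SigningOut event receives them as context.Properties and can read the refresh token directly. The class name, the revocation endpoint, the client id and secret are placeholders, and it assumes the OIDC handler was registered with SaveTokens = true so that expires_at and refresh_token are stored in the ticket.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Logging;

// Added example (not the samples repository's code): cookie events that reject an
// expired session from ValidatePrincipal and revoke the refresh token in
// SigningOut without calling AuthenticateAsync a second time.
public class ExpiredSessionCookieEvents : CookieAuthenticationEvents
{
    // Assumed placeholders: revocation endpoint and client credentials.
    private const string RevocationEndpoint = "https://idp.example/connect/revocation";
    private const string ClientId = "mvc";
    private const string ClientSecret = "secret";

    private readonly IHttpClientFactory _httpClientFactory;
    private readonly ILogger<ExpiredSessionCookieEvents> _logger;

    public ExpiredSessionCookieEvents(IHttpClientFactory httpClientFactory,
                                      ILogger<ExpiredSessionCookieEvents> logger)
    {
        _httpClientFactory = httpClientFactory;
        _logger = logger;
    }

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // With SaveTokens = true the OIDC handler stores "expires_at" and the
        // tokens in the authentication properties of the cookie ticket.
        var expiresAt = context.Properties.GetTokenValue("expires_at");
        if (expiresAt == null
            || !DateTimeOffset.TryParse(expiresAt, out var expiry)
            || expiry > DateTimeOffset.UtcNow)
        {
            return; // ticket still valid (or carries no token info): keep the principal
        }

        _logger.LogInformation("Access token expired at {Expiry}; rejecting session", expiry);
        context.RejectPrincipal();

        // Pass the ticket's properties to SignOutAsync. They arrive in the
        // SigningOut event as context.Properties, so the handler below does not
        // have to authenticate again to find the refresh token.
        await context.HttpContext.SignOutAsync(context.Scheme.Name, context.Properties);
    }

    public override async Task SigningOut(CookieSigningOutContext context)
    {
        // Do NOT call context.HttpContext.AuthenticateAsync() here: when we are
        // reached from ValidatePrincipal the cookie authentication that invoked us
        // is still in progress, and awaiting its cached result never completes.
        var refreshToken = context.Properties?.GetTokenValue("refresh_token");
        if (string.IsNullOrEmpty(refreshToken))
        {
            return; // nothing to revoke (e.g. user-initiated sign-out after tokens were dropped)
        }

        // RFC 7009 token revocation: form-encoded POST, client authenticated with
        // client_secret_post. Assumed: the IdP accepts this client for revocation.
        var client = _httpClientFactory.CreateClient();
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["token"] = refreshToken,
            ["token_type_hint"] = "refresh_token",
        });

        using var response = await client.PostAsync(RevocationEndpoint, form);
        if (!response.IsSuccessStatusCode)
        {
            // A revocation failure must not block sign-out; the cookie is deleted regardless.
            _logger.LogWarning("Refresh token revocation failed: {Status}", response.StatusCode);
        }
    }
}

// Registration (Program.cs or Startup.ConfigureServices); the events class is
// resolved from DI via EventsType so it can take IHttpClientFactory and ILogger:
// services.AddHttpClient();
// services.AddTransient<ExpiredSessionCookieEvents>();
// services.AddAuthentication()
//     .AddCookie("Cookies", o => o.EventsType = typeof(ExpiredSessionCookieEvents));
```

The check in ValidatePrincipal is deliberately conservative: a ticket without an expires_at value is left alone rather than rejected, so the same events class can sit in front of a cookie scheme that is also used without OIDC tokens.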

Suggested sample additions: Blazor WASM, Blazor Hybrid

I've been working on a project and I think I have Blazor Server and Blazor WASM both working independently with regard to authentication against IdentityServer. It would be nice to just verify I'm following best practice for Blazor WASM if you had a sample Blazor WASM project that could be added to the samples repo.

I've come across a Blazor Hybrid setup as well that allows for runtime switching between Server and WASM. It seems to be a good solution for getting the best performance from both Server and WASM as a single experience for the user. The authentication from the hybrid project seems to be hand-rolled though, so I don't know how the hybrid setup would integrate into auth against an external IdentityServer instance. I'm using the hybrid option, but for now I'm allowing Server and WASM to authenticate independently. The hybrid project suggests that using cookies is a common auth mechanism that works for both Server and WASM, but I wasn't sure how that fits into auth against IdentityServer, or even if what they are saying is still true when performing auth in the WASM project against IdentityServer, as OIDC code flow + PKCE seems to be the preferred authentication setup. Long story short, if you are also interested in seeing if or how Blazor Hybrid could integrate against IdentityServer, I'd be interested in seeing it. I may pose this question to the Blazor Hybrid project as well, but I don't know if I trust their security implementation response as much as if I heard it from here.

Thanks for all you do. Feel free to cancel this out if you are not interested.

https://github.com/jdtcn/HybridBlazor

OIDC api delegation

Can you create a sample where you have a website A that calls a weather API B, which depends on a call through an HttpClient to a web API C to return a response to A? In this case, B and C need to be authenticated. C doesn't have any relation with A.
A always passes a bearer token to B (which is part of the scopes configuration on the identity server and is also a valid resource).
My problem here is how to configure C correctly.
In the real-life scenario, my web API C lives in identity and returns the tenant information on the requests. So B only asks C for the tenant information in order to return the response to my website A.
