OpenIdConnect with AWS kubernetes | error on signin-oidc - amazon-web-services

I am trying to use OpenIdConnect claims authentication on an ASP.NET Core 6.0 application hosted inside AWS Kubernetes.
We are using Azure B2C for authentication.
After my application is hosted inside an AWS Kubernetes pod, when we try to access it via the browser, it redirects to the login page, which is expected.
After giving the username and password, it redirects back to the app with the URL "https://something.aws.com/signin-oidc".
This is where I get the error shown in the screenshot below.

Related

Authorized redirect URIs of OAuth 2.0 Client ID for a Web application in Google Cloud Platform has been classified as abusive, not allowed to proceed

I am trying to set up Google Integration in my self-hosted Nextcloud instance. For this I need a Google Cloud API Web application OAuth Client ID and Secret, along with the preset Authorized redirect URI from my Nextcloud instance. I can easily create the ID and Secret for the Web app. But if I put the Authorized redirect URI in the Google Cloud OAuth page, it tells me "Save failed: The request has been classified as abusive and was not allowed to proceed".
For context, the domain provided is a Google Domain which I am using with a Cloudflare proxied DNS. The Google verification TXT record has been added to Cloudflare. I am self-hosting the Nextcloud instance on a subdomain of this domain behind an Nginx Proxy Manager with a Cloudflare SSL certificate. All of these are running as Docker containers on Ubuntu. Additionally, I have verified the Redirect URI as Safe from: https://global.sitesafety.trendmicro.com/result.php
Even then, apart from that specific URI, I have tried the URIs of other services I am self-hosting as well as the parent domain. All of these give the same message from the GCP OAuth screen.
Kindly help me out with this, considering I am a novice.

WSO2 APIM not invoking backend when hostname is changed

WSO2 APIM is not invoking the backend when the hostname is changed.
My APIM server is in AWS running in a Docker container. The backend is in Azure App Service. When I configure the API gateway with localhost in an AWS EC2 instance, the published API in the gateway is able to invoke the backend and fetch data without any issue.
When I make the following changes and try out the same API from AWS, it gives a 400 response error without anything in the logs:
1. Change the hostname in deployment.toml and the required gateway URLs.
2. Create a new keystore for SSL communication using a CA-signed certificate and import it into client-truststore.
3. Change the secondary keystore to the new one.
4. Build and run the Docker image with the modified keystores and deployment.toml.
I created an image using the Dockerfile mentioned in https://github.com/wso2/docker-apim.git under dockerfiles/ubuntu/apim and then performed the required changes in deployment.toml and the Dockerfile.
The API is working fine using curl and from Postman. It gives a 400 error only when invoked from the Publisher/Devportal UI.

Unable to signout when using AWS application load balancer with Azure AD OAuth (OIDC)

I have a project where I am hosting an ASP.NET MVC site on an AWS EC2 instance behind an AWS application load balancer (ALB).
I have an ALB listener "Authenticate" rule that takes any traffic that does not have a valid cookie and forwards it to the Azure AD OAuth provider (aka OIDC authentication). The authentication works well, and goes as follows:
HTTPS traffic hits my ALB and, since there was no previous OIDC authentication, it forwards the user to Microsoft's Azure AD authentication page for my Azure AD tenant.
On successful authentication, Azure AD forwards the response to my ALB's response URL. This is where the Azure AD OAuth flow terminates.
The AWS ALB generates its own OAuth token, which includes my original Azure AD username and claims, signs the JWT with its own key, and forwards the request to my EC2 instance via a target group, with additional HTTP headers (X-Amzn-*) which include the AWS token info.
However, I cannot figure out how to sign the authenticated user out. I have tried:
Using Azure AD's own "oauth2/v2.0/logout" URL with information about my tenant and client ID (application ID) and then specifying a logout page I have hosted behind my AWS ALB. This only logs out the Azure AD user, but when I return to my site home page the AWS ALB has persisted info via its own cookie and forwards the traffic with the old AWS JWT without redirecting to Azure AD (even if the "Exp" timestamp in the JWT has passed). These subsequent requests contain a cookie named "AWSELBAuthSessionCookie-0" whose value is the entire JWT encoded in Base64, but with a cookie expiration of 1 week in the future.
I have tried clearing the "AWSELBAuthSessionCookie-0" cookie both on the server side of my application and also in the client code (by setting the expiration to some time in the past) prior to hitting my website home page again, but the "AWSELBAuthSessionCookie-0" is somehow magically restored containing the old, expired JWT.
Is there a prescribed way to logout of an AWS ALB-authenticated session that used Azure AD (with a custom tenant, not the public 'common' tenant) as the OIDC provider?
I configured a Session timeout to be as short as 1 second to prevent users from reusing the old cookie.
The AWSELBAuthSessionCookie-0 is a session cookie containing the secure and httponly attributes issued by the load balancer. As this post points out, the cookie must be changed only on the issuing server.

HTTP 500 when accessing Kibana on AWS

I'm using Elasticsearch and Kibana, both managed by AWS. I've configured SAML with ADFS to authenticate my users, but some users log in successfully by accessing Kibana, while for others the login fails and shows the following message:
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}
Analyzing the errors in the browser I found something about SameSite, but I believe the SameSite error should happen to everyone.
Is there anything you can do in Kibana to solve this problem?
If this is the AWS Elasticsearch service you will need to contact their support. They run forks of Elasticsearch and Kibana and their own plugins to handle security that are not source-available or community-supported.

GCP oidc issue with Keycloak as identity provider - malformed response cannot be parsed

I'm testing GCP Identity Platform with Keycloak as the identity provider. I'm using the OIDC protocol. From the web app, I am redirected to the Keycloak login page, I log in (the session is active on the Keycloak side) and when I'm redirected back to the web app page, I get the following error message:
Error 400 - Malformed response cannot be parsed from oidc.#PROVIDER_IDENTITY_NAME# for CERTIFICATE
I have tested from a web app running on localhost but also with a web app running in the cloud.