Identity Server, website hosting, octopus - web-services

I have recently inherited a Web API development that exposes key endpoints to a company that is hosting and running our website.
We use Octopus to deploy the API to our webserver.
I have duplicated the API and added the appropriate configuration variable to Octopus and deployed it to a secondary webserver (as a development API) for our 3rd party to use.
We are using identity server along with OpenID connect for authentication.
This has built and deployed however authentication is failing.
I know this is a vague description, but I am looking for pointers for an analysis path.
I have compared the logs of the current Api and the test Api and results are the same. (Stating authentication is successful)

Not really enough information to properly answer this question - but I would start by:
1) Checking all the log files you can find for a more detailed exception message. (application logs, IIS logs, event log)
2) Try to narrow down the issue. Does authentication fail for everyone/all the time? Or is this an issue intermittent? Does it work locally? For certain providers only?
3) Slowly start making the new website look like the old website. Comparing web.config files, copy/pasting the old website code onto the new server etc.
4) Check or restore old service accounts, firewall settings, database values, urls etc.
If all else fails - bring everything back to a working state and start changing one thing at a time until you have a little more experience with the application.

Related

Creating projects on Google Cloud Platform for API Access via OAuth

Assume that there is an application, SPA, that uses Google OAuth2.0 to access the Google Drive API.
Reading the docs, the application flow seems familiar enough on the client-side specially with Google's JavaScript library for authentication. However, I have stumbled upon a roadblock during application registration phase.
When creating the credentials for our client application, I am redirected to fill out the form at the OAuth Consent Screen first. There, among other things it demands us to declare whether the application is in Testing or In Production phase, so it can decide whether the app will be available to everyone or to Test Users only.
Assume I create a project for our application and set it on testing at first and then change it to production once I am ready to publish (with a new set of credentials as well).
My question is this. What if development continues on the application for new features while one instance of the app is in production? During development and testing I would need to restrict the application to my Test Users alone. Since the OAuth consent screen is project specific, not credential specific, will I require multiple projects on the console for every environment in which the application is running?
As in,
Project MyAppTesting will permanently remain in testing mode and will denote our development/testing branch.
Project MyAppProduction is always in production and denotes my production branch.
Similarly for the mobile client:
A MyMobileAppDev project having credentials configured with the debug keystore hash
A MyMobileAppProd project having credentials configured with the production keystore hash.
(both sets of credentials share the same package name).
Is this the idiomatic way? I failed to find any documentation on the matter. Please advise.
What #JohnHanley stated is the best way and the best practice when deploying application/s in GCP.
You can create multiple projects and create different Oauth for each of the projects. Check out this link on service accounts.
In addition to that, there are also some pros and cons when it comes to billing.
Pros:
Users consider having multiple billing accounts with respective projects assigned for each account to be able to see their billing details separately. In this way you can monitor the billing for each of the respective projects for each account.
Cons:
Attaching all the projects to one billing account, however, the billing reports will show all of the sum of the cost for all the projects, but you can still use the filter menu to be able to see the charges for each project.

How can I invoke a desktop app from Google Cloud Platform services?

I'm building a desktop client app (win/linux/mac) with a backend hosted in GCP (I'm considering other cloud platforms too). The desktop app should be minimalistic and provide access to local machine resources to the backend. And I'm looking for a way to invoke my app from the server (when some event occurs) and then the app would do some work on a local machine. Here's what I've tried so far.
Google Cloud Pub/Sub. Seems like it does what I need, but to make it work I have to create a service account, generate JSON key and store it locally, which is not good. I can restrict the service account access permissions, of course, but still it doesn't look good to me. Maybe there are other ways to auth my app running at the end user machine? I want to keep my desktop app minimal (ideally without UI, just an "agent" console process / Windows service). Maybe I could consider a login screen to connect the app with the backend, if that solves the problem, but I don't want to overcomplicate.
Google Cloud Run + SignalR / WebSockets. This solution also looks good, but it has one significant disadvantage. As long as there's at least one open WebSocket the Cloud Run instance is considered active and therefore billed. There are other difficulties related to scalability and container instances synchronization too.
What do you think about the options above, and what are the other possibilities? Am I left with REST API and polling for updates? I'm quite new to the cloud stuff so any help is appreciated. Thanks!
If you want to be able to invoke your local app from Google Cloud, you need 2 things
The first one, to register your app on Google Cloud, with, preferably, a auth mecanism (can be an API key for example). Like this, the GCP backend know where to call you app (which IP/port) and how (the auth mechanism)
The second is to have your app up and running and listen external communication. HTTP is the easiest way. Wait a HTTP call on the IP/port defined during the registration, check the auth and perform the process.
You can store the data (location and the auth) in firestore for example, and use Cloud Run to perform the HTTP call.
You can also inverse the solution and to poll (long polling or regular poll) the backend from the local app when it is running.
The 2 approach are possible, the second one slightly easier but can be challenging to manage the security.

How do you put IIS web services into maintenance mode?

How do you put web services into maintenance mode?
I've tried the app_offline.htm, doesn't seem to work well for web services. Does work for web site though.
app_offline.htm worked fine for web sites, but not for web service. When I called an web service function via code that's supposedly under maintenance (put the app_offline.htm under the root directory of the IIS web service), I still got the proper response as usual.
Ideally I would like the web service that's under maintenance to return to me a message like "under maintenance".
You can edit your Global.asax as suggested by this answer to another question. Then trigger it by setting a flag when you are in maintenance mode
In my opinion, when a service is unavailable, you should respond with a 503 Service Unavailable status; but you can do anything you like with the response.
Create a utility function for your web services, which checks for the presence of app_offline.htm at your website's root path, and responds accordingly.
Note that if you wanted to get fancy with it, you could use a part of the WCF pipeline (assuming you're using WCF and not the legacy .ASMX services) to modify your services/methods by using an attribute (eg, this method).

how to publish and discover a java web service

I am new to developing web services using java. I have an academic project where I need to do dynamic service composition. For that I can't directly create a service-client for a particular service because if I do so then that client will call that particular service only. Client need to search various web services and then out of those services select any one at run time and also call that service at run time.
I was able to develop the web service(JAX-WS) using Eclipse(indigo), I also created the client for that web service and every thing is working fine. Now my problem is that while creating the client I am hard coding the client to call that particular web service only(since I am creating the client using the WSDL file of the service). However I actually need to call any one of the searched service, but for that I need to publish the service some where then discover it and then call it.
I tried publishing the service to juddiv3. But on juddiv3 I could only publish the sample service supplied with the juddiv3. When I try to publish service created by me then it is not getting displayed in the group of published services.
Is there any other UDDI server which I could install on my local machine and then publish and discover the service from that. Also I was not able to figure out how to create a client that will modify itself at run time to call any one service out of various searched services.
Kindly provide the necessary steps and code.
Thanks
You can use jUDDI (http://juddi.apache.org/ ).
juddi is based on UDDI v2.0, v 3.0 .
Here, you can publish as well as discover your web service.
For integration, you have to make some application which integrates with jUDDI.
But I think for your academic project, and for your purpose, jUDDI is best suitable! ( :) )
jUDDI has a boat load of examples in the source code trunk. You may want to check them out. It's difficult to guess what the problem is from the little information you've provided. Consider contacting the jUDDI team for further assistance. http://svn.apache.org/repos/asf/juddi/trunk/juddi-examples/. There's also additional document for working with UDDI in the jUDDI user's guide, which is at the jUDDI web site
You cannot directly publish on jUDDI. You need to create publisher entities in jUDDI server also. You'll find Rename4Sales and Rename4Marketing examples in 'Classes' folder in the standalone server's juddi application. Use these XMLs as your basis and create your own entity. You also need to configure the server's login credentials.
I suggest you follow the tutorials on jUDDI blog.

SharePoint web services "Unable to connect to the remote server"

I'm getting an error when attempting to call SharePoint's webservices on one of our platforms. To start, we have Development (DEV), Testing (QA) and Production (PROD) SharePoint servers. The QA and PROD servers are pretty much identical. We have an ASP.NET web service that sits out as a seperate application on each of them. Our data entry forms hit the web services to insert/update into a SQL database and in some cases make calls to some of SharePoints web services (lists, dws).
We’re having trouble calling SharePoint’s web services on PROD from our web services however, have no problems on QA(or DEV). In our web service code we have a web reference to the SharePoint web services (lists and dws). We attempt to call these web services to create list items/folders when a new entry is made through one of our forms. On QA, there is no problem creating the list items/folder. The form is filled out, calls our web services – which call the SharePoint web services and the list item/folder is created.
On PROD we get the following error when we attempt to call the SharePoint web services:
Unable to connect to the remote server
at System.Net.HttpWebRequest.GetRequestStream()
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
...
However, to make it more interesting, if I call the PROD SharePoint web services directly from my personal computer I have no problem creating the list items/folders. We only have the problem when our web service attempts to call the PROD SharePoint web services. We’ve looked through many different web.config files looking for differences on QA and PROD and are yet to come up with anything.
If anyone has any pointers, they would be greatly apppreciated. Thanks.
Update: I just attempted to refactor the above method to use the SharePoint Object Model API and I'm getting an unauthorized error. When using the Object Model API the credentials do not seemed to be passed properly, because it's attempting to use the MOSS Server credentials. Is there any way to tell it which credentials to use as you do with the web service api?
docLibList.Credentials = System.Net.CredentialCache.DefaultCredentials;
Thanks.
Sean,
I'm not sure I completely understand your calling pattern, but if you are indeed looping back to web services on the same box, you might be running into the infamous loopback issue:
https://serverfault.com/questions/32345/ie-8-authentication-denied-on-local-sharepoint-site/32485#32485
In short: executing hostname-based HTTP calls that loopback to the server from which they're issued can get blocked. If the loopback issue is in-play, you'll be able to call the web services in PROD from another box ... but not from the PROD box itself (i.e., looping back). I think this is consistent with the behavior you described above.
If Windows patch levels are different between your environments, it might explain why your code is failing in PROD but not in your other environments.
I hope this helps!
This probably is not the problem, but is your reference to the web service pointing to the production server correctly. I had a problem before when trying to access a SP service that was referenced incorrectly. The dev server I was pointing to was on a seperate domain and could not be found.
Regarding the update to your question about the unauthorized error using the object model:
Depending on the context that your code runs in you will sometimes need to elevate privileges. See this Elevation of Privilege MSDN article for details (also note the community comment at the end). There's also a Visual How-To.
Another method is to create a new SPSite object using a SPUserToken object. There is more information in this blog post by Daniel Larson. For the system account this would be done with the code:
SPSite site = new SPSite(SPContext.Current.Site.ID,
SPContext.Current.Site.SystemAccount.UserToken);
By the way, this would be better in its own question next time so that it can be correctly voted and answered.