I have a web api application that works good on the local network ( intranet), and it works on the internet also as long as the calls with no authorization header.
All calls with Authorization header gives the following error:
403 Forbidden ( The server denied the specified Uniform Resource
Locator (URL). Contact the server administrator.
What I tried so far
I added the package
Install-Package Microsoft,.AspNet.WebApi.Cors
When I add Authorization : Bearer The Token , the method returns 403
How to solve this
Based on the details you provides, It is clear that you have a firewall preventing this type of requests.
For example the Forefront TMG method to the published web server:
No delegation, and the client cannot authenticate directly
No delegation, but client may authenticate directly
You should use the second option and you will be Good
Hope this will help you
Related
We have a webApi running under Asp.Net with Owin (.Net Framework 4.6).
Several native frontend clients (iOs, android etc.) are using that api.
That API currently uses Microsoft Login with bearer token and cookie authentication. This works, and the access token is returned directly to the webView in the client with the redirected requests and we are able to access our API with the Bearer token and another authentication cookie.
We have now the task to implement authentication with a LinkedIn auth provider in that API. For clearification: we need an OWIN implementation (no AspNet.Core).
We are able to get the access token from LinkedIn within the webAPI using this LinkedIn auth provider. So we see the token in our User.Identity.Claims. We are also able to return it to the client again. Yes, this is maybe no good idea, but it seems to be not possible to get the token directly in the browser/webView because the response_type=code is mandatory for linkedIn authentication. With response_type=token this works for the microsoft authentication.
Anyway at the end the webview is redirected to following url though we already have retrieved the access_token:
http://10.0.2.2:8108/signin-linkedin?error=unsupported_response_type
Please just ignore that we do not use https for now. The host is only for testing, but the important part is the appended error.
Why do we get this error? Who calls this request and why do we have that error though we have the token already?
Another information is, that the access token we have now in the client cannot be used for authentication against the webAPI. So we get back a 401 Unauthorized.
Maybe I should mention explicitly that we use also cookie authentication in the api, which seems to work as we receive the cookie in the webView and we are able to call methods that are protected with cookie authentication only in the correct user context.
Any help is highly appreciated!
The unsupported_response_type error is gone after using HTTPS.
I have an on-premise hosted WCF service with REST endpoint which is configured for Anonymous authentication only in IIS. I installed and configured Azure App proxy connector on the server. I am able to contact the service fine with Pass-through authentication, but struggling to authenticate from a console app when Azure AD is chosen as security mechanism. I know I could have pass-through in Azure and turn on for example windows authentication in IIS, but this is unfortunately not an option in this case.
Using a browser, I am able to access the application fine, don't even need to enter credentials, our on-premise AD is connected and synchronized with Azure AD.
I followed this walk-through despite it is not regarding application proxy, and reusing parts of code I am able to get the Access Token for my application, but when I run the http request with Authorization header I don't get the result of service operation.
Using Fiddler I can note the following:
I get http 302 (Found). I can see my Authorization header in request, and in response I get a cookie AzureAppProxyAnalyticCookie
That is followed with http 200 to login.microsoftonline.com
Example I provided link for above works fine so it is clear that I am doing something wrong. Why is Authorization header not accepted and why am I being redirected to logon page?
Thanks in advance
This is working for another service, have no idea what was wrong with the first one, but suspecting something with DNS on local server. Won't be spending more time on this, point is that I shouldn't have experienced the redirect at all, although browser handled it and managed to get me authenticated.
I have been looking at using Open ID Connect as a third party authentication provider for a Web API application. The flow is as follows:
Users log in through UIWebView with iPhone application to the provider URL from https://daehwa.azurewebsites.net/api/Account/ExternalLogins?returnUrl=%2F&generateState=true
This redirects to my third party site which supports Open ID Connect authentication.
User logs in through this site and redirects back to my site with a token in the fragment of the URL in the form of #id_token=xxxxx
Looking at the following SO article: asp.net web api 2: how to login with external authentication services?
I then should be able to call /api/Account/UserInfo however this always returns 401 Unauthorized. Setting the Authorization: Bearer token doesn't seem to help either and always return unauthorized even when trying to call /api/Account/RegisterExternal.
Just to give you some more information about what I am trying to do I would like to either create an account or at least make subsequent OAuth calls to retrieve their email address and their display name ideally avoiding requesting this information from the user again. However for now I just want the authentication to actually work!
I would really appreciate any help anyone can provide. I'm new to third party auth and I feel as though I am missing something key. I think that my return url is the issue and my server needs to process this token and issue me with another one but not too sure.
Thanks,
Gerard
Iam a beginer in c# .currently iam working on a api in which the request AND response are working properly(Visual studio)
But when it was published in the same pc's iis(iis 7) one error is getting AS " the request failed with http status 403 forbidden"
.Api uses ssl certificate also.
Whats wrong? Any help would be appreciated.
It depends on what user is being used for the service and whether that user is being allowed authentication. You left out a lot details out about your IIS configuration. Out of the box, IIS rarely serves ASPX without some adjustments.
There's a load of stuff to cover, so I'll try to keep it structured, as all good programmers should.. bear with me.
My Environment
.NET 3.5 SP1 Smart Client
Uses WCF+SOAP over HTTP to communicate to server for business logic / data access
Typically uses a custom (username+password) or Windows authentication scheme
Current work aims to extend to include a new Claims-based authentication scheme to facilitate SSO with ADFS
So far...
Main service endpoints using ws2007FederationHttpBinding bindings, configuration set up with Message security via trust/13/issuedtokenmixedsymmetricbasic256 ADFS 2.0 endpoint
Issuer endpoint configured with IssuedTokenOverTransport to HTTPS trust/13/usernamemixed ADFS 2.0 endpoint
Service has federateServiceHostConfiguration service behaviour specified
Created temporary certificate authority (CA) cert
Created temporary certificate signed by CA
Installed certificate (including private key) and made available to IIS app pool process account
Updated service WCF config to use X509 certificate
Client modified with new app’s own Client scheme/mode, programmatically sets up channel factory to ignore errors caused by temporary certificate and disables certificate revocation checks
Username/password credentials are successfully added (via standard WCF ClientCredentials object) to SOAP envelope of token requests
Token is successfully generated by usernamemixed endpoint and is returned to the client
My problem
Immediately following the token being issued, the subsequent call to issuedtokenmixedsymmetricbasic256 endpoint fails with generic error message that the security of the message could not be validated. Inspection of the SOAP envelope result gives no information at all beyond a simple ‘failed’ result enumeration value
Full tracing has been enabled on ADFS 2.0 server, but no events are logged at all in Event Log or event traces to further diagnose
Unable to configure to work in a federated manner thus far; token is successfully issues over usernamemixed endpoint in the ‘test’ environment (the internal ADFS server rather than a remote one). Use of the ‘live’ environment gives a simple unexplained 401 HTTP status code whether using usernamemixed with confirmed and valid credentials, or windowsmixed, when trying to obtain a token
Generally: Resources from Microsoft or other sources are either very scarce, very specific to one situation, and in a couple of cases, completely wrong or misleading
So ask a question already, doofus
Why does the call the issuedtokenmixedsymmetricbasic256 that WCF makes after getting the token fail? How can I diagnose the result? Other than what I've already done - enabling all trace flags in the service host config, checking the event log and event tracing data, what can I do?
Note, if you're about to suggest a link to a screencast/guide/blog/seemingly all-encompassing MSDN article, please stop. I believe I have found them all, tried them all, and what I need at this point - if you can help me please - is an answer to the above question. Not a general resource.