Anyone hosting an ASP.NET Core Secured App behind a gateway? #33

Open
johnkattenhorn opened this issue Jul 5, 2016 · 9 comments

@johnkattenhorn

johnkattenhorn commented Jul 5, 2016

We have, we believe, a cookie mismatch issue; if we browse directly to the SF-hosted service we can log in to a standard ASP.NET app which is using out-of-the-box auth.

However, if we try the same process via the gateway, it goes through the motions and there are no errors logged, but the redirect to home shows that the user is not authenticated.

I'm guessing that the path may be used to generate the cookie and therefore is invalid when going through the gateway.

@weidazhao, @rmja - Have you done anything along these lines?

@weidazhao
Owner

Can you elaborate on what authentication you use? If the path is involved in generating auth cookies, you should pass PathBase + Path to generate it.

@johnkattenhorn
Author

Apologies, I should have been more explicit; we are just using the default configuration that comes with `app.UseIdentity();`.

I did some further research and came to a similar conclusion, that it would be something to do with Path or Domain on the cookie, and then I found this issue which suggests maybe this is still broken: aspnet/CORS#81

We are going to try this out anyway, as it is sort of similar to our situation, do you think?

@johnkattenhorn
Author

My current working theory is something to do with the cookie, I've tried various entries of Login Path and Cookie Domain but nothing has worked so far.

@weidazhao - Could you explain a little more about PathBase + Path? How can I set this dynamically, given that I'm used to setting these in the config of AddIdentity? Do I need to write a little piece of middleware, do you think?

@rmja

rmja commented Jul 8, 2016

I had a similar issue some time ago, because cookies were not forwarded by the http client. The resolved issue is #23. Have you updated the client code with the fix?

@johnkattenhorn
Author

johnkattenhorn commented Jul 8, 2016

@rmja - I thought you might have had it then ....

I've just checked and I have the change that was made on the commit mentioned in #23. I also just tried adding in the snippet mentioned in the post itself, although I'm guessing it's a duplicate way of doing it, but it's still not working.

It looks just like the problem described though. Can I check via Fiddler etc. if I still have this problem?

image

I see the following on the POST to Account/Login, which also has a status code of 302. Given that this is not my gateway URL (it's currently http://localhost/OpsConsole), I'm wondering if this is correct or showing signs of the problem described.

@johnkattenhorn
Author

johnkattenhorn commented Jul 9, 2016

This is going to sound dumb, but I'm having problems hitting breakpoints inside Microsoft.ServiceFabric.AspNetCore.Gateway. I've done a bunch of googling but I get the hollow red dot and the warning of no symbols. Can anyone suggest what's wrong?

I'm trying to look at the response in the middleware and I'm thinking about whether changing the path of the authentication cookie would help solve this issue.

It's the only one we have blocking us now from doing a pilot. I've been given this weekend before I'll have to abandon the hosting option and push the site into WebApp or similar.

UPDATE: I was being dumb and debugging the wrong project ....

@johnkattenhorn
Author

I've resolved this issue (sort of) by setting the CookiePath to a fixed Path like this:

```csharp
services.AddIdentity<ApplicationUser, IdentityRole>(
        config => { config.Cookies.ApplicationCookie.CookiePath = new PathString("/"); })
    .AddUserStore<UserStore<ApplicationUser, ApplicationDbContext>>()
    .AddRoleStore<RoleStore<ApplicationDbContext>>()
    .AddDefaultTokenProviders();
```

This isn't ideal really, as I think a proper fix would be to intercept the request and change the filepath somehow in the response based on the service you were redirecting to; otherwise this could be a problem.
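
Added example, not part of the thread or of the project's code: the RFC 6265 path rules a browser applies when deciding whether to send a cookie back, run against the gateway prefix `/OpsConsole` from this issue. The other routes, the cookie name and value, and the `/Internal` path are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 default-path: used when Set-Cookie carries no usable Path.
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const cut = requestPath.lastIndexOf("/");
  return cut === 0 ? "/" : requestPath.slice(0, cut);
}

// Effective cookie path for a Set-Cookie value received on requestPath.
function cookiePathFrom(setCookie, requestPath) {
  let path = null;
  for (const attr of setCookie.split(";").slice(1)) {
    const [name, ...rest] = attr.trim().split("=");
    const value = rest.join("=").trim();
    // Attribute names are case-insensitive; the last valid Path wins.
    if (name.trim().toLowerCase() === "path" && value.startsWith("/")) path = value;
  }
  return path ?? defaultPath(requestPath);
}

// RFC 6265 section 5.1.4 path-match: case-sensitive, prefix only on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Which gateway URLs would carry the cookie back on a later request?
function receivers(setCookie, setOnPath, urls) {
  const cookiePath = cookiePathFrom(setCookie, setOnPath);
  return urls.filter((u) => pathMatches(u, cookiePath));
}

// Constructed sample data: /OpsConsole is the gateway prefix from the thread,
// the other routes and the cookie name/value are hypothetical.
const LOGIN = "/OpsConsole/Account/Login";
const URLS = ["/OpsConsole/", LOGIN, "/opsconsole/", "/OpsConsoleAdmin/", "/OtherService/api"];
const CASES = {
  root: "auth=constructed; path=/; httponly",
  prefixed: "auth=constructed; path=/OpsConsole; httponly",
  backendOnly: "auth=constructed; path=/Internal; httponly",
  noPath: "auth=constructed; httponly",
};

for (const [label, header] of Object.entries(CASES)) {
  console.log(label, "->", receivers(header, LOGIN, URLS));
}
```

With `path=/` the cookie comes back on every route, including other services published on the same gateway host, while a path the gateway does not expose (`backendOnly`) matches nothing and the login appears to be lost. Capturing the `Set-Cookie` header on the 302 from the login POST and feeding it to `receivers` shows which of these cases applies.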

@weidazhao
Owner

@johnkattenhorn Sorry for slow response.

It appears that the default value of CookiePath should be set to '/' already: https://github.com/aspnet/Security/blob/6294badd972882ba707216c211095474ef8c4709/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L62

If you had to explicitly set CookiePath to '/', it looks like a bug in Microsoft.AspNetCore.Authentication.Cookies.dll to me.

@johnkattenhorn
Author

Not directly related, but we've found another issue with the ASP.NET Core Identity implementation behind the gateway. I've logged another issue here: #39
