C
C#11mo ago
Henkypenky

✅ Problems with authentication after deployments

4 Replies
MODiX
MODiX11mo ago
Henkypenky
anyone knows when after deploying we get this bug that we need to clear cookies Authorization failed. These requirements were not met: 2024-01-11T18:40:00.424560843Z: [INFO] DenyAnonymousAuthorizationRequirement: Requires an authenticated user. info: Microsoft.AspNetCore.Hosting.Diagnostics[2] 2024-01-11T18:41:14.353252516Z: [INFO] Request finished HTTP/1.1 GET https://foo/StatusCode/401 - 302 0 - 0.0881ms
Quoted by
<@246732334282440704> from #web (click here)
React with ❌ to remove this embed.
Henkypenky
HenkypenkyOP11mo ago
already implemented DataProtection with azure blob storage and azure key vault i see the keys.xml is generated fine but i still get those errors these are the auth settings for the app
Henkypenky
HenkypenkyOP11mo ago
No description
Henkypenky
HenkypenkyOP11mo ago
This change happened when we transitioned from azure app service (windows) to azure app service (linux) azure app service windows runs on IIS and it persists using If the app is hosted in IIS, keys are persisted to the HKLM registry in a special registry key that's ACLed only to the worker process account. Keys are encrypted at rest using DPAPI. so it was automatically managed we were getting this warnings: 
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[64]
2024-01-11T18:46:36.370740843Z: [INFO]        Azure Web Sites environment detected. Using '/root/ASP.NET/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-01-11T18:46:36.371748878Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-01-11T18:46:36.371778393Z: [INFO]        Storing keys in a directory '/root/ASP.NET/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning

024-01-11T18:46:36.443625603Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-01-11T18:46:36.443649528Z: [INFO]        Creating key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} with creation date 2024-01-11 18:46:36Z, activation date 2024-01-11 18:46:36Z, and expiration date 2024-04-10 18:46:36Z.
2024-01-11T18:46:36.447864210Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-01-11T18:46:36.447888716Z: [INFO]        No XML encryptor configured. Key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} may be persisted to storage in unencrypted form.
2024-01-11T18:46:36.451160460Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-01-11T18:46:36.451178844Z: [INFO]        Writing data to file '/root/ASP.NET/DataProtection-Keys/key-509ee3f5-5419-4971-b0d2-83022d3e7e4b.xml'.
2024-01-11T18:46:36.529595630Z: [INFO]  info: Microsoft.Hosting.Lifetime[14]
2024-01-11T18:46:36.529624013Z: [INFO]        Now listening on: http://[::]:8080
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[64]
2024-01-11T18:46:36.370740843Z: [INFO]        Azure Web Sites environment detected. Using '/root/ASP.NET/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-01-11T18:46:36.371748878Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-01-11T18:46:36.371778393Z: [INFO]        Storing keys in a directory '/root/ASP.NET/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning

024-01-11T18:46:36.443625603Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-01-11T18:46:36.443649528Z: [INFO]        Creating key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} with creation date 2024-01-11 18:46:36Z, activation date 2024-01-11 18:46:36Z, and expiration date 2024-04-10 18:46:36Z.
2024-01-11T18:46:36.447864210Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-01-11T18:46:36.447888716Z: [INFO]        No XML encryptor configured. Key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} may be persisted to storage in unencrypted form.
2024-01-11T18:46:36.451160460Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-01-11T18:46:36.451178844Z: [INFO]        Writing data to file '/root/ASP.NET/DataProtection-Keys/key-509ee3f5-5419-4971-b0d2-83022d3e7e4b.xml'.
2024-01-11T18:46:36.529595630Z: [INFO]  info: Microsoft.Hosting.Lifetime[14]
2024-01-11T18:46:36.529624013Z: [INFO]        Now listening on: http://[::]:8080
which were fixed by implementing DataProtection using Azure Blobs and Azure Key Vault we haven't gotten those warnings so far but we still get the 401 (302 redirections) after deployment we have to clear cookies and it works just fine the docs state: 
When hosting in a Docker container, keys should be persisted in a folder that's a Docker volume (a shared volume or a host-mounted volume that persists beyond the container's lifetime) or in an external provider, such as Azure Key Vault or Redis. An external provider is also useful in web farm scenarios if apps can't access a shared network volume (see PersistKeysToFileSystem for more information).
When hosting in a Docker container, keys should be persisted in a folder that's a Docker volume (a shared volume or a host-mounted volume that persists beyond the container's lifetime) or in an external provider, such as Azure Key Vault or Redis. An external provider is also useful in web farm scenarios if apps can't access a shared network volume (see PersistKeysToFileSystem for more information).
so we did this also: 
Persisting keys when hosting in a Docker container
When hosting in a Docker container, keys should be maintained in either:

- A folder that's a Docker volume that persists beyond the container's lifetime, such as a shared volume or a host-mounted volume.

- An external provider, such as Azure Blob Storage (shown in the ProtectKeysWithAzureKeyVault section) or Redis.
Persisting keys when hosting in a Docker container
When hosting in a Docker container, keys should be maintained in either:

- A folder that's a Docker volume that persists beyond the container's lifetime, such as a shared volume or a host-mounted volume.

- An external provider, such as Azure Blob Storage (shown in the ProtectKeysWithAzureKeyVault section) or Redis.
so we are good on this part i can see the xml being generated on the blob and no errors thrown on the wrap unwrap of the key but still the issue remains an expected behaviour i tried was to delete the keys.xml and restart the app, and this obviously generated the same problem without deployment but if it works this way, why doesn't it work after a deployment? this is another issue: 
2024-01-11T22:24:54.065085406Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065113989Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065119229Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Intercompany)
2024-01-11T22:24:54.065122145Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065124770Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065127274Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Quotes)
2024-01-11T22:24:54.065129749Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065132053Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065134397Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.ST)
2024-01-11T22:24:54.065085406Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065113989Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065119229Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Intercompany)
2024-01-11T22:24:54.065122145Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065124770Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065127274Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Quotes)
2024-01-11T22:24:54.065129749Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065132053Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065134397Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.ST)
and this 
2024-01-11T22:19:54.585226127Z [ERROR] cp: target '/etc/pki/ca-trust/source/anchors' is not a directory
2024-01-11T22:19:54.585226127Z [ERROR] cp: target '/etc/pki/ca-trust/source/anchors' is not a directory
also this: 
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3] Failed to determine the https port for redirect.
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3] Failed to determine the https port for redirect.
if anyone needs more info please tag me i'm at the end of the rope here, i have no idea what it can be one more thing, roles are managed in the app in azure so claims are in each users identity but i don't think the issue is when
Want results from more Discord servers?
Add your server