✅ Problems with authentication after deployments
Conversation starts here:
https://discord.com/channels/143867839282020352/156079822454390784/1195075081592913950
Henkypenky
does anyone know about this bug where, after deploying, we need to clear cookies?
Authorization failed. These requirements were not met:
2024-01-11T18:40:00.424560843Z: [INFO] DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
2024-01-11T18:41:14.353252516Z: [INFO] Request finished HTTP/1.1 GET https://foo/StatusCode/401 - 302 0 - 0.0881ms
already implemented DataProtection with azure blob storage and azure key vault
i see the keys.xml is generated fine
but i still get those errors
these are the auth settings for the app
This change happened when we transitioned from Azure App Service (Windows) to Azure App Service (Linux)
Azure App Service on Windows runs on IIS
and it persists using
which were fixed by implementing DataProtection using Azure Blobs and Azure Key Vault
we haven't gotten those warnings so far
but we still get the 401 (302 redirections)
after deployment
we have to clear cookies and it works just fine
the docs state:
If the app is hosted in IIS, keys are persisted to the HKLM registry in a special registry key that's ACLed only to the worker process account. Keys are encrypted at rest using DPAPI.
so it was automatically managed
we were getting these warnings:
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[64]
2024-01-11T18:46:36.370740843Z: [INFO] Azure Web Sites environment detected. Using '/root/ASP.NET/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-01-11T18:46:36.371748878Z: [INFO] warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-01-11T18:46:36.371778393Z: [INFO] Storing keys in a directory '/root/ASP.NET/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning
024-01-11T18:46:36.443625603Z: [INFO] info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-01-11T18:46:36.443649528Z: [INFO] Creating key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} with creation date 2024-01-11 18:46:36Z, activation date 2024-01-11 18:46:36Z, and expiration date 2024-04-10 18:46:36Z.
2024-01-11T18:46:36.447864210Z: [INFO] warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-01-11T18:46:36.447888716Z: [INFO] No XML encryptor configured. Key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} may be persisted to storage in unencrypted form.
2024-01-11T18:46:36.451160460Z: [INFO] info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-01-11T18:46:36.451178844Z: [INFO] Writing data to file '/root/ASP.NET/DataProtection-Keys/key-509ee3f5-5419-4971-b0d2-83022d3e7e4b.xml'.
2024-01-11T18:46:36.529595630Z: [INFO] info: Microsoft.Hosting.Lifetime[14]
2024-01-11T18:46:36.529624013Z: [INFO] Now listening on: http://[::]:8080
When hosting in a Docker container, keys should be persisted in a folder that's a Docker volume (a shared volume or a host-mounted volume that persists beyond the container's lifetime) or in an external provider, such as Azure Key Vault or Redis. An external provider is also useful in web farm scenarios if apps can't access a shared network volume (see PersistKeysToFileSystem for more information).
Persisting keys when hosting in a Docker container
When hosting in a Docker container, keys should be maintained in either:
- A folder that's a Docker volume that persists beyond the container's lifetime, such as a shared volume or a host-mounted volume.
- An external provider, such as Azure Blob Storage (shown in the ProtectKeysWithAzureKeyVault section) or Redis.
2024-01-11T22:24:54.065085406Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065113989Z Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065119229Z RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Intercompany)
2024-01-11T22:24:54.065122145Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065124770Z Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065127274Z RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Quotes)
2024-01-11T22:24:54.065129749Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065132053Z Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065134397Z RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.ST)
2024-01-11T22:19:54.585226127Z [ERROR] cp: target '/etc/pki/ca-trust/source/anchors' is not a directory