C# • 9mo ago

✅ Problems with authentication after deployments

Conversation starts here: https://discord.com/channels/143867839282020352/156079822454390784/1195075081592913950

4 Replies

MODiX • 9mo ago

Henkypenky

anyone knows when after deploying we get this bug that we need to clear cookies


                            Authorization failed. These requirements were not met:


                            2024-01-11T18:40:00.424560843Z: [INFO]        DenyAnonymousAuthorizationRequirement: Requires an authenticated user.


                            info: Microsoft.AspNetCore.Hosting.Diagnostics[2]


                            2024-01-11T18:41:14.353252516Z: [INFO]        Request finished HTTP/1.1 GET https://foo/StatusCode/401 - 302 0 - 0.0881ms

Quoted by

<@246732334282440704> from #web (click here)

React with ❌ to remove this embed.

Henkypenky • 9mo ago

already implemented DataProtection with azure blob storage and azure key vault i see the keys.xml is generated fine but i still get those errors these are the auth settings for the app

Henkypenky • 9mo ago

Henkypenky • 9mo ago

This change happened when we transitioned from azure app service (windows) to azure app service (linux) azure app service windows runs on IIS and it persists using


                              If the app is hosted in IIS, keys are persisted to the HKLM registry in a special registry key that's ACLed only to the worker process account. Keys are encrypted at rest using DPAPI.

so it was automatically managed we were getting this warnings:

info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[64]
2024-01-11T18:46:36.370740843Z: [INFO]        Azure Web Sites environment detected. Using '/root/ASP.NET/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-01-11T18:46:36.371748878Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-01-11T18:46:36.371778393Z: [INFO]        Storing keys in a directory '/root/ASP.NET/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning

024-01-11T18:46:36.443625603Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-01-11T18:46:36.443649528Z: [INFO]        Creating key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} with creation date 2024-01-11 18:46:36Z, activation date 2024-01-11 18:46:36Z, and expiration date 2024-04-10 18:46:36Z.
2024-01-11T18:46:36.447864210Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-01-11T18:46:36.447888716Z: [INFO]        No XML encryptor configured. Key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} may be persisted to storage in unencrypted form.
2024-01-11T18:46:36.451160460Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-01-11T18:46:36.451178844Z: [INFO]        Writing data to file '/root/ASP.NET/DataProtection-Keys/key-509ee3f5-5419-4971-b0d2-83022d3e7e4b.xml'.
2024-01-11T18:46:36.529595630Z: [INFO]  info: Microsoft.Hosting.Lifetime[14]
2024-01-11T18:46:36.529624013Z: [INFO]        Now listening on: http://[::]:8080

info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[64]
2024-01-11T18:46:36.370740843Z: [INFO]        Azure Web Sites environment detected. Using '/root/ASP.NET/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-01-11T18:46:36.371748878Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-01-11T18:46:36.371778393Z: [INFO]        Storing keys in a directory '/root/ASP.NET/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning

024-01-11T18:46:36.443625603Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-01-11T18:46:36.443649528Z: [INFO]        Creating key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} with creation date 2024-01-11 18:46:36Z, activation date 2024-01-11 18:46:36Z, and expiration date 2024-04-10 18:46:36Z.
2024-01-11T18:46:36.447864210Z: [INFO]  warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-01-11T18:46:36.447888716Z: [INFO]        No XML encryptor configured. Key {509ee3f5-5419-4971-b0d2-83022d3e7e4b} may be persisted to storage in unencrypted form.
2024-01-11T18:46:36.451160460Z: [INFO]  info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-01-11T18:46:36.451178844Z: [INFO]        Writing data to file '/root/ASP.NET/DataProtection-Keys/key-509ee3f5-5419-4971-b0d2-83022d3e7e4b.xml'.
2024-01-11T18:46:36.529595630Z: [INFO]  info: Microsoft.Hosting.Lifetime[14]
2024-01-11T18:46:36.529624013Z: [INFO]        Now listening on: http://[::]:8080

which were fixed by implementing DataProtection using Azure Blobs and Azure Key Vault we haven't gotten those warnings so far but we still get the 401 (302 redirections) after deployment we have to clear cookies and it works just fine the docs state:

When hosting in a Docker container, keys should be persisted in a folder that's a Docker volume (a shared volume or a host-mounted volume that persists beyond the container's lifetime) or in an external provider, such as Azure Key Vault or Redis. An external provider is also useful in web farm scenarios if apps can't access a shared network volume (see PersistKeysToFileSystem for more information).

When hosting in a Docker container, keys should be persisted in a folder that's a Docker volume (a shared volume or a host-mounted volume that persists beyond the container's lifetime) or in an external provider, such as Azure Key Vault or Redis. An external provider is also useful in web farm scenarios if apps can't access a shared network volume (see PersistKeysToFileSystem for more information).

so we did this also:

Persisting keys when hosting in a Docker container
When hosting in a Docker container, keys should be maintained in either:

- A folder that's a Docker volume that persists beyond the container's lifetime, such as a shared volume or a host-mounted volume.

- An external provider, such as Azure Blob Storage (shown in the ProtectKeysWithAzureKeyVault section) or Redis.

Persisting keys when hosting in a Docker container
When hosting in a Docker container, keys should be maintained in either:

- A folder that's a Docker volume that persists beyond the container's lifetime, such as a shared volume or a host-mounted volume.

- An external provider, such as Azure Blob Storage (shown in the ProtectKeysWithAzureKeyVault section) or Redis.

so we are good on this part i can see the xml being generated on the blob and no errors thrown on the wrap unwrap of the key but still the issue remains an expected behaviour i tried was to delete the keys.xml and restart the app, and this obviously generated the same problem without deployment but if it works this way, why doesn't it work after a deployment? this is another issue:

2024-01-11T22:24:54.065085406Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065113989Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065119229Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Intercompany)
2024-01-11T22:24:54.065122145Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065124770Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065127274Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Quotes)
2024-01-11T22:24:54.065129749Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065132053Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065134397Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.ST)

2024-01-11T22:24:54.065085406Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065113989Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065119229Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Intercompany)
2024-01-11T22:24:54.065122145Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065124770Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065127274Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.Quotes)
2024-01-11T22:24:54.065129749Z info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-01-11T22:24:54.065132053Z       Authorization failed. These requirements were not met:
2024-01-11T22:24:54.065134397Z       RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Apollo.ST)

and this

2024-01-11T22:19:54.585226127Z [ERROR] cp: target '/etc/pki/ca-trust/source/anchors' is not a directory

2024-01-11T22:19:54.585226127Z [ERROR] cp: target '/etc/pki/ca-trust/source/anchors' is not a directory

also this:

Gaming

Programming

✅ Problems with authentication after deployments