All geek questions in one place

OWIN: call webapi 401 unauthorized error in Azure

I created two applications for the first interface (created using AngularJs and Asp.Net MVC), and for the backend I used the Api web application.

I am trying to protect my application with forms authentication on the front of End and implemented authentication of the main forms at the end.

When I tested locally in IIS, it works fine. But when I hosted my application in Azure, an API call with an authentication attribute returns with an unauthorized 401 error.

Answer Header:

Access-Control-Allow-Origin:* Cache-Control:no-cache Content-Length:0 Date:Wed, 05 Oct 2016 11:08:30 GMT Expires:-1 Pragma:no-cache Server:Microsoft-IIS/8.0 Set-Cookie:ARRAffinity=925cd503f9e5771e9ad651c59baa4a1f678d93cac8b9da4dc9bcb64892ac8710;Path=/;Domain=FrontEnd.azurewebsites.net WWW-Authenticate:Basic realm="Backend.azurewebsites.net" X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET

Request header;

 Accept:application/json, text/plain, */* Accept-Encoding:gzip, deflate, sdch, br Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Connection:keep-alive Host:backend.azurewebsites.net Origin:http://FrontEnd.azurewebsites.net Pragma:no-cache Referer:http://FrontEnd.azurewebsites.net/ Token:null User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

But locally along with the request header

  Authorization: Basic dmlzaG53guFua2FyLnNha3Roadh4bEBnbWFpbC5jb206MTIzMTIz Cookie: __RequestVerificationToken_L3Nfg4dwc3Bh0=YGwlXkckjhg6xTESkI-lN9sNtDVsfefshsrvGWPKekmv_GLZ0Rq8eA5P8Z7sdf4trwbPX4WymcGJJrLamQLMe2Vf2D2fVUg4qJptOvcsCWg1; ASP.NET_SessionId=gk4s1rlsfg5gfeafo3455dkr; .ASPXAUTH=C8113FD23FC4902dsfrsdf5FB3399BA121703F41F9A57AEA50667F2AD4FC02F3D3955215A91F6A3A2EA4287202522380435A93D8BE78D45E6D24FB7E05F64653AE06E0026DEB2911343591563F70EE8EE76338F07CBABE6EA4B95359F3C31sdf9C999sdf2864849gfdB916A06gfds29E3C8D01D2371807E98335000D4D14B391CCE3zxcd49DB77696F4BB77E4434

transmitted

The authorization parameter and cookie are not added to the request from the azure frontEND application with forms authentication.

I reviewed the authentication / authorization configuration of my backend application in the azure mode that it installs. Any body knows what the problem is or what I need to configure on the azure portal. Thanks in advance.

+5
source share
2 answers

This problem is related to cors. You can solve this by adding to your request

  $http({ .... headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, withCredentials: true, })

WEB.Config web API

  <system.webServer> <validation validateIntegratedModeConfiguration="false" /> <handlers> <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" /> <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" /> <remove name="ExtensionlessUrlHandler-Integrated-4.0" /> <remove name="OPTIONSVerbHandler" /> <remove name="TRACEVerbHandler" /> <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" /> <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" /> <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" /> </handlers> <httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="**FrontEnd URL**" /> <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept, Cache-Control" /> <add name="Access-Control-Allow-Credentials" value="true" /> <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" /> </customHeaders> </httpProtocol> </system.webServer>

you also reference this url: https://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

+2
source

This is probably because they are no longer hosted on the same computer (depending on your Azure setup). I had a similar problem with machineKey myself.

Follow the instructions in the following URL to match the settings between the applications, and you should be fine:

https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx

EDIT: with Access-Control-Allow-Origin:* in the response header, this is probably not a normal CORS problem, although machineKey and CORS problems are often combined. If machineKey does not work, check how you handle CORS pre-checks. See my answer here .

+2
source

Source: https://habr.com/ru/post/1257730/

More articles:


All Articles