WIF to a separate domain through AJAX

We have sites operating in two separate domains: one is a secure API, the other is a website. We want to be able to execute an AJAX request from the website to the API using the credentials of the user who is currently logged in.


To do this, I did all the necessary CORS bits to pass our cookie to the API; however, when the API tries to process the cookie, it cannot decrypt it. I understand that this is because the realm does not match.

The error that I get when I try to do this is as follows:

InvalidOperationException: ID1073: CryptographicException occurred while trying to decrypt a cookie using the ProtectedData API (see the internal exception for details). If you are using IIS 7.5, this could be because the loadUserProfile parameter in the application pool is set to false.

If I manually make the same request with a cookie from the :1444 realm, everything works correctly (so I think the loadUserProfile setting is a red herring).

I think the problem is that I cannot reuse this cookie for another realm. But if so, how can I do this delegation in JavaScript? Is it even possible without redirecting the user to the STS to receive a cookie for the other realm? Is there a better way to approach this from JavaScript?

Useful Supporting Data:

WIF configuration for our API:

  <modules runAllManagedModulesForAllRequests="true">
    <add name="WSFederationAuthenticationModule"
         type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         preCondition="managedHandler" />
    <add name="SessionAuthenticationModule"
         type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         preCondition="managedHandler" />
  </modules>

...

  <microsoft.identityModel>
    <service>
      <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <sessionTokenRequirement lifetime="1:00" />
        </add>
      </securityTokenHandlers>
      <audienceUris>
        <add value="http://localhost:1444/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1444/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
        <cookieHandler requireSsl="false" path="/" name="TheCookieMonster" persistentSessionLifetime="60" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--This claim gets mapped to the User.Identity.Name-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
          <!--Some Other Custom claims-->
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>

WIF configuration on the website side:

(Same, but with :1337)

  <modules runAllManagedModulesForAllRequests="true">
    <add name="WSFederationAuthenticationModule"
         type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         preCondition="managedHandler" />
    <add name="SessionAuthenticationModule"
         type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         preCondition="managedHandler" />
  </modules>

...

  <microsoft.identityModel>
    <service>
      <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <sessionTokenRequirement lifetime="1:00" />
        </add>
      </securityTokenHandlers>
      <audienceUris>
        <add value="http://localhost:1337/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1337/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
        <cookieHandler requireSsl="false" path="/" name="TheCookieMonster" persistentSessionLifetime="60" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--This claim gets mapped to the User.Identity.Name-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
          <!--Some Custom claims-->
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>

What the net tab looks like:


I think this request gets cancelled because JS ran into some kind of security nonsense.

  • The machine key is shared on both sites.
  • Both run WIF 3.5.
1 answer

We were able to figure this out by updating to WIF 4.5, which worked perfectly without any special modifications. I'm not too sure what the reason was in 3.5, but that fixed the problem for me. If anyone wants, I can push a working sample to GitHub.

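As an added example (not the asker's or the answerer's configuration): a WIF 4.5 web.config fragment for the :1444 API that replaces the default SessionSecurityTokenHandler, which wraps the session cookie with ProtectedData (the DPAPI call named in the ID1073 error), with MachineKeySessionSecurityTokenHandler, so the cookie is protected with the ASP.NET machineKey that the question says both sites already share. The realm, audience and cookie name are taken from the question; the machineKey values are placeholders, and the modules and issuerNameRegistry sections are omitted.

```xml
<!-- Added example for WIF 4.5 (System.IdentityModel); not the original poster's config. -->
<configuration>
  <system.web>
    <!-- Must be byte-for-byte identical on every application that should be able to
         read the session cookie. PLACEHOLDER values: generate real keys per environment. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Default handler: protects the cookie with DPAPI (ProtectedData), which is
             bound to the local machine / app-pool profile rather than to a shared key. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <!-- Replacement: protects the cookie with the machineKey above instead. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <audienceUris>
        <add value="http://localhost:1444/" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="http://localhost:1339/account/sign-in"
                    realm="http://localhost:1444/"
                    requireHttps="false" />
      <!-- The session cookie is a bearer credential: set requireSsl="true" (and
           requireHttps="true" above) anywhere other than a local dev box. -->
      <cookieHandler requireSsl="false" path="/" name="TheCookieMonster" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

Any application that cannot decrypt the cookie shows up as the same ID1073 CryptographicException, so a mismatched machineKey between the two sites is the first thing to compare when this configuration is rolled out.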

Source: https://habr.com/ru/post/1494603/
