When we deploy identity server to azure app service the login page logs an exception about missing assets:
I cannot find any information on how to include those assets to identity server deployment package. Gulpfile-scripts does not seem to copy anything to identity server side. So is there a desingned way to make sure the assets are copied to the Identity Server deployment package.
We have an issue with NgxValidateCoreModule that emerges after it is imported to a module that has a component in which we have the following: The component is a view that has KendoTreeList in which we use kendoTreeListCellTemplate to be able to render our own custom FormControl of choice to its table cells. Kendo rows/cells have “edit mode” which means Kendo renders the form control with the form group when an editable cell or whole row is clicked. There is kendoTreeListEditTemplate for the edit mode content, but in our case, we have a custom form control that has two functionalities in one so we need to use kendoTreeListCellTemplate. This means that the content (form control) is there 100% of the time, not only in the cell’s edit mode like things are with kendo’s own editable cells. The edit mode means that when the user clicks a cell in the tree list table, it transforms to a form control with a form group. So, with the cell template with our custom form control being rendered there straight away when initing the KendoTreeList and it’s there without any surrounding form group. The control is given to it in the template definition via [formControl] directive from the the collection of form groups that represent the tree list table rows (e.g. this.formGroups[rowIndex].controls[col.field]). When we import the NgxValidateCoreModule, the following error is given <customCellTemplateWithOurFormControlCount> times:
core.mjs:6461 ERROR NullInjectorError: R3InjectorError(ConsumptionForecastModule)[ValidationGroupDirective -> ValidationGroupDirective -> ValidationGroupDirective -> ValidationGroupDirective -> ValidationGroupDirective]:
NullInjectorError: No provider for ValidationGroupDirective!
at NullInjector.get (core.mjs:11095:1)
at R3Injector.get (core.mjs:11262:1)
at R3Injector.get (core.mjs:11262:1)
at R3Injector.get (core.mjs:11262:1)
at NgModuleRef.get (core.mjs:21807:1)
at R3Injector.get (core.mjs:11262:1)
at NgModuleRef.get (core.mjs:21807:1)
at R3Injector.get (core.mjs:11262:1)
at NgModuleRef.get (core.mjs:21807:1)
at Object.get (core.mjs:21484:1)
defaultErrorLogger @ core.mjs:6461
handleError @ core.mjs:6508
(anonymous) @ core.mjs:26428
invoke @ zone.js:372
run @ zone.js:134
runOutsideAngular @ core.mjs:25356
tick @ core.mjs:26428
(anonymous) @ core.mjs:26273
invoke @ zone.js:372
onInvoke @ core.mjs:25457
invoke @ zone.js:371
run @ zone.js:134
run @ core.mjs:25311
next @ core.mjs:26272
__tryOrUnsub @ Subscriber.js:183
next @ Subscriber.js:122
_next @ Subscriber.js:72
next @ Subscriber.js:49
next @ Subject.js:39
emit @ core.mjs:22402
checkStable @ core.mjs:25379
onLeave @ core.mjs:25507
onInvokeTask @ core.mjs:25451
invokeTask @ zone.js:405
runTask @ zone.js:178
invokeTask @ zone.js:487
invokeTask @ zone.js:1648
globalCallback @ zone.js:1679
globalZoneAwareCallback @ zone.js:1712
So the questions are:
I found out that we have this kind of configuration
var redis = ConnectionMultiplexer.Connect(configuration["Redis:Configuration"]); var dataProtectionBuilder = context.Services.AddDataProtection().SetApplicationName("ABC"); dataProtectionBuilder.PersistKeysToStackExchangeRedis(redis, "ABC-Protection-Keys");
I can see two different options to discriminate the data between the deployment stages: either define the stage in application name or Redis key name ( ABC-Protection-Keys). The question is which should we use and should we set different application names for the identity server and the web application?
How should the Redis cache be configured between different instances of the application? We have planned to use four deployment stages (UAT, QA, Canary Production and Production). Can we share the Redis cache server between some of the stages or will there be a problem of data mixing between the stages?
Actually, I have now tested this and at least the redirect URL configuration gets mixed up between the stages. Is there a way to define instance-specific key through configuration so the values won't mix up in the cache?
Ahh, I missed that it was related to tawk to integration which we have used in our application. Thank you for your answer!
Hello, we are deploying our project build on top of ABP to Azure. After the deployment, we found that some of the requests are blocked by the OWASP scanner in the Azure Application Gateway Firewall. The first block comes from the authentication call:
requestUri_s /connect/authorize?response_type=code\u0026client_id=OUR_APP_App\u0026state=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026redirect_uri=https%3A%2F%2FOUR_APP-qa.lw.app\u0026scope=offline_access%20openid%20profile%20role%20email%20phone%20OUR_APP\u0026code_challenge=JG1J3rF5kFDd-kQNWu5Bi7ji-zOCKWuJ4b_zK0yADjA\u0026code_challenge_method=S256\u0026nonce=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026culture=en\u0026ui-culture=en
Message Detects basic SQL authentication bypass attempts 3/3
ruleSetVersion_s 3.2
ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI
details_message_s
Pattern match (?i:(?:["'](?:\\s*?(?:is\\s*?(?:[\\d.]+\\s*?\\W.*?[\"']|\d.+["']?\\w)|\\d\\s*?(?:--|#))|(?:\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+|\\|?[\\w-]{3,}[^\\w\\s.,]+)[\"']|[\%\u0026\u003c\u003e^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\\u0026\\u0026)\s+[\s\w+]+(?:sounds\s+like\s*?["'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select)) at REQUEST_COOKIES.
details_data_s Matched Data: "uuid":" found within REQUEST_COOKIES:twk_uuid_6272619db0d10b6f3e709056: %7B%22uuid%22%3A%221.DECWNFunxcnpgYWrV82YSGHozzios3WMXMuV6utignc1kwKN9BEe3TVjnjGCKBM2TCtxVLGqUFfGNaX8VCZSQkz0Wb2xdIjkmk7pyyl343KA437h7YKdoYt6PKa2VEcY8hVOatTY%22%2C%22version%22%3A3%2C%22domain%22%3A%22lw.app%22%2C%22ts%22%3A1653031469585%7D
details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf
If we disable that rule, we encounter a couple of similar blocks where the pattern matching founds illegal characters in the request cookies: requestUri_s /api/app/***
Message SQL Comment Sequence Detected.
ruleSetVersion_s 3.2
ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI
details_message_s Pattern match (?:/\!?|\/|[';]--|--[\s\r\n\v\f]|--[^-]?-|[^\u0026-]#.?[\s\r\n\v\f]|;?\x00) at REQUEST_COOKIES.
details_data_s Matched Data: --F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke- found within REQUEST_COOKIES:XSRF-TOKEN: CfDJ8G_9tIpyArtNlo7jZliI7olinWNezAaJOZPmYgGvad_rNtd1Ia9uNi0eqRUNAs7--F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke-p2fz-iSA0WigEIeo13N67-TJ3LYX3rphCGyhx_zKSQ
details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf
I know this is only partially or not directly an ABP issue, but I'm looking for information if we can affect the token characters in some way in ABP. I suppose we cannot change the uuid- existence in the authorize call?
Hello, we are planning to use Azure AD as a third-party authentication provider. We have this enabled and working already. I just want to clarify for myself how to prevent users from logging into other tenants' environments. If the user manages to guess another tenant's name on the logging screen, how is it prevented that the user is not able to log in? Where the check should be that this user can only log into a certain tenant environment?
Any ideas for this?