We are using Angular for presentation, not MVC. Our security scanner is reporting that some MVC pages under Manage have security issues. We think we can route to these pages because of the call to this method:
If you share your security reports, we can help better.
Is there a way we can remove routing to the Manage pages? When we remove the line above, the site is broken. We think the routing to our Web API is also being performed by the method.
The account module is managed by IdentityServer and it is hosted by the backend application. That's why you are redirected back to the backend for account-related operations.
Console application authorization uses the non-interactive Client Credentials flow, while the others use user-related authorization flows.
You need to grant permission to the console application itself. You can use IdentityServer Management UI or IdentityServer Dataseeder.
Thank you for the steps. We’ll try to reproduce this issue.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://auth-server-v1.mydomain.com/. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://auth-server-v1.mydomain.com/'. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
You need to reach authserver using HTTP when trying to communicate internally. So, you can try using http://auth-server-v1.mydomain.com
{
  "App": {
    "SelfUrl": "https://administration-service-v1.mydomain.com",
    "CorsOrigins": "https://.mydomain.com,http://.mydomain.com"
  },
  "AuthServer": {
    "Authority": "http://auth-server-v1.mydomain.com",
    "RequireHttpsMetadata": "false",
    "SwaggerClientId": "WebGateway_Swagger",
    "SwaggerClientSecret": "1q2w3e*"
  },
  "RemoteServices": {
    "AbpIdentity": {
      "BaseUrl": "https://identity-service-v1.mydomain.com/",
      "UseCurrentAccessToken": "false"
    }
  },
  "IdentityClients": {
    "Default": {
      "GrantType": "client_credentials",
      "ClientId": "ChurchPharmacy_AdministrationService",
      "ClientSecret": "1q2w3e*",
      "Authority": "https://auth-server-v1.mydomain.com",
      "Scope": "IdentityService"
    }
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "AdministrationService": "-",
    "SaasService": "-"
  },
  "StringEncryption": {
    "DefaultPassPhrase": "3VCRVu2hISrQLlgo"
  },
  "Redis": {
    "Configuration": "localhost:6379"
  },
  "ElasticSearch": {
    "Url": "http://localhost:9200"
  },
  "Settings": {
    "Volo.Abp.LeptonTheme.Style": "Style6",
    "Volo.Abp.LeptonTheme.Style.PublicLayout": "Style5"
  }
}
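The reply above recommends reaching the auth server over plain HTTP on the internal network (with RequireHttpsMetadata set to false) to get past the RemoteCertificateNameMismatch failure, and the config posted above is what that looks like. Before such a config goes further, a reviewer wants three things checked: that an http:// Authority is actually paired with RequireHttpsMetadata=false (otherwise the discovery fetch still refuses the metadata), that AuthServer.Authority and IdentityClients.*.Authority agree on host and scheme (the posted config mixes http and https for the same issuer, so the client-credentials client will still hit the same certificate name mismatch), and that no secret or passphrase is still a template default. The following offline lint is an added example, not code from this thread or from the ABP project; the sample config is constructed and modelled on the posted one, and the list of template default secrets is an assumption.

```python
"""Offline lint for the AuthServer-related parts of an ABP-style
appsettings.json (added example, not ABP project code)."""
import json
from urllib.parse import urlparse

# Constructed sample, modelled on the appsettings posted in the thread above.
SAMPLE_APPSETTINGS = json.dumps({
    "App": {"SelfUrl": "https://administration-service-v1.mydomain.com"},
    "AuthServer": {
        "Authority": "http://auth-server-v1.mydomain.com",
        "RequireHttpsMetadata": "false",
        "SwaggerClientId": "WebGateway_Swagger",
        "SwaggerClientSecret": "1q2w3e*",
    },
    "IdentityClients": {
        "Default": {
            "GrantType": "client_credentials",
            "ClientId": "ChurchPharmacy_AdministrationService",
            "ClientSecret": "1q2w3e*",
            "Authority": "https://auth-server-v1.mydomain.com",
            "Scope": "IdentityService",
        }
    },
    "StringEncryption": {"DefaultPassPhrase": "3VCRVu2hISrQLlgo"},
})

# Assumption: values shipped by the startup templates that must be rotated
# before deployment. Extend with whatever your own templates seed.
TEMPLATE_DEFAULT_SECRETS = {"1q2w3e*", "3VCRVu2hISrQLlgo"}


def _is_true(value) -> bool:
    """ABP appsettings often store booleans as strings ("false"), so accept both forms."""
    return str(value).strip().lower() == "true"


def lint_authserver(config: dict) -> list[str]:
    """Return human-readable findings for the auth-server wiring; empty list means clean."""
    findings: list[str] = []
    auth = config.get("AuthServer", {})
    authority = auth.get("Authority", "")
    auth_url = urlparse(authority)
    require_https = _is_true(auth.get("RequireHttpsMetadata", "true"))

    if auth_url.scheme == "http":
        if require_https:
            # Plain-HTTP authority with HTTPS metadata required: discovery cannot succeed.
            findings.append(
                "AuthServer.Authority is http:// but RequireHttpsMetadata is true: "
                "the OIDC discovery fetch will reject plain-HTTP metadata")
        else:
            # The workaround from the thread; only defensible on a trusted internal network.
            findings.append(
                "AuthServer.Authority is http:// with RequireHttpsMetadata=false: "
                "acceptable only on a trusted internal network, never on a public listener")

    for name, client in config.get("IdentityClients", {}).items():
        client_authority = client.get("Authority", "")
        client_url = urlparse(client_authority)
        if client_authority and client_url.hostname != auth_url.hostname:
            findings.append(
                f"IdentityClients.{name}.Authority host {client_url.hostname!r} differs "
                f"from AuthServer.Authority host {auth_url.hostname!r}")
        elif client_authority and client_url.scheme != auth_url.scheme:
            # Same issuer reached over two different transports: a certificate problem
            # fixed on one path (e.g. by switching to http://) is still present on the other.
            findings.append(
                f"IdentityClients.{name}.Authority uses {client_url.scheme}:// while "
                f"AuthServer.Authority uses {auth_url.scheme}://: the two paths to the same "
                "issuer will not fail or succeed together")
        if client.get("ClientSecret") in TEMPLATE_DEFAULT_SECRETS:
            findings.append(f"IdentityClients.{name}.ClientSecret is a template default")

    if auth.get("SwaggerClientSecret") in TEMPLATE_DEFAULT_SECRETS:
        findings.append("AuthServer.SwaggerClientSecret is a template default")
    if config.get("StringEncryption", {}).get("DefaultPassPhrase") in TEMPLATE_DEFAULT_SECRETS:
        findings.append("StringEncryption.DefaultPassPhrase is a template default")
    return findings


def lint_appsettings_json(text: str) -> list[str]:
    """Convenience wrapper: lint a raw appsettings.json document."""
    return lint_authserver(json.loads(text))


if __name__ == "__main__":
    for finding in lint_appsettings_json(SAMPLE_APPSETTINGS):
        print("-", finding)
```

Run against the constructed sample it reports five findings: the internal-HTTP caveat, the http/https split between AuthServer.Authority and IdentityClients.Default.Authority, and the three template-default secrets. A config that keeps https:// on both authorities with RequireHttpsMetadata=true and rotated secrets comes back clean. As the next reply notes, values overridden by Kubernetes (Helm values) are what actually reach the pod, so point the lint at the rendered values, not only at the file in the repository.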
These settings are obsolete since they are getting overridden by Kubernetes. Can you check helm chart Values?
It is hard to follow the problem; let's go step by step. You couldn't load the API definition because of the wrong URL (an extra "swagger" in the URL). That is fixed. You had problems with CORS. Is this problem fixed?
Also, if you have problems with IIS, I suggest asking on StackOverflow as well to get a faster response, since it is not related to ABP.
It seems like a misconfiguration in IIS URL rewrite settings.
I know this is only partially or not directly an ABP issue, but I'm looking for information on whether we can affect the token characters in some way in ABP. I suppose we cannot change the uuid existence in the authorize call?
OK, as I have investigated, this is from a library you use for your business, and the cookie is set by that library.
As it states in the Connection management cookies section of docs.tawk.help:
The twk_idm_key cookie is a session cookie that is added only if no twk_uuid is found. It is destroyed once the page is closed.
You can try to write middleware to check this cookie and sanitize the request, but if you alter the twk_uuid cookie, it may misbehave and won't work as intended. I would suggest blacklisting the URL from Azure or contacting tawk support.
twk_uuid cookie seems to be related to a chat-related module named tawk.to.
It doesn't seem to be related to ABP template. Is this related to your business code?
You can check the eShopOnAbp k8s readme, which has information about how to create a self-signed certificate.
Also, you can find faster and better information on StackOverflow since this is out of ABP's scope.