Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Login failing after upgrading from 3.3.1 to 5.1.2 #4355

Open
Dnawrkshp opened this issue Jun 25, 2024 · 7 comments
Open

[BUG] Login failing after upgrading from 3.3.1 to 5.1.2 #4355

Dnawrkshp opened this issue Jun 25, 2024 · 7 comments

Comments

@Dnawrkshp
Copy link

Oqtane Info

Version - 5.1.2
Render Mode - Interactive
Interactivity - Server
Database - SQL Server

Describe the bug

After upgrading our server from Oqtane 3.3.1 to the latest 5.1.2, our site rejects all login attempts. Running the project locally everything works perfectly. We are using IIS. I can confirm that the database connection is functioning and that there are no errors in the stdout log. I can also confirm that the host account I am logging in as has both the Host Users and Registered Users roles.

I installed the ASPNET Core 8.0.5 hosting bundle. Is it possible that there are additional dependencies that are missing?

Any help is much appreciated!

Log:

[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/User/login?setcookie=False&persistent=False - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user. 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/User/login?setcookie=False&persistent=False - 403 - - 14.2463ms 
[2024-06-25 18:02:31+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/Log - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Administrators) 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/Log - 403 - - 14.6482ms 
[2024-06-25 18:02:31+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/Log - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Administrators) 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/Log - 403 - - 18.6608ms 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:34+00:00] [Information] Executed endpoint 'Microsoft.AspNetCore.Routing.RouteEndpoint' 
[2024-06-25 18:02:34+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/_blazor?id=jlNpvOGwi5ZjyZnqBjWPHQ - 101 - - 9706.4012ms 

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\Oqtane.Server.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" hostingModel="inprocess">
        <environmentVariables>
            <environmentVariable name="ASPNETCORE_DETAILEDERRORS" value="true" />
        </environmentVariables>
      </aspNetCore>
    </system.webServer>
  </location>
</configuration>
@sbwalker
Copy link
Member

@Dnawrkshp are you saying that after the upgrade to 5.1.2 you can navigate the site as a visitor (unauthenticated user) and view pages/content.... and it is only once you try to login that you run into problems?

@Dnawrkshp
Copy link
Author

@sbwalker Thanks for replying! Not quite.. attempting to navigate the site unauthenticated will redirect me to the login page where after attempting to log in as the host user I receive a Error Performing Login response.

@Dnawrkshp
Copy link
Author

Dnawrkshp commented Jun 25, 2024

I was able to resolve this by changing the following in Oqtane.Server/Startup.cs:

  services.Configure<ForwardedHeadersOptions>(options =>
  {
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+   options.KnownNetworks.Clear();
+   options.KnownProxies.Clear();
  });

The issue was related to running the server behind a reverse proxy. This discussion helped me find the above solution: dotnet/aspnetcore#54057

@sbwalker
Copy link
Member

sbwalker commented Jun 26, 2024

@Dnawrkshp the ForwardedHeaders configuration was added on Jan 13, 2022 as part of PR #1936 which I believe was added as a result of issue #1843. This logic was included in release 3.0.2 - and it has not caused any issues for the past 2.5 years.

You mentioned that you were upgrading from 3.3.1 to 5.1.2 - so this means that the ForwardedHeaders configuration already existed in the 3.3.1 release you were running. Is there something else which changed in your environment as part of migrating to 5.1.2 ie. did you move to a different server with a different network configuration? I am trying to understand why you experienced this issue. And I am also trying to understand if it makes sense to include the additional configuration to the default Startup.cs ie. will it impact any other users in a negative way.

@Dnawrkshp
Copy link
Author

@sbwalker Apologies, I've been catching up on tasks this week.

The server didn't change. I installed 5.1.2 into a fresh folder so I suppose there might be some configuration in the old installation that I didn't know to move over. A different person was tasked with setting up 3.3.1. I made sure to copy any missing appsettings/web.config data into the new install. If there are configuration files that I missed I could take another look.

I'll spend time this weekend trying to identify why that fix worked.
Thank you for being so responsive!

@Dnawrkshp
Copy link
Author

After digging a little more into I still can't figure out why the old install worked.

I did learn more about the fix I posted above. It is a potential security issue because the server will now accept any forwarded requests from any external source. By default it is configured to only accept from 127.0.0.1. The correct solution is to add the IP/range of the proxy like so..

// ip
options.KnownProxies.Add(IPAddress.Parse("192.168.1.5"));
// or ip range
options.KnownNetworks.Add(IPNetwork.Parse("192.168.1.0/24"));

I think ideally we'd be able to configure the IP/range of our proxy inside the appsettings and then Oqtane would read and configure them accordingly on startup.

I could make a PR if that works for you.

@sbwalker
Copy link
Member

Making a note that the ForwardedForHeaderName property also often needs to be set in a reverse proxy scenario or else you will always get the IP of the proxy server - not the actual client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants