DataProtection | Additional utilities and support for working with ASP.NET | TLS library
kandi X-RAY | DataProtection Summary
Additional utilities and support for working with ASP.NET Core DataProtection. This repo is provided as an example for code that can help get ASP.NET Core data protection working in a non-Azure farm environment.
Community Discussions
Trending Discussions on DataProtection
QUESTION
I have 2 load balanced IIS servers - mirrored. Each server has multiple .NetFramework web applications. Each app is running under different pool user and the code is placed in different folders.
Now I need to migrate these apps to .NET6
I have MSSQL database with dp.Keys table. And I faced with the problem with DataProtection - all apps are using the same key. Because of this I can't use DpapiNG keys protection. I also want to have 1 key per app (app1 on 1st server and app1 on 2nd server use key1 from DB).
Here is my code:
...ANSWER
Answered 2022-Mar-10 at 07:23
Found the answer here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-6.0
Data Protection and app isolation
- When multiple apps are pointed at the same key repository, the intention is that the apps share the same master key material. Data Protection is developed with the assumption that all apps sharing a key ring can access all items in that key ring. The application unique identifier is used to isolate application specific keys derived from the key ring provided keys. It doesn't expect item level permissions, such as those provided by Azure KeyVault to be used to enforce extra isolation. Attempting item level permissions generates application errors. If you don't want to rely on the built-in application isolation, separate key store locations should be used and not shared between applications.
- The application discriminator is used to allow different apps to share the same master key material but to keep their cryptographic payloads distinct from one another. For the apps to be able to read each other's cryptographic payloads, they must have the same application discriminator.
- If an app is compromised (for example, by an RCE attack), all master key material accessible to that app must also be considered compromised, regardless of its protection-at-rest state. This implies that if two apps are pointed at the same repository, even if they use different app discriminators, a compromise of one is functionally equivalent to a compromise of both. This "functionally equivalent to a compromise of both" clause holds even if the two apps use different mechanisms for key protection at rest. Typically, this isn't an expected configuration. The protection-at-rest mechanism is intended to provide protection in the event an adversary gains read access to the repository. An adversary who gains write access to the repository (perhaps because they attained code execution permission within an app) can insert malicious keys into storage. The Data Protection system intentionally doesn't provide protection against an adversary who gains write access to the key repository.
- If apps need to remain truly isolated from one another, they should use different key repositories. This naturally falls out of the definition of "isolated". Apps are not isolated if they all have Read and Write access to each other's data stores.
I decided to use Azure blob storage (container per app) with DpapiNG protection. It works perfectly.
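The isolation rules quoted in this answer can be observed directly. The console program below is an added example, not code from the question or the answer; the directory names, application names and purpose string are constructed, and it assumes the Microsoft.AspNetCore.DataProtection.Extensions package with file-system repositories standing in for the per-app stores.

```csharp
// Added illustration; every name and path here is constructed for the demo.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

string root = Path.Combine(Path.GetTempPath(), "dp-isolation-" + Guid.NewGuid().ToString("N"));
var sharedRepo = Directory.CreateDirectory(Path.Combine(root, "shared"));
var app1Repo = Directory.CreateDirectory(Path.Combine(root, "app1"));
var app2Repo = Directory.CreateDirectory(Path.Combine(root, "app2"));

// One protector per (key repository, application discriminator) pair.
static IDataProtector Protector(DirectoryInfo repo, string appName) =>
    DataProtectionProvider.Create(repo, b => b.SetApplicationName(appName))
        .CreateProtector("demo.payloads");

// True when the reader can decrypt the payload, false when Data Protection refuses.
static bool CanRead(IDataProtector reader, string payload)
{
    try { reader.Unprotect(payload); return true; }
    catch (CryptographicException) { return false; }
}

// Case 1: one repository, different discriminators. Payloads stay distinct.
string sharedPayload = Protector(sharedRepo, "app1").Protect("app1 secret");
bool otherDiscriminator = CanRead(Protector(sharedRepo, "app2"), sharedPayload);

// Case 2: same repository, same discriminator. The master key is shared, so
// anything that can read the repository and knows the name can decrypt.
bool sameDiscriminator = CanRead(Protector(sharedRepo, "app1"), sharedPayload);
int sharedKeyFiles = sharedRepo.GetFiles("key-*.xml").Length;

// Case 3: separate repositories. The second app never sees the first app's key,
// so even an identical discriminator does not help.
string isolatedPayload = Protector(app1Repo, "app1").Protect("app1 secret");
bool separateRepos = CanRead(Protector(app2Repo, "app1"), isolatedPayload);

Console.WriteLine($"shared repo, different discriminator readable: {otherDiscriminator}");
Console.WriteLine($"shared repo, same discriminator readable:      {sameDiscriminator}");
Console.WriteLine($"key files both apps depend on in shared repo:  {sharedKeyFiles}");
Console.WriteLine($"separate repos, same discriminator readable:   {separateRepos}");

Directory.Delete(root, recursive: true);
```

Only the third case matches the isolation the question asks for: the discriminator separates payloads, while the repository boundary separates key material.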
QUESTION
I want to run my .NET MVC application into a docker image: but I'm unable to test it.
Here is my Dockerfile:
...ANSWER
Answered 2022-Mar-08 at 15:21
You don't map any ports when you run it, so you can't reach the container. Your container seems to run fine aside from that.
Try
QUESTION
I created a docker image of my OrchardCore project. I tried to run it using the following command
...ANSWER
Answered 2022-Jan-16 at 22:38
Docker options need to go before the image name. Anything after the image name becomes a command for the image. So you need to do
QUESTION
I have a problem that I don't know how to resolve. I have a microservice model (based on the Volo ABP Microservice Demo) for my project, I have an API with all the methods to retrieve data, an AuthServer that acts as the authority for all my projects, and a gateway that translates the requests.
This is how I have configured my authentication in my Gateway project:
ANSWER
Answered 2022-Jan-07 at 23:46
The problem was in the browser. It seems that Google Chrome stores the token in the Application tab even if you have the Disable cache option selected. And even if you force the page to empty the cache and force the reload, the token will remain there.
In the Application tab, you need to clean everything under the Storage section in order to fix this issue. Honestly a nightmare, I lost practically the entire day trying to come up with a solution until I realized this.
QUESTION
I have
- Forked the planetaryDocs project (a sample server resident Blazor Web App),
- Used Visual Studio 2022 to create a docker container
- Run that docker container (via Visual Studio)
and Visual Studio pops up a browser pointing at the web server and it seems to be working fine.
When I do docker image ls I see the planetarydocs image.
I want to experiment with the docker run command line. How do I do that? I stop the Visual Studio docker container and
...ANSWER
Answered 2021-Dec-31 at 05:06
From the repository you pointed, the app seems to use port 8081.
PlanetaryDocs/appsettings.json
QUESTION
I have a Blazor WASM application using Identity for authentication that was working fine on Friday. Last night I went to make changes and both the application running in Azure and running locally on my machine began presenting an exception after startup. Nothing has changed in the environment or the code base between everything working fine and now.
The app runs, redirects to the login page, the get is processed fine on the server but throws an exception on the first line of markup in the .cshtml file (assuming because it is failing to encrypt the content at that point):
An unhandled exception occurred while processing the request. CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, string additionalMessage)
AggregateException: Multiple exceptions were encountered while attempting to authenticate. (EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot) (ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.) (Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '{IDREDACTED}'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: {IDREDACTED} Correlation ID: {IDREDACTED} Timestamp: 2021-12-20 19:46:59Z'.) (Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot) (Azure CLI not installed) (PowerShell is not installed.) Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, string additionalMessage)
CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
- Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '{IDREDACTED}'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: {IDREDACTED} Correlation ID: {IDREDACTED} Timestamp: 2021-12-20 19:46:59Z'.
- Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot
- Azure CLI not installed
- PowerShell is not installed. Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, bool async, CancellationToken cancellationToken)
CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(byte[] plaintext)
I can't find anything in the related documentation and troubleshooting guides that seem to be relevant to my setup and issue. And I feel like I have to be missing something simple like an expiration or change of some credentials but I can't find anything that would appear to be the culprit, and not a single part of the codebase was changed, nor was the Azure environment touched at all by anyone from the time I know it was functional to when this began.
...ANSWER
Answered 2021-Dec-20 at 20:42
Whelp, after pulling my hair out for 2 days, I was able to resolve this by installing the Azure CLI on my machine and running the "az login" command from a PowerShell window. That's all. Hopefully this saves someone else a lot of time.
QUESTION
On Windows:
I just created app via dotnet new mvc and created Dockerfile for that:
ANSWER
Answered 2021-Dec-12 at 11:43
You need to expose port using -p
QUESTION
I'm using IdentityServer4 (v3.1.x) with the Entity Framework package to allow the configuration and operational settings to be stored in a database. I've noticed however that for -some- reason the duration of which users are logged in to IS4 is determined by the IIS Application Pool 'recycle interval' setting, which I've currently set at 30 minutes. This is different from the expected behavior, of the users' session being as long as the access_token duration / refresh_token duration allows for.
When the IIS Application Pool 'recycle interval' is set to a higher value (1740 minutes max), the problem disappears. What I expect however is for the 'session' (for the lack of a better name) to be persistent between application pools and application pool recycles.
What am I doing wrong, and what do I need to change to make it work?
Durations:
- IdentityTokenLifetime: 300s / 5m
- IdentityAccessToken: 300s / 5m
- AuthorizationCodeLifetime: 300s / 5m
ANSWER
Answered 2021-Nov-15 at 12:32
The cookies are encrypted using the Data Protection APIs in ASP.NET Core and for production it is wise to configure this properly, so the encryption key/key-ring is persisted outside your web-application.
I did blog about the data protection API here:
See also these links:
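Why an unpersisted key ring ends sessions at every recycle can be reproduced outside IIS. The program below is an added example, not code from this answer or from IdentityServer4; it assumes the recycled worker process behaves like a fresh provider instance, and the purpose string, application name and key directory are constructed.

```csharp
// Added illustration; names and paths are constructed for the demo.
// Requires the Microsoft.AspNetCore.DataProtection.Extensions package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

const string Purpose = "auth-cookie-demo";

// Protects a value with one provider instance, then tries to read it with a
// second instance that stands in for the worker process after a recycle.
static bool SurvivesRecycle(Func<IDataProtectionProvider> startApp)
{
    string cookie = startApp().CreateProtector(Purpose).Protect("user=alice");
    try
    {
        startApp().CreateProtector(Purpose).Unprotect(cookie);
        return true;
    }
    catch (CryptographicException)
    {
        // The new instance has no key matching the one that sealed the cookie.
        return false;
    }
}

var keyDir = Directory.CreateDirectory(
    Path.Combine(Path.GetTempPath(), "dp-keys-" + Guid.NewGuid().ToString("N")));

// Keys held only in process memory: each start generates a new key.
bool inMemory = SurvivesRecycle(() => new EphemeralDataProtectionProvider());

// Keys persisted outside the process: each start reloads the same key ring.
bool persisted = SurvivesRecycle(() =>
    DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("is4-demo")));

Console.WriteLine($"in-memory keys, cookie valid after recycle: {inMemory}");
Console.WriteLine($"persisted keys, cookie valid after recycle: {persisted}");

Directory.Delete(keyDir.FullName, recursive: true);
```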
QUESTION
I have a very large log file (more than 2GB) and would like to remove all debug logs if they contain 'EntityFramework'.
...ANSWER
Answered 2021-Oct-15 at 09:56
The current error is due to the comma after the b label, there must be a semi-colon. Also, you should include /.*EntityFramework.*/d (or better, /EntityFramework/d) into the command block so that it is executed only inside it:
QUESTION
We are getting warnings in our production logs for .Net Core Web API services that are running in Kubernetes.
Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","@l":"Warning","path":"/root/.aspnet/DataProtection-Keys",SourceContext:"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository"
We do not explicitly call services.AddDataProtection() in StartUp, but it seems that we are getting the warnings for services that are using .Net Core 3.1 and .Net 5 (not for .Net Core 2.1), that also have in StartUp
...ANSWER
Answered 2021-Oct-10 at 08:00
After analysis of how our applications are using protected data (authentication cookies, CSRF tokens etc.), our team decided that "Protected data will be unavailable when container is destroyed." is just a warning and would have no customer impact, so we ignore it.
But YMMV.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported