Re: [dotnetopenauth] Requires HTTPS

Andrew Arnott

unread,

Aug 2, 2012, 8:19:28 PM8/2/12

to dotnet...@googlegroups.com

Yes, this has come up recently. And the answer was that the <sectionGroups> in the web.config were incorrect. You should check yours. They should look something like this:

</sectionGroup>

</sectionGroup>

</configSections>

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Aug 2, 2012 at 2:14 PM, Brian Wright <brian.n...@gmail.com> wrote:

This is similar to a very recent question, but different enough I have posted it separately.

I am trying to get a basic DNOA Client Credentials Scenario working. Taking a major chunk from the article at (but changing it to work with the latest DNOA):

http://zamd.net/2012/05/04/claim-based-security-for-asp-net-web-apis-using-dotnetopenauth/

This is what I have:

Controller
--------

public class OAuthTokenController : Controller
{
//
// GET: /OAuthToken/

public ActionResult Index()
{
var authorizationServer = new AuthorizationServer(
new OAuth2Issuer(
new X509Certificate2(Server.MapPath("~/Infrastructure/OAuth/localhost.pfx"), "a"),
new X509Certificate2(Server.MapPath("~/Infrastructure/OAuth/localhost.cer")),
null
)
);

OutgoingWebResponse resp = authorizationServer.HandleTokenRequest(Request);
var response = MessagingUtilities.AsActionResult(resp);

return response;
}

}

Web.config
--------------
<dotNetOpenAuth>
<openid>
<relyingParty>
<security requireSsl="false">
</security>
<behaviors>
<add type="DotNetOpenAuth.OpenId.RelyingParty.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
</behaviors>
</relyingParty>
</openid>
<messaging relaxSslRequirements="true">
<untrustedWebRequest>
<whitelistHosts>
<add name="localhost" />
</whitelistHosts>
</untrustedWebRequest>
</messaging>
<reporting enabled="true" />
</dotNetOpenAuth>

Client Code (Console app)
---------------

private static IAuthorizationState GetAccessToken()
{
var authorizationServer = new AuthorizationServerDescription
{
TokenEndpoint = new Uri("http://localhost:20932/OAuthToken"),
ProtocolVersion = ProtocolVersion.V20
};
var client = new WebServerClient(authorizationServer, "zamd", "test1243");

var state = client.GetClientAccessToken(new[] { "http://localhost/" });
return state;
}

The Problem
-----------
Whenever I call the GetClientAccessToken method, I get a ProtocolException with the message "This message can only be sent over HTTPS."

I have logging enabled using log4net on the webside, but nothing is logged when the client code makes this call (it does log if I hit it directly with a browser so I assume it is logging correctly)

How can I make it not require HTTPS?

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/gfOE5JCoF74J.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.

Brian Wright

unread,

Aug 3, 2012, 11:55:33 AM8/3/12

to dotnet...@googlegroups.com

Thanks so much for your help. Unfortunately, it still gives me the same error. Again, my logging shows nothing even though I believe it is hooked up right.

Is there nothing that I need to configure on the client side other than what I have shown in my code?

So the entire contents of my web.config on the server side are below:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=4.3.1.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

</security>
<behaviors>

<log4net>
<appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
<file value="RelyingParty.log" />
<appendToFile value="true" />
<rollingStyle value="Size" />
<maxSizeRollBackups value="10" />
<maximumFileSize value="100KB" />
<staticLogFileName value="true" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date (GMT%date{%z}) [%thread] %-5level %logger - %message%newline" />
</layout>
</appender>

<root>
<level value="INFO" />
<appender-ref ref="RollingFileAppender" />
</root>

<logger name="DotNetOpenAuth">
<level value="ALL" />
</logger>
</log4net>
</configuration>

On Thursday, August 2, 2012 7:19:28 PM UTC-5, Andrew Arnott wrote:
> Yes, this has come up recently. And the answer was that the <sectionGroups> in the web.config were incorrect. You should check yours. They should look something like this:
>
> <configSections>
>
>
> <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false"/>
>
>
> <sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth.Core">
> <section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" />
>
>
> <section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth.OAuth" requirePermission="false" allowLocation="true" />
>
>
> <sectionGroup name="oauth2" type="DotNetOpenAuth.Configuration.OAuth2SectionGroup, DotNetOpenAuth.OAuth2">
> <section name="authorizationServer" type="DotNetOpenAuth.Configuration.OAuth2AuthorizationServerSection, DotNetOpenAuth.OAuth2.AuthorizationServer" requirePermission="false" allowLocation="true" />
>
>
> </sectionGroup>
> <section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" />
>
>
> <section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" />
>
>
> </sectionGroup>
> </configSections>
>
> --
> Andrew Arnott
>
>
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
>
>
>
>

Steven Livingstone Pérez

unread,

Aug 3, 2012, 12:12:16 PM8/3/12

to dotnet...@googlegroups.com

I recently extended the same example to get things working using the ROCP Grant (that example is actually an example of Client Credentials grant per my post on the blog).

Is the error you are still getting an issue with HTTPS?

Is so, make sure you relax SSL on both the Issuer website and the API website. This is ALL i have done to fix that particular issue.

There is nothing else i had to do at the client (other than call the correct endpoints).

/steven

http://livz.org

> Date: Fri, 3 Aug 2012 08:55:33 -0700
> From: brian.n...@gmail.com
> To: dotnet...@googlegroups.com
> Subject: Re: [dotnetopenauth] Requires HTTPS

> --
> You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.

> To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/KlKdCyx_7rAJ.

Brian Wright

unread,

Aug 6, 2012, 2:45:41 PM8/6/12

to dotnet...@googlegroups.com

I am starting to feel silly about not resolving this when everyone makes it sound so simple.

In my case, the issuer and api websites are one and the same.. just different URLs and controllers. I believe I have relaxed SSL to the best I know how (I posted my entire web.config earlier).

The client is just a console app and that is where I get the message the HTTP is required. Nothing is logged on the server side when the client makes this call. However, if I hit the server side directly via a browser I do get stuff logged.

I am obviously missing something and any help to get me in the right direction would be greatly appreciated.

On Friday, August 3, 2012 11:12:16 AM UTC-5, weblivz wrote:
> I recently extended the same example to get things working using the ROCP Grant (that example is actually an example of Client Credentials grant per my post on the blog).
>
>
> Is the error you are still getting an issue with HTTPS?
>
>
> Is so, make sure you relax SSL on both the Issuer website and the API website. This is ALL i have done to fix that particular issue.
>
>
> There is nothing else i had to do at the client (other than call the correct endpoints).
>
>
> /steven
> http://livz.org
>
>
>
> > Date: Fri, 3 Aug 2012 08:55:33 -0700

Steven Livingstone Pérez

unread,

Aug 6, 2012, 2:55:01 PM8/6/12

to dotnet...@googlegroups.com

Brian - don't worry about sounding silly - it took a lot of effort for me to get it working too.

One step I would take is to put tracing on the server (/trace.axd) and analyse the request being made from the console app.

I do find it really odd that you are getting the "relax ssl" type message on the request though as AFAIK that config is the only place it can be set.

Would you be able to zip up your entire solution and fire it over?

/steven

> Date: Mon, 6 Aug 2012 11:45:41 -0700
> From: brian.n...@gmail.com
> To: dotnet...@googlegroups.com

> To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/DpGxenlrlqQJ.

Brian Wright

unread,

Aug 6, 2012, 4:33:17 PM8/6/12

to dotnet...@googlegroups.com

Thanks for the help and encouragement. I took your advise and turned on tracing and oddly, if I am doing it right, nothing is traced. Much like the logging behavior I described, if I hit the issuer URL directly via browser, then I do get tracing.

So I went back to my tracing code that I posted earlier. (here it is again)

Client Code (Console app)
---------------

private static IAuthorizationState GetAccessToken()
{
var authorizationServer = new AuthorizationServerDescription
{
TokenEndpoint = new Uri("http://localhost:20932/OAuthToken"),
ProtocolVersion = ProtocolVersion.V20
};
var client = new WebServerClient(authorizationServer, "zamd", "test1243");

var state = client.GetClientAccessToken(new[] { "http://localhost/" });
return state;
}

-----

It turns out that I can put any bogus non-existent address I want to in the TokenEndPoint and I get the exact same message. I get the message on the call to GetClientAccessToken.

It would appear that this requirement is being enforced by the client code before any call to the issuer is even made. Is there anything on the client I can configure to stop this behavior?

On Monday, August 6, 2012 1:55:01 PM UTC-5, weblivz wrote:
> Brian - don't worry about sounding silly - it took a lot of effort for me to get it working too.
>
>
> One step I would take is to put tracing on the server (/trace.axd) and analyse the request being made from the console app.
>
>
> I do find it really odd that you are getting the "relax ssl" type message on the request though as AFAIK that config is the only place it can be set.
>
>
> Would you be able to zip up your entire solution and fire it over?
>
>
> /steven
>
>
>
> > Date: Mon, 6 Aug 2012 11:45:41 -0700

Andrew Arnott

unread,

Aug 8, 2012, 2:59:08 PM8/8/12

to dotnet...@googlegroups.com

Brian,

Yes, DNOA enforces all rules on all parties. You need to set relaxSslRequirements on the client (console app) as well.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/7dqhuiyvl48J.

Reply all

Reply to author

Forward