@siacomuzzi
Last active October 11, 2015 20:13
[FIXED] Can't use a generated ZUMO auth token with a Mobile Service .NET Backend

Repro steps

  1. For the JS backend, create a table (TodoItem) and set its READ permission to "Authenticated User only".

  2. For the .NET backend, require AuthorizationLevel.User on the TodoItemController read action and publish the service:

```csharp
// GET tables/TodoItem
// Only requests carrying a valid ZUMO auth token reach this action.
[AuthorizeLevel(AuthorizationLevel.User)]
public IQueryable<TodoItem> GetAllTodoItems()
{
    return Query();
}
```
  3. Generate JWTs for both backends using the corresponding master keys | details

  4. Hit the table with curl or Fiddler:

JS backend returns HTTP 200:

```shell
curl https://auth0-tests.azure-mobile.net/tables/TodoItem -H "x-zumo-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6MH0.eyJleHAiOjE0MTkwMTczMDkuOTUyLCJpc3MiOiJ1cm46bWljcm9zb2Z0OndpbmRvd3MtYXp1cmU6enVtbyIsInZlciI6MiwiYXVkIjoiS0NVb1B5QmdnZ1ZkS1dEeWFJVUF6anBZWVlxdlFWNjEiLCJ1aWQiOiJhdXRoMHw1NDQxNTk1OTQ4NTc2OWVmYWYyNjg1NDgifQ.OvqSBhcOldxcCDna1-Vp4-1_o4ar7h0oYyfmtaDkaxU"
```

.NET backend returns HTTP 401 with `{"message":"Authorization has been denied for this request."}`:

```shell
curl https://auth0-wams.azure-mobile.net/tables/TodoItem -H "x-zumo-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6MH0.eyJleHAiOjE0MTkwMTg3ODIuODY5LCJpc3MiOiJ1cm46bWljcm9zb2Z0OndpbmRvd3MtYXp1cmU6enVtbyIsInZlciI6MiwiYXVkIjoiZmd4UWF3ZHdsQ1l1SEVkakNPVFJzRHd3cGVESGJDODgiLCJ1aWQiOiJhdXRoMHw1NDQxNTk1OTQ4NTc2OWVmYWYyNjg1NDgifQ.OADa-bDfVHBS82RGj6hv7QgWDmKTHanQvtlJY-Z1Qj0"
```

From Azure Portal logs:

  • Message: Authentication failed due to an invalid token.
  • Source: Microsoft.WindowsAzure.Mobile.Service.Security.ServiceAuthenticationMiddleware
@siacomuzzi (Author)

Fixed!

Using a reflector tool, I found the following in the Microsoft.WindowsAzure.Mobile.Service.Security.ServiceTokenHandler class:

```csharp
// Decompiled from ServiceTokenHandler; the decompiler showed the property
// setters as set_AllowedAudience(...) etc., written here as property assignments.
TokenValidationParameters validationParams = new TokenValidationParameters();
validationParams.AllowedAudience = "urn:microsoft:windows-azure:zumo";
validationParams.ValidateIssuer = true;
validationParams.ValidIssuer = "urn:microsoft:windows-azure:zumo";
return ServiceTokenHandler.TryValidateToken(validationParams, token, secretKey, out claimsPrincipal);
```
  • Note that the aud and iss claims must be set to "urn:microsoft:windows-azure:zumo" for .NET backends.
  • JS backends are not validating aud and iss, so you can put any value in them.
  • Several articles about how to generate a ZUMO auth token (like this one) are using "urn:microsoft:windows-azure:zumo" only for the iss claim, so I think it could be a breaking change in the WindowsAzure.MobileServices.Backend NuGet package.
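The following is an added example (not from the gist or from the Mobile Services SDK) that mints an HS256 ZUMO-style token with the same claim set as the tokens above and then checks it two ways: with the issuer and audience validation the decompiled .NET handler enforces, and without it, as the JS backend behaves. It assumes the HMAC key bytes are supplied directly; the gist defers to a linked "details" page for deriving them from the master key.

```python
import base64
import hashlib
import hmac
import json
import time

ZUMO_URN = "urn:microsoft:windows-azure:zumo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_zumo_token(key: bytes, uid: str, aud: str, iss: str = ZUMO_URN,
                    now: float = None, ttl: int = 3600) -> str:
    """HS256 JWT with the claims seen in the gist's tokens: exp, iss, ver, aud, uid.
    `key` is assumed to be the ready-to-use HMAC secret (constructed in the test)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": 0}
    payload = {"exp": now + ttl, "iss": iss, "ver": 2, "aud": aud, "uid": uid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate(token: str, key: bytes, check_iss_aud: bool, now: float = None) -> str:
    """Return "ok" or the rejection reason. check_iss_aud=True mirrors the .NET
    TokenValidationParameters (ValidIssuer + AllowedAudience); False mirrors the JS backend."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return "unexpected alg"  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "expired"
    if check_iss_aud and claims.get("iss") != ZUMO_URN:
        return "invalid issuer"
    if check_iss_aud and claims.get("aud") != ZUMO_URN:
        return "invalid audience"
    return "ok"
```

A token whose aud is anything other than the ZUMO URN (as in the decoded 401 token above, where aud is a client id) passes the JS-style check but fails the .NET-style one with "invalid audience".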

@ConnectedReasoning

how is this fixed?
