Zulfiqar Ahmed zamd

@zamd
zamd / mod_sts.md
Last active October 7, 2019 14:18
Instructions to compile and install mod_sts

Using mod_sts with upcoming Auth0 token-exchange feature

compile and install instructions

mod_sts allows you to set up Apache as an API gateway. There are currently no prebuilt binaries available. The following instructions can be used to build and install this module in Apache on Ubuntu 18.

Install base tools

@zamd
zamd / azure-ad-evolution.md
Last active July 2, 2019 07:28
Azure ad endpoint evolution notes

Azure AD OAuth/OIDC evolution

  • The v2 endpoints are renamed to Microsoft Identity Platform and should be the preferred integration route for new apps. They are fully OAuth2/OIDC compliant.

  • The common endpoint can be used for multi-tenant apps, which can sign in users with personal accounts and/or multiple AD directories

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  • The above endpoint will serve a login page where you can sign in with all Microsoft identities (personal, school, work)
@zamd
zamd / landing_page.md
Last active January 26, 2019 01:05
Selecting landing page via Auth0

Auth0 supports passing extra whitelisted params to upstream IdPs. This feature can be used to pass an initial screen/page hint to the upstream IdP.

  • PATCH the custom OAuth connection to whitelist and alias the upstream param
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFqVTVRVEpEUmpnd09UUXpOVGxFUlVZeFJURTRNams0TVRFMlFUUkVNVGxGTlRsRE5VWXlRUSJ9." -X PATCH  -H "Content-Type: application/json" -d '{"options":{"upstream_params":{"initial_page":{"alias":"login_hint"}}}}' "https://{domain}.auth0.com/api/v2/connections/{id}"
  • You can now pass the initial page as a standard login_hint value and Auth0 will translate this to the configured outgoing parameter.
  • Create a volume to mount a host directory into the container

docker volume create --driver local --opt device=/Users/zamd/tmp2/dotnetdev --opt type=none --opt o=bind devnet

  • Start the dotnet container with the host directory mounted

docker run -itd -v devnet:/app e1a56dca783e

az storage blob copy start -u "https://appbuildstorage.blob.core.windows.net/releases/p-release-13130.vhd?sv=SAS-TOKEN" -c vhds -b p-release-13130.vhd --account-name zulfiqar --account-key ACNT-KEY
az storage blob show -c vhds -n p-release-13130.vhd  --account-name zulfiqar --account-key KEYa-=====
@zamd
zamd / cname-dynamic-client.md
Last active October 4, 2017 06:24
Dynamic Client lock customisation for cname

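Lock needs tenant/domain-level connection information, and when a CNAME is enabled Lock seems to hit the info-v1 endpoint...

The assetsUrl has to be overridden manually with the correct tenant URL...

    // Custom domain host, with the scheme stripped
    var customDomain = config.authorizationServer.url.replace('https://', '');
    // Region-specific Auth0 CDN (AU here)
    config.cdn = "https://cdn.au.auth0.com";
    // Tenant name is the first label of the Auth0 domain
    var tenant = config.auth0Domain.split('.')[0];
    // Override assetsUrl with the tenant's URL on the CDN
    config.assetsUrl = config.cdn + "/tenants/v1/" + tenant + ".js";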
@zamd
zamd / dotnetcore2.md
Last active September 28, 2017 09:41
dotnet core 2 exploration

dotnet core 2.0 exploration

Runtime

This repo has runtime packages for various environments etc. This is a bit deeper than the public-facing download link at dot.net, which includes both the SDK and runtimes...

Each runtime package is made up of 3 primary parts:

@zamd
zamd / rootca-cert-in-docker.md
Created July 13, 2017 10:57
trusting root ca certs in docker

Trusting custom root CA certificate in docker containers

Most large enterprises run their own PKI infrastructure and it’s common to issue internal CA-signed certificates to services. The root CA certificate is pushed to domain-joined workstations with group policy etc.

For non-domain-joined services (like Linux hosts etc.) it’s common to manually trust the root CA cert.

The Docker daemon automatically picks up the trusted root CA list from the host and uses it as its trusted CA list... The following commands can be used to add a custom CA certificate as a trusted CA in Ubuntu

  • Go to /usr/share/ca-certificates/
  • Add your custom CA cert to this folder as a PEM-encoded file with a .crt extension
@zamd
zamd / new-data-device-scsci-bus-rescan.md
Created July 10, 2017 07:29
Access new data device in VMWare VM without restart

Get the host bus # to rescan

grep mpt /sys/class/scsi_host/host?/proc_name

This returns the host number, e.g. host2:

/sys/class/scsi_host/host2/proc_name:mptspi

Rescan the bus with the following command

@zamd
zamd / asp-token-introspection.md
Last active November 29, 2017 15:38
Auth0 ASP Introspection

Auth0 ASP Introspection API

POST https://{tenant}/oauth/introspect

` { "client_assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5maW5pc2VuLmNvbSIsInN1YiI6Imh0dHBzOi8vYXBpLmZpbmlzZW4uY29tIiwiYXVkIjoiaHR0cHM6Ly96dWxmaXFhci5hdXRoMC5jb20vIiwiZXhwIjoxNzk4NzU0MTI3fQ.iYS-OdkUYP9vL1i9PFCL_llGla43TmhiAaGAg5cdeDJqfupFb5ZBeVs6vdGOEMGpCFgSJ3aGnZpfrlItvL3whcFaAKpAppFl17tUCAFHFxLZCyVO09pUcQ3y3lKBdmF3HoysmugfK-943R1o5S-91C_ASaU24NhnrOPA0UsUNekqotHCVTr9V6TFIh8qAJPwLbd7Q0GyEAxx6Jj_-_E0k6Un4b6AUEh54A8DDkeodCq1D7KplJMNYoHLW4UCPFKg-5DcB1TAwuHdaIprqKdlipg_RUd6UtK4l66GiKYkXo_onl1B04oCPOxsnwUmYBBNf4vHFEjKArPiOxANretv3A", "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "token": "bw6xGRqEjBQUr9FxJTfp"