oqtane / oqtane.framework

CMS & Application Framework for Blazor & .NET MAUI
http://www.oqtane.org
MIT License
1.82k stars 527 forks

[BUG] Login failing after upgrading from 3.3.1 to 5.1.2 #4355

Open Dnawrkshp opened 1 month ago

Dnawrkshp commented 1 month ago

Oqtane Info

Version - 5.1.2
Render Mode - Interactive
Interactivity - Server
Database - SQL Server

Describe the bug

After upgrading our server from Oqtane 3.3.1 to the latest 5.1.2, our site rejects all login attempts. Running the project locally everything works perfectly. We are using IIS. I can confirm that the database connection is functioning and that there are no errors in the stdout log. I can also confirm that the host account I am logging in as has both the Host Users and Registered Users roles.

I installed the ASP.NET Core 8.0.5 hosting bundle. Is it possible that there are additional dependencies that are missing?

Any help is much appreciated!

Log:

[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:30+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/User/login?setcookie=False&persistent=False - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user. 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/User/login?setcookie=False&persistent=False - 403 - - 14.2463ms 
[2024-06-25 18:02:31+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/Log - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Administrators) 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/Log - 403 - - 14.6482ms 
[2024-06-25 18:02:31+00:00] [Information] Request starting HTTP/1.1 GET http://redacted.com/api/Log - - - 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Administrators) 
[2024-06-25 18:02:31+00:00] [Information] AuthenticationScheme: Identity.Application was challenged. 
[2024-06-25 18:02:31+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/api/Log - 403 - - 18.6608ms 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:31+00:00] [Information] Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Registered Users) 
[2024-06-25 18:02:34+00:00] [Information] Executed endpoint 'Microsoft.AspNetCore.Routing.RouteEndpoint' 
[2024-06-25 18:02:34+00:00] [Information] Request finished HTTP/1.1 GET http://redacted.com/_blazor?id=jlNpvOGwi5ZjyZnqBjWPHQ - 101 - - 9706.4012ms 

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\Oqtane.Server.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" hostingModel="inprocess">
        <environmentVariables>
            <environmentVariable name="ASPNETCORE_DETAILEDERRORS" value="true" />
        </environmentVariables>
      </aspNetCore>
    </system.webServer>
  </location>
</configuration>
sbwalker commented 1 month ago

@Dnawrkshp are you saying that after the upgrade to 5.1.2 you can navigate the site as a visitor (unauthenticated user) and view pages/content.... and it is only once you try to login that you run into problems?

Dnawrkshp commented 1 month ago

@sbwalker Thanks for replying! Not quite: attempting to navigate the site unauthenticated redirects me to the login page, where, after attempting to log in as the host user, I receive an "Error Performing Login" response.

Dnawrkshp commented 1 month ago

I was able to resolve this by changing the following in Oqtane.Server/Startup.cs:

  services.Configure<ForwardedHeadersOptions>(options =>
  {
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+   options.KnownNetworks.Clear();
+   options.KnownProxies.Clear();
  });
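Review bot: clearing KnownNetworks and KnownProxies in this hunk removes the only restriction on who may send X-Forwarded-For / X-Forwarded-Proto, so with this change any client that reaches the server directly can set those headers and have ForwardedHeadersMiddleware rewrite RemoteIpAddress and Request.Scheme (affecting IP-based logging, rate limits and HTTPS detection). Prefer adding the reverse proxy's address or range explicitly instead, e.g. `options.KnownProxies.Add(IPAddress.Parse("<proxy ip>"));` or `options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("<network>"), <prefix length>));`, and only fall back to Clear() when the proxy address genuinely cannot be known (and then bind the app so it is reachable only from the proxy).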

The issue was related to running the server behind a reverse proxy. This discussion helped me find the above solution: https://github.com/dotnet/aspnetcore/issues/54057

sbwalker commented 1 month ago

@Dnawrkshp the ForwardedHeaders configuration was added on Jan 13, 2022 as part of PR #1936 which I believe was added as a result of issue #1843. This logic was included in release 3.0.2 - and it has not caused any issues for the past 2.5 years.

You mentioned that you were upgrading from 3.3.1 to 5.1.2, so this means that the ForwardedHeaders configuration already existed in the 3.3.1 release you were running. Is there something else which changed in your environment as part of migrating to 5.1.2, i.e. did you move to a different server with a different network configuration? I am trying to understand why you experienced this issue. And I am also trying to understand if it makes sense to include the additional configuration in the default Startup.cs, i.e. will it impact any other users in a negative way.

Dnawrkshp commented 1 month ago

@sbwalker Apologies, I've been catching up on tasks this week.

The server didn't change. I installed 5.1.2 into a fresh folder so I suppose there might be some configuration in the old installation that I didn't know to move over. A different person was tasked with setting up 3.3.1. I made sure to copy any missing appsettings/web.config data into the new install. If there are configuration files that I missed I could take another look.

I'll spend time this weekend trying to identify why that fix worked. Thank you for being so responsive!

Dnawrkshp commented 1 month ago

After digging a little more into it, I still can't figure out why the old install worked.

I did learn more about the fix I posted above. It is a potential security issue because the server will now accept forwarded headers from any external source. By default it is configured to only accept them from 127.0.0.1. The correct solution is to add the IP/range of the proxy like so:

// using System.Net;
// using Microsoft.AspNetCore.HttpOverrides;

// single proxy IP
options.KnownProxies.Add(IPAddress.Parse("192.168.1.5"));
// or a proxy IP range (CIDR)
options.KnownNetworks.Add(IPNetwork.Parse("192.168.1.0/24"));

I think ideally we'd be able to configure the IP/range of our proxy inside the appsettings and then Oqtane would read and configure them accordingly on startup.

I could make a PR if that works for you.

sbwalker commented 1 month ago

Making a note that the ForwardedForHeaderName property also often needs to be set in a reverse proxy scenario or else you will always get the IP of the proxy server - not the actual client.
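The configuration-driven approach proposed above (reading the proxy IP/range from appsettings instead of clearing the known-proxy lists) together with the ForwardedForHeaderName point from the last comment, written out as an added example. This is not Oqtane's code and not the project's Startup.cs; it is a minimal ASP.NET Core 8 Program.cs. The "ForwardedHeaders" section and its key names ("KnownProxies", "KnownNetworks", "ForwardedForHeaderName") are assumptions chosen for this example, not something Oqtane reads today.

```csharp
// Added example (not Oqtane's code). Assumed appsettings.json section (hypothetical key names):
//
// "ForwardedHeaders": {
//   "KnownProxies":  [ "192.168.1.5" ],
//   "KnownNetworks": [ "192.168.1.0/24", "10.0.0.0/8" ],
//   "ForwardedForHeaderName": "X-Forwarded-For"
// }
//
// Rationale: ForwardedHeadersMiddleware only honours X-Forwarded-* from addresses in
// KnownProxies/KnownNetworks (loopback by default). Calling Clear() on both lets any client
// spoof its IP and scheme, so we widen the trust set only to what configuration lists.
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
var section = builder.Configuration.GetSection("ForwardedHeaders");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Keep the loopback defaults; only add what the operator explicitly configured.
    foreach (var proxy in section.GetSection("KnownProxies").Get<string[]>() ?? Array.Empty<string>())
    {
        options.KnownProxies.Add(IPAddress.Parse(proxy));
    }

    foreach (var cidr in section.GetSection("KnownNetworks").Get<string[]>() ?? Array.Empty<string>())
    {
        options.KnownNetworks.Add(ParseNetwork(cidr));
    }

    // Some proxies use a non-standard header (e.g. CF-Connecting-IP); if it is not set,
    // the middleware keeps reporting the proxy's address rather than the client's.
    var headerName = section["ForwardedForHeaderName"];
    if (!string.IsNullOrWhiteSpace(headerName))
    {
        options.ForwardedForHeaderName = headerName;
    }
});

var app = builder.Build();

// Must run before anything that inspects RemoteIpAddress or Request.Scheme
// (HTTPS redirection, authentication cookies with Secure policy, logging).
app.UseForwardedHeaders();

app.MapGet("/whoami", (HttpContext ctx) =>
    $"{ctx.Connection.RemoteIpAddress} via {ctx.Request.Scheme}");

app.Run();

// Parses "a.b.c.d/len"; a bare address is treated as a single host (/32 or /128).
// Fully qualified to avoid the ambiguity with System.Net.IPNetwork introduced in .NET 8.
static Microsoft.AspNetCore.HttpOverrides.IPNetwork ParseNetwork(string cidr)
{
    var parts = cidr.Split('/', 2);
    var prefix = IPAddress.Parse(parts[0]);
    var prefixLength = parts.Length == 2
        ? int.Parse(parts[1])
        : (prefix.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6 ? 128 : 32);
    return new Microsoft.AspNetCore.HttpOverrides.IPNetwork(prefix, prefixLength);
}
```

To check the result after deployment, request /whoami through the proxy and directly: through the proxy it should report the real client address and the scheme the client used; directly, any X-Forwarded-For header a client sends should be ignored and its own socket address reported. If the direct request is honoured, the client's address is inside a configured network and the range should be tightened.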