Closed sourabhtewari closed 3 years ago
The issue is due to a WAF rule GenericRFI_QUERYARGUMENTS
This blocks implicit grant requests. Any ideas to circumvent this?
Hi @sourabhtewari - did you find the issue? Thanks!
@skoruba Found the issue but not the solution. WAF blocks any call with a "://" pattern in the query parameters. More info on the WAF (RFI-related rules) here: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
Asked a question https://github.com/IdentityServer/IdentityServer4/issues/5231.
Opening the issue in case @skoruba could help with a solution :)
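The behaviour sourabhtewari describes (an implicit-grant authorize request rejected because a query value contains "://") can be reproduced offline so an operator can see exactly which parameter trips the rule and whether anything else does before tuning the WAF. This is an added example, not code from the thread, IdentityServer4 or the Skoruba project; the "://" pattern, the repeated URL-decoding and the sample URLs are assumptions approximating the managed rule, while /connect/authorize and /connect/endsession are IdentityServer4's real endpoint paths.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption approximating the managed rule from the thread: a query value
# containing "<scheme>://" is treated as a remote-file-inclusion attempt.
URL_IN_VALUE = re.compile(r"[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# IdentityServer4 endpoints whose parameters legitimately carry absolute URLs.
EXPECTED_URL_PARAMS = {
    "/connect/authorize": {"redirect_uri"},
    "/connect/endsession": {"post_logout_redirect_uri"},
}

def flag_rfi_like_params(url: str, max_decodes: int = 3) -> dict:
    """Return {param: decoded value} for every query parameter whose value
    contains a URL scheme after URL-decoding. Decoding is repeated so that
    double-encoded values are caught the way a URL_DECODE transform would."""
    flagged = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = value  # parse_qsl has already decoded once
        for _ in range(max_decodes):
            again = unquote(decoded)
            if again == decoded:
                break
            decoded = again
        if URL_IN_VALUE.search(decoded):
            flagged[name] = decoded
    return flagged

def unexpected_url_params(url: str) -> dict:
    """Flagged parameters that are NOT the URL-bearing parameters the endpoint
    is expected to receive. Empty means a narrowly scoped exception for the
    expected parameter suffices; non-empty means the request is worth blocking."""
    path = urlsplit(url).path
    allowed = EXPECTED_URL_PARAMS.get(path, set())
    return {k: v for k, v in flag_rfi_like_params(url).items() if k not in allowed}

# Constructed implicit-grant request of the kind the thread says was blocked.
AUTHORIZE_URL = (
    "https://sts.example.test/connect/authorize"
    "?client_id=skoruba_identity_admin"
    "&redirect_uri=https%3A%2F%2Fadmin.example.test%2Fsignin-oidc"
    "&response_type=id_token%20token&scope=openid%20profile%20roles"
    "&state=abc123&nonce=xyz789"
)

if __name__ == "__main__":
    print("flagged:", flag_rfi_like_params(AUTHORIZE_URL))
    print("unexpected:", unexpected_url_params(AUTHORIZE_URL))
```

Run it against the URLs in your own WAF sampled-request logs: an empty `unexpected_url_params` result for every blocked authorize request confirms that only redirect_uri needs an exception.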
@skoruba we have logged a ticket with AWS, who will help us set up the WAF. This has nothing to do with Identity. Closing the ticket.
@sourabhtewari - Thanks for your feedback, I do not have any experience with this issue and AWS in general. 😉
@sourabhtewari Did the STS and Admin services communicate over internal DNS names when deployed in AWS? Or did you use public DNS names?
We use external DNS for prod and internal for pre-prod. The 403 was due to the WAF ACL blocking the requests, which we sorted out.
@sourabhtewari If we use internal DNS we get this flow in the browser:
htc-identity-sts is the internal DNS name, but it should be sts.mydevurl.com
Apologies, I should have been more clear. We use OpenShift. The service is exposed as a Kubernetes route. The DNS for our pre-prod is internal to our local corp. All our environments are sts.
Describe the bug
403 response when we access an Identity-enabled client behind a load balancer. We haven't added more nodes, so there is only one node behind the ELB, which is serving all requests.
To Reproduce
Steps to reproduce the behavior:
We use an Elastic Load Balancer (AWS) for our needs. There are two scenarios: one is access from the corp environment and the other from the public internet. For corp, there is a direct pass-through and it goes straight to the host. But when accessing from the public internet, it uses the load balancer.
In both scenarios, we can get to the Identity Server and log in. But using an Identity-enabled client, like Identity Admin, we get a 403 response when accessing from the public internet.
In the log below, the same request is made from two locations. (1) to (21) is from the corporate internet and the response is Authorization Successful. From (22) to (25), it's from the public internet, and the same request results in a 403.
Relevant parts of the log file