Posts

Auth0: Restrict SPA Application Access to API Audience/Permissions/Scopes

Image
In Auth0  you can restrict the APIs/Permissions a Machine-to-Machine type Application has access to using the "APIs" section in the Application Configuration: However, SPA type Applications do not have an equivalent configuration option: There is no way to restrict the APIs a SPA type Application has access to directly . Instead, you must restrict the APIs/Permissions/Scopes a User has access to . (Most likely you'll want to do this using Roles.) You must also ensure the " Enable RBAC " setting is turned on for all of your APIs (this setting is off by default). If the "Enable RBAC" setting is NOT turned on, a SPA Application will be able to request a token for any API/Permission/Scope combination and Auth0 will return a valid token! And even with this setting turned on, a SPA Application will be able to request and receive a token for an API the user does NOT have access to!  The Audience value in the access token will be valid for the API, however the...

Find Azure Application Insights Resource by InstrumentationKey

I had a need to query some Application Insights logs, but all I had was the InstrumentationKey. I didn't want to open each of the Application Insights instances and check the key (there were a lot), but as long as you have the Azure "Az" Powershell Module installed, you can run this script to print out all App Insights instances and their associated Instrumentation Key: https://gist.github.com/aaronhoffman/cf5bd0c59216b3e6a57c0c6ea134cafb # for each subscription in context foreach ( $subId in ( Get-AzSubscription ).Id | Get-Unique ) { write-host " Subscription $subId " # set context to the given subId Set-AzContext - SubscriptionId $subId # List the name and InstrumentationKey of all Application Insights resources in this sub Get-AzResource - ResourceType Microsoft.Insights / components - ExpandProperties | select - ExpandProperty Properties | select Name , InstrumentationKey | ft } Hope this helps! Aaron

Simple Rules Engine in C#

Image
There are some C# "Rules Engines" floating around however they rely on a no-longer-supported nuget package (dynamic linq)  https://github.com/microsoft/RulesEngine   I created this "SimpleRulesEngine" that does not rely on lambdas or expression trees. The expressions can be serialized to JSON.  https://github.com/aaronhoffman/SimpleRulesEngine   I hope to get a simple example web application added to this repo as well, but I'm not sure when I will have time. Please check out the unit tests for now to see how this can be used. Hope this helps, Aaron

Configure SonarAnalyzer.CSharp with .editorconfig, no need for SonarCloud or SonarQube

Our goal was to use  SonarSource / SonarQube  static code analysis with the most "minimal" install/configuration footprint. We wanted the static code analysis to break/fail the build on the local developer machines as well as our CI/CD Azure DevOps environment if a rule was violated. SonarSource products usually rely on some external source,  SonarCloud /SonarQube to determine which rules to apply on the local dev machine, and to store the results. We wanted to eliminate these dependencies. SonarSource also provides a Visual Studio extension called  SonarLint  to help check the static code analysis rules within the Visual Studio IDE without needing an external source for the rules. The static code analysis rules SonarLint enforces are also defined in the  SonarAnalyzer.CSharp  nuget package. This nuget package is a set of  Roslyn Code Analyzers . In .NET Core, Roslyn Code Analyzers are triggered during a build if the nuget package is referenced by...

AspNet Core JWT Authentication ValidateLifetime "The token has no expiration"

Found a "bug" within aspnet core JWT Authentication and thought I'd write something up since I could not find much info online. Found the answer here, but it's not easy to find:  https://github.com/SevenSpikes/api-plugin-for-nopcommerce/issues/99 Essentially, if you create a valid JWT with an expiration time after the year 2038, the default aspnet core JWT Auth will determine that it is invalid saying, " The token has no expiration ". The solution is to create a JWT with an expiration time after "now" but before the year 2038. Hope this helps, Aaron