Question
I have a Web API using OAuth2 that has a mixture of APIs that allow Anonymous and Secured calls. I've deployed the code to a separate server on my network and verified using RESTer (similar to Postman) that the calls work. If I make the same calls from outside the network, only the calls that are set to use the ExternalBearer token fail. Anonymous calls succeed.
I checked out this solution, which did not work for me: HTTP 403 Forbidden: Access is denied ASP.NET Web API
I've also ensured on the deployment server that the user account has access to the directory with Full Control.
My anonymous calls (besides the /token call) have the [AllowAnonymous] and [HttpPost] annotations. My secure calls have the [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] and [HttpPost] annotations.
    using System.Web.Http;
    using Microsoft.AspNet.Identity;   // DefaultAuthenticationTypes

    [Authorize]
    [RoutePrefix("api/Lookups")]
    public class MySettingsClass : ApiController
    {
        /* Constructor omitted for readability */

        // Secured call: only an external bearer token is accepted for this action
        [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
        [HttpPost]
        [Route("GetSettings")]
        public Settings GetSettings(GetSettingsCommand command)
        {
            // Do something here (build the settings from the command)
            var settings = new Settings();
            return settings;
        }
    }
At this point I suspect IIS isn't configured properly in some way or a firewall is doing something, but I'm not sure. I checked the IIS logs on the server and I can see the request coming in. Unfortunately the log says nothing more than that it received the request. The log does give an sc-status of 401 for the request, which differs from the 403 that is shown.
Actual 403 Error shown on the client side:
403 Forbidden ( The server denied the specified Uniform Resource Locator(URL). Contact the server administrator.)
Update: When I enable IIS Failed Request Tracing I get this warning in the log.
ModuleName="ManagedPipelineHandler", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="401", HttpReason="Unauthorized", HttpSubStatus="0", ErrorCode="The operation completed successfully.(0x0)", ConfigExceptionInfo=""
Answer 1:
There was a firewall issue that was specifically blocking clients from directly authenticating. I had to have an IT resource open the Forefront TMG properties, go into the Authentication Delegation tab, and set the method to something other than "No delegation, and client cannot authenticate directly".
This SO thread is likely the same solution, but the poster doesn't mention exactly what their solution was: WebAPI : 403 Forbidden after publish website
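A client-side probe that reproduces the comparison described in the question and the cause named in the answer, as an added example (not code from either poster): it POSTs to the secured route with and without a bearer token and labels each rejection as coming from the Web API host itself (a 401 that IIS would log) or from an edge proxy such as the TMG in front of it (a 403 carrying the denial text quoted above). The base URL, the token and the sample responses are placeholders/constructed values.

```python
"""Probe a Web API route from the client and say where a 401/403 most likely comes from."""
import json
import urllib.error
import urllib.request

# Assumed placeholders: replace with the real API base URL and a token from the /token call.
API_BASE = "https://api.example.com/api/Lookups"
BEARER_TOKEN = "<access_token_from_/token>"


def classify(status, headers, body):
    """Map one HTTP response to the component that produced the rejection.

    Heuristic taken from the thread: IIS logged 401 for the bearer call while the
    client saw a 403 whose wording is an edge-proxy denial page, so such a 403 never
    reached the Web API and points at the proxy's authentication delegation setting.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok: request reached the API and was authorized"
    if status == 401:
        challenge = hdr.get("www-authenticate", "(none)")
        return f"api: rejected by the Web API host, WWW-Authenticate={challenge}"
    if status == 403 and "denied the specified uniform resource locator" in body.lower():
        return "proxy: denied before reaching IIS; check authentication delegation on the edge proxy"
    return f"unknown: HTTP {status}"


def probe(url, token=None, payload=None, opener=urllib.request.urlopen):
    """POST a JSON body to url, optionally with a bearer token; return (status, headers, body)."""
    data = json.dumps(payload or {}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with opener(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and a body
        return err.code, dict(err.headers), err.read().decode(errors="replace")


if __name__ == "__main__":
    # Same secured route, once anonymously and once with the token: from outside the
    # network the thread's symptom is 401 for the first call and 403 for the second.
    for name, tok in (("anonymous", None), ("bearer", BEARER_TOKEN)):
        status, headers, body = probe(f"{API_BASE}/GetSettings", tok)
        print(f"{name:9} -> HTTP {status}: {classify(status, headers, body)}")
```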
Source: https://stackoverflow.com/questions/54679601/web-api-403-forbidden-outside-of-network-using-bearer-token