From 23d8d9bdfe0729451464c085439c83d02018e33a Mon Sep 17 00:00:00 2001
From: sbolofsson
Date: Fri, 25 Aug 2023 18:52:31 +0200
Subject: [PATCH] Update ValidateDataProtectionToken to support IDataProtectionProvider implementations that don't use the default magic header
---
...ictClientDataProtectionHandlers.Protection.cs | 16 +++++++++++++---
...ictServerDataProtectionHandlers.Protection.cs | 16 +++++++++++++---
...alidationDataProtectionHandlers.Protection.cs | 16 +++++++++++++---
3 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
index c89dc395..6b2f346b 100644
--- a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
@@ -62,9 +62,19 @@ public static partial class OpenIddictClientDataProtectionHandlers
 return default;
 }
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }
diff --git a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
index 7cbc9818..e4e5df08 100644
--- a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
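Review bot: The new fast-path condition is keyed on the fully-qualified name of `KeyRingBasedDataProtectionProvider`, a non-public ASP.NET Core type, so a rename in a future Data Protection release, or a provider that wraps the default one, makes `string.Equals` return false and the "CfDJ8" pre-check is silently skipped — the handler then falls through to the rest of its body for every token rather than short-circuiting, a degradation nothing would surface. I would lift the literal into a named constant so the dependency is visible and explained in one place, e.g. `// Non-public ASP.NET Core type name: if it changes, the magic-header fast path is skipped and every token continues past this check.` above `private const string DefaultProviderTypeName = "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider";`, and compare against that in the condition. The identical block appears in the OpenIddictServerDataProtectionHandlers.Protection.cs and OpenIddictValidationDataProtectionHandlers.Protection.cs hunks, so the constant is worth sharing if these files already draw on a common source. `_options.CurrentValue.DataProtectionProvider` is now dereferenced with `.GetType()` where the old check touched only `context.Token`; presumably the options configuration guarantees a non-null provider, but if it does not, this becomes a NullReferenceException instead of a clean return and deserves a guard or a confirming comment. The enclosing handler method starts and ends outside the hunk.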
@@ -62,9 +62,19 @@ public static partial class OpenIddictServerDataProtectionHandlers
 return default;
 }
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }
diff --git a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
index 5b27fcb7..54d2feb9 100644
--- a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
@@ -57,9 +57,19 @@ public static partial class OpenIddictValidationDataProtectionHandlers
 return default;
 }
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }