tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Introduce UseSigningCertificate to make X.509 certificates easier to register in the OpenIddict options

pull/114/head
Kévin Chalet 10 years ago
parent
1d1035ae86
commit
82bc684c5f
4 changed files with 156 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. BIN
      samples/Mvc.Server/Certificate.pfx
  2. 20
      samples/Mvc.Server/Startup.cs
  3. 4
      samples/Mvc.Server/project.json
  4. 136
      src/OpenIddict.Core/OpenIddictExtensions.cs

BIN
samples/Mvc.Server/Certificate.pfx
View File

Binary file not shown.

20
samples/Mvc.Server/Startup.cs
View File

@ -1,4 +1,5 @@
using System.Linq;
using System.Reflection;
using AspNet.Security.OAuth.GitHub;
using CryptoHelper;
using Microsoft.AspNetCore.Builder;
@ -83,6 +84,25 @@ namespace Mvc.Server {
app.UseOpenIddict(builder => {
builder.Options.AllowInsecureHttp = true;
// Note: if you don't explicitly register a signing key, one is automatically generated and
// persisted on the disk. If the key cannot be persisted, an in-memory key is used instead:
// when the application shuts down, the key is definitely lost and the access/identity tokens
// will be considered as invalid by client applications/resource servers when validating them.
//
// On production, using a X.509 certificate stored in the machine store is recommended.
// You can generate a self-signed certificate using Pluralsight's self-cert utility:
// https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
//
// builder.UseSigningCertificate("7D2A741FE34CC2C7369237A5F2078988E17A6A75");
//
// Alternatively, you can also store the certificate as an embedded .pfx resource
// directly in this assembly or in a file published alongside this project:
//
// builder.UseSigningCertificate(
// assembly: typeof(Startup).GetTypeInfo().Assembly,
// resource: "Nancy.Server.Certificate.pfx",
// password: "Owin.Security.OpenIdConnect.Server");
// You can customize the default Content Security Policy (CSP) by calling UseNWebsec explicitly.
// This can be useful to allow your HTML views to reference remote scripts/images/styles.
builder.UseNWebsec(directives => {

4
samples/Mvc.Server/project.json
View File

@ -5,6 +5,10 @@
"warningsAsErrors": true,
"preserveCompilationContext": true,
"embed": {
"include": [ "Certificate.pfx" ]
},
"copyToOutput": {
"include": [
"wwwroot",

136
src/OpenIddict.Core/OpenIddictExtensions.cs
View File

@ -5,14 +5,17 @@
*/
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.IdentityModel.Tokens;
using OpenIddict;
namespace Microsoft.AspNetCore.Builder {
@ -145,13 +148,14 @@ namespace Microsoft.AspNetCore.Builder {
var environment = app.ApplicationServices.GetRequiredService<IHostingEnvironment>();
builder.Options.AllowInsecureHttp = environment.IsDevelopment() || environment.IsEnvironment("Testing");
configuration(builder);
// Run the configuration delegate
// provided by the application.
configuration.Invoke(builder);
// Add OpenIdConnectServerMiddleware to the ASP.NET 5 pipeline.
// Add OpenIdConnectServerMiddleware to the ASP.NET Core pipeline.
builder.AddModule("ASOS", 0, map => map.UseOpenIdConnectServer(builder.Options));
// Register the OpenIddict modules in the ASP.NET 5 pipeline.
// Register the OpenIddict modules in the ASP.NET Core pipeline.
foreach (var module in builder.Modules.OrderBy(module => module.Position)) {
if (module.Registration == null) {
throw new InvalidOperationException("The registration delegate cannot be null.");
@ -162,5 +166,129 @@ namespace Microsoft.AspNetCore.Builder {
return app;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> used to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="certificate">The certificate used to sign the security tokens issued by the server.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] X509Certificate2 certificate) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(certificate);
return builder;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> retrieved from
/// an embedded resource to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="assembly">The assembly containing the certificate.</param>
/// <param name="resource">The name of the embedded resource.</param>
/// <param name="password">The password used to open the certificate.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] Assembly assembly,
[NotNull] string resource, [NotNull] string password) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(assembly, resource, password);
return builder;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> extracted
/// from a stream to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="stream">The stream containing the certificate.</param>
/// <param name="password">The password used to open the certificate.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder,
[NotNull] Stream stream, [NotNull] string password) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(stream, password);
return builder;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> extracted
/// from a stream to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="stream">The stream containing the certificate.</param>
/// <param name="password">The password used to open the certificate.</param>
/// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] Stream stream,
[NotNull] string password, X509KeyStorageFlags flags) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(stream, password, flags);
return builder;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> retrieved from the
/// X.509 machine store to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="thumbprint">The thumbprint of the certificate used to identify it in the X.509 store.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] string thumbprint) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(thumbprint);
return builder;
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> retrieved from the
/// given X.509 store to sign the tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The builder used to configure OpenIddict.</param>
/// <param name="thumbprint">The thumbprint of the certificate used to identify it in the X.509 store.</param>
/// <param name="name">The name of the X.509 store.</param>
/// <param name="location">The location of the X.509 store.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseSigningCertificate(
[NotNull] this OpenIddictBuilder builder,
[NotNull] string thumbprint, StoreName name, StoreLocation location) {
if (builder == null) {
throw new ArgumentNullException(nameof(builder));
}
// Register the certificate in the ASOS/OpenIddict options.
builder.Options.SigningCredentials.AddCertificate(thumbprint, name, location);
return builder;
}
}
}
Write Preview
Loading…
Cancel
Save