
Avoid overriding the issuer/signing keys/decryption keys set in the token validation parameters

pull/971/head
Kévin Chalet 6 years ago
parent
commit
bbeb29726f
  1. 4
      src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
  2. 4
      src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
  3. 4
      src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
  4. 4
      src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
  5. 10
      src/OpenIddict.Server/OpenIddictServerConfiguration.cs
  6. 4
      src/OpenIddict.Server/OpenIddictServerHandlers.cs
  7. 5
      src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
  8. 15
      src/OpenIddict.Validation/OpenIddictValidationHandlers.cs

4
src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs

@ -128,10 +128,8 @@ namespace OpenIddict.Server.AspNetCore
}
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
parameters.ValidAudience = context.Issuer?.AbsoluteUri;
parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.AuthorizationRequest };
var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
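Review bot: The asymmetry introduced on the `ValidIssuer`/`ValidAudience` pair is unexplained: `parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;` now yields to a value preset in the options, while `parameters.ValidAudience = context.Issuer?.AbsoluteUri;` on the next line still overwrites unconditionally. Since this token type (`JsonWebTokenTypes.Private.AuthorizationRequest`) appears to be self-issued, an issuer preset for another purpose would now be applied to the server's own request tokens and make them fail (or, if that issuer's keys are also in `IssuerSigningKeys`, be accepted from elsewhere) — if that is the intended trade-off it deserves a comment such as `// ValidIssuer is only defaulted so a value set explicitly in the options wins; the audience is always this server.` The enclosing method starts before this hunk.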

4
src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs

@ -126,10 +126,8 @@ namespace OpenIddict.Server.AspNetCore
}
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
parameters.ValidAudience = context.Issuer?.AbsoluteUri;
parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.LogoutRequest };
var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
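Review bot: Dropping the local `IssuerSigningKeys`/`TokenDecryptionKeys` assignments means this handler now trusts whatever key set happens to be in `context.Options.TokenValidationParameters` when it runs; the configuration step populates it from the server credentials, but a user who replaces `TokenValidationParameters` or adds foreign keys would have those keys accepted for logout request tokens (`JsonWebTokenTypes.Private.LogoutRequest`). That dependency is not visible from this handler, so a comment would help, e.g. `// Signing/decryption keys come from TokenValidationParameters, populated from the server credentials at configuration time.` As in the authentication handler, `ValidAudience` is still overwritten while `ValidIssuer` is only defaulted; the two should be treated alike or the difference documented. The enclosing method starts before this hunk.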

4
src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs

@ -127,10 +127,8 @@ namespace OpenIddict.Server.Owin
}
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
parameters.ValidAudience = context.Issuer?.AbsoluteUri;
parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.AuthorizationRequest };
var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
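Review bot: Same inconsistency as the ASP.NET Core handler: `parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;` honours a preconfigured issuer while `parameters.ValidAudience = context.Issuer?.AbsoluteUri;` still overwrites, with no comment explaining why a preset issuer should apply to a self-issued authorization request token but a preset audience should not. Either make the two lines symmetrical or add a comment stating the rationale so the next maintainer doesn't "fix" one of them. The enclosing method starts before this hunk.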

4
src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs

@ -125,10 +125,8 @@ namespace OpenIddict.Server.Owin
}
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
parameters.ValidAudience = context.Issuer?.AbsoluteUri;
parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.LogoutRequest };
var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
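Review bot: The OWIN session handler now mirrors the ASP.NET Core one, including its unexplained `??=` on `ValidIssuer` versus plain assignment on `ValidAudience`, and its implicit reliance on `TokenValidationParameters` already carrying the server's signing and decryption keys. Keeping the four handlers identical is good, but the shared assumption should be stated once per handler since it is a security boundary: `// Keys are taken from TokenValidationParameters (set from the server credentials during configuration); do not add foreign keys there.` The enclosing method starts before this hunk.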

10
src/OpenIddict.Server/OpenIddictServerConfiguration.cs

@ -290,6 +290,16 @@ namespace OpenIddict.Server
key.KeyId = GetKeyIdentifier(key);
}
// Attach the signing credentials to the token validation parameters.
options.TokenValidationParameters.IssuerSigningKeys =
from credentials in options.SigningCredentials
select credentials.Key;
// Attach the encryption credentials to the token validation parameters.
options.TokenValidationParameters.TokenDecryptionKeys =
from credentials in options.EncryptionCredentials
select credentials.Key;
static string GetKeyIdentifier(SecurityKey key)
{
// When no key identifier can be retrieved from the security keys, a value is automatically
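Review bot: The two new assignments replace `IssuerSigningKeys` and `TokenDecryptionKeys` outright, so any keys a user placed in `TokenValidationParameters` before configuration runs are discarded — the inverse of the commit title — whereas the validation handler in this same commit concatenates static and resolved keys. For a server validating its own tokens, restricting the key set to the server's credentials is arguably the safer choice, but the intent should be written down: `// Deliberately overwrite: tokens issued by this server must only be validated with its own signing/encryption keys.` Note also that both right-hand sides are deferred LINQ queries, so if `SigningCredentials`/`EncryptionCredentials` are mutable collections, keys added or removed later are picked up at validation time; that is worth a comment too. `GetKeyIdentifier` continues beyond the end of this hunk.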

4
src/OpenIddict.Server/OpenIddictServerHandlers.cs

@ -439,9 +439,7 @@ namespace OpenIddict.Server
}
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
// If a specific token type is expected, override the default valid types to reject
// security tokens whose actual token type doesn't match the expected token type.
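Review bot: With `parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;` a `ValidIssuer` preset in the server options silently takes precedence over the server's own issuer for every token this handler validates; since these appear to be tokens the server itself issued, a mismatch means all of them are rejected and, if `IssuerSigningKeys` also contains keys for the preset issuer, tokens from that issuer are accepted instead. I would at least add a comment next to the line, e.g. `// A ValidIssuer configured explicitly wins; by default the server's own issuer is expected.`, and consider logging at debug level when the preset value differs from `context.Issuer`. The enclosing method starts before and ends after this hunk.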

5
src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs

@ -158,6 +158,11 @@ namespace OpenIddict.Validation
};
}
}
// Attach the encryption credentials to the token validation parameters.
options.TokenValidationParameters.TokenDecryptionKeys =
from credentials in options.EncryptionCredentials
select credentials.Key;
}
}
}
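Review bot: The new `TokenDecryptionKeys` assignment overwrites any decryption keys a user configured in `TokenValidationParameters`, unlike the signing-key handling in `OpenIddictValidationHandlers`, which concatenates the static keys with the resolved ones. If user-supplied decryption keys are meant to be supported, merge instead: `options.TokenValidationParameters.TokenDecryptionKeys = options.TokenValidationParameters.TokenDecryptionKeys?.Concat(options.EncryptionCredentials.Select(credentials => credentials.Key)) ?? options.EncryptionCredentials.Select(credentials => credentials.Key);`. If overwriting is intentional, a one-line comment saying so would prevent a later "fix". The enclosing method starts before this hunk.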

15
src/OpenIddict.Validation/OpenIddictValidationHandlers.cs

@ -215,11 +215,15 @@ namespace OpenIddict.Validation
var configuration = await context.Options.ConfigurationManager.GetConfigurationAsync(default) ??
throw new InvalidOperationException("An unknown error occurred while retrieving the server configuration.");
// Clone the token validation parameters and set the issuer and the signing keys using the
// Clone the token validation parameters and set the issuer using the value found in the
// OpenID Connect server configuration (that can be static or retrieved using discovery).
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.ValidIssuer = configuration.Issuer ?? context.Issuer?.AbsoluteUri;
parameters.IssuerSigningKeys = configuration.SigningKeys;
parameters.ValidIssuer ??= configuration.Issuer ?? context.Issuer?.AbsoluteUri;
// Combine the signing keys registered statically in the token validation parameters
// with the signing keys resolved from the OpenID Connect server configuration.
parameters.IssuerSigningKeys =
parameters.IssuerSigningKeys?.Concat(configuration.SigningKeys) ?? configuration.SigningKeys;
// If a specific token type is expected, override the default valid types to reject
// security tokens whose actual token type doesn't match the expected token type.
@ -236,11 +240,6 @@ namespace OpenIddict.Validation
};
}
// Populate the token decryption keys from the encryption credentials set in the options.
parameters.TokenDecryptionKeys =
from credentials in context.Options.EncryptionCredentials
select credentials.Key;
// If the token cannot be validated, don't return an error to allow another handle to validate it.
var result = context.Options.JsonWebTokenHandler.ValidateToken(context.Token, parameters);
if (!result.IsValid)
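Review bot: Once a statically configured `ValidIssuer` is honoured via `??=`, nothing in this hunk checks that `configuration.Issuer` (from the static or discovered metadata) actually matches it, yet `configuration.SigningKeys` is merged into `IssuerSigningKeys` on the following lines — so keys from a metadata document belonging to a different issuer would be trusted for tokens carrying the configured issuer. Unless that check already happens in `ConfigurationManager` (not visible here), I would reject the mismatch before concatenating the keys, as sketched below; whether to throw or to route through the handler's existing rejection path depends on the surrounding code, which starts before this hunk. Merging static and resolved keys also means a token signed by either set passes, which deserves a comment on the `IssuerSigningKeys` line.
```csharp
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.ValidIssuer ??= configuration.Issuer ?? context.Issuer?.AbsoluteUri;

// Refuse metadata whose issuer doesn't match the configured one: its signing keys are
// merged below and would otherwise be trusted for tokens claiming the configured issuer.
if (configuration.Issuer != null &&
    !string.Equals(parameters.ValidIssuer, configuration.Issuer, StringComparison.Ordinal))
{
    throw new InvalidOperationException("The issuer advertised by the server configuration doesn't match the configured issuer.");
}

// … unchanged: signing key concatenation and token type handling …
```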
