From bbeb29726f6c91bb53a1c0ac1a271c295e773ab3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 9 Jun 2020 20:52:16 +0200
Subject: [PATCH] Avoid overriding the issuer/signing keys/decryption keys set in the token validation parameters
---
 ...dictServerAspNetCoreHandlers.Authentication.cs | 4 +---
 .../OpenIddictServerAspNetCoreHandlers.Session.cs | 4 +---
 ...OpenIddictServerOwinHandlers.Authentication.cs | 4 +---
 .../OpenIddictServerOwinHandlers.Session.cs | 4 +---
 .../OpenIddictServerConfiguration.cs | 10 ++++++++++
 src/OpenIddict.Server/OpenIddictServerHandlers.cs | 4 +---
 .../OpenIddictValidationConfiguration.cs | 5 +++++
 .../OpenIddictValidationHandlers.cs | 15 +++++++--------
 8 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
index 5f62153e..7ae24f32 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@@ -128,10 +128,8 @@ namespace OpenIddict.Server.AspNetCore
 }
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
- parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
+ parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
 parameters.ValidAudience = context.Issuer?.AbsoluteUri;
- parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
 parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.AuthorizationRequest };
 var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
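Review bot: `parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;` now defers to an issuer configured on the token validation parameters, but `parameters.ValidAudience = context.Issuer?.AbsoluteUri;` on the next line still assigns unconditionally, so an audience a caller set on `TokenValidationParameters` is silently overwritten while an issuer is honored; the same asymmetry appears in the three parallel handlers (AspNetCore Session, Owin Authentication, Owin Session). If overriding the audience is deliberate — these appear to be server-issued `Private.AuthorizationRequest` tokens addressed back to this server — a one-line comment would stop the next reader from "fixing" it, e.g. `// The audience is always this server: these private request tokens are only ever addressed to the issuing server.`; if it is not, `parameters.ValidAudience ??= context.Issuer?.AbsoluteUri;` would match the issuer handling. The enclosing handler method starts and ends outside the hunk.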
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
index c7ad5e58..9ec38aef 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
@@ -126,10 +126,8 @@ namespace OpenIddict.Server.AspNetCore
 }
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
- parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
+ parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
 parameters.ValidAudience = context.Issuer?.AbsoluteUri;
- parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
 parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.LogoutRequest };
 var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
index 1ee04b47..800d318b 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
@@ -127,10 +127,8 @@ namespace OpenIddict.Server.Owin
 }
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
- parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
+ parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
 parameters.ValidAudience = context.Issuer?.AbsoluteUri;
- parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
 parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.AuthorizationRequest };
 var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
index bbe59ba4..a88bdc4e 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
@@ -125,10 +125,8 @@ namespace OpenIddict.Server.Owin
 }
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
- parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
+ parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
 parameters.ValidAudience = context.Issuer?.AbsoluteUri;
- parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
 parameters.ValidTypes = new[] { JsonWebTokenTypes.Private.LogoutRequest };
 var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
diff --git a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
index 5fd7bc2f..fe5020fb 100644
--- a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
+++ b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
@@ -290,6 +290,16 @@ namespace OpenIddict.Server
 key.KeyId = GetKeyIdentifier(key);
 }
+ // Attach the signing credentials to the token validation parameters.
+ options.TokenValidationParameters.IssuerSigningKeys =
+ from credentials in options.SigningCredentials
+ select credentials.Key;
+
+ // Attach the encryption credentials to the token validation parameters.
+ options.TokenValidationParameters.TokenDecryptionKeys =
+ from credentials in options.EncryptionCredentials
+ select credentials.Key;
+
 static string GetKeyIdentifier(SecurityKey key)
 {
 // When no key identifier can be retrieved from the security keys, a value is automatically
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
index 42943982..3e25c9a9 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@@ -439,9 +439,7 @@ namespace OpenIddict.Server
 }
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.ValidIssuer = context.Issuer?.AbsoluteUri;
- parameters.IssuerSigningKeys = context.Options.SigningCredentials.Select(credentials => credentials.Key);
- parameters.TokenDecryptionKeys = context.Options.EncryptionCredentials.Select(credentials => credentials.Key);
+ parameters.ValidIssuer ??= context.Issuer?.AbsoluteUri;
 // If a specific token type is expected, override the default valid types to reject
 // security tokens whose actual token type doesn't match the expected token type.
diff --git a/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs b/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
index 4ce5f15c..3ec5a14f 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
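Review bot: The two assignments added after `key.KeyId = GetKeyIdentifier(key);` overwrite `options.TokenValidationParameters.IssuerSigningKeys` and `TokenDecryptionKeys` unconditionally, so keys a caller registered directly on the token validation parameters are discarded at configuration time — which reads against the commit title even though the handlers themselves no longer overwrite them. If those caller-supplied keys are meant to be honored (key rotation is the usual reason), merge instead of replacing, e.g. `var signingKeys = options.SigningCredentials.Select(credentials => credentials.Key);` followed by `options.TokenValidationParameters.IssuerSigningKeys = options.TokenValidationParameters.IssuerSigningKeys?.Concat(signingKeys) ?? signingKeys;`, and mirror it for the decryption keys; if replacing is intended, the comment should say "replaces" rather than "attach". Also, `from … select` is a deferred query, so the parameters re-enumerate `options.SigningCredentials` on every token validation and observe any later additions to that list — worth stating in the comment if that is relied upon, or materialising with `.ToList()` if a frozen key set is wanted. The enclosing configuration method starts and ends outside the hunk.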
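Review bot: After this hunk nothing in the handler attaches signing or decryption keys to `parameters` any more — the removed lines show they used to be taken from `context.Options.SigningCredentials` and `EncryptionCredentials` — so token validation here now depends entirely on `OpenIddictServerConfiguration` having populated `TokenValidationParameters` beforehand. That ordering dependency is invisible at the call site; a comment on the `Clone()` line would save the next reader a search, e.g. `// Signing and decryption keys are attached to TokenValidationParameters by OpenIddictServerConfiguration; only the per-request issuer is filled in here.` The enclosing handler method starts and ends outside the hunk.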
@@ -158,6 +158,11 @@ namespace OpenIddict.Validation
 };
 }
 }
+
+ // Attach the encryption credentials to the token validation parameters.
+ options.TokenValidationParameters.TokenDecryptionKeys =
+ from credentials in options.EncryptionCredentials
+ select credentials.Key;
 }
 }
 }
diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
index c67ed299..1c512947 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
@@ -215,11 +215,15 @@ namespace OpenIddict.Validation
 var configuration = await context.Options.ConfigurationManager.GetConfigurationAsync(default) ??
 throw new InvalidOperationException("An unknown error occurred while retrieving the server configuration.");
- // Clone the token validation parameters and set the issuer and the signing keys using the
+ // Clone the token validation parameters and set the issuer using the value found in the
 // OpenID Connect server configuration (that can be static or retrieved using discovery).
 var parameters = context.Options.TokenValidationParameters.Clone();
- parameters.ValidIssuer = configuration.Issuer ?? context.Issuer?.AbsoluteUri;
- parameters.IssuerSigningKeys = configuration.SigningKeys;
+ parameters.ValidIssuer ??= configuration.Issuer ?? context.Issuer?.AbsoluteUri;
+
+ // Combine the signing keys registered statically in the token validation parameters
+ // with the signing keys resolved from the OpenID Connect server configuration.
+ parameters.IssuerSigningKeys =
+ parameters.IssuerSigningKeys?.Concat(configuration.SigningKeys) ?? configuration.SigningKeys;
 // If a specific token type is expected, override the default valid types to reject
 // security tokens whose actual token type doesn't match the expected token type.
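Review bot: `options.TokenValidationParameters.TokenDecryptionKeys = from credentials in options.EncryptionCredentials select credentials.Key;` replaces whatever decryption keys were already registered on the token validation parameters, whereas the handler hunk in this same package merges statically registered signing keys with the resolved ones (`IssuerSigningKeys?.Concat(...) ?? ...`), so the two kinds of key behave differently for a caller who configured them directly on `TokenValidationParameters`. If decryption keys set there should survive, apply the same merge: `var decryptionKeys = options.EncryptionCredentials.Select(credentials => credentials.Key);` then `options.TokenValidationParameters.TokenDecryptionKeys = options.TokenValidationParameters.TokenDecryptionKeys?.Concat(decryptionKeys) ?? decryptionKeys;`. If replacing is the intent, the comment should say "replaces" rather than "attach" so the asymmetry with the signing keys is visibly deliberate. The enclosing configuration method and the braces it closes begin outside the hunk.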
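Review bot: `parameters.ValidIssuer ??= configuration.Issuer ?? context.Issuer?.AbsoluteUri;` only checks the singular `ValidIssuer`, so a caller who restricted issuers through `ValidIssuers` (plural) still gets the discovered issuer added as an accepted value — as far as I recall the default issuer validator accepts a match on either property, so a pin expressed via `ValidIssuers` would be widened by whatever the discovery document claims. If the intent is to respect any caller-supplied issuer configuration, guard on both: `if (parameters.ValidIssuer is null && parameters.ValidIssuers is null) { parameters.ValidIssuer = configuration.Issuer ?? context.Issuer?.AbsoluteUri; }`. Likewise the new key merge is additive, so statically registered `IssuerSigningKeys` can never narrow trust below the keys published by the server; the added comment would be clearer if it said so, e.g. `// Statically registered keys are trusted in addition to (never instead of) the keys published by the server.` The enclosing handler method starts and ends outside the hunk.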
@@ -236,11 +240,6 @@ namespace OpenIddict.Validation
 };
 }
- // Populate the token decryption keys from the encryption credentials set in the options.
- parameters.TokenDecryptionKeys =
- from credentials in context.Options.EncryptionCredentials
- select credentials.Key;
-
 // If the token cannot be validated, don't return an error to allow another handle to validate it.
 var result = context.Options.JsonWebTokenHandler.ValidateToken(context.Token, parameters);
 if (!result.IsValid)