
Use a crypto-secure RNG to generate the request_id parameter

pull/480/head
Kévin Chalet 8 years ago
parent
commit
dbfd9f58ab
  1. 8
      src/OpenIddict/OpenIddictProvider.Authentication.cs
  2. 8
      src/OpenIddict/OpenIddictProvider.Session.cs
  3. 6
      test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs
  4. 6
      test/OpenIddict.Tests/OpenIddictProviderTests.Session.cs

8
src/OpenIddict/OpenIddictProvider.Authentication.cs

@ -15,6 +15,7 @@ using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;
using Newtonsoft.Json.Bson;
using Newtonsoft.Json.Linq;
@ -306,9 +307,10 @@ namespace OpenIddict
// to flow across requests and internal/external authentication/registration workflows.
if (options.EnableRequestCaching && string.IsNullOrEmpty(context.Request.RequestId))
{
// Generate a request identifier. Note: using a crypto-secure
// random number generator is not necessary in this case.
context.Request.RequestId = Guid.NewGuid().ToString();
// Generate a 256-bit request identifier using a crypto-secure random number generator.
var bytes = new byte[256 / 8];
options.RandomNumberGenerator.GetBytes(bytes);
context.Request.RequestId = Base64UrlEncoder.Encode(bytes);
// Store the serialized authorization request parameters in the distributed cache.
var stream = new MemoryStream();
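Review bot: The four new lines after the opening brace (buffer allocation, `GetBytes`, `Base64UrlEncoder.Encode`) are repeated verbatim in the OpenIddictProvider.Session.cs hunk, so the two request-caching paths can silently drift in identifier size, encoding or RNG source if only one is touched later; a single private helper taking the `RandomNumberGenerator` and called from both sites, `context.Request.RequestId = GenerateRequestId(options.RandomNumberGenerator);`, keeps them in step. The removed comment explained why a weak RNG was acceptable, and the new one should state why a strong one is now required — presumably because the identifier is the key under which the request parameters are cached just below the hunk and must therefore be unguessable; confirm against the cache write. `options.RandomNumberGenerator` is dereferenced without a guard, so if the options type does not guarantee a default instance, validating it once at options-validation time would fail more clearly than a NullReferenceException on the first cached request. The enclosing method starts and ends outside the hunk.
```csharp
// Generate a 256-bit request identifier using a crypto-secure random number generator.
// Shared by the authorization and logout request-caching paths so both use the same size and encoding.
private static string GenerateRequestId(RandomNumberGenerator generator)
{
    var bytes = new byte[256 / 8];
    generator.GetBytes(bytes);
    return Base64UrlEncoder.Encode(bytes);
}
// … unchanged: call site assigns GenerateRequestId(options.RandomNumberGenerator) to context.Request.RequestId …
```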

8
src/OpenIddict/OpenIddictProvider.Session.cs

@ -14,6 +14,7 @@ using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;
using Newtonsoft.Json.Bson;
using Newtonsoft.Json.Linq;
@ -133,9 +134,10 @@ namespace OpenIddict
// to make it easier to flow across requests and internal/external logout workflows.
if (options.EnableRequestCaching && string.IsNullOrEmpty(context.Request.RequestId))
{
// Generate a request identifier. Note: using a crypto-secure
// random number generator is not necessary in this case.
context.Request.RequestId = Guid.NewGuid().ToString();
// Generate a 256-bit request identifier using a crypto-secure random number generator.
var bytes = new byte[256 / 8];
options.RandomNumberGenerator.GetBytes(bytes);
context.Request.RequestId = Base64UrlEncoder.Encode(bytes);
// Store the serialized logout request parameters in the distributed cache.
var stream = new MemoryStream();

6
test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs

@ -5,6 +5,7 @@
*/
using System.IO;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Client;
@ -435,6 +436,7 @@ namespace OpenIddict.Tests
{
// Arrange
var cache = new Mock<IDistributedCache>();
var generator = new Mock<RandomNumberGenerator>();
var server = CreateAuthorizationServer(builder =>
{
@ -455,6 +457,8 @@ namespace OpenIddict.Tests
builder.Services.AddSingleton(cache.Object);
builder.EnableRequestCaching();
builder.Configure(options => options.RandomNumberGenerator = generator.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
@ -478,6 +482,8 @@ namespace OpenIddict.Tests
It.IsAny<byte[]>(),
It.IsAny<DistributedCacheEntryOptions>(),
It.IsAny<CancellationToken>()), Times.Once());
generator.Verify(mock => mock.GetBytes(It.Is<byte[]>(bytes => bytes.Length == 256 / 8)), Times.Once());
}
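Review bot: `generator.Verify` on the last added line only proves that a 32-byte buffer was passed to `GetBytes`; because the loose mock leaves that buffer zeroed, nothing confirms the generated identifier is what ends up as the cache key, so a regression that ignores the buffer (or re-encodes it differently) would still pass. A `generator.Setup(mock => mock.GetBytes(It.IsAny<byte[]>())).Callback<byte[]>(bytes => bytes[0] = 0x42);` followed by a `cache.Verify` whose key matcher checks for `Base64UrlEncoder.Encode(...)` of those known bytes would pin the full path; the key format is composed outside the hunk, so the exact matcher depends on it. The same applies to the OpenIddictProviderTests.Session.cs hunk. `256 / 8` is now repeated in both source files and both tests; a shared named constant would make the intended size explicit in one place.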
[Theory]

6
test/OpenIddict.Tests/OpenIddictProviderTests.Session.cs

@ -4,6 +4,7 @@
* the license and the contributors participating to this project.
*/
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Client;
@ -119,6 +120,7 @@ namespace OpenIddict.Tests
{
// Arrange
var cache = new Mock<IDistributedCache>();
var generator = new Mock<RandomNumberGenerator>();
var server = CreateAuthorizationServer(builder =>
{
@ -131,6 +133,8 @@ namespace OpenIddict.Tests
builder.Services.AddSingleton(cache.Object);
builder.EnableRequestCaching();
builder.Configure(options => options.RandomNumberGenerator = generator.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
@ -152,6 +156,8 @@ namespace OpenIddict.Tests
It.IsAny<byte[]>(),
It.IsAny<DistributedCacheEntryOptions>(),
It.IsAny<CancellationToken>()), Times.Once());
generator.Verify(mock => mock.GetBytes(It.Is<byte[]>(bytes => bytes.Length == 256 / 8)), Times.Once());
}
[Fact]
