-
-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed token validation bug when using a custom IDataProtectionProvider. #1860
Conversation
Thanks for your PR.
It's not really a bug but a deliberate design choice: while it's defined by
As such, I'm not sure non-conforming |
Use case:
So it's not a non-conformant Data Protection system that I'm hinting at. It's simply a way of migrating away from legacy Owin to your library. However, I have worked around the issue in a less elegant way by hooking into the event handlers pipeline before OpenIddict runs these (for our set up) "problematic" handlers. Also ensuring that newly generated tokens are based on the new DP system. But just a question back. I know the prefix is in the design spec. But the current string prefix validation check could be entirely removed and an invalid auth token would still be discarded in the same method. So what's the purpose of the check? |
Just to make it perfectly clear. We have a workaround. But I just spend almost an entire day to find out that it's a simple string check that "prevents" the And the extra guard that I suggested may not be perfect. But I don't think that the current string prefix check is perfect either. You can only assume that if the prefix is there, then yes it was generated by ASP.NET Core. But if it's not there, then you cannot make any assumptions as to what DP system generated the token. It may still be perfectly valid. |
The Data Protection implementation is not the only thing that differs between OWIN/Katana and ASP.NET Core: the authentication ticket serializer/data format was also updated in ASP.NET Core 1.0 to use As such, replacing the For this scenario, my recommendation so far has always been to use
It's a perf' optimization, to avoid calling DP when we know the payload is not a DP-protected token (i.e misses the magic header). It's worth mentioning that while DP is pretty optimized, there are cases where we need to call it multiple times (e.g for introspection or revocation requests, you need to call DP once per token type with different "purposes"), which has a certain cost. We don't have the same issue with IdentityModel, as it provides a
Well, you could ask the same question for JWT tokens: sure you could create a
Your approach is not unreasonable, but as I said, it's not enough to magically accept tokens produced by the Katana OAuth 2.0 authorization server middleware: you'd also need a custom I'll think more about it before giving you a definitive answer 😃
Glad you like the library! If it was useful to your company, please consider encouraging your employer to sponsor the project on GitHub: https://github.com/sponsors/kevinchalet ❤️ |
I stand corrected. You're right. I'm wrong. I think this is an x-y problem then. It's more about easing the upgrade path from Owin to OpenIddict. I.e. being able to validate old tokens in the old machine key format, while issuing (and validating) new tokens using the new format. You can close this PR then. |
I'm sold, PR merged. Congrats for your first contribution to OpenIddict 👍🏻 |
IDataProtectionProvider
with OpenIddict, the access token validation fails.CfDJ8
) in access tokens as the built-in/nativeMicrosoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider
IDataProtectionProvider
is the built-in.KeyRingBasedDataProtectionProvider
is marked asinternal
.