
Comments (26)

kevinchalet commented on May 31, 2024 14

@verdie-g @vlapoec here we go: https://kevinchalet.com/2020/02/18/creating-an-openid-connect-server-proxy-with-openiddict-3-0-s-degraded-mode/ 😄

from aspnet.security.openid.providers.

kevinchalet commented on May 31, 2024 4

The JWT middleware can't be used for issuing JWT tokens: its only mission is to validate them, which is why you get an exception when trying to use it as the DefaultSignInScheme.

The scenario you describe is usually achieved by adding an OpenID Connect server (OIDC):

Client (e.g. a SPA or a mobile app) -> your OIDC server embedded in your ASP.NET Core app -> Steam (OpenID 2.0 dance) -> your OIDC server -> client.

Projects like IdentityServer (developed by Thinktecture) or OpenIddict (that I develop and maintain) can help you with that.


kinosang commented on May 31, 2024 1

@vlapoec IdentityServer or other OpenID Connect servers (ASOS, OpenIddict, etc.) work well with 3rd party login, such as OAuth and OpenID.

Please refer to the ASP.NET Core Identity docs and IdentityServer docs for more information.

You can simply add services.AddAuthentication().AddSteam() and app.UseAuthentication() (for IdentityServer it's replaced by app.UseIdentityServer()).


kevinchalet commented on May 31, 2024 1

To be honest, it's not the first time I hear someone trying to implement a custom protocol instead of using a battle-tested standard like OIDC (and well-known implementations like IdSrv or OpenIddict).

I'm considering writing a blog post introducing OpenIddict 3.0's degraded mode, which allows using OpenIddict's server without any database. It's a perfect use case for a tiny proxy between a single client and a remote identity provider (Steam in this case). Would you be interested?


volvoplz commented on May 31, 2024

Did you find a way to resolve this issue?


jacobmstein commented on May 31, 2024

Unfortunately not, I ended up switching to Node for better control over the callback.


volvoplz commented on May 31, 2024

Thanks a lot @PinpointTownes

That sounds exactly like what I need, but I don't really understand.

If I'm hosting an IdentityServer, I'm the one who authenticates my users. Will they still be able to log into my website with their Steam accounts? And will I be able to identify their Steam info?


volvoplz commented on May 31, 2024

Thank you, I will dig into that.


verdie-g commented on May 31, 2024

I have found another solution, which is handling the redirection yourself in SteamAuthenticationOptions.Events.OnTicketReceived and passing the JWT in a query parameter. See https://stackoverflow.com/questions/59734317/return-a-jwt-after-authenticating-via-open-id.


kevinchalet commented on May 31, 2024

@verdie-g looks like a super dangerous solution: your RedirectUri endpoint accepts a token parameter in the query string without any additional anti-forgery validation.

The lack of CSRF countermeasures in a callback endpoint typically results in a session fixation vulnerability: nothing prevents a bad guy from authenticating with his own account, extracting the JWT associated with his account and forging a URL he'll be able to send to a victim, who will be logged in as the attacker once they click the link.

There's really a reason we suggest opting for battle-tested options: these threats are clearly identified in standard protocols.


verdie-g commented on May 31, 2024

Indeed, in my case I'm forbidding CORS, which, I think, mitigates this security issue (?). Anyway, I should dig more into OIDC servers, but it feels so overkill for the size of my project.


kevinchalet commented on May 31, 2024

Indeed, in my case I'm forbidding CORS which I think, mitigates this security issue (?).

Nope, neither the same-origin policy nor same-site cookies will mitigate that, as the victim directly visits the vulnerable callback endpoint in the attack I described.

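The anti-forgery validation kevinchalet says the callback lacks is, in standard OAuth/OIDC terms, a `state` value bound to the browser that started the login. The following is an added, framework-agnostic illustration written for this thread (not code from the page, the Steam provider or OpenIddict); `begin_login`, `verify_callback`, the cookie name and the 300-second lifetime are assumptions. A login link forwarded to another browser carries the `state` but not the matching cookie, which is why the same-origin policy is irrelevant and this check is not.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed per-deployment secret; in production load it from a key store.
SERVER_KEY = secrets.token_bytes(32)
STATE_COOKIE = "__Host-login_state"   # set as Secure + HttpOnly on the browser
MAX_AGE_SECONDS = 300                 # assumed lifetime of one login attempt


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def begin_login(now=None):
    """Mint a one-time state for the redirect to the identity provider.

    Returns (state, cookie_value): `state` travels in the redirect, the cookie
    is set on the browser that started the login so the callback can later
    prove it is being completed by that same browser.
    """
    issued = int(now if now is not None else time.time())
    state = secrets.token_urlsafe(32)          # alphabet contains no '.'
    payload = f"{state}.{issued}"
    return state, f"{payload}.{_mac(payload)}"


def verify_callback(query_string, cookies, now=None):
    """Accept the callback only if the `state` query value matches the
    HMAC-bound, unexpired cookie presented by this browser.
    Returns (accepted, reason)."""
    current = now if now is not None else time.time()
    state = parse_qs(query_string).get("state", [None])[0]
    cookie = cookies.get(STATE_COOKIE)
    if not state or not cookie:
        return False, "missing state or state cookie"      # forwarded link case
    parts = cookie.split(".")
    if len(parts) != 3:
        return False, "malformed state cookie"
    bound_state, issued, mac = parts
    if not hmac.compare_digest(_mac(f"{bound_state}.{issued}"), mac):
        return False, "state cookie signature invalid"
    if not issued.isdigit() or current - int(issued) > MAX_AGE_SECONDS:
        return False, "state expired"
    if not hmac.compare_digest(bound_state, state):
        return False, "state does not match this browser's login attempt"
    # Caller now issues its own session cookie and must clear STATE_COOKIE
    # so the value cannot be replayed.
    return True, "ok"
```

Note that after this check succeeds the server issues its own session cookie; the token never appears in a query string at all.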

verdie-g commented on May 31, 2024

I misread your scenario. In my case, you have nothing to gain by allowing someone else to log in to your account. But my solution is really dirty anyway.


kevinchalet commented on May 31, 2024

In my case, you have nothing to gain by allowing someone else to log in your account.

Information theft is the main risk with this attack: if your website allows the user to send personal data, you're at risk, as the data will be attached to the attacker's account.


verdie-g commented on May 31, 2024

I understand. Thanks for pointing out this issue.


verdie-g commented on May 31, 2024

I would be very interested! I have started reading the OpenIddict doc, which is way clearer than IdentityServer's one, no magic everywhere. But if I implemented my custom protocol, it was mostly out of pure laziness, because I didn't find an article matching my use case.


verdie-g commented on May 31, 2024

That was fast, thanks! I'll read that as soon as I can.


kevinchalet commented on May 31, 2024

@verdie-g my pleasure 😄


kevinchalet commented on May 31, 2024

Closing, as I believe my blog post answered the original question. If not, please add a comment and I'll give it a look.


Gameghostify commented on May 31, 2024

The Cookie authentication scheme here works without having to add something as heavy as ASP.NET Core Identity or even IdentityServer to your project.

On that note: Does that mean we could create a custom auth scheme that implements SignInAsync?


Gameghostify commented on May 31, 2024

I'd love to use Steam authentication but keep using my own user system, without having to switch to one given by ASP.NET Core Identity/IdentityServer or implementing something like OpenIddict.


kevinchalet commented on May 31, 2024

@Gameghostify nothing prevents you from doing that. As you figured out, you can use the cookies authentication handler alone and build your own membership mechanism on top of that.


vshlmahalingam commented on May 31, 2024

@kevinchalet I need to use E2E encryption in OpenIddict 3.0 instead of using the default password hashing. Is there a way to do it?


jacobmstein commented on May 31, 2024

https://kevinchalet.com/2020/02/18/creating-an-openid-connect-server-proxy-with-openiddict-3-0-s-degraded-mode/

I ended up revisiting this a while later, and I really appreciate the blog post. Thank you!

I would like to just allow users to log in using a SPA, and if authenticated properly, store the info in a database, and redirect back to my SPA and display a success message. That's it, in which case I don't need to use JWTs. In that case, would it be safe to override OnTicketReceived, as long as I ensure the RedirectUri is not foreign? Using a connect server seems overkill if I don't need to issue JWTs.

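The "RedirectUri is not foreign" check jacobmstein asks about is the open-redirect half of the problem; as an added illustration written for this thread (not the page's or any library's code), here is that check in framework-agnostic Python, re-implementing the rule of ASP.NET Core's IsLocalUrl helper as I understand it: accept only "/path" or "~/path", reject absolute URLs, scheme-relative "//host", the backslash variants browsers normalise to "//", and control characters. `is_local_redirect` and `safe_return_url` are assumed names. It guards where the browser is sent after login, not who is being signed in, so it complements rather than replaces the state binding discussed above.

```python
from urllib.parse import urlsplit


def is_local_redirect(url):
    """Return True only for a same-site, path-only return URL."""
    if not url:
        return False
    # CR/LF or other control characters can split headers or be stripped by
    # lenient parsers, so they are never part of a legitimate local path.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    if url.startswith("~/"):          # application-relative virtual path
        url = url[1:]
    if not url.startswith("/"):
        return False                  # "https://host/..", "host/x", "javascript:.."
    if len(url) > 1 and url[1] in "/\\":
        return False                  # "//host" and "/\host" are scheme-relative
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(candidate, fallback="/"):
    """Post-login destination: the requested URL if local, else the fallback."""
    return candidate if is_local_redirect(candidate) else fallback
```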
