Comments (4)
kevinchalet
commented on August 17, 2024
Interesting scenario 😄
What warning are you referring to, exactly? The one logged when during app initialization?
If so, this should be addressed in OpenIddict 3.0, where we'll no longer have this check.
from aspnet.security.openidconnect.server.
NicolasDorier
commented on August 17, 2024
cool!
Just for information, when OpenIddict 3.0 is out?
We are using openiddict for new feature, so it would be a shame if we develop on something that will soon be supersede by new version (ping @Kukks)
from aspnet.security.openidconnect.server.
kevinchalet
commented on August 17, 2024
The first experimental 3.0 bits should be pushed to GitHub soon (probably later this week) but they'll have many missing features, that will be progressively reintroduced over time. Once I'm sure it meets the usual security bar, I'll start pushing alpha packages on MyGet (so folks can torture it 😄).
.NET Core 3.0's GA is scheduled for September but won't be a LTS version. 3.1 - that will have long-term support - is currently scheduled for November. We should have production-ready packages available by then (at least for the core/server/validation features).
IMHO, there's no need to rush for the 3.0 bits: the core part will be identical and it shouldn't be too hard to migrate to the new server/validation packages. I took a brief look at btcpayserver and I'm confident it shouldn't be too painful: only the event handlers will have to be reworked a bit to adopt the new simplified API. Here's an example of an event handler in 3.0:
/// <summary>
/// Contains the logic responsible of rejecting authorization requests that specify an invalid response_mode parameter.
/// </summary>
public class ValidateResponseModeParameter : IOpenIddictServerHandler<ValidateAuthorizationRequestContext>
{
/// <summary>
/// Gets the default descriptor definition assigned to this handler.
/// </summary>
public static OpenIddictServerHandlerDescriptor Descriptor { get; }
= OpenIddictServerHandlerDescriptor.CreateBuilder<ValidateAuthorizationRequestContext>()
.UseSingletonHandler<ValidateResponseModeParameter>()
.SetOrder(ValidateResponseTypeParameter.Descriptor.Order + 1000)
.Build();
/// <summary>
/// Processes the event.
/// </summary>
/// <param name="context">The context associated with the event to process.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
public Task HandleAsync([NotNull] ValidateAuthorizationRequestContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
// response_mode=query (explicit or not) and a response_type containing id_token
// or token are not considered as a safe combination and MUST be rejected.
// See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Security
if (context.Request.IsQueryResponseMode() && (context.Request.HasResponseType(ResponseTypes.IdToken) ||
context.Request.HasResponseType(ResponseTypes.Token)))
{
context.Logger.LogError("The authorization request was rejected because the 'response_type'/'response_mode' " +
"combination was invalid: {ResponseType} ; {ResponseMode}.",
context.Request.ResponseType, context.Request.ResponseMode);
context.Reject(
error: Errors.InvalidRequest,
description: "The specified 'response_type'/'response_mode' combination is invalid.");
return Task.CompletedTask;
}
// Reject requests that specify an unsupported response_mode.
if (!string.IsNullOrEmpty(context.Request.ResponseMode) && !context.Request.IsFormPostResponseMode() &&
!context.Request.IsFragmentResponseMode() &&
!context.Request.IsQueryResponseMode())
{
context.Logger.LogError("The authorization request was rejected because the '{ResponseMode}' " +
"response mode is not supported.", context.Request.ResponseMode);
context.Reject(
error: Errors.InvalidRequest,
description: "The specified 'response_mode' parameter is not supported.");
return Task.CompletedTask;
}
return Task.CompletedTask;
}
}from aspnet.security.openidconnect.server.
NicolasDorier
commented on August 17, 2024
@PinpointTownes thanks for the information.
we will then continue on 2.0. I did not knew that the 3.0 was for .NET 3.0. We will move to .NET 3.0 only after the first LTS.
That said, I was expecting .NETCore2.1 packages to "just work" on .NETCore3.0. That is not the case? (assuming no netstandard support)
from aspnet.security.openidconnect.server.
Related Issues (20)
- How can handle Authorize attribute on ASOS HOT 6
- Does not support Owin/Katana 3/4 HOT 1
- Plans for the aspnet-contrib introspection, validation and server middleware for ASP.NET Core 3.0 HOT 5
- Support Source Link HOT 4
- Serve ui endpoints in separate web client HOT 2
- Add no-store as part of the CacheControl headers to totally prevent response being saved HOT 3
- I am not getting useful/appropriate information while using some functionality of ASOS. HOT 1
- get userinfo HOT 3
- Getting 404 issue when requesting the token from postman/Restlet API
- Add support for async OnHandleTokenRequest HOT 1
- Access token generated but authorize attribute gives internal server error HOT 1
- Make ID Token signature mandatory HOT 2
- nonce (xdafadsfdsa) does not match nonce from token () HOT 1
- Support for User Managed Access (UMA)? HOT 1
- User is already not authorization at HandleLogoutRequest
- [Q]Hosting Azure Functions sample HOT 1
- open-id configuration modifications HOT 2
- Support for ASP.Net core 3.1? HOT 6
- Q: Is this still active, relevant in contemporary contexts? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aspnet.security.openidconnect.server.