Kévin Chalet
@kevinchalet
You can generate a certificate and store it in an appropriate place (Azure Key Vault, X.509 machine store, etc.)
Regarding the scheme, it's not configurable. However, you can create your own Bearer -> OpenIddict.Validation.AspNetCore redirection using the ASP.NET Core AddSchemeHandler() extension.
Alexey
@askalione
@kevinchalet thank you!
I have not found docs about AddSchemeHandler() extensions, can you please give me a link?
I'm trying AddPolicyScheme() but don't understand how it works yet.
Kévin Chalet
@kevinchalet
Ah yeah, it’s AddPolicyScheme, my bad.
Dunno if there’s any docs yet.
Alexey
@askalione
You mean something like that? -
services.AddAuthentication(options =>
{
    options.DefaultScheme = "PolicyScheme";
})
.AddCookie("CookieScheme")
.AddPolicyScheme("PolicyScheme", "PolicyScheme", options =>
{
    options.ForwardDefaultSelector = context =>
    {
        var header = context.Request.Headers["Authorization"].FirstOrDefault();
        if (header?.StartsWith("Bearer ") == true)
        {
            return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
        }

        return "CookieScheme";
    };
});
Kévin Chalet
@kevinchalet
Well, falling back to cookies for Bearer is quite dangerous, so yeah, but without the if and the cookies handler.
Alexey
@askalione
@kevinchalet okay, thank you!
Alexey
@askalione
@kevinchalet , it's great! ty!
@kevinchalet, can you help me please?
After decorating the controller with [Authorize(AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)], the response has become just a 401 status code with empty content.
But I need to return some JSON content { statusCode: 401, message: "Unauthorized" } besides Response.StatusCode 401.
How can I handle the authorization result?
Kévin Chalet
@kevinchalet
You have multiple options to support that: you can use the status code middleware shipping with ASP.NET Core to intercept 401 responses and return the body you want or you can use OpenIddict's event model (see https://github.com/openiddict/openiddict-core/blob/dev/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandlers.cs)
That said, unless you have legacy clients that use this specific content, consider using the standard WWW-Authenticate response header.
@/all OpenIddict 3.0 beta2 is out. Read https://kevinchalet.com/2020/07/08/openiddict-3-0-beta2-is-out/ for more information.
Alexey
@askalione
@kevinchalet, sorry for one more question.
When I do the AuthorizationCode flow and the callback with the authorization code, I get an IIS error: 404.15 - Query String Too Long
Is it OK that the code is so long (see screenshot)?
Is it possible to somehow reduce the size of the authorization code? (Actually, the principal has a payload of 4 claims.)
Kévin Chalet
@kevinchalet
Did you read my blog post? :worried:
Alexey
@askalione

You mean this? -

With response_mode=form_post being impacted by same-site, some applications are moving back to the query response mode (the default mode for the authorization code flow). To avoid token length issues with clients using response_mode=query and having strict query string limits, authorization codes are now reference tokens in OpenIddict 3.0 beta2.

I'm using OpenIddict 3.0 beta1 for now
Can I use options.UseReferenceTokens() with options.EnableDegradedMode()?
Kévin Chalet
@kevinchalet
No, reference tokens are only supported with the degraded mode disabled.
You’ll get full length authorization codes with the degraded mode enabled.
You can use Data Protection, it produces smaller tokens.
Alexey
@askalione
When I added options.UseDataProtection(), the authorization code became shorter, thanks!
But now, on the callback, the authorization code is not valid: {"error":"invalid_grant","error_description":"The specified token is not valid."} (by Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler) :(
Kévin Chalet
@kevinchalet
Call options.DisableTokenStorage() to see if it makes a difference.
Kévin Chalet
@kevinchalet
Did that help?
Alexey
@askalione
Thanks! Now better)) Now with options.DisableSlidingExpiration() I'm getting - {"error":"invalid_client","error_description":"The specified 'client_id' or 'client_secret' doesn't match a registered client."}... trying to figure it out
Kévin Chalet
@kevinchalet
I don't think it's a built-in error. Is it a custom error of yours?
Alexey
@askalione
No, it's from Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>
Kévin Chalet
@kevinchalet
But it's returned by the server. That method only rethrows the error returned by the server.
You probably have a ValidateTokenRequestContext event handler with that error inside :)
Alexey
@askalione
Oh.... you are right!!!))
Kévin Chalet
@kevinchalet
I opened openiddict/openiddict-core#1022 to track the first issue.
robertovaldesperez
@robertovaldesperez
@kevinchalet is there any example to refresh the token?
flutterfromscratch
@flutterfromscratch
so, when I'm using OpenIddict in Docker, where the containers get pulled down and brought back up all the time, how can I keep my tokens valid?
I'm using a signing certificate which is the same
and the database tokens are still stored in the database etc
but when I stop the containers and then subsequently docker-compose up, it invalidates all previously generated tokens
I would have assumed that assigning a security certificate at start up would have been enough for the tokens to hopefully remain trusted between application startups
the options.AddSigningCertificate(_signingCertificate); option is what I mean
Kévin Chalet
@kevinchalet
What version and access token format are you using?
flutterfromscratch
@flutterfromscratch
openiddict 2.0.1
I'm not sure I am configuring a token format in startup
so I'm going to go with "le default"
Kévin Chalet
@kevinchalet
When it uses ASP.NET Core Data Protection, you'll need to configure that to store the master keys in a persistent location.
There are plenty of docs for that on docs.asp.net.
flutterfromscratch
@flutterfromscratch
ah okay, so the master keys are the default store is what I'm getting from this
flutterfromscratch
@flutterfromscratch
that works perfectly - thank you so much
Kévin Chalet
@kevinchalet
You're welcome :)
flutterfromscratch
@flutterfromscratch
@kevinchalet, I just want to say, thanks for your support on this library. I don't know what's in it for you (apart from warm fuzzies from helping fellow developers) and you are well within your rights to tell me to read the docs or search the GitHub issue.... but it's just turned midnight here in Australia and your quick help means I can sleep tonight having my app one step closer to production readiness. This level of community support and courteousness is very rare in my experience, so thank you for your unyielding support
Kévin Chalet
@kevinchalet
Haha, thanks for your kind words :smile: