
Use ECCurve.Oid.Value when comparing EC curves


Hosted on Ubuntu, NGINX, Cloudflare DNS with proxy. OpenIddict v2.0.1 and other STS are working fine in production. Dev build works fine. Being new to OpenIddict, I'm probably missing something obvious.

Api side:

services
    .AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the issuer signing keys used to validate tokens.
        options.SetIssuer(stsOptions.Authority);
        options.AddAudiences(CLIENT_ID);
        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });

Everything works using JwtBearer auth instead of OpenIddict:

services
    .AddAuthentication(options => { ... })
    .AddJwtBearer(options =>
    {
        options.Authority = stsOptions.Authority;
        options.Audience = CLIENT_ID;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = ECDsaKey,
        };
    });

Api stack:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://***/.well-known/openid-configuration'.
 ---> OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the cryptography response.
  Error: server_error
  Error description: A JWKS response containing an invalid key was returned.
  Error URI:
   at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass3_0.<<GetSecurityKeysAsync>g__HandleCryptographyResponseAsync|3>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at OpenIddict.Validation.OpenIddictValidationService.GetSecurityKeysAsync(Uri address, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationService.GetSecurityKeysAsync(Uri address, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at OpenIddict.Validation.OpenIddictValidationHandlers.ValidateIdentityModelToken.HandleAsync(ProcessAuthenticationContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Server side:

services.AddOpenIddict()
    .AddCore(options => { ... })
    .AddServer(options =>
    {
        options
            .SetTokenEndpointUris("/connect/token")
            .SetAuthorizationEndpointUris("/connect/authorize")
            .SetLogoutEndpointUris("/connect/logout")
            .SetUserinfoEndpointUris("/api/userinfo");
        ...
        options
            .UseAspNetCore()
            .EnableAuthorizationEndpointPassthrough()
            .EnableVerificationEndpointPassthrough()
            .EnableTokenEndpointPassthrough();

        // AddSigningKey is a server builder method, so it cannot be chained after
        // the ASP.NET Core passthrough calls; it is registered on options directly.
        options.AddSigningKey(ECDsaKey);
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseAspNetCore();
    });

Server log (the API is calling http:// instead of https://):

[16:55:23 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/jwks

[16:55:23 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/jwks'

[16:55:23 Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware
Request did not match any endpoints

[16:55:23 Information] OpenIddict.Server.OpenIddictServerDispatcher
The request address matched a server endpoint: Cryptography.
...
[16:55:23 Information] OpenIddict.Server.OpenIddictServerDispatcher
The response was successfully returned as a JSON document: {
  "keys":...
}.

...

[16:56:12 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/openid-configuration

[16:56:12 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/openid-configuration'

[16:56:12 Information] OpenIddict.Server.OpenIddictServerDispatcher
The response was successfully returned as a JSON document: {
  "issuer": "https://***/",
  ...
}.
...
[16:56:14 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/jwks

[16:56:14 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/jwks'

[16:56:14 Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware
Request did not match any endpoints

[16:56:14 Information] OpenIddict.Server.OpenIddictServerDispatcher
The request address matched a server endpoint: Cryptography.
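
The issue title names the fix: compare EC curves by ECCurve.Oid.Value rather than by Oid.FriendlyName. The friendly name of the same curve differs between platforms (Windows CNG reports "nistP256", OpenSSL-backed keys on Linux report names such as "prime256v1" or "ECDSA_P256"), so a JWKS builder that matches on FriendlyName can fail to recognise a perfectly valid key and emit an entry that the validation side then rejects as invalid, which is the symptom in the stack trace above. The following is an added C# example, not OpenIddict's own code. The curve OIDs are the standard SEC 2 / RFC 5480 identifiers; the friendly-name alias table used as a fallback is an assumption about what different runtimes report, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example (not OpenIddict's code): resolve an ECCurve to its JWK "crv" name
// by comparing ECCurve.Oid.Value, which is the same dotted string on every platform,
// instead of Oid.FriendlyName, which is platform-dependent.
public static class EcCurveNames
{
    // Standard named-curve OIDs (SEC 2 / RFC 5480) mapped to the JWK "crv" value.
    private static readonly Dictionary<string, string> JwkNameByOid = new(StringComparer.Ordinal)
    {
        ["1.2.840.10045.3.1.7"] = "P-256", // secp256r1 / prime256v1 / nistP256
        ["1.3.132.0.34"]        = "P-384", // secp384r1 / nistP384
        ["1.3.132.0.35"]        = "P-521", // secp521r1 / nistP521
    };

    // Fallback for runtimes that leave Oid.Value empty and only populate FriendlyName.
    // Assumption: these aliases are what the various platforms report for the same curve.
    private static readonly Dictionary<string, string> JwkNameByFriendlyName = new(StringComparer.OrdinalIgnoreCase)
    {
        ["nistP256"] = "P-256", ["ECDSA_P256"] = "P-256", ["prime256v1"] = "P-256", ["secp256r1"] = "P-256",
        ["nistP384"] = "P-384", ["ECDSA_P384"] = "P-384", ["secp384r1"] = "P-384",
        ["nistP521"] = "P-521", ["ECDSA_P521"] = "P-521", ["secp521r1"] = "P-521",
    };

    // Returns the JWK "crv" value, or null when the curve is explicit (not named)
    // or is not a curve a JWKS consumer would accept.
    public static string? ToJwkCurveName(ECCurve curve)
    {
        if (!curve.IsNamed || curve.Oid is null)
            return null;

        // Prefer the dotted OID: it does not depend on the platform's naming scheme.
        if (!string.IsNullOrEmpty(curve.Oid.Value) &&
            JwkNameByOid.TryGetValue(curve.Oid.Value, out var byOid))
            return byOid;

        // Fall back to the friendly name only when no OID value is available.
        if (!string.IsNullOrEmpty(curve.Oid.FriendlyName) &&
            JwkNameByFriendlyName.TryGetValue(curve.Oid.FriendlyName, out var byName))
            return byName;

        return null;
    }

    // Two named curves are the same curve when they resolve to the same OID; a
    // FriendlyName comparison would treat "nistP256" and "prime256v1" as different.
    public static bool IsSameCurve(ECCurve a, ECCurve b)
    {
        var left = ToJwkCurveName(a);
        return left is not null && left == ToJwkCurveName(b);
    }

    public static void Main()
    {
        foreach (var curve in new[] { ECCurve.NamedCurves.nistP256, ECCurve.NamedCurves.nistP384, ECCurve.NamedCurves.nistP521 })
        {
            using var key = ECDsa.Create(curve);
            // The exported curve is what a JWKS builder sees; its Oid fields vary per platform,
            // but the resolved "crv" value does not.
            var exported = key.ExportParameters(includePrivateParameters: false).Curve;
            Console.WriteLine($"FriendlyName='{exported.Oid.FriendlyName}' Value='{exported.Oid.Value}' crv={ToJwkCurveName(exported)}");
        }

        // A curve constructed from its OID alone still compares equal to the friendly-name one.
        var fromOid = ECCurve.CreateFromValue("1.2.840.10045.3.1.7");
        Console.WriteLine($"Same curve: {IsSameCurve(fromOid, ECCurve.NamedCurves.nistP256)}");
    }
}
```

Running the Main method on both a Windows and a Linux host is a quick way to see the FriendlyName difference for yourself while confirming that the "crv" value stays stable; if a key on either host resolves to null, that is the same class of problem the validation handler reported as "A JWKS response containing an invalid key was returned".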

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 29 (15 by maintainers)

Top GitHub Comments

1 reaction
rvlajcev commented, Oct 12, 2020

Of course, as soon as I get home.

1 reaction
kevinchalet commented, Oct 12, 2020

Updated packages were pushed to MyGet.org to fix this issue. Can you please give them a try?
