Use ECCurve.Oid.Value when comparing EC curves
Hosted on Ubuntu, NGINX, Cloudflare DNS with proxy. OpenIddict v2.0.1 and other STS are working fine in production. Dev build works fine. Being new to OpenIddict, I'm probably missing something obvious.
Api side:

```csharp
services
    .AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the issuer signing keys used to validate tokens.
        options.SetIssuer(stsOptions.Authority);
        options.AddAudiences(CLIENT_ID);
        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });
```
Everything works using JwtBearer auth instead of OpenIddict:

```csharp
services.AddAuthentication(options => { ... })
    .AddJwtBearer(options =>
    {
        options.Authority = stsOptions.Authority;
        options.Audience = CLIENT_ID;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Pin the issuer signing key locally instead of resolving it from the JWKS.
            IssuerSigningKey = ECDsaKey,
        };
    });
```
Api stack:

```text
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://***/.well-known/openid-configuration'.
---> OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the cryptography response.
Error: server_error
Error description: A JWKS response containing an invalid key was returned.
Error URI:
at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass3_0.<<GetSecurityKeysAsync>g__HandleCryptographyResponseAsync|3>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at OpenIddict.Validation.OpenIddictValidationService.GetSecurityKeysAsync(Uri address, CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationService.GetSecurityKeysAsync(Uri address, CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at OpenIddict.Validation.OpenIddictValidationHandlers.ValidateIdentityModelToken.HandleAsync(ProcessAuthenticationContext context)
at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
at OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```
Server side:

```csharp
services.AddOpenIddict()
    .AddCore(options => { ... })
    .AddServer(options =>
    {
        options
            .SetTokenEndpointUris("/connect/token")
            .SetAuthorizationEndpointUris("/connect/authorize")
            .SetLogoutEndpointUris("/connect/logout")
            .SetUserinfoEndpointUris("/api/userinfo");
        ...
        options.UseAspNetCore()
            .EnableAuthorizationEndpointPassthrough()
            .EnableVerificationEndpointPassthrough()
            .EnableTokenEndpointPassthrough();
        // The same ECDsa key the Api pins as IssuerSigningKey in the JwtBearer setup.
        options.AddSigningKey(ECDsaKey);
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseAspNetCore();
    });
```
Server log (Api is calling http:// instead of https://):

```text
[16:55:23 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/jwks
[16:55:23 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/jwks'
[16:55:23 Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware
Request did not match any endpoints
[16:55:23 Information] OpenIddict.Server.OpenIddictServerDispatcher
The request address matched a server endpoint: Cryptography.
...
[16:55:23 Information] OpenIddict.Server.OpenIddictServerDispatcher
The response was successfully returned as a JSON document: {
"keys":...
}.
...
[16:56:12 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/openid-configuration
[16:56:12 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/openid-configuration'
[16:56:12 Information] OpenIddict.Server.OpenIddictServerDispatcher
The response was successfully returned as a JSON document: {
"issuer": "https://***/",
...
}.
...
[16:56:14 Information] Microsoft.AspNetCore.Hosting.Diagnostics
Request starting HTTP/1.1 GET http://***/.well-known/jwks
[16:56:14 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
No candidates found for the request path '/.well-known/jwks'
[16:56:14 Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware
Request did not match any endpoints
[16:56:14 Information] OpenIddict.Server.OpenIddictServerDispatcher
The request address matched a server endpoint: Cryptography.
```
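The issue title points at the root cause of the "JWKS response containing an invalid key" error: an EC curve advertised by the server (the JWK `crv` name) was not recognised as the same curve on the validation side. The following is an added example, not OpenIddict's own code and not the fix that was shipped, showing the practice the title names: identify a named curve by `ECCurve.Oid.Value` (the dotted OID, stable on every OS) rather than by `Oid.FriendlyName`, which depends on the platform's crypto provider. The JWK `crv` value, the key and the class and method names are all constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not OpenIddict's own code). Curves are compared by their dotted
// OID, which is what a validation component should key on when it turns a JWKS
// entry into an ECDsa security key.
static class EcCurveMatching
{
    // Dotted OIDs of the NIST curves behind the ES256/ES384/ES512 JOSE algorithms.
    public const string P256Oid = "1.2.840.10045.3.1.7";
    public const string P384Oid = "1.3.132.0.34";
    public const string P521Oid = "1.3.132.0.35";

    // Map a JWK "crv" value (RFC 7518, section 6.2.1.1) to a named ECCurve.
    public static bool TryGetCurve(string crv, out ECCurve curve)
    {
        switch (crv)
        {
            case "P-256": curve = ECCurve.NamedCurves.nistP256; return true;
            case "P-384": curve = ECCurve.NamedCurves.nistP384; return true;
            case "P-521": curve = ECCurve.NamedCurves.nistP521; return true;
            default: curve = default; return false;
        }
    }

    // Robust comparison: two named curves are the same curve exactly when their
    // OID values are equal. Explicit (non-named) curves are rejected because a
    // JWKS only ever carries named curves.
    public static bool SameCurve(ECCurve a, ECCurve b) =>
        a.IsNamed && b.IsNamed &&
        string.Equals(a.Oid.Value, b.Oid.Value, StringComparison.Ordinal);

    // Fragile comparison, kept only for contrast: the friendly name of one and the
    // same curve can surface as "nistP256", "ECDSA_P256" or "prime256v1" depending
    // on the OS and provider, and may be null for a curve read back from a key.
    public static bool SameCurveByFriendlyName(ECCurve a, ECCurve b) =>
        string.Equals(a.Oid.FriendlyName, b.Oid.FriendlyName, StringComparison.Ordinal);

    public static void Main()
    {
        // Stand-in for the server's signing key (the issue's ECDsaKey), generated here.
        using var signingKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        ECParameters exported = signingKey.ExportParameters(includePrivateParameters: false);

        // Stand-in for the "crv" the server would advertise for that key in its JWKS.
        const string advertisedCrv = "P-256";
        if (!TryGetCurve(advertisedCrv, out ECCurve jwkCurve))
            throw new InvalidOperationException($"Unsupported curve '{advertisedCrv}'.");

        Console.WriteLine($"exported curve OID:  {exported.Curve.Oid.Value}");
        Console.WriteLine($"exported friendly:   {exported.Curve.Oid.FriendlyName ?? "<null>"}");
        Console.WriteLine($"jwk curve friendly:  {jwkCurve.Oid.FriendlyName ?? "<null>"}");
        Console.WriteLine($"match by OID value:  {SameCurve(exported.Curve, jwkCurve)}");
        Console.WriteLine($"match by friendly:   {SameCurveByFriendlyName(exported.Curve, jwkCurve)}");

        // Only build the validation-side key once the curve check has passed, so a
        // mismatched or unknown curve is reported as such rather than as an "invalid key".
        if (!SameCurve(exported.Curve, jwkCurve))
            throw new InvalidOperationException("JWKS curve does not match the key's curve.");

        using var validationKey = ECDsa.Create(new ECParameters
        {
            Curve = jwkCurve,
            Q = exported.Q,
        });
        Console.WriteLine($"validation key size: {validationKey.KeySize} bits");
    }
}
```

Run it on a Windows and on a Linux host and compare the two "friendly" lines: the OID value line is identical on both, which is why it is the right thing to compare. The `http://` discovery URLs in the server log above are a separate concern (the scheme the proxied app sees, not the curve comparison) and are not addressed by this snippet.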
Issue analytics: created 3 years ago; 29 comments (15 by maintainers).
Top GitHub Comments
Of course, as soon as I get home.
Updated packages were pushed to MyGet.org to fix this issue. Can you please give them a try?