Which version of Duende IdentityServer are you using?
6.3.3
Which version of .NET are you using?
7.0
Describe the bug
Identity Server contains a hardcoded fixed list of signing algorithms https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/IdentityServerConstants.cs#L101.
To Reproduce
Try to register a custom or non-standard (outside of that list) SigningCredential.
Expected behavior
Given that all of:
support providing custom cryptography via the CryptoProviderFactory and its SignatureProvider, I find it odd that Identity Server has its own list to check algorithms against, and that it blows up if I supply e.g. my own derived SecurityKey with such customization.
I would expect that there would be an overload for advanced users that allows bypassing this fixed list validation.
Log output/exception with stacktrace
Unhandled exception. System.InvalidOperationException: Signing algorithm CRYDI3 is not supported.
at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, SigningCredentials credential) in /_/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs:line 39

I am still able to work around this limitation by simply calling this instead of going through the "official" builder method, but since the security key is, well, of SecurityKey type, you could still register it using that method separately and then it blows up. That supported-algorithm check is also done internally in key management, which I am also not sure is necessary.
I understand you only want to have "safe algorithms", but I think, without further complicating things, maybe even a global static toggle would be nice to allow opting in to an extended algorithm set (similar to e.g. IdentityModelEventSource.ShowPII or some other flag on IdSrv options), especially as the underlying security model from IdentityModel allows for such extensibility. Also, IdentityServer is remarkably extensible already (you can swap pretty much everything, which is great), so this feels a bit too restrictive.

@filipw, thanks for your feedback. I've added an issue to our backlog to consider customization of the supported signing algorithms that we'll consider for future releases. For now, it sounds like you were able to customize things in DI to accomplish what you wanted. Is that accurate/is there anything else that you need? Otherwise, we'll close this issue - thanks!
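The DI workaround the reporter alludes to, spelled out as an added example (this is not code from the issue or from Duende): a SecurityKey subclass routes signing through its own CryptoProviderFactory/ICryptoProvider/SignatureProvider, exactly the IdentityModel extension points the report cites, and the stores that AddSigningCredential would have registered are registered directly, which is what skips the fixed-list check. The algorithm name "ES256-CUSTOM", the type names, and the key id are hypothetical; the provider delegates to ECDsa P-256 only so that the plumbing can be exercised end to end, it is not a stand-in for CRYDI3. Assumes Duende IdentityServer 6.x on .NET 7 and the Microsoft.IdentityModel.Tokens types named below.

```csharp
// Added example, not part of the issue or of Duende IdentityServer.
// Assumed packages: Duende.IdentityServer 6.x, Microsoft.IdentityModel.Tokens.
using System;
using System.Security.Cryptography;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Stores;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical key id; the key is generated fresh here only to keep the example self-contained.
var key = new CustomEcdsaSecurityKey(ECDsa.Create(ECCurve.NamedCurves.nistP256), "custom-1");
var credential = new SigningCredentials(key, CustomAlgorithm.Name);

// The issue notes that automatic key management has its own algorithm check,
// so it is switched off here and a static credential is used instead.
builder.Services.AddIdentityServer(options => options.KeyManagement.Enabled = false);

// Path 1 (the "official" builder method) checks the algorithm against the
// fixed list in IdentityServerConstants and throws for a name outside it:
//   System.InvalidOperationException: Signing algorithm ES256-CUSTOM is not supported.
// builder.Services.AddIdentityServer().AddSigningCredential(credential);

// Path 2 (the workaround): register the same stores AddSigningCredential
// would register, without going through the list check.
builder.Services.AddSingleton<ISigningCredentialStore>(
    new InMemorySigningCredentialsStore(credential));
builder.Services.AddSingleton<IValidationKeysStore>(
    new InMemoryValidationKeysStore(new[]
    {
        new SecurityKeyInfo { Key = key, SigningAlgorithm = CustomAlgorithm.Name }
    }));

var app = builder.Build();
app.UseIdentityServer();
app.Run();

static class CustomAlgorithm
{
    // Hypothetical name; deliberately not in IdentityServer's supported list.
    public const string Name = "ES256-CUSTOM";
}

// A SecurityKey that carries its own CryptoProviderFactory, so IdentityModel
// asks our ICryptoProvider for a SignatureProvider instead of its built-ins.
sealed class CustomEcdsaSecurityKey : SecurityKey
{
    public ECDsa Ecdsa { get; }

    public CustomEcdsaSecurityKey(ECDsa ecdsa, string keyId)
    {
        Ecdsa = ecdsa;
        KeyId = keyId;
        CryptoProviderFactory = new CryptoProviderFactory
        {
            CustomCryptoProvider = new CustomCryptoProvider()
        };
    }

    public override int KeySize => Ecdsa.KeySize;
}

// Selected by CryptoProviderFactory when the algorithm name and key type match.
sealed class CustomCryptoProvider : ICryptoProvider
{
    public bool IsSupportedAlgorithm(string algorithm, params object[] args) =>
        algorithm == CustomAlgorithm.Name && args.Length > 0 && args[0] is CustomEcdsaSecurityKey;

    public object Create(string algorithm, params object[] args) =>
        new CustomEcdsaSignatureProvider((CustomEcdsaSecurityKey)args[0], algorithm);

    public void Release(object cryptoInstance) => (cryptoInstance as IDisposable)?.Dispose();
}

// Does the actual signing. Delegates to ECDsa/SHA-256 with the fixed-field
// (r||s) encoding JOSE expects; a real custom scheme would replace these two calls.
sealed class CustomEcdsaSignatureProvider : SignatureProvider
{
    private readonly ECDsa _ecdsa;

    public CustomEcdsaSignatureProvider(CustomEcdsaSecurityKey key, string algorithm)
        : base(key, algorithm) => _ecdsa = key.Ecdsa;

    public override byte[] Sign(byte[] input) =>
        _ecdsa.SignData(input, HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldConcatenation);

    public override bool Verify(byte[] input, byte[] signature) =>
        _ecdsa.VerifyData(input, signature, HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldConcatenation);

    // The ECDsa instance is owned by the key, so nothing to release here.
    protected override void Dispose(bool disposing) { }
}
```

Two things to check before relying on this in anything but an experiment: the custom name ends up in the `alg` header of every issued token and in the validation keys the discovery document advertises, so every relying party and token-validation library in the deployment must recognise it, which is the reason a fixed allow-list exists in the first place; and because the key is still a plain SecurityKey, nothing stops someone else in the codebase from passing the same credential to AddSigningCredential later, which will throw at startup exactly as in the reporter's stack trace.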