From 5bc516223cfdddd3bf8556bb4cc74f1bbde0beac Mon Sep 17 00:00:00 2001 From: damienbod Date: Sat, 29 Apr 2023 22:55:01 +0200 Subject: [PATCH] Removing OpenIddict.Validation.AspNetCore, version 4.3.0 breaks the JWT auth from other schemes --- .../IdentityProvider/usersdatabase.sqlite | Bin 192512 -> 192512 bytes MultiIdentityProvider/WebApi/Consts.cs | 30 ++++----- MultiIdentityProvider/WebApi/Startup.cs | 63 +++++++++++------- MultiIdentityProvider/WebApi/WebApi.csproj | 2 - MultiIdentityProvider/WebApi/appsettings.json | 6 +- 5 files changed, 56 insertions(+), 45 deletions(-) 
diff --git a/MultiIdentityProvider/IdentityProvider/usersdatabase.sqlite b/MultiIdentityProvider/IdentityProvider/usersdatabase.sqlite index 789bd8cbb5e41c1ecf1c84b95013b857c53ae621..00d18e8cb47d239d0a06d78a8c4a364f32fcadc3 100644 GIT binary patch delta 11966 zcmeHtORVJBd0yY!Gou+P(|0D8{E#7Nj7W}Rg)P1xgGd%xe3M0170F^15lxBjV)0od zt5_rulm-E^31CPV2)(os?~=vXuz`WSNsxsX36OZHYyuPGv+AHMOy zRbkn!pR(Xb;G)fh9FDTO7Mx>^7CgVqJkk&pe($<^Mvi;LQL8NO6;wLY?9v`LdjhRO zwi5Yhad6V_es|>>@|>3i+mTUk#mO6uGA+q)Y|UjH zbu3OO0wZDw^J4Pgi{d?1wKJR zaYADOK}QjWlPHX05R5}8^BxMnkK^yd^kW#oNN|TIe|o+7>PKJs;2*rz#BJ$Uan(Qh z&Fjs7ee?G2;|F&i-~9~u_WO4qeO$l(t(WlV_8&fU-g@#^|Lpb~@4ODi;pXmd!1=*< z?*8V6`{bP;-=H@HXuJhMIv95U$*(v_6h}l5;1L8z0S4hd219-r#88YRVaP-ba1*@` z^!hSA5(Hrwg1{jLrtf*D%DV2;en@hY@l=a2Vt>4EPsLLLx+H zl)%E5jt9pg62p@iBB=<4aEu^;G2Dj;*ryT{Ln8(bKIJ?ZT;};EqnO2%Xm(;*t;FC9gI(=hIb6yzrfNKpj! zK`w(X!D0pv2r@<@l6v0dXDRxrDDJcN7e~SQVHkJavq+u@H+Rp*<6l2~FpIzDATSN? z5Yk`{QV0p*bVxu90lE}}LlO&MB4(b=r1E7FjK+~9@<}kqP>KOV46-#KX&fRWA_`*) zCL^5qY$)`nnwawt8+^6 zd{&YLp_2Bo)A(xXlP2lUE2x7urisS;gQV}oj*<+1F<=y%nwSzJmws1v3vPdb4mGcj zhX^ZD-}5qJCtRu4xA20gCj^4)bGp&Sdb?UQfs1-ZJLfpg7YsDQf(mI{-3G>SE;Zq0 zQpn@1X;u!hu)p2ftSP#uz!i*AlJ(yp8Iajb8QgB6kFXa#Or?{yx% z%J%YcGFCyP_F@;$EY#A+wy7iV5Xma+DBC8>X(HC(T5u*U6rxja9j*KF4DV+HFy(EP zbwpr0l~DAGWs+Xu7Hg9{@u;_%=$aq#!eh{6fh5O@surb%LzNSIm)4>PcvP+i-MGmn zaeZc_rHghrZ@k?0B&&-ToF+-dG49f}xz1@DJ>iZLuxHh1kZr1|QM#N9iyq?%dFx&3 zK05|rw0)^!pcs!mI9eXhLgfcmBA(z)hnKTUu(>D`BBCofh)V1fX5v-Eq(;zbP8JEdP6b(ppFCB#Z~AJwLKbSsc=^iG)* zpx_sG17Bj!C|sXxH}JU9ZP7u9Y&%V((imY}nP!`3%N6jdn%G>3B4E*EdPmR&VNjGfcvz|}fa8%-{%#=gC4q*AbD{1I-JVKg$ z!cVF@2lI{5Y0{>a=U}-Sph=GW6kRPh2D^=2B(X2^Yq4~{JNE{bX?`~9^bEqT6Kc_uBccYC*~cQpc0)Ce{aNa)rBW}W zQy~+F-IxXYJmJR5R_nl$J?@ZGlp<=U$mRw)DWkQJ({dRf0!B6^-VgT7j7-I&NY-hg zY4*}-Hx>mKi)4XfD|vEV7()mW!KUksbc$I(P`ZoD)qZ(mIlY%Ehqo%k%DA}%XOqW zM!Q_kx$){)mtqTL6eV(YhstbkOe;^7GRK?_m&{V+Lpg@*Wu`#lxa_-{VV0S2X{KgH zpUXkopWV>a4-_dYd@NNR%VjnquSv_8jq#e5*b!3m*yO}^xh%5`o}(x}>+E=OM2}Wl 
zOxJRltHXwr;ep#8xA=w9^I8yhmZ_;t3$3Nf9tpITsF8q=$)bq+DhnLJBt(7NoN@zO z+q~jVJC0LM+oPO|G-eE=UHZZ<>}6zb(uVD9>w1|HzPmRkh^(1|oGd$(KqVI5U!(O# z^7W}uH(74&&QY;T5icb}W3d|*bMLOLRb*<-o<&c>me4YM0k-rTVY}lbWM;k)4Y0blk;NX>UCF9wBM4d+F_){#ZlZboQn}05nWP45+or# zT?_~GvO2inS(l_>?)S35)7?@@y93Ll$)IJ*C9;S{3Xf>Cb+?;B8?W*pn&-79A!lJi zx9g}{L>_r6_+lr*5Y{2k%w%YE+YMhpTB&WhS7DZ5#_ zSQ_=Eiiw?dsk2>JF;gK<2VB@kCq=U()=&>VYJ>|z*ei3fyaqEU-6rk0R$}!c_uipD zsKMT5S$j#Hu@tWcez%KZ#i=Hm^p;YLZSpfbS2!Ccao&b-y=b*`2{m1B`UkJ|z|65M ztLy<7AlqGioUd1bGIO~K?q>mZV0_ssLIYmahQ1x#t2TDpZgp13RXE$L?0k|ZZs$NN z#5kD*v5rwSErU%gF+3S7VC|8|nmLykNZ-}gK?9{$a((^6c@+Y*r4r@j(Bg6K@g4vM6DC}!tv(Jl-v~A90 zG_ho)aOt!XcBLEcNCKY3D0+OKAH}yE?s?4_!%4uQ?8FQoqMd@Z_;or8HQ5v z@Jy;aBvX*-uG=Tt;B_Xiw3qm5o0Yt*SaDO3*`&3AWIKUrN08kXb z9}L*KLli=UbPyuI2=>PPg#m&mSJY1kaBu(Vy%{KA==+@vhJfc(5KsyH`u&wJ12kW| zzwl)c+{339e-4tw{~Jnr3W;9^gM9IiZs7m<^?&vKcb@(J@$GBh2OwN{aQFLn0s!I6 z-5Wo6!vV~|M?d`dn@|32ar?$SYJc~CqxRc>`t;Mc?orwO$N%V)|6$&~{mz%)d>eak z_vBH1M?QM==)b)Ehi|uUW1sx$4{v|{?I(Yb-hS`q&1ZkU@Z`@Ax5&N8xBnItzVSm~ z@yTCBx6sq(=TX+{PktxA#qXPc>4l7W3W;C)tf_}DnELYbrf&CdH~^(R^ZUK>_N{xX zPyX_EZ+`i!Z{FQJxO?O72BhA{Ao+d(QtwM||M&aXllPk2U;Bh=ZvVrh>uV1m+`M^z zdYU*d1LB@0&dXf*G;coV!s}Bi=2_yr1Vi#PaX!c7Q;SdY<|QutI`MRd-hKGs?myoB z+1-!t{w3(D5AS|@_vg=EPu}~{E%}N4qg&|ixvskJuQ%>bufq@H8*6M5BU^v_+kAcy zQJCEjHZ4>IF5oMR)0uD{94;w^Y-ck2-Pi8F_3-|5`<;jJTYs08=F!_=EqQp$KX{FP z_)l(mkksTY@rpqCe4_6af%2(m-75m+6@l`KKzT)=ydqFu5h$++lvf1GD+1*ef%5+a zf%3^;{_gFsz4w)e0O))h9FM{AkAMFD+dpA{`4jZt-TvpVzYAJkfAF)P!=RhrdGNEJ z{N&Gw53x6a2K(S|mGO7K`7*4^6C}I+h8lzzwvKwzk+??MMqwSwRz@92-Jayj$k0>hd^sh0KY@ycmffL zA7en1kC@=I#RxzUey%Khz35r>(#KLKNS;r>s7Yv3lt!LL6hL02BwHB#_l{ zln9|9h(V7>XyQjy0(i2|3eqoDJUr|1UtICQeeQoRI`K>+d(2K*ol zMNEu?N|q3igVEFR31Je5^gcp`&u7ZhGJzLE0ZsSC8&BT(>CN~4UyJKnY-&_!nW15o z#3&%~rerVDY%?e1a2sI<-;2`1M7HRD4tJ7R&+{7TkRbL#H{RowVwmeK+Cf{N5%@+# z`-&Ymc2J=$ti#!)JHAvTn!i;8cUW9EqV23H)w`6V+*&haVOXo)PSfqOOhax;WiGR* zm6|IibkZ7Fg9!Pw6;}}{^PN!~XMPlI1fU7vT#K>iBQ8_D#a?z@coGVOg%2)+6wcAa 
z_9lXJjkFm&Z?$gxq3r}oy%5(t)*_FXp-sPJWuVA7oRzLpDQ41Ywm;GaGwRl2oLiZg zw%xKo=>+bo9lRchN&-@vMAwy}cKvxFQEg)j5RL3Amdr!VXUwIkY|ikR#r3IaH|%3S z)e4tn$O}GpF%p|}qh4))c#JQItaP-p5)m#B>Pn@Yi|-zqOT%6qy*^uAJ7=3RxSa83 z-Z`niNVrwe`?xw%yS_T`Ikd2~X0vhK8p?T+IfqK5_vnVsAi6jphjq?d#cI17W|#t~ zb&NrmDJ&6XRbOYBN%-lGR|haOMFXbg2`5Xdf@4)An#OxcMkVmDb@PL^iw>h_2$oG;34OUmp<&UBO9x5o&n4b)&9Pxu z4U3WZ%;5A(V=8*Tqt44+yc)JF-Si=j8nq>%a+C@-N^#9KSgtL%#KrjA4?_|4s@cF7ZaP4rUY*#ja%?%un^2p32IL2Nh;CZYP0fUgd|TgE*OXj zBq&qXP<)thP(7rM>l_~n;m{k^dkKS;c+|>xpq!FgTcCV;tmafU z3Gu>a&-$^YO059lubs4=pPG_`$auxg_+n)jlx(xDTS~k68t=yRa12t2vbIO2w6av5 zjd{L{X}um=bmeGZn`G?w_Ap_EWo9AgTVPIISLfgr0sR1aNxK+mp32Zqh8RNdGX`es-jQY&I24QINB5~3Li zdE%u#ZH@)nH~rahsCKPxVyi=Ye;DUi5|w7q>8#Z%Epo`Y#(@?M)Mdv=WwYj$I^EA9 z-#_`hIJknOtcV851?VK6lU@v3Z64UBh@7TN(FNvK&m$hm9x7wxpCyIhZJ$-+f`0k=UupHs2u z1fVzrhukHx62iu==yDP0A`)WVQk9v7S7?P78|!F39vk><={|pkBV#Gr(`8~AXLHIg zC%LU=)N+0V`Ngs`iw?$0MARArJ@-SHIb zjko2cd42Wm8kFs#yLF}PwRIN}$zd$_enkbR4qqM@GduQY@Ti}6%B&2tBgZU9-?Zdi znI%jZy3Nqzn^K4}Y?&fUzuT>1h{H(}l`jc;-b|x-bc9V}P1#Wgpbjog+~8)54LU zli+becxkW7K~OHsU|V6e6K5D1qQtQYq_c>}^Myn6Yt5zG?TpxOcX8(hi&7{Rejw|s z;Hev_>)})0*{l{HqSi>*A XV}bP;`lxud&Zuz zXT~!ECKVEoC96su!9x_KPi-PXlG5!%5d{Pf<)Od>f)`ZrfcjEZ5tRr~3H<+WTdME? 
zJR+@+kM!xYkH7DH=i=|D^XhjVef2w!zV^w-?=~8Z+jRx&dhyhg9$51cgbx0I5JATI8zdsVyrJU0=ufEdftVpWbbX*lnT z0S~88boZ_>)QurN;83NFk3k&1tq)(m|KZEc$DX*@Jbkut`t18pT>r(>H|h&Tzw9;G;3)$RX&i+q6bGG}U3QOC|8YK?ciKr*M()SpGVIZmB)<@7){9h=^GF+p5yP{A%IFRFDo4a>p>3q|NL z>12{tEqJvY?3G)q7_Ot~Zry&8a{`{aExlhVw|rTTTjF#JN%FeDXNPq)0kw@H+BnbJ z#bypB6o}4tb9l6v@YCHM9g9v0YbB%bl~*`(DDCU>y*Hc%Nk`#M^%PMY!Bdws{ zNhm5*U~Cm<{H8C+Cd|_@=#+Rr4imD)J0#wQbUBQ zvLNQnWJa~He!6uRC~S|h9CmSp$Iz}ei_0O`%i~DfsE6%-m?z|Z7kR2zPr^XYXL2yX zEOSV@N(90)gRJTYQd@CIiAR^ z6mwAufsV|Q$YUV8%s^lCJ1Z{mlYPOk`FuR_IPcIW;9j&IMBdmFy9+<;Btz7eoP7}R zAv9JY*A~)@$%hFtDZxR16mZ5SjVg7|584}rW_hb!^2XSsg^Vby3A!&Mkc$hUYfR_G zbgD^9%d*MN5-!n|i0JN4+RRB7o#xv)WT5nL}>S=9uR5FQd&FuXg?X3oO1et6$R%TVGCkl^?$=W2?#h^c( znwe}!)lP|w%!3CQg@rP|=tWv2h-6=?`_JTki|=VFD0jw5Hy8UWANKZ=Op*9#yO(e> z7{^tgbH${HwGqiNc&`OV6C`lv{&r7@_6Su<*JZ+zlxH1pwjiwfUBlRMQ;o|ej??1_ zk!q<(Nk-+iHS(va&Lp-Iw=uOv90oCg`a75PGiOdwet)S}cw9|9xyY-XUCq1QVF0n? z4l`gB7_a(R$C-iKR^H;*o-}E%5@y?0I~z1rTXr`sU=^3>T%!Eex}&US(5kDGTW1hq zR;!zcjN!UOC>M$Chl@QytJHz9+X+?D)Krr5QfPUCRJk}Dn6&E*a}nWVWP;3#cusot zE>>n_%q2)@VeEJW#T!a;CQ`@@EN?xl#;Quh*)SFM<1M^KHG#2{4zls>E|^pc-ilGU zu=q8nsQqN44`%qj6$l62-mWIS5oI`un>)*p)hlY?QBEi7c<`hXbRDG=1o0YWEoEsh zu}n&Zq$9%UvhAYGid}Ir!RIbFopK>q^vQO-vRAXAT5mE%hSDo!H0NwXk<>I@Ppg1Z zdVHyMQLJ919dNoh7>a4KOe+ccJB-TY4a?z@wm`Fxrb<7Zm1UL$&XmQSPAi#76s#an zh-;P0lA10U3w18^nRb6(rJg)3LT)_w0#Hmjh!p$%2#*=g+Y@rY5&?wCQ)<158Q5^V z4Y}BJdu&i1$PwBbDomT2$+KlwlvZ`r6 zp{9^Y9AX8Vu4K#P6Ng|SpWo`^Ii3zNa?1)SsI8DyQ4n2Mm!M*2wT(ix2QxxsB8^f8 zyDW}r%n|rV0QUyzM;1dal5D&39hb6Ab7K^g2yS_3HyN3GYVS<5vhQ@nC7-XUu#K%J z?Za4>ncUea+E84BG~Ve+)pQwzgMgRQQAd{@IvgxV^1g=_Z48xlMz?oTHvxC^pko^O z$j+qoI^X3~D_DBn3Yji_VKeSB^#Y$Od#T=T&ZNxiKaUvL(u(j}8*stUrZDfWlse5Y`vvb+L}!0Mb9#q^ z!dQ26VK7*DZ3L>2c1-#KFD%X7fECx2zg5)*QIe&ll42VpVsTNqB-oo*FA(4u9uLg28Q zRdStNdB`dsIXj1PEf3t_3Ac+TmCTJd1eUcYtR!a%Z?yu_7~~KhaY=uFi%R1>akJLG zOjslC#aO&r$VGQTq0qvjJZd`*T+3}2_2U0X76{$JF!&Zpp$I~gS?EotiAFw;`(*tC z%hSxto-c;C34vZqL>BK-Z^?_T0O`xeKlwKB!WVPk!iBT!_ju!tCUJz`Xg+y=^hPtf 
zrn(48A()GRgy)|n*cc7cAx42gNI{O{p*Z3Pmrt?AXJC|sVe%~DMM4zB2;2c_GzdW) zK?w{(LWh8;OV2%GG>^aY72xKri>JR`xA92QB|QlADa;2kiu6G`pkR>jQ6Kkk#3M-h zV&bb?(IsW^Z_(&}($A5ksxcOP27N7gye{g>lxbR{P z1Yc^LeyIk6-#xwb(naGF#xqyG;JkD5m=A!9$EO3}Q}_R606c#E<7crsC9cF*;%mQm z>H81L{U=`mKKc0ZnLh@eKe>ACR~vtHTuy;I%`3-0h=5-?xm;^rc%ZrTKy&fh-~U*1 za;~{_)}dcBp8CQo?|k~dEFPbJ6S#cd!EYTu@PU^upLH-c;0KP~m;)a>H+eQ>zi{r> zJCA?wzn9~U9QgVBWDb1m+VQnFfsda&RtG#eN1f)Q#}|GRcVFFS>k)qo_`~Brz7714IO5II zhcNdL<{rY_LzsIAa}QzeA9KQqq z2v{Ge=sWP4>iF*409@N@{P3r3efs$1SAJ{@B5{|l@exEJ2nVs+Fi5*@4T~;DL%xIK YkQ@Auw$9BTKZpVR{() }; }) + .AddJwtBearer(Consts.MY_OPENIDDICT_SCHEME, options => + { + options.Authority = Consts.MY_OPENIDDICT_ISS; + options.Audience = "rs_dataEventRecordsApi"; + options.TokenValidationParameters = new TokenValidationParameters + { + ValidateIssuer = true, + ValidateAudience = true, + ValidateIssuerSigningKey = true, + ValidAudiences = Configuration.GetSection("ValidAudiences").Get(), + ValidIssuers = Configuration.GetSection("ValidIssuers").Get() + }; + }) .AddPolicyScheme("UNKNOWN", "UNKNOWN", options => { options.ForwardDefaultSelector = context => @@ -67,7 +79,7 @@ public void ConfigureServices(IServiceCollection services) var issuer = jwtHandler.ReadJwtToken(token).Issuer; if(issuer == Consts.MY_OPENIDDICT_ISS) // OpenIddict { - return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme; + return Consts.MY_OPENIDDICT_SCHEME; } if (issuer == Consts.MY_AUTH0_ISS) // Auth0 
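Review bot: The new `return Consts.MY_OPENIDDICT_SCHEME;` in the forward selector routes on an issuer read with `ReadJwtToken`, i.e. before any signature check, so the per-scheme `TokenValidationParameters` are what actually enforce that routing, and the JwtBearer handler registered under `Consts.MY_OPENIDDICT_SCHEME` earlier in this file sets `ValidIssuers` from the shared `ValidIssuers` configuration section rather than pinning the OpenIddict issuer. After this commit that section (see the appsettings.json hunk) holds the AAD, Auth0 and `https://localhost:44318/` issuers, so each bearer handler that reads it will accept an `iss` belonging to one of the other providers as long as the key material validates. Suggest pinning per scheme on the OpenIddict handler: `ValidIssuer = Consts.MY_OPENIDDICT_ISS,` and `ValidAudience = "rs_dataEventRecordsApi",` in place of the two `Configuration.GetSection(...)` lookups, and applying the same to the other handlers if they share the list. The enclosing `ForwardDefaultSelector` lambda and `ConfigureServices` continue outside the hunk.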
@@ -87,30 +99,31 @@ public void ConfigureServices(IServiceCollection services) }; }); + // Remove this if using multiple schemes, version 4.3.0 breaks other JWT // Register the OpenIddict validation components. - services.AddOpenIddict() // Scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme - .AddValidation(options => - { - // Note: the validation handler uses OpenID Connect discovery - // to retrieve the address of the introspection endpoint. - options.SetIssuer("https://localhost:44318/"); - options.AddAudiences("rs_dataEventRecordsApi"); - - // Configure the validation handler to use introspection and register the client - // credentials used when communicating with the remote introspection endpoint. - //options.UseIntrospection() - // .SetClientId("rs_dataEventRecordsApi") - // .SetClientSecret("dataEventRecordsSecret"); - - // disable access token encryption for this - options.UseAspNetCore(); - - // Register the System.Net.Http integration. - options.UseSystemNetHttp(); - - // Register the ASP.NET Core host. - options.UseAspNetCore(); - }); + //services.AddOpenIddict() // Scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme + // .AddValidation(options => + // { + // // Note: the validation handler uses OpenID Connect discovery + // // to retrieve the address of the introspection endpoint. + // options.SetIssuer("https://localhost:44318/"); + // options.AddAudiences("rs_dataEventRecordsApi"); + + // // Configure the validation handler to use introspection and register the client + // // credentials used when communicating with the remote introspection endpoint. + // //options.UseIntrospection() + // // .SetClientId("rs_dataEventRecordsApi") + // // .SetClientSecret("dataEventRecordsSecret"); + + // // disable access token encryption for this + // options.UseAspNetCore(); + + // // Register the System.Net.Http integration. + // options.UseSystemNetHttp(); + + // // Register the ASP.NET Core host. 
+ // options.UseAspNetCore(); + // }); services.AddSingleton(); diff --git a/MultiIdentityProvider/WebApi/WebApi.csproj b/MultiIdentityProvider/WebApi/WebApi.csproj index faf84b9..1dee2a1 100644 --- a/MultiIdentityProvider/WebApi/WebApi.csproj +++ b/MultiIdentityProvider/WebApi/WebApi.csproj @@ -8,8 +8,6 @@ - - diff --git a/MultiIdentityProvider/WebApi/appsettings.json b/MultiIdentityProvider/WebApi/appsettings.json index 25bb45c..1d261c4 100644 --- a/MultiIdentityProvider/WebApi/appsettings.json +++ b/MultiIdentityProvider/WebApi/appsettings.json @@ -11,11 +11,13 @@ }, "ValidAudiences": [ "b2a09168-54e2-4bc4-af92-a710a64ef1fa", - "https://auth0-api1" + "https://auth0-api1", + "rs_dataEventRecordsApi" // OpenIddict ], "ValidIssuers": [ "https://login.microsoftonline.com/7ff95b15-dc21-4ba6-bc92-824856578fc1/v2.0", - "https://dev-damienbod.eu.auth0.com/" + "https://dev-damienbod.eu.auth0.com/", + "https://localhost:44318/" ], "Logging": { "Debug": {
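Review bot: The whole `services.AddOpenIddict().AddValidation(...)` registration is kept as a commented-out block of roughly thirty lines instead of being deleted, and the lead comment `// Remove this if using multiple schemes, version 4.3.0 breaks other JWT` now describes an instruction that the commit has already carried out. Version control preserves the old registration, so the block can go and be replaced by a single pointer such as `// OpenIddict.Validation.AspNetCore removed: 4.3.0 breaks the other JWT bearer schemes; OpenIddict tokens are validated by the Consts.MY_OPENIDDICT_SCHEME JwtBearer handler instead.`. Deleting it also drops the introspection client secret literal (`.SetClientSecret("dataEventRecordsSecret")`) that the commented code still carries in source. `ConfigureServices` continues outside the hunk.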