Consider constraining NWebSec to OpenIddict endpoints

[kevinchalet]

No description provided.

[kevinchalet]

@ilmax @Bartmax still no sign of a port of NWebSec for vNext. Should we simply replace it by something else, that would also work on CoreCLR?

[ilmax]

Maybe we should ping @klings :)

[klings]

Hey guys, you're well underway with your ASP.NET 5 support? Which NWebsec libraries have you been using, the middleware? ASP.NET 5 support is next in line for NWebsec, but there's no trace of it on GitHub as I've been poking around with the new ASP.NET locally so far.

[kevinchalet]

Hey André (and sorry for the late answer)! 😄

Hey guys, you're well underway with your ASP.NET 5 support?

Actually, OpenIddict is totally new and was designed from scratch for ASP.NET 5, but ASOS (the OpenID Connect library behind this project: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server) comes with a default sample that demonstrates how to use NWebSec with ASP.NET 5 for a long time now (more than a year, actually: aspnet-contrib/AspNet.Security.OpenIdConnect.Server@0111029 🎉)

Which NWebsec libraries have you been using, the middleware?

Yep, the main middleware. Ideally, we'd also like to use the MVC adapter, since OpenIddict internally uses a controller to render the critical authorization pages.

ASP.NET 5 support is next in line for NWebsec, but there's no trace of it on GitHub as I've been poking around with the new ASP.NET locally so far.

If you want us to test the early bits, don't hesitate, we're now pretty good at that 😄
(if you have specific questions about ASP.NET 5 or DNX, please feel free to ping me on JabbR: https://jabbr.net/#/rooms/AspNetvNext)

[klings]

I've made progress and the first version of the vnext packages are out. This includes ASP.NET 5 middleware, as well as an updated MVC package. It's a gamma release, as I'll have to make a few minor breaking changes before I'm happy calling it an RC. Still, it works (mostly) as before, and should be safe to "put in production". The middleware is almost identical, but there were a few system.web specific things that had to go in the MVC package.

You can keep an eye on the progress here NWebsec/NWebsec#59 as I make my way to an RC.

Let me know should you run into any issues.

[kevinchalet]

Woooo, it looks really nice, we'll give it a try ASAP! 🎉
Thanks for the info, André.

/cc @damccull

[damccull]

Just waiting on rc2 HTTPS bug to be fixed so I can use it properly. I'll be submitting an issue on it today.

[kevinchalet]

FYI, it's not a bug. See my remark on JabbR 👏

[damccull]

Haha! Looking.

On Tue, Dec 8, 2015, 09:22 Kévin Chalet notifications@github.com wrote:

FYI, it's not a bug. See my remark on JabbR [image: 👏]

—
Reply to this email directly or view it on GitHub
#14 (comment).

[damccull]

Today we merged in an update using the aspnet5 nwebsec middleware (#37). I'm looking at how to allow OpenIddict users to set the CSP headers themselves.

[kevinchalet]

Closing as invalid (OpenIddict.Security - that used NWebsec - has been removed from the core code base).