
Issuer validation #785

Open
charlieH1 opened this issue Jan 30, 2024 · 4 comments

Comments

@charlieH1

Hi

With the update to the packages I noticed that issuer validation is being enforced differently. Previously I didn't have to put in a valid issuer or anything in the AddOpenIdConnect defaults; now I have to. Here's some sample code to demo it. Below is what I have to do now:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie("Cookies", options =>
        {
            options.Cookie.Name = "mycookie";
            options.Cookie.SameSite = SameSiteMode.None;
        })
        .AddOpenIdConnect(options =>
        {
            options.ClientId = "__invalid"; // Needed for validation, will be overwritten per-tenant.
            options.Authority = "https://__invalid"; // Needed for validation, will be overwritten per-tenant.
            options.Prompt = "login consent"; // For sample purposes.
            options.ResponseType = "code";
            options.RequireHttpsMetadata = false; // Remove when switching to https.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapAll();
            options.ClaimActions.Add(new RoleClaimAction());
            // Now required: the issuers of the tokens this app is willing to accept.
            options.TokenValidationParameters.ValidIssuers = new List<string>() { "https://myissuer.dev.com", "http://myissuer2.dev.com/" };
        });

and before

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie("Cookies", options =>
        {
            options.Cookie.Name = "mycookie";
            options.Cookie.SameSite = SameSiteMode.None;
        })
        .AddOpenIdConnect(options =>
        {
            options.ClientId = "__invalid"; // Needed for validation, will be overwritten per-tenant.
            options.Authority = "https://__invalid"; // Needed for validation, will be overwritten per-tenant.
            options.Prompt = "login consent"; // For sample purposes.
            options.ResponseType = "code";
            options.RequireHttpsMetadata = false; // Remove when switching to https.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapAll();
            options.ClaimActions.Add(new RoleClaimAction());
        });

Is there a way that hasn't been documented to have per-tenant issuer validation or not, and if not, I'd suggest this might be worth a look into?

@AndrewTriesToCode
Sponsor Contributor

Hi, can you please post the error message? I've checked OpenIdConnectOptions and they don't have this validation. I will check a few more places in the aspnetcore source code.

@charlieH1
Author

Hi Andrew

Sorry for the slow reply, see below

Main Error:

An unhandled exception occurred while processing the request.
SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: '<removed for security>'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'localhost:5000'. For more details, see https://aka.ms/IdentityModel/issuer-validation.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(string idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)

AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

Stack:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: '<removed for security>'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'localhost:5000'. For more details, see https://aka.ms/IdentityModel/issuer-validation. 
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

Hope that helps

@AndrewTriesToCode
Sponsor Contributor

OK, I found that it was this commit that added this:
dotnet/aspnetcore@a56e968

Per-tenant issuer should be possible. You would just use per-tenant options for OpenIdConnectOptions and override that property for the options class using something on the tenant info. Likely you'd want to add a specific property to your tenant info type to store that. I will add a convention to the per-tenant authentication functionality that will look for a property with that name and use it by convention.
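As an added example (not code from the issue, its author, or the multitenancy library the comment above refers to), here is how that per-tenant override of the issuer could look. It assumes Finbuckle.MultiTenant and its ConfigurePerTenant<TOptions, TTenantInfo> extension, with the tenant store and resolution strategy registered elsewhere; AppTenantInfo and its two OpenIdConnect* properties are hypothetical names.

```csharp
// Added example, not code from the issue or the library. Assumes Finbuckle.MultiTenant
// (the thread does not name it) and its ConfigurePerTenant<TOptions, TTenantInfo>
// extension; AppTenantInfo and its OpenIdConnect* properties are hypothetical names.
using System;
using Finbuckle.MultiTenant;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class AppTenantInfo : TenantInfo
{
    // Both values come from the tenant store; every tenant brings its own IdP.
    public string? OpenIdConnectAuthority { get; set; }
    public string? OpenIdConnectIssuer { get; set; }
}

public static class TenantOidcSetup
{
    public static IServiceCollection AddTenantOidc(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie("Cookies", o => o.Cookie.Name = "mycookie")
            .AddOpenIdConnect(o =>
            {
                // Placeholders only, as in the issue's sample; replaced per tenant below.
                o.ClientId = "__invalid";
                o.Authority = "https://__invalid";
                o.ResponseType = "code";
            });

        // Applied to the tenant resolved for the current request, so an id_token
        // minted by tenant A's IdP is rejected when presented on tenant B's host.
        services.ConfigurePerTenant<OpenIdConnectOptions, AppTenantInfo>((o, tenant) =>
        {
            o.Authority = tenant.OpenIdConnectAuthority;
            o.TokenValidationParameters.ValidIssuer = tenant.OpenIdConnectIssuer;
            // Fail closed: a tenant with no configured issuer accepts no token at all,
            // rather than falling back to whatever the discovery document advertises.
            o.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
                !string.IsNullOrEmpty(tenant.OpenIdConnectIssuer)
                && string.Equals(issuer, tenant.OpenIdConnectIssuer, StringComparison.Ordinal)
                    ? issuer
                    : throw new SecurityTokenInvalidIssuerException(
                        $"Issuer '{issuer}' is not configured for tenant '{tenant.Identifier}'.")
                        { InvalidIssuer = issuer };
        });
        return services;
    }
}
```

With this in place the IDX10205 error from the thread still fires for an unexpected issuer, but the accepted issuer is now the one stored for the resolved tenant rather than a single static list.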

@AndrewTriesToCode
Sponsor Contributor

Also, I'll add that in most of my dev and samples I disable issuer validation, so I wouldn't have seen this for a while. Thanks for bringing it to the community's attention.
