Sample source code from scottbrady91.com
The samples for the following are currently being tested across various versions of .NET. If you notice any issues, feel free to open a pull request.
Sample code from scottbrady91.com
Home Page: https://www.scottbrady91.com
License: MIT License
The solution will only work for Windows. It won't work for Mac/Linux, as Linux does not support .p8 files in .NET Core 2.x, as per https://github.com/dotnet/corefx/issues/18733#issuecomment-296723615
new SigningCredentials(new ECDsaSecurityKey(eCDsa), SecurityAlgorithms.EcdsaSha256) gives an exception on Linux.
Hi Scott, firstly thanks for this awesome post on Legacy ASP.NET & PKCE!
In that article you mention:
// remember code verifier in cookie (adapted from OWIN nonce cookie)
I'm curious why the cookie's key is somewhat stateful/dynamic..?
The problem I'm seeing is that when the user refreshes, it creates new nonce & cv cookies, leaving the old ones orphaned. This could eventually cause the request header to grow too big.
Do you see any issue with changing this cookie key to something constant like OpenIdConnect.cv.foo?
Hello! Sorry for asking stupid things, but help will be really appreciated. I'm trying to follow your blog post. The following code works like a charm with Microsoft.AspNetCore.Authentication.OpenIdConnect:

    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;

    // ASP.NET Core: the cookie scheme holds the session, the OIDC scheme handles the challenge
    services
        .AddAuthentication(cfg =>
        {
            cfg.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            cfg.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(cfg =>
        {
            cfg.Authority = "https://myoauthserver/";
            cfg.ClientId = "hangfire";
            cfg.ResponseType = "code"; // authorization code flow
            cfg.Scope.Clear();
            cfg.Scope.Add("openid");
            cfg.Scope.Add("profile");
        });
but similar code doesn't work with Microsoft.Owin.Security.OpenIdConnect:

    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;

    // OWIN / ASP.NET 4.x equivalent of the ASP.NET Core setup above
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions { });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        Authority = "https://myoauthserver/",
        ClientId = "hangfire",
        ResponseType = OpenIdConnectResponseType.Code, // authorization code flow
        Scope = OpenIdConnectScope.OpenIdProfile
    });

At first, it doesn't pass redirect_url if it is not set explicitly. But if I set it to something like RedirectUri = "http://localhost:9001/signin-oidc" or just RedirectUri = "http://localhost:9001/" myself, the redirect works but I get a 404 error for the / or /signin-oidc endpoint. Am I doing something wrong? I'm using the latest version of Microsoft.Owin.Security.OpenIdConnect and unfortunately I'm stuck with Framework.
What is the correct length of the signature: is it 64 or 71? The value is always 64 bytes, and the documents talking about ECDSA say it's 71.
Can anyone help me? I'm new to this field of crypto.
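The 64-versus-71 question above comes from two encodings of the same P-256 signature. The following is an added example, not code from this repository: it converts between the fixed-size IEEE P1363 form (r||s, always 64 bytes for P-256, which is what JWS ES256 per RFC 7518 section 3.4 and .NET's ECDsa.SignData() default produce) and the ASN.1 DER form (SEQUENCE { INTEGER r, INTEGER s }) that OpenSSL and most ECDSA write-ups show. DER drops leading zero bytes and adds a 0x00 pad when an integer's top bit is set, so for P-256 it comes out at 70, 71 or 72 bytes. The r and s values used are constructed, not a real signature.

```python
"""P-256 ECDSA signature encodings: IEEE P1363 (r||s, 64 bytes) vs strict DER.

Added example, not part of the repository.  SAMPLE_R / SAMPLE_S are constructed.
"""


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n: int) -> bytes:
    """DER INTEGER for non-negative n: minimal big-endian, 0x00-padded if the top bit is set."""
    if n < 0:
        raise ValueError("ECDSA r and s are non-negative")
    # (bit_length + 8) // 8 allocates the pad byte exactly when bit 7 of the top byte is set
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def p1363_to_der(sig: bytes, coord_len: int = 32) -> bytes:
    """r||s (2*coord_len bytes) -> DER SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) != 2 * coord_len:
        raise ValueError(f"expected {2 * coord_len}-byte P1363 signature, got {len(sig)}")
    r = int.from_bytes(sig[:coord_len], "big")
    s = int.from_bytes(sig[coord_len:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def _read_len(buf: bytes, pos: int) -> tuple:
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("unsupported or truncated DER length")
    n = int.from_bytes(buf[pos:pos + nbytes], "big")
    if n < 0x80 or buf[pos] == 0:
        raise ValueError("non-minimal DER length")  # strict DER forbids this
    return n, pos + nbytes


def _read_int(buf: bytes, pos: int) -> tuple:
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    n, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + n]
    if n == 0 or len(body) != n:
        raise ValueError("empty or truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER cannot be an ECDSA r or s")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(body, "big"), pos + n


def der_to_p1363(der: bytes, coord_len: int = 32) -> bytes:
    """Strict DER SEQUENCE { r, s } -> r||s with each value left-padded to coord_len."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    n, pos = _read_len(der, 1)
    if pos + n != len(der):
        raise ValueError("SEQUENCE length does not cover the input (trailing bytes?)")
    r, pos = _read_int(der, pos)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("unexpected data inside SEQUENCE")
    limit = 1 << (8 * coord_len)
    if r >= limit or s >= limit:
        raise ValueError("r or s does not fit the curve's field size")
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")


def is_strict_der(der: bytes, coord_len: int = 32) -> bool:
    """True only for a well-formed, minimal DER signature with no trailing bytes."""
    try:
        der_to_p1363(der, coord_len)
        return True
    except ValueError:
        return False


# Constructed sample: r has its top bit set (needs a pad byte), s is tiny (shrinks to 2 bytes)
SAMPLE_R = (1 << 255) | 5
SAMPLE_S = 0x1234
SAMPLE_P1363 = SAMPLE_R.to_bytes(32, "big") + SAMPLE_S.to_bytes(32, "big")


def demo() -> tuple:
    """Return (P1363 length, DER length) for the sample after checking the round trip."""
    der = p1363_to_der(SAMPLE_P1363)
    assert der_to_p1363(der) == SAMPLE_P1363
    return len(SAMPLE_P1363), len(der)


if __name__ == "__main__":
    print(demo())
```

So a 64-byte value is exactly what a JWT library should hand you for ES256; if a verifier expects DER (OpenSSL's `dgst -verify`, for example) convert with `p1363_to_der`, and when accepting DER from outside parse it strictly as above, because a lenient parser that tolerates non-minimal integers or trailing bytes accepts several byte strings for one signature. On .NET 5 and later the `ECDsa.SignData` overload taking a `DSASignatureFormat` lets you ask for `Rfc3279DerSequence` directly instead of converting.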
Hello, I am trying to follow your article https://www.scottbrady91.com/c-sharp/supporting-custom-jwt-signing-algorithms-in-dotnet-core
Apparently, for .NET 7 with Microsoft.IdentityModel.JsonWebTokens 7.0.3 and Portable.BouncyCastle 1.9.0, while I am verifying the token I get the following error:
{"IDX10511: Signature validation failed. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. \nNumber of keys in TokenValidationParameters: '1'. \nNumber of keys in Configuration: '0'. \nMatched key was in 'TokenValidationParameters'. \nkid: '123'. \nExceptions caught:\n '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.\ntoken: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10511 for details."}
Hi,
Turns out we don't really have to roll as much crypto as your article says. Specifically, we can avoid implementing the round functions ourselves and use regular Chacha20 instead. Here's an example in C, using Monocypher's public interface of IETF Chacha20:
    void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in[16])
    {
        /* Encrypting 64 zero bytes yields the raw keystream block, i.e. the
           Chacha20 state after 20 rounds plus the feed-forward addition. */
        const u8  zero[64] = {0};
        const u8 *nonce    = in + 4;         /* in[4..16) doubles as the 96-bit IETF nonce   */
        const u32 ctr      = load32_le(in);  /* in[0..4)  doubles as the 32-bit block counter */
        const u8 *constant = (const u8*)"expand 32-byte k";
        u8  block[64];
        u32 words[ 8];
        crypto_ietf_chacha20_ctr(block, zero, 64, key, nonce, ctr);
        /* HChacha20 keeps state words 0-3 and 12-15 without the feed-forward,
           so subtract what the block function added: the constants for words
           0-3, the counter and nonce (the 16 input bytes) for words 12-15. */
        words[0] = load32_le(block +  0) - load32_le(constant +  0);
        words[1] = load32_le(block +  4) - load32_le(constant +  4);
        words[2] = load32_le(block +  8) - load32_le(constant +  8);
        words[3] = load32_le(block + 12) - load32_le(constant + 12);
        words[4] = load32_le(block + 48) - load32_le(in +  0);
        words[5] = load32_le(block + 52) - load32_le(in +  4);
        words[6] = load32_le(block + 56) - load32_le(in +  8);
        words[7] = load32_le(block + 60) - load32_le(in + 12);
        FOR (i, 0, 8) {
            store32_le(out + i*4, words[i]);
        }
        WIPE_BUFFER(words);  /* don't leave key-derived material on the stack */
        WIPE_BUFFER(block);
    }
There. No round function, and hardly any poking at Chacha20's internals. We can do this because HChacha20 is designed specifically to only reveal those values the attacker could have reconstructed, using the nonce and counter (which aren't secret). That's why the security reduction works.
Now this is still kind of a "roll your own crypto" thing, in the sense that even though I know Chacha20 like the back of my hand, I didn't get it right on the first try. But it's the closest to "building HChacha20 on top of Chacha20" as you'll ever get.
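The subtraction trick in the comment above is easy to check against published vectors. The block below is an added example and not the commenter's Monocypher code: a minimal RFC 8439 ChaCha20 block function, a reference HChaCha20 (same 20 rounds, no feed-forward, keep words 0-3 and 12-15), and a second HChaCha20 that only calls the block function and subtracts the public inputs (constants, counter, nonce) from the eight words it keeps. Both HChaCha20 versions are checked against the test vector in draft-irtf-cfrg-xchacha section 2.2.1, and the block function against RFC 8439 section 2.3.2.

```python
"""HChaCha20 derived from an ordinary ChaCha20 block (added example, not Monocypher code)."""
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # the four constant words, as bytes


def _rotl(v: int, c: int) -> int:
    return ((v << c) | (v >> (32 - c))) & MASK


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def _twenty_rounds(state) -> list:
    """10 double rounds (column round, then diagonal round) on a copy of the 16-word state."""
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 keystream bytes."""
    state = list(struct.unpack("<16I", SIGMA + key + struct.pack("<I", counter) + nonce))
    out = _twenty_rounds(state)
    # feed-forward: the input state is added back before serialising
    return struct.pack("<16I", *[(o + i) & MASK for o, i in zip(out, state)])


def hchacha20_reference(key: bytes, inp: bytes) -> bytes:
    """HChaCha20 as specified: same rounds, no feed-forward, output words 0-3 and 12-15."""
    out = _twenty_rounds(struct.unpack("<16I", SIGMA + key + inp))
    return struct.pack("<8I", *(out[0:4] + out[12:16]))


def hchacha20_via_block(key: bytes, inp: bytes) -> bytes:
    """The trick from the comment: use inp[0:4] as the counter and inp[4:16] as the
    nonce, run a normal block, then undo the feed-forward on the eight kept words.
    Words 0-3 had the constants added, words 12-15 had counter+nonce added; none
    of those are secret, so the subtraction reveals nothing new."""
    counter = struct.unpack("<I", inp[:4])[0]
    w = struct.unpack("<16I", chacha20_block(key, counter, inp[4:]))
    consts = struct.unpack("<4I", SIGMA)
    ins = struct.unpack("<4I", inp)
    words = [(w[i] - consts[i]) & MASK for i in range(4)] + \
            [(w[12 + i] - ins[i]) & MASK for i in range(4)]
    return struct.pack("<8I", *words)


# Published vectors: RFC 8439 s2.3.2 (block) and draft-irtf-cfrg-xchacha s2.2.1 (HChaCha20)
TEST_KEY = bytes(range(32))
BLOCK_NONCE = bytes.fromhex("000000090000004a00000000")
BLOCK_EXPECT_PREFIX = bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")
HCHACHA_IN = bytes.fromhex("000000090000004a0000000031415927")
HCHACHA_EXPECT = bytes.fromhex("82413b4227b27bfed30e42508a877d73a0f9e4d58a74a853c12ec41326d3ecdc")


def self_check() -> bool:
    """True when the block function and both HChaCha20 variants match the published vectors."""
    return (chacha20_block(TEST_KEY, 1, BLOCK_NONCE)[:16] == BLOCK_EXPECT_PREFIX
            and hchacha20_reference(TEST_KEY, HCHACHA_IN) == HCHACHA_EXPECT
            and hchacha20_via_block(TEST_KEY, HCHACHA_IN) == HCHACHA_EXPECT)


if __name__ == "__main__":
    print("ok" if self_check() else "MISMATCH")
```

The subtraction uses wrapping 32-bit arithmetic, so it inverts the feed-forward addition exactly; what you cannot recover this way are words 4-11 (the key half of the state), which is precisely why HChaCha20 discards them.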
Scott, this is by far the best sample for multi-tenancy, so thanks for sharing this. I also wanted to ask for some help understanding it.
Does this mean that if I have a SaaS app with two companies registered, COMPxyz and COMPabc, this multi-tenant ID will isolate the members of the two groups? I.e. a manager role from group/COMPxyz can only see employees in COMPxyz but not employees in COMPabc.
I saw this code below, but the blog did not list usage snippets on how to check inside the action for the tenants, i.e. if I need to use/check the tenantID in the UserManager(). Please show me a snippet on how to check:

    // Identity 2.x wiring from the blog: TenantId on the store selects which
    // tenant this store, and the UserManager built on top of it, operates on
    var context = new ApplicationUserDbContext<ApplicationUser>("DefaultConnection");
    var userStore = new ApplicationUserStore<ApplicationUser>(context) { TenantId = 1 };
    var userManager = new UserManager<ApplicationUser, string>(userStore);
Can you tell me how (and where in the code; is the login form the best place?) to watch/log/audit the login attempts from a user? E.g. we want to know if there is a brute-force attack and someone is trying to log in. I want to lock the account if there are 5 bad logins within 5 minutes.
thanks
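The "5 bad logins within 5 minutes" rule asked about above is a sliding-window lockout. The block below is an added example, not the blog's code: it records every attempt in an audit trail and locks an account after `max_failures` failures inside `window`, keyed on (tenant, username) so that an "alice" in COMPxyz and an "alice" in COMPabc never lock each other out. Tenant names, usernames, IPs and the timeline are constructed. ASP.NET Identity 2.x (the `UserManager<ApplicationUser, string>` generation the snippet above uses) already ships this logic as `UserLockoutEnabledByDefault`, `MaxFailedAccessAttemptsBeforeLockout` and `DefaultAccountLockoutTimeSpan` on `UserManager`, driven by `SignInManager.PasswordSignInAsync(..., shouldLockout: true)`; the example shows what those settings do.

```python
"""Per-tenant failed-login tracking with a sliding-window lockout (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class LoginAttemptTracker:
    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=5),
                 lockout: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # (tenant, user) -> timestamps of failures in the window
        self._locked_until = {}              # (tenant, user) -> datetime the lock expires
        self.audit = []                      # append-only trail, one dict per attempt

    def is_locked(self, tenant_id: str, username: str, now: datetime) -> bool:
        key = (tenant_id, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: clear it and the stale failure history
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, tenant_id: str, username: str, source_ip: str,
                password_ok: bool, now: datetime = None) -> str:
        """Record one login attempt and return 'success', 'failed',
        'locked' (this attempt triggered the lock) or 'rejected_locked'
        (refused without checking the password because the account is locked)."""
        now = now or datetime.now(timezone.utc)
        key = (tenant_id, username)
        if self.is_locked(tenant_id, username, now):
            outcome = "rejected_locked"
        elif password_ok:
            self._failures.pop(key, None)    # a good login resets the failure counter
            outcome = "success"
        else:
            recent = self._failures[key]
            while recent and now - recent[0] > self.window:   # slide the window forward
                recent.popleft()
            recent.append(now)
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                outcome = "locked"
            else:
                outcome = "failed"
        self.audit.append({"time": now.isoformat(), "tenant": tenant_id,
                           "user": username, "ip": source_ip, "outcome": outcome})
        return outcome


def simulate_brute_force() -> list:
    """Constructed timeline: 5 failures in 4 minutes lock the account; the right
    password is refused while locked; the same username in another tenant is
    unaffected; after the 15-minute lock expires the login succeeds."""
    t = LoginAttemptTracker()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    timeline = [
        (0, "COMPxyz", "alice", "203.0.113.9", False),
        (1, "COMPxyz", "alice", "203.0.113.9", False),
        (2, "COMPxyz", "alice", "203.0.113.9", False),
        (3, "COMPxyz", "alice", "203.0.113.9", False),
        (4, "COMPxyz", "alice", "203.0.113.9", False),   # 5th failure inside 5 min -> locked
        (5, "COMPxyz", "alice", "198.51.100.7", True),   # correct password, but still locked
        (5, "COMPabc", "alice", "198.51.100.7", True),   # other tenant's alice: unaffected
        (20, "COMPxyz", "alice", "198.51.100.7", True),  # lock expired at minute 19
    ]
    return [t.attempt(tenant, user, ip, ok, now=t0 + timedelta(minutes=m))
            for m, tenant, user, ip, ok in timeline]


def simulate_sliding_window() -> list:
    """Four failures, then a fifth after the first four have aged out of the window: no lock."""
    t = LoginAttemptTracker()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return [t.attempt("COMPxyz", "bob", "203.0.113.9", False, now=t0 + timedelta(minutes=m))
            for m in (0, 1, 2, 3, 9)]


if __name__ == "__main__":
    print(simulate_brute_force())
    print(simulate_sliding_window())
```

The check belongs in the server-side login action (the POST handler that verifies the password), not in the form itself, since anything in the form is under the attacker's control. Two caveats a practitioner would add: an account-level lock is also a denial-of-service lever, so log the source IP and rate-limit per IP as well, and never tell the client whether a rejection was "wrong password" or "account locked" in a way that distinguishes valid usernames.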
Hi Scott, kudos, very nice blog article, a missing piece in the multi-tenant solution, tenantID from an extended Identity userID/principal from the session to save/perform data operations. Am I wrong here? Can you help with a modification? I believe the key to making this work would be letting the user select a Tenant (or Organization) during registration. Thanks