Hi @maliming, is there a way to override the handler?
Hi @maliming, I have provided the source code via email, I also attached the ECDSA cert that we use for testing.
I tried AddSigningCertificate, it does not work with ECDSA cert.
Hi @maliming, ok, let me share the full code to you.
Hi, I did disable the development cert, below is my full PreConfigureServices:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
var environment = context.Services.GetHostingEnvironment();
var configuration = context.Services.GetConfiguration();
PreConfigure<OpenIddictBuilder>(builder =>
{
builder.AddValidation(options =>
{
options.AddAudiences("DigitalPlatform");
options.UseLocalServer();
options.UseAspNetCore();
});
});
// disable developer signing credential
PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
{
options.AddDevelopmentEncryptionAndSigningCertificate = false;
});
PreConfigure<OpenIddictServerBuilder>(builder =>
{
// get ECDSA certificate
var ecdsaCertificate = CertificateHelper.GetClientCertificate(configuration["Key:ThumbPrint"]);
ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());
// add signing key
builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));
// add encryption credentials
var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
encryptionKey.KeyId = "encryption_key_id";
encryptionKey.Use = JsonWebKeyUseNames.Enc;
builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
});
PreConfigure<IdentityBuilder>(builder =>
{
builder.AddSignInManager<CustomSignInManager>();
});
}
Hi, yes, I did add the PreConfigure<OpenIddictServerBuilder>
Below is the result of JWKS URL, it contains the signing key only:
{
"keys": [
{
"kid": "NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0",
"use": "sig",
"kty": "EC",
"alg": "ES256",
"crv": "P-256",
"x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
"y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw"
}
]
}
Hi, our application needs to expose an encryption key in JWKS URL for the other party using it to encrypt their data before returning to us, and we have implemented it in IdentityServer, below is how the JWKS URL response look like:
{
"keys": [
{
"kty": "EC",
"use": "sig",
"kid": "esj_keyid",
"alg": "ES256",
"x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
"y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
"crv": "P-256"
},
{
"kty": "EC",
"use": "enc",
"kid": "6HFIeNOix6zxe2En3bjhZJBX78OY0IG8u1KU41HeNoU",
"alg": "ECDH-ES+A192KW",
"x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
"y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
"crv": "P-256"
}
]
}
I tried the code below, but it did not succeed in OpenIdDict:
PreConfigure< OpenIddictServerBuilder >(builder =>
{
// get ECDSA certificate
var ecdsaCertificate = CertificateHelper.GetCertificate(configuration["Key:ThumbPrint"]);
ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());
// add signing key
builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));
// add encryption credentials
var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
encryptionKey.KeyId = "encryption_key_id";
encryptionKey.Use = JsonWebKeyUseNames.Enc;
builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
});
Any idea how to do it?
Hi @maliming, thanks for the confirmation.
Hi, understand that IdentityServer4 has reached its End of Support (EOS) date as of December 13th, 2022. I am wondering if you will continue to provide security fixes for IdentityServer4 in your latest version. If so, how long do you plan to provide this support for IdentityServer4?
Hi @maliming, thanks for the reply. we managed to implement it, just found a minor issue in documentation, it should be "AbpAspNetCoreMultiTenancyOptions" instead of "AbpMultiTenancyOptions".
Hi @maliming, thanks for the reply.
While waiting for the upgrade, is there a way to override the current AbpAspNetCoreMultiTenancyOptions to implement the fix?