- ABP Framework version: v9.0.1
- UI Type: MVC
- Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..) / MongoDB
- Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
- Exception message and full stack trace:
- Steps to reproduce the issue:
Hello Abp team,
Hope I am giving you exciting challenges :-)
I need to pitch a Government Contract, and I need to test two requirements before I send the proposal. As per my understanding, OpenIddict does support RequireProofKeyForCodeExchange (PKCE) and the security feature Mutual-TLS (https://www.rfc-editor.org/rfc/rfc8705).
However, I don't know how I can enable this feature in my ABP MVC Tiered Application.
Can you please suggest, how I can achieve this?
I am extending OpenIddict to remove `public string LogoUri { get; set; }` and replace it with a file type to allow my clients to upload images by themselves. What is the best way to achieve this, to upload and save images in the database? Maybe:

```csharp
ConfigureOpenIddict(openIddict =>
{
    openIddict.ConfigureApplication(spp =>
        spp.AddOrUpdateProperty<File>("ApplicationIcon")); // ----> to show upload and show image?
});
```
Regards, Navneet
11 Answer(s)
-
0
hi
OpenIddict does support RequireProofKeyForCodeExchange (PKCE)
Yes, https://abp.io/docs/latest/modules/openiddict#pkce https://documentation.openiddict.com/configuration/proof-key-for-code-exchange.html
I am extending Openiddict to remove public string LogoUri { get; set; } and replace it with Filetype to allow my clients to upload images by themselves, what is the best way to achieve this to upload and save images in the database? maybe:
You can add a new property. You don't need to remove the `LogoUri`, just hide it in the UI page. See https://abp.io/docs/latest/framework/architecture/modularity/extending/customizing-application-modules-extending-entities
-
0
Thanks Maliming,
My confusion is whether I should apply the below manually, or whether OpenIddict will apply it automatically if the client app (like mobile) has this enabled from the client side.

```csharp
Requirements = { Requirements.Features.ProofKeyForCodeExchange }
```

The reason I am saying this is that I have not seen this configuration in the ABP MAUI or React Native template.
According to the OpenIddict documentation:
The OpenIddict client always uses Proof Key for Code Exchange when the configuration metadata indicates this feature is supported by the authorization server: you don't have to configure anything to enable it at the client level.
Could you please help me with the code to add an upload to save images in the DB and show them in the Application Index Page? What is the correct type to save the image (basically it's an icon)? I tried to create something similar in ABP Suite, but it creates a Guid property for the image 🤷♂️

```csharp
ConfigureOpenIddict(openIddict =>
{
    openIddict.ConfigureApplication(spp =>
        spp.AddOrUpdateProperty<File>(      // ----> to show upload and show image?
        // or spp.AddOrUpdateProperty<byte[]>(
        // or spp.AddOrUpdateProperty<IFormFile>(
            "ApplicationIcon"));
});
```
-
0
hi
PKCE is enabled by default in OpenIddict, so you don't need to add any code.
If you want to force the client and server to use PKCE:
- Proof Key for Code Exchange can be enforced globally by calling options.RequireProofKeyForCodeExchange() in the server options:

```csharp
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<OpenIddictBuilder>(builder =>
    {
        builder.AddValidation(options =>
        {
            options.AddAudiences("MyProjectName");
            options.UseLocalServer();
            options.UseAspNetCore();
        });
    });

    // Proof Key for Code Exchange can be enforced globally by calling
    // options.RequireProofKeyForCodeExchange() in the server options:
    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        serverBuilder.RequireProofKeyForCodeExchange();
    });
}
```

Update the requirements for your client application. We will add an enable/disable option in the Application UI page in the next version.

```sql
-- B3E5E483-1B83-C653-39E6-3A174BE73792 is your client id
UPDATE [dbo].[OpenIddictApplications]
SET [Requirements] = N'["ft:pkce"]'
WHERE [Id] = 'B3E5E483-1B83-C653-39E6-3A174BE73792'
```

React Native already sets `usePKCE: true`. MAUI uses `OidcClient` and it always does PKCE.
Could you please help me with the code to add upload to save images in db and show them in the Application Index Page, what is the correct type to save the image (basically it's an Icone), I tried to create similar in ABP suite, but it creates a Guid property for image 🤷♂️
Can you create a new question for this?
Thanks.
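The answer above shows two levers: the global `RequireProofKeyForCodeExchange()` switch in the server options, and the per-client `ft:pkce` requirement written into the `Requirements` column. The following is an added example, not code from this thread, from ABP or from OpenIddict, that sets the per-client requirement through the OpenIddict application manager instead of a raw SQL UPDATE, so the change goes through the same validation and caching as the rest of the application store. It assumes a tiered ABP AuthServer project; `MyAuthServerModule`, `PkceRequirementSeedContributor` and the client id `MyMobileClient` are placeholders.

```csharp
// Added example (not from the thread, ABP or OpenIddict). Assumes an ABP AuthServer
// module; "MyMobileClient" is a placeholder client id.
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Modularity;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class MyAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        // Global enforcement: every authorization-code request must carry a
        // code_challenge, regardless of what the individual client record says.
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            serverBuilder.RequireProofKeyForCodeExchange();
        });
    }
}

// Per-client enforcement, run from a data seed contributor (or any DI-resolved service).
public class PkceRequirementSeedContributor : IDataSeedContributor, ITransientDependency
{
    private readonly IOpenIddictApplicationManager _applicationManager;

    public PkceRequirementSeedContributor(IOpenIddictApplicationManager applicationManager)
    {
        _applicationManager = applicationManager;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        await RequirePkceForClientAsync("MyMobileClient"); // placeholder client id
    }

    // Returns true when the requirement was added, false when it was already
    // present or the client does not exist.
    public async Task<bool> RequirePkceForClientAsync(string clientId)
    {
        var application = await _applicationManager.FindByClientIdAsync(clientId);
        if (application == null)
        {
            return false;
        }

        // Copy the stored record into a descriptor, add the requirement, write it back.
        var descriptor = new OpenIddictApplicationDescriptor();
        await _applicationManager.PopulateAsync(descriptor, application);

        // Requirements.Features.ProofKeyForCodeExchange is the "ft:pkce" string that the
        // SQL UPDATE in the answer above writes into [Requirements].
        if (!descriptor.Requirements.Add(Requirements.Features.ProofKeyForCodeExchange))
        {
            return false;
        }

        await _applicationManager.UpdateAsync(application, descriptor);
        return true;
    }
}
```

With the requirement present, OpenIddict rejects an authorization request from that client that lacks `code_challenge`, and a token request whose `code_verifier` does not match; the global switch does the same for every client, which is the simpler setting to cite in a proposal because it cannot be undone by editing one client row.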
-
0
Hi Maliming,
I have created a separate question for Application Icon.
For the original question, can you please help me with how I can achieve the security feature Mutual-TLS (https://www.rfc-editor.org/rfc/rfc8705)?
This is one of the two minimum requirements for me to pitch for the contract.
Regards, Navneet
-
0
hi
how can I achieve the security feature Mutual-TLS https://www.rfc-editor.org/rfc/rfc8705
I'm not proficient in this. If you have any questions/problems about openiddict, you can leave a message here.
Thanks.
-
0
Hi Maliming,
Sorry, I may have gone too advanced; it is an existing security handshake feature of OpenIddict, please see the link below: https://github.com/openiddict/openiddict-core/blob/ea7a9e2503422178e3ca9dcd8368c4a6a2330b76/src/OpenIddict.Abstractions/OpenIddictConstants.cs#L543
I can set and get this certificate in OpenIddictApplication by extending the property. However, how can I configure it in a way that only the applications that have this certificate are validated, and only if the application explicitly requires it, like calling: https://github.com/openiddict/openiddict-core/blob/ea7a9e2503422178e3ca9dcd8368c4a6a2330b76/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs#L135
Thanks, Navneet
-
0
hi
I think OpenIddict Server doesn't support `tls_client_certificate_bound_access_tokens` yet. See https://github.com/openiddict/openiddict-core/blob/dev/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs#L796-L801
-
0
Thanks Maliming,
This is one of the requirements for my RFP submission to Government.
Do you think that if I switch to IdentityServer.Pro, that will help me achieve this?
Thanks, Navneet
-
0
Hi
If Identity Server 4 supports TLS, you can use it. However, Identity Server 4 is no longer maintained.
-
0
Hi Maliming,
I believe I have found a way to enable this feature. It's manual but may work with ABP; I need to figure out how to ensure that the certificate is validated and the token issued is bound to the certificate.
I may be able to use the Application "ExtraProperties" to save a flag for the TLS configuration. Can you please point me to the documentation or the OpenIddict class where validation happens? For example, where does the application check that the requested scope is in the Application scope?

```csharp
Properties =
{
    // Specify the token binding method for Mutual-TLS
    [OpenIddictConstants.Properties.TokenBindingMethod] = OpenIddictConstants.TokenBindingMethods.TlsClientCertificate
}
```

```csharp
// Middleware to extract certificate
app.Use(async (context, next) =>
{
    var clientCertificate = await context.Connection.GetClientCertificateAsync();
    if (clientCertificate != null)
    {
        context.Items["ClientCertificate"] = clientCertificate;
    }
    await next();
});
```

```csharp
// Custom Validator
public class CustomCertificateValidator : ICertificateValidator
{
    public ValueTask<bool> ValidateAsync(X509Certificate2 certificate, CancellationToken cancellationToken = default)
    {
        if (certificate != null && certificate.Issuer == "CN=TrustedIssuer" && certificate.NotAfter > DateTime.UtcNow)
        {
            return new ValueTask<bool>(true);
        }
        return new ValueTask<bool>(false);
    }
}
```

```csharp
options.Configure(config =>
{
    // Use TlsClientCertificate for Mutual-TLS
    config.TokenBindingMethods = new[] { OpenIddictConstants.TokenBindingMethods.TlsClientCertificate };
});
```

I am struggling with how I can make it more dynamic, so as not to force validation for all applications but only those applications which have TlsClientCertificate enabled.
If you are interested, I will keep you in the loop on how I am progressing.
Thanks, Navneet
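The post above has two halves: validating the presented certificate, and making sure the issued token is actually bound to it. The second half is what RFC 8705 section 3 specifies: the token carries a `cnf` claim whose `x5t#S256` member is the base64url-encoded SHA-256 hash of the client certificate's DER bytes, and a resource server accepts the token only when the certificate on the current TLS connection hashes to that value. The following is an added example, not code from this thread, from ABP or from OpenIddict (which, per the answer above, does not issue such tokens yet); it shows the resource-server check in isolation. It assumes the token signature has already been validated and its claims are in a `ClaimsPrincipal`; the claim names come from the RFC, the `clientRequiresBinding` flag stands in for the per-application switch the post asks about (for instance a value read from the application's `ExtraProperties`), and `CertificateBoundTokenCheck` is a hypothetical name.

```csharp
// Added example (not from the thread, ABP or OpenIddict): the RFC 8705 section 3 check
// that a certificate-bound access token is presented over a TLS connection carrying the
// certificate it was bound to. Assumes the token was already signature-validated.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

public static class CertificateBoundTokenCheck
{
    // x5t#S256 as defined in RFC 8705 / RFC 7515: base64url(SHA-256(DER certificate)),
    // without padding.
    public static string Thumbprint(X509Certificate2 certificate)
    {
        byte[] hash = SHA256.HashData(certificate.RawData);
        return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Reads the expected thumbprint from the token's "cnf" claim.
    // Returns null when the token carries no certificate binding at all.
    public static string? BoundThumbprint(ClaimsPrincipal principal)
    {
        var cnf = principal.FindFirst("cnf")?.Value;
        if (string.IsNullOrEmpty(cnf))
        {
            return null;
        }

        using var doc = JsonDocument.Parse(cnf);
        return doc.RootElement.TryGetProperty("x5t#S256", out var x5t) ? x5t.GetString() : null;
    }

    // Decision table:
    //   token unbound, client not required to bind  -> accept (plain bearer token)
    //   token unbound, client required to bind      -> reject (binding was bypassed)
    //   token bound, no certificate on connection   -> reject (token replayed without the key)
    //   token bound, certificate present            -> accept only if thumbprints match
    // clientRequiresBinding is the per-application flag; how it is stored is up to the caller.
    public static bool Accept(ClaimsPrincipal principal, X509Certificate2? presented, bool clientRequiresBinding)
    {
        var expected = BoundThumbprint(principal);
        if (expected == null)
        {
            return !clientRequiresBinding;
        }

        if (presented == null)
        {
            return false;
        }

        var actual = Thumbprint(presented);

        // Constant-time comparison; FixedTimeEquals returns false on length mismatch.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected),
            Encoding.ASCII.GetBytes(actual));
    }
}
```

In an ASP.NET Core pipeline the `presented` argument is what `context.Connection.GetClientCertificateAsync()` returns (the same call the middleware in the post uses), and `principal` is `context.User` after the bearer token has been validated. The issuer and expiry checks in the post's `CustomCertificateValidator` belong before this step; this check adds the part they do not cover, that the certificate which passed those checks is the one the token was minted for, so a stolen bound token is useless without the matching private key.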
-
0