
OpenIddict Azure #8609


0
inavarro.cp created
  • ABP Framework version: v6.0.1

  • UI Type: MVC

  • Database System: EF Core (PostgreSQL)

  • Tiered (for MVC) or Auth Server Separated (for Angular): Tiered

  • Exception message and full stack trace:

  • Steps to reproduce the issue:

I already have a certificate in Azure and I would like to use it for OpenIddict. In my App Service in Azure where I have my application deployed, in Identity in the environment variables I already have WEBSITE_LOAD_CERTIFICATES configured. Now I would need to modify the code to be able to use that certificate. I am giving you the code that I currently have.

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var hostingEnvironment = context.Services.GetHostingEnvironment();
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictBuilder>(builder =>
    {
        builder.AddValidation(options =>
        {
            options.AddAudiences("WebApp");
            options.UseLocalServer();
            options.UseAspNetCore();
        });
    });

    /*
     * This configuration is used when the AuthServer is running on docker containers at localhost.
     * Configuring the redirecting URLs for internal network and the web
     */
    if (!hostingEnvironment.IsDevelopment())
    {
        // Disable the development certificate ABP registers by default.
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // Loads openiddict.pfx from the application directory using the given pass phrase.
            serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "00000000-0000-0000-0000-000000000000");
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
}

5 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    Hi

    What’s your Azure certificate path?

    Can you read it as stream via code?

    Thanks

  • inavarro.cp created

    In my environment variable WEBSITE_LOAD_CERTIFICATES I store the Thumbprint of the certificate.

  • maliming created
    Support Team Fullstack Developer

    Hi

    Can you read the WEBSITE_LOAD_CERTIFICATES value from your ASP Net core app?

    Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES")

    What is the value of WEBSITE_LOAD_CERTIFICATES?

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        //https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
        //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
        builder.AddSigningKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78")));
        builder.AddEncryptionKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80")));
    });
    
  • inavarro.cp created

    I have already been able to solve it.
    Here I have the certificate.
    Certificate.jpg

    In the environment variables I have added the thumbprint of my certificate
    image.png

    This is the new code I added

    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var hostingEnvironment = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();

        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
            {
                options.AddAudiences("WebApp");
                options.UseLocalServer();
                options.UseAspNetCore();
            });
        });

        if (!hostingEnvironment.IsDevelopment())
        {
            // Disable the development certificate ABP registers by default.
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                // Read the certificate thumbprint from the environment variable
                var certificateThumbprint = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");

                if (!string.IsNullOrWhiteSpace(certificateThumbprint))
                {
                    // Load the certificate directly from the Azure App Service certificate store
                    var certificate = GetCertificateFromAzure(certificateThumbprint);

                    if (certificate == null)
                    {
                        throw new InvalidOperationException($"No se pudo encontrar el certificado con thumbprint '{certificateThumbprint}' en Azure App Service.");
                    }

                    serverBuilder.AddEncryptionCertificate(certificate);
                    serverBuilder.AddSigningCertificate(certificate);
                }
                else
                {
                    throw new InvalidOperationException("La variable de entorno 'WEBSITE_LOAD_CERTIFICATES' no está configurada o está vacía.");
                }

                // Set the issuer from configuration
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }
    }

    private X509Certificate2? GetCertificateFromAzure(string thumbprint)
    {
        try
        {
            // App Service (Windows) places certificates listed in WEBSITE_LOAD_CERTIFICATES
            // into the CurrentUser\My store of the app's identity.
            using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false so a self-signed certificate without a trusted chain is still returned.
            var certificate = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();

            return certificate;
        }
        catch (Exception ex)
        {
            throw new InvalidOperationException("Error al cargar el certificado desde Azure App Service.", ex);
        }
    }
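The solution above treats WEBSITE_LOAD_CERTIFICATES as the selector for the certificate, but that variable is a loader directive: Azure accepts a comma-separated list of thumbprints or `*` there, so it only names one certificate by accident of configuration, and the store lookup it relies on only applies to Windows App Service (on Linux the loaded certificates are written to files instead). The following is an added example, not code from this thread, from ABP or from OpenIddict. It reads the thumbprint from a dedicated configuration key (`AuthServer:CertificateThumbprint` is a hypothetical name), falls back to WEBSITE_LOAD_CERTIFICATES only when that names exactly one certificate, normalizes the thumbprint, resolves it from the Windows store or the Linux file location documented by Azure, and refuses certificates that lack a private key or have expired, since signing and token decryption need the private key and an expired key would silently break validation.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example: resolves the OpenIddict signing/encryption certificate on Azure App Service.
// The class name and the configuration key "AuthServer:CertificateThumbprint" are assumptions.
public static class AppServiceCertificateLoader
{
    // Azure documents these locations for certificates loaded into Linux App Service.
    private const string LinuxPrivateCertDir = "/var/ssl/private";

    public static X509Certificate2 Load(string? configuredThumbprint)
    {
        var thumbprint = ResolveThumbprint(configuredThumbprint);

        var certificate = OperatingSystem.IsWindows()
            ? FindInStore(thumbprint)
            : LoadFromLinuxFile(thumbprint);

        if (certificate is null)
        {
            throw new InvalidOperationException(
                $"No certificate with thumbprint '{thumbprint}' is loaded into this App Service.");
        }

        // Signing access tokens and decrypting them both require the private key;
        // a public-only certificate would fail at the first token request, not at startup.
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate '{thumbprint}' has no private key; it cannot sign or decrypt tokens.");
        }

        if (certificate.NotAfter.ToUniversalTime() <= DateTime.UtcNow)
        {
            throw new InvalidOperationException(
                $"Certificate '{thumbprint}' expired on {certificate.NotAfter:u}.");
        }

        return certificate;
    }

    // Prefer an explicit configuration value. WEBSITE_LOAD_CERTIFICATES is only usable as a
    // selector when it contains exactly one thumbprint; "*" or a list tells us nothing about
    // which certificate OpenIddict should use.
    internal static string ResolveThumbprint(string? configured)
    {
        if (!string.IsNullOrWhiteSpace(configured))
        {
            return Normalize(configured);
        }

        var raw = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") ?? string.Empty;
        var entries = raw.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);

        if (entries.Length == 1 && entries[0] != "*")
        {
            return Normalize(entries[0]);
        }

        throw new InvalidOperationException(
            "Set AuthServer:CertificateThumbprint; WEBSITE_LOAD_CERTIFICATES does not identify a single certificate.");
    }

    // Thumbprints copied from the portal may contain spaces or lowercase hex; the store
    // lookup and the Linux file name both expect bare uppercase hex.
    internal static string Normalize(string thumbprint) =>
        new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    private static X509Certificate2? FindInStore(string thumbprint)
    {
        // Windows App Service loads the certificates into CurrentUser\My of the app identity.
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false keeps self-signed certificates without a trusted chain.
        return store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>()
            .FirstOrDefault();
    }

    private static X509Certificate2? LoadFromLinuxFile(string thumbprint)
    {
        // Linux App Service writes each private certificate as an unprotected PKCS#12 file.
        var path = Path.Combine(LinuxPrivateCertDir, thumbprint + ".p12");
        return File.Exists(path) ? new X509Certificate2(path) : null;
    }
}
```

Inside the module it replaces the inline lookup shown above, keeping the rest of the configuration as posted:

`PreConfigure<OpenIddictServerBuilder>(serverBuilder => { var cert = AppServiceCertificateLoader.Load(configuration["AuthServer:CertificateThumbprint"]); serverBuilder.AddSigningCertificate(cert); serverBuilder.AddEncryptionCertificate(cert); });`

Failing fast at startup is deliberate: a missing private key or an expired certificate would otherwise surface only as token validation errors on the first request after deployment.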
    
  • maliming created
    Support Team Fullstack Developer

    Thank you for sharing the solution.

Made with ❤️ on ABP v9.2.0-preview. Updated on March 13, 2025, 04:08