Activities of "nhontran"

Hi @liangshiwei, sorry if my question confused you, but I want to know what cookies are created by this method in abp.js:

    abp.utils.setCookieValue = function (key, value, expireDate, path) {
        var cookieValue = encodeURIComponent(key) + '=';

        if (value) {
            cookieValue = cookieValue + encodeURIComponent(value);
        }

        if (expireDate) {
            cookieValue = cookieValue + "; expires=" + expireDate.toUTCString();
        }

        if (path) {
            cookieValue = cookieValue + "; path=" + path;
        }

        document.cookie = cookieValue;
    };

What is the purpose of using these cookies, and do they contain any sensitive info?
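An added example, not part of the original post and not ABP's code: `buildCookieString` is a hypothetical pure version of the string-building logic shown above, and `auditCookieString` reports which protections a cookie written this way lacks. The cookie name and value used with it are constructed.

```javascript
// Hypothetical pure version of the logic in abp.utils.setCookieValue:
// returns the string instead of assigning it to document.cookie.
function buildCookieString(key, value, expireDate, path) {
  let s = encodeURIComponent(key) + '=';
  if (value) s += encodeURIComponent(value); // falsy values (0, '', false) give "key="
  if (expireDate) s += '; expires=' + expireDate.toUTCString();
  if (path) s += '; path=' + path;
  return s;
}

// Parse a string of the form assigned to document.cookie and list its exposure.
function auditCookieString(cookieString) {
  const [pair, ...attrs] = cookieString.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const seen = new Map(attrs.map((a) => {
    const i = a.indexOf('=');
    return i < 0 ? [a.toLowerCase(), true] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));
  // A cookie written through document.cookie can never carry HttpOnly.
  const notes = ['readable by any script on the page (HttpOnly cannot be set from JavaScript)'];
  if (!seen.has('secure')) notes.push('no Secure attribute: also sent over plain HTTP');
  if (!seen.has('samesite')) notes.push('no SameSite attribute: browser default applies');
  if (!seen.has('expires') && !seen.has('max-age')) notes.push('session cookie');
  if (!seen.has('path')) notes.push('no path: default path of the current document applies');
  return {
    name: decodeURIComponent(pair.slice(0, eq)),
    value: decodeURIComponent(pair.slice(eq + 1)),
    notes,
  };
}

// Constructed sample input.
const sample = buildCookieString('demo.setting', 'a b', new Date(Date.UTC(2030, 0, 1)), '/');
console.log(sample);
console.log(auditCookieString(sample));
```

Because the helper only ever emits `expires` and `path`, every cookie it writes is script-readable and lacks `Secure` and `SameSite`, so it suits preferences rather than secrets.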

Hi, what I want to achieve is, instead of using an RSA key, to use an ECDSA key for signing credentials and encryption credentials. I found that this is supported by OpenIddict in their documentation:

Encryption and signing credentials
To protect the tokens it issues, OpenIddict uses 2 types of credentials:

Signing credentials are used to protect against tampering. They can be either asymmetric (e.g a RSA or ECDSA key) or symmetric.
Encryption credentials are used to ensure the content of tokens cannot be read by malicious parties. They can be either asymmetric (e.g a RSA key) or symmetric.

but I don't know why I keep getting this error:

    [09:54:04 DBG] An exception was thrown by OpenIddict.Server.OpenIddictServerHandlers+Protection+GenerateIdentityModelToken while handling the OpenIddict.Server.OpenIddictServerEvents+GenerateTokenContext event.
    System.ArgumentNullException: IDX10000: The parameter 'privateKey' cannot be a 'null' or an empty object.  (Parameter 'privateKey')
       at Microsoft.IdentityModel.Tokens.EcdhKeyExchangeProvider..ctor(SecurityKey privateKey, SecurityKey publicKey, String alg, String enc)

Is there any sample code using an ECDSA key instead of an RSA key?

Hi @maliming, thanks, I managed to add the encryption key into the JWKS URL, but I got the error below when using the Angular UI to log in to retrieve the access token:

    [09:54:04 DBG] An exception was thrown by OpenIddict.Server.OpenIddictServerHandlers+Protection+GenerateIdentityModelToken while handling the OpenIddict.Server.OpenIddictServerEvents+GenerateTokenContext event.
    System.ArgumentNullException: IDX10000: The parameter 'privateKey' cannot be a 'null' or an empty object.  (Parameter 'privateKey')
       at Microsoft.IdentityModel.Tokens.EcdhKeyExchangeProvider..ctor(SecurityKey privateKey, SecurityKey publicKey, String alg, String enc)

This happens even though the security key I put into EncryptingCredentials already had the private key. I have provided you the source code through email; are you able to help us check?

Hi @maliming, is there a way to override the handler?

Hi @maliming, I have provided the source code via email, I also attached the ECDSA cert that we use for testing.

I tried AddSigningCertificate; it does not work with an ECDSA cert.

Hi @maliming, ok, let me share the full code with you.

Hi, I did disable the development cert; below is my full PreConfigureServices:

    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var environment = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();

        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
            {
                options.AddAudiences("DigitalPlatform");
                options.UseLocalServer();
                options.UseAspNetCore();
            });
        });

        // disable developer signing credential
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            // get ECDSA certificate
            var ecdsaCertificate = CertificateHelper.GetClientCertificate(configuration["Key:ThumbPrint"]);
            ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());

            // add signing key
            builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));

            // add encryption credentials
            var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
            encryptionKey.KeyId = "encryption_key_id";
            encryptionKey.Use = JsonWebKeyUseNames.Enc;
            builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
        });

        PreConfigure<IdentityBuilder>(builder =>
        {
            builder.AddSignInManager<CustomSignInManager>();
        });
    }

Hi, yes, I did add the PreConfigure<OpenIddictServerBuilder>.

Below is the result of the JWKS URL; it contains the signing key only:

    {
      "keys": [
        {
          "kid": "NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0",
          "use": "sig",
          "kty": "EC",
          "alg": "ES256",
          "crv": "P-256",
          "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
          "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw"
        }
      ]
    }
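An added example, not part of the original post and not ABP or OpenIddict code: a small audit of a JWKS document that lists which `use` values are published, flags any private key member, and checks EC coordinate sizes. `auditJwks` and the `expectedUses` default are assumptions of this example; `SAMPLE_JWKS` is the JWKS quoted above.

```javascript
// The JWKS quoted in the post above.
const SAMPLE_JWKS = { keys: [{
  kid: 'NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0', use: 'sig', kty: 'EC',
  alg: 'ES256', crv: 'P-256',
  x: 'nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM',
  y: 'OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw' }] };

// Private JWK members (RFC 7518): must never appear in a published JWKS.
const PRIVATE_MEMBERS = ['d', 'p', 'q', 'dp', 'dq', 'qi', 'oth', 'k'];
// Coordinate size in bytes and the matching ECDSA alg for each curve.
const CURVES = { 'P-256': [32, 'ES256'], 'P-384': [48, 'ES384'], 'P-521': [66, 'ES512'] };

// Byte length of a base64url-encoded value.
function b64urlLength(s) {
  const b64 = String(s).replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').length;
}

// expectedUses is an assumption: the uses the operator intends to publish.
function auditJwks(jwks, expectedUses = ['sig', 'enc']) {
  const findings = [];
  const uses = new Set();
  for (const key of jwks.keys || []) {
    const id = key.kid || '(no kid)';
    if (key.use) uses.add(key.use); else findings.push(`${id}: no "use" member`);
    for (const m of PRIVATE_MEMBERS) {
      if (m in key) findings.push(`${id}: private member "${m}" is published`);
    }
    if (key.kty === 'EC') {
      const curve = CURVES[key.crv];
      if (!curve) { findings.push(`${id}: unknown curve ${key.crv}`); continue; }
      const [size, sigAlg] = curve;
      for (const c of ['x', 'y']) {
        if (b64urlLength(key[c]) !== size) findings.push(`${id}: "${c}" is not ${size} bytes`);
      }
      if (key.use === 'sig' && key.alg && key.alg !== sigAlg) {
        findings.push(`${id}: alg ${key.alg} does not match ${key.crv}`);
      }
    }
  }
  const missingUses = expectedUses.filter((u) => !uses.has(u));
  return { findings, missingUses };
}

console.log(auditJwks(SAMPLE_JWKS));
```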

Hi @maliming, thanks for the confirmation.

Hi @maliming, thanks for the reply. We managed to implement it, and just found a minor issue in the documentation: it should be "AbpAspNetCoreMultiTenancyOptions" instead of "AbpMultiTenancyOptions".
