Hi, I did disable the development cert, below is my full PreConfigureServices:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var environment = context.Services.GetHostingEnvironment();
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictBuilder>(builder =>
    {
        builder.AddValidation(options =>
        {
            options.AddAudiences("DigitalPlatform");
            options.UseLocalServer();
            options.UseAspNetCore();
        });
    });

    // disable developer signing credential
    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        // get ECDSA certificate
        var ecdsaCertificate = CertificateHelper.GetClientCertificate(configuration["Key:ThumbPrint"]);
        ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());

        // add signing key
        builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));

        // add encryption credentials
        var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
        encryptionKey.KeyId = "encryption_key_id";
        encryptionKey.Use = JsonWebKeyUseNames.Enc;
        builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
    });

    PreConfigure<IdentityBuilder>(builder =>
    {
        builder.AddSignInManager<CustomSignInManager>();
    });
}
Hi, yes, I did add the PreConfigure<OpenIddictServerBuilder>.
Below is the response from the JWKS URL; it contains only the signing key:
{
  "keys": [
    {
      "kid": "NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0",
      "use": "sig",
      "kty": "EC",
      "alg": "ES256",
      "crv": "P-256",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw"
    }
  ]
}
Hi, our application needs to expose an encryption key on the JWKS URL so that the other party can use it to encrypt their data before returning it to us. We have implemented this in IdentityServer; below is what the JWKS URL response looks like:
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "esj_keyid",
      "alg": "ES256",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
      "crv": "P-256"
    },
    {
      "kty": "EC",
      "use": "enc",
      "kid": "6HFIeNOix6zxe2En3bjhZJBX78OY0IG8u1KU41HeNoU",
      "alg": "ECDH-ES+A192KW",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
      "crv": "P-256"
    }
  ]
}
I tried the code below, but it did not succeed in OpenIddict:
PreConfigure<OpenIddictServerBuilder>(builder =>
{
    // get ECDSA certificate
    var ecdsaCertificate = CertificateHelper.GetCertificate(configuration["Key:ThumbPrint"]);
    ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());

    // add signing key
    builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));

    // add encryption credentials
    var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
    encryptionKey.KeyId = "encryption_key_id";
    encryptionKey.Use = JsonWebKeyUseNames.Enc;
    builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
});
Any idea how to do it?
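An added example, not from this thread or from ABP/OpenIddict, that audits a JWKS document the way a reviewer would check the two responses quoted above: it reports when no "use": "enc" key is published, when an alg does not fit the key's use, when a private parameter leaks, and when the same public key material is published under both sig and enc (as in the IdentityServer output, where both entries share x and y). The two sample documents are copied from the thread; the algorithm lists are from RFC 7518.

```python
import json

# Key-management algorithms that belong on "use": "enc" keys and signature
# algorithms that belong on "use": "sig" keys (RFC 7518 sections 4.1 and 3.1).
ENC_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW",
            "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128KW", "A192KW", "A256KW", "dir"}
SIG_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
            "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "EdDSA"}

# Sample documents copied from the two JWKS responses quoted in this thread.
OPENIDDICT_JWKS = {"keys": [
    {"kid": "NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0", "use": "sig", "kty": "EC",
     "alg": "ES256", "crv": "P-256", "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
     "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw"}]}
IDENTITYSERVER_JWKS = {"keys": [
    dict(OPENIDDICT_JWKS["keys"][0], kid="esj_keyid"),
    dict(OPENIDDICT_JWKS["keys"][0], kid="6HFIeNOix6zxe2En3bjhZJBX78OY0IG8u1KU41HeNoU",
         use="enc", alg="ECDH-ES+A192KW")]}

def public_material(key):
    """Identify the public key independently of kid, use and alg."""
    if key.get("kty") == "EC":
        return ("EC", key.get("crv"), key.get("x"), key.get("y"))
    if key.get("kty") == "RSA":
        return ("RSA", key.get("n"), key.get("e"))
    return (key.get("kty"), key.get("kid"))

def audit_jwks(document):
    """Return a list of findings for a JWKS document given as str or dict."""
    jwks = json.loads(document) if isinstance(document, str) else document
    findings, uses, seen = [], set(), {}
    for key in jwks.get("keys", []):
        kid, use, alg = key.get("kid", "?"), key.get("use"), key.get("alg")
        uses.add(use)
        if key.get("kty") == "EC" and not all(key.get(f) for f in ("crv", "x", "y")):
            findings.append(f"{kid}: EC key is missing crv, x or y")
        if (use == "sig" and alg in ENC_ALGS) or (use == "enc" and alg in SIG_ALGS):
            findings.append(f"{kid}: alg {alg} does not match use {use}")
        if "d" in key:  # a JWKS must only ever carry public parameters
            findings.append(f"{kid}: private parameter 'd' published")
        seen.setdefault(public_material(key), set()).add(use)
    if any({"sig", "enc"} <= key_uses for key_uses in seen.values()):
        findings.append("same public key published for both sig and enc")
    if "enc" not in uses:
        findings.append("no encryption key (use=enc) in JWKS")
    return findings

if __name__ == "__main__":
    for name, doc in (("OpenIddict", OPENIDDICT_JWKS), ("IdentityServer", IDENTITYSERVER_JWKS)):
        print(name, audit_jwks(doc))
```

Point the audit at your own JWKS URL (json.loads of the fetched body) to confirm the encryption key is published with a distinct key pair rather than a relabelled copy of the signing key.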
Hi @maliming, thanks for the confirmation.
Hi, I understand that IdentityServer4 has reached its End of Support (EOS) date as of December 13th, 2022. I am wondering if you will continue to provide security fixes for IdentityServer4 in your latest version. If so, how long do you plan to provide this support for IdentityServer4?
Hi @maliming, thanks for the reply. We managed to implement it; I just found a minor issue in the documentation: it should be "AbpAspNetCoreMultiTenancyOptions" instead of "AbpMultiTenancyOptions".
Hi @maliming, thanks for the reply.
While waiting for the upgrade, is there a way to override the current AbpAspNetCoreMultiTenancyOptions to implement the fix?
Hi, a cross-site scripting issue has been flagged in our project by the penetration test team. The vulnerability concerns the "__tenant" parameter in the query string:

Subject:
Reflected Cross-Site Scripting (XSS)
https://<masked url>/api/* [GET parameter: __tenant]
https://<masked url>/identity/* [GET parameter: __tenant]

Description:
Reflected XSS occurs when malicious JavaScript code is supplied in a user's request and returned back to them for execution within their browser in the context of the website itself. This allows an attacker to inject code which is executed by legitimate users when they are tricked into opening a malicious link or visiting a site under an attacker's control. This allows an attacker to perform unauthorised actions in the application on behalf of legitimate users or spread malware via the application.

The __tenant parameter used in the identified subjects is vulnerable to XSS attacks. An example is demonstrated below:

Attached file is the screenshot that I have tested in my local:
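An added example, not from this thread or from ABP, showing the defender's side of the finding above: a strict allow-list for the __tenant value (GUID or tenant name) used both to harden the unknown-tenant response and to scan access logs for requests whose __tenant value would never match a real tenant. The tenant-name pattern, the error-page wording and the log lines are assumed/constructed, not ABP's own.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# ABP resolves the tenant named by __tenant either by id (GUID) or by name.
# A strict allow-list on the value is the mitigation and doubles as a detection
# rule; the tenant-name pattern below is an assumed policy, not ABP's own.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def is_valid_tenant(value):
    return bool(GUID.match(value) or NAME.match(value))

def unknown_tenant_page_unsafe(value):
    # Echoes the raw query value into HTML: the reflection the finding describes
    # (message text is illustrative, not the actual ABP error page).
    return f"<p>There is no tenant with the id or name: {value}</p>"

def unknown_tenant_page_safe(value):
    # Reject values outside the allow-list and HTML-encode whatever is echoed.
    if not is_valid_tenant(value):
        return "<p>Invalid tenant identifier.</p>"
    return f"<p>There is no tenant with the id or name: {html.escape(value)}</p>"

# Constructed access-log lines: "METHOD path?query status".
LOG_LINES = [
    "GET /api/abp/application-configuration?__tenant=acme 200",
    "GET /api/identity/users?__tenant=3fa85f64-5717-4562-b3fc-2c963f66afa6 200",
    "GET /identity/users?__tenant=%3Ci%3Ex%3C%2Fi%3E 404",
]

def suspicious_tenant_requests(log_lines):
    """Return (line_no, decoded __tenant value) for requests failing validation."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        for value in parse_qs(urlsplit(parts[1]).query).get("__tenant", []):
            if not is_valid_tenant(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    print(suspicious_tenant_requests(LOG_LINES))
```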