Replace INonceCache by IDistributedCache #293
Conversation
| { | ||
| Logger.LogError(Resources.OIDCH_0033_TryAddNonceFailed, message.Nonce); | ||
| throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0033_TryAddNonceFailed, message.Nonce)); | ||
| } | ||
|
|
||
| // Review: do we need to define an expiration date? | ||
| await Options.NonceCache.SetAsync(message.Nonce, new byte[0], new DistributedCacheEntryOptions()); |
There was a problem hiding this comment.
Yes, specify an expiration. The Nonce's are only good for an hour(?).
There was a problem hiding this comment.
Is it worth making it configurable?
If yes, I guess we would have to modify cookies' lifetime to match this new parameter.
There was a problem hiding this comment.
Use the existing config.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/KDev/src/Microsoft.IdentityModel.Protocol.Extensions/OpenIdConnectProtocolValidator.cs#L108
Options.ProtocolValidator.NonceLifetime
There was a problem hiding this comment.
The cookie doesn't set a timeout because we want it to expire as soon as you close the tab. Setting a timeout may extend it beyond the tab lifetime.
There was a problem hiding this comment.
Well, IIRC, most browsers actually clear sessions cookies when their process is shut down, not just when the tab is closed. And it's not rare to see people who never close their browser: in this case, session cookies can have a "virtually unlimited lifetime" 😄
Anyway, that's now fixed.
|
In regards to name, would CacheNonces be correct? |
|
@HaoK name updated, thanks 😄 |
| { | ||
| if (!Options.NonceCache.TryAddNonce(message.Nonce)) | ||
| if (await Options.NonceCache.GetAsync(message.Nonce) != null) | ||
| { | ||
| Logger.LogError(Resources.OIDCH_0033_TryAddNonceFailed, message.Nonce); |
There was a problem hiding this comment.
This resource name is out of date. It was probably too specific.
There was a problem hiding this comment.
Updating it is on my todo list, but it's a bit painful as I have to edit the .resx file and the designer class manually. I'll do that when the rest is done 😄
There was a problem hiding this comment.
You shouldn't have to update the designer manually. build resx should update the designer.
There was a problem hiding this comment.
Except that there are currently many designers that are not located in the Properties directory: build resx doesn't detect them and creates new designers under Properties, which results in duplicate files. I could remove the existing designers, but that's not something I want to do as part of this PR.
There was a problem hiding this comment.
Ah, file a separate bug for that please.
There was a problem hiding this comment.
|
Looks good. Remove aspnet-contrib and squash. |
|
@Tratcher is there a public identity provider supporting OIDC that we could use to replace AAD? |
|
.resx item renamed. And squashed 😄 |
|
None that I know of. That has been one of our big problems verifying the middleware at all. |
| @@ -4,5 +4,6 @@ | |||
| <add key="AspNetVNext" value="https://www.myget.org/F/aspnetvnext/api/v2" /> | |||
| <add key="NuGet" value="https://nuget.org/api/v2/" /> | |||
| <add key="AzureAD" value="http://www.myget.org/F/azureadwebstacknightly"/> | |||
| <add key="aspnet-contrib" value="https://www.myget.org/F/aspnet-contrib"/> | |||
There was a problem hiding this comment.
I thought you were removing this?
There was a problem hiding this comment.
I'll remove everything related to the embedded OIDC server once we're done with all the changes... testing an OIDC middleware without a server is a bit hard 🎉
There was a problem hiding this comment.
Push it into a separate branch, I don't want to merge this into dev.
There was a problem hiding this comment.
Meh, removing it from this PR will be easier. Just tell me we're done with this PR, and I'll revert these changes.
There was a problem hiding this comment.
That's what I meant. I think we're done and ready to merge.
There was a problem hiding this comment.
Ah, that was not clear 😄
Changes reverted.
There was a problem hiding this comment.
@HaoK can you merge this? I'm going offline.
From: Kévin Chaletmailto:notifications@github.com
Sent: 6/26/2015 4:10 PM
To: aspnet/Securitymailto:Security@noreply.github.com
Cc: Chris Rmailto:Tratcher@Outlook.com
Subject: Re: [Security] Replace INonceCache by IDistributedCache (#293)
@@ -4,5 +4,6 @@
Ah, that was not clear 😄
Changes reverted.
Reply to this email directly or view it on GitHub:
https://github.com/aspnet/Security/pull/293/files#r33403824
There was a problem hiding this comment.
Fixes #212.
For the first attempt, I opted for the "hybrid" approach (#212 (comment)): the distributed cache is retrieved from the options when available, and from the DI container when the user didn't provide his own cache.
Storing nonces in the distributed cache is not enabled by default but can easily be using
StoreNoncesInCache. I'm not super satisfied with the name, so don't hesitate to suggest another one 😄FYI, I haven't been able to use the
OpenIdConnectSampleapp because it delegates authentication to AAD, that doesn't allow me to log in using my live.com account. I worked around this issue usingAspNet.Security.OpenIdConnect.Server(https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server).Of course, I'll revert these changes before merging (though depending on AAD is not really a good idea IMHO).
/cc @Eilon @HaoK @Tratcher