From 9a56f5fd0190b5a6869e4d73a13da7c4579c2e92 Mon Sep 17 00:00:00 2001
From: Kirill Kovalev <125643929+kirill-abblix@users.noreply.github.com>
Date: Tue, 2 Apr 2024 17:30:47 +0300
Subject: [PATCH] Switch from X509Certificates as keys to JWKs
---
Abblix.Jwt/JsonWebKey.cs | 52 ++++-
.../Common/Configuration/OidcOptions.cs | 211 +++++-------------
...Provider.cs => OidcOptionsKeysProvider.cs} | 17 +-
.../Features/ServiceCollectionExtensions.cs | 2 +-
.../Formatters/AuthServiceJwtFormatter.cs | 2 +-
5 files changed, 110 insertions(+), 174 deletions(-)
rename Abblix.Oidc.Server/Common/Implementation/{ServiceKeysProvider.cs => OidcOptionsKeysProvider.cs} (86%)
diff --git a/Abblix.Jwt/JsonWebKey.cs b/Abblix.Jwt/JsonWebKey.cs
index 15ae2ebd..1b63afc6 100644
--- a/Abblix.Jwt/JsonWebKey.cs
+++ b/Abblix.Jwt/JsonWebKey.cs
@@ -34,41 +34,48 @@ namespace Abblix.Jwt;
//TODO consider to split this class into specialized subclasses (RSA/EllipticCurve)
///
-/// Represents a JSON Web Key (JWK), a data structure that represents a cryptographic key in JSON format.
-/// The class supports various key types including RSA and Elliptic Curve, and is capable of representing both public and private keys.
+/// Represents a JSON Web Key (JWK), a versatile structure for representing cryptographic keys using JSON.
+/// It supports various cryptographic algorithms, including RSA and Elliptic Curve, and can represent both
+/// public and private keys. JWKs are crucial for digital signatures, encryption, and ensuring secure
+/// communication in web-based protocols.
///
-public class JsonWebKey
+public record JsonWebKey
{
///
- /// Key type (kty). Identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC" for Elliptic Curve.
+ /// Identifies the cryptographic algorithm family used with the key, such as RSA or EC (Elliptic Curve),
+ /// specifying the key's type and its intended cryptographic use.
///
[JsonPropertyName("kty")]
[JsonPropertyOrder(1)]
public string? KeyType { get; set; }
///
- /// Intended use of the key (use). Indicates how the key is meant to be used, such as "sig" for signing or "enc" for encryption.
+ /// Indicates the intended use of the key, for example, "sig" (signature) for signing operations or
+ /// "enc" (encryption) for encryption operations, guiding clients on how to use the key appropriately.
///
[JsonPropertyName("use")]
[JsonPropertyOrder(2)]
public string? Usage { get; set; }
///
- /// Algorithm (alg). Specifies the algorithm that the key is intended to be used with.
+ /// Specifies the algorithm intended for use with the key, aligning with JWT and JWA specifications
+ /// to ensure interoperability and secure key management.
///
[JsonPropertyName("alg")]
[JsonPropertyOrder(3)]
public string? Algorithm { get; set; }
///
- /// Key ID (kid). A hint indicating which specific key owned by the signer should be used.
+ /// A unique identifier for the key, facilitating key selection and management in multi-key environments,
+ /// enabling clients and servers to reference and utilize the correct key for cryptographic operations.
///
[JsonPropertyName("kid")]
[JsonPropertyOrder(4)]
public string? KeyId { get; set; }
///
- /// X.509 Certificate Chain (x5c). Contains a chain of one or more PKIX certificates.
+ /// Contains a chain of one or more PKIX certificates (RFC 5280), offering a method to associate X.509
+ /// certificates with the key for validation and trust chain establishment in secure communications.
///
[JsonPropertyName("x5c")]
[JsonPropertyOrder(5)]
@@ -76,7 +83,8 @@ public class JsonWebKey
public byte[][]? Certificates { get; set; }
///
- /// X.509 Certificate SHA-1 Thumbprint (x5t). A base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate.
+ /// A base64url-encoded SHA-1 thumbprint of the DER encoding of an X.509 certificate, providing a compact
+ /// means to associate a certificate with the JWK for verification purposes without transmitting the full certificate.
///
[JsonPropertyName("x5t")]
[JsonPropertyOrder(5)]
@@ -169,4 +177,30 @@ public class JsonWebKey
[JsonPropertyOrder(16)]
[JsonConverter(typeof(Base64UrlTextEncoderConverter))]
public byte[]? FirstCrtCoefficient { get; set; }
+
+ ///
+ /// Prepares a sanitized version of the JWK that excludes private key information unless explicitly included,
+ /// suitable for public sharing while preserving the integrity of sensitive data.
+ ///
+ /// Whether to include private key data in the sanitized output.
+ ///
+ /// A new instance of with or without private key data based on the input parameter.
+ ///
+ public JsonWebKey Sanitize(bool includePrivateKeys)
+ {
+ return includePrivateKeys switch
+ {
+ true when PrivateKey is { Length: > 0} => this,
+ true => throw new InvalidOperationException($"There is no private key for kid={KeyId}"),
+ false => this with
+ {
+ PrivateKey = null,
+ FirstCrtCoefficient = null,
+ FirstPrimeFactor = null,
+ FirstFactorCrtExponent = null,
+ SecondPrimeFactor = null,
+ SecondFactorCrtExponent = null,
+ }
+ };
+ }
}
diff --git a/Abblix.Oidc.Server/Common/Configuration/OidcOptions.cs b/Abblix.Oidc.Server/Common/Configuration/OidcOptions.cs
index 316a63d8..8130dfba 100644
--- a/Abblix.Oidc.Server/Common/Configuration/OidcOptions.cs
+++ b/Abblix.Oidc.Server/Common/Configuration/OidcOptions.cs
@@ -27,9 +27,7 @@
// For more information, please refer to the license agreement located at:
// https://github.com/Abblix/Oidc.Server/blob/master/README.md
-using System.Security.Cryptography.X509Certificates;
using Abblix.Jwt;
-using Abblix.Oidc.Server.Common.Constants;
using Abblix.Oidc.Server.Features.ClientInformation;
using Abblix.Oidc.Server.Model;
@@ -41,215 +39,122 @@ namespace Abblix.Oidc.Server.Common.Configuration;
public record OidcOptions
{
///
- /// The OIDC discovery options.
+ /// Configuration options for OIDC discovery. These options control how the OIDC server advertises its capabilities
+ /// and endpoints to clients through the OIDC Discovery mechanism. Proper configuration ensures that clients can
+ /// dynamically discover information about the OIDC server, such as URLs for authorization, token, userinfo, and
+ /// JWKS endpoints, supported scopes, response types, and more.
///
public DiscoveryOptions Discovery { get; set; } = new();
///
- /// The issuer identifier to be used in tokens. It is useful for scenarios where the issuer
- /// needs to be consistent and predefined, such as environments with multiple hosts.
+ /// Represents the unique identifier of the OIDC server.
+ /// It is recommended to use a URL that is controlled by the entity operating the OIDC server, and it should be
+ /// consistent across different environments to maintain trust with client applications.
///
public string? Issuer { get; set; }
///
- /// The client configurations supported by the OIDC server.
+ /// A collection of client configurations supported by this OIDC server. Each object
+ /// defines the settings and capabilities of a registered client, including client ID, client secrets,
+ /// redirect URIs, and other OAuth2/OIDC parameters. Proper client configuration is essential for securing client
+ /// applications and enabling them to interact with the OIDC server according to the OAuth2 and OIDC specifications.
///
public IEnumerable Clients { get; set; } = Array.Empty();
///
- /// The URI for account selection during authentication.
+ /// The URL to a user interface or service that allows users to select an account during the authentication process.
+ /// This is useful in scenarios where users have multiple accounts and need to choose which one to use for signing in.
///
public Uri? AccountSelectionUri { get; set; }
///
- /// The URI for obtaining user consent during authentication.
+ /// The URL to a user interface or service for obtaining user consent during the authentication process. Consent is
+ /// often required when the client application requests access to user data or when sharing information between
+ /// different parties. This URI should point to a page or API that can manage consent workflows and communicate
+ /// the user's decisions back to the OIDC server.
///
public Uri? ConsentUri { get; set; }
///
- /// The URI for handling interactions during the authentication process.
+ /// The URL to a user interface or service for handling additional interactions required during the authentication
+ /// process. This can include multi-factor authentication, user consent, or any custom interaction required by the
+ /// authentication flow. The OIDC server can redirect users to this URI when additional interaction is needed.
///
public Uri? InteractionUri { get; set; }
///
- /// The URI for initiating a login process.
+ /// The URL to initiate the login process. This URI is typically used in scenarios where the OIDC server needs to
+ /// direct users to a specific login interface or when integrating with external identity providers. Configuring
+ /// this URI allows the OIDC server to delegate the initial user authentication step to another service or UI.
///
public Uri? LoginUri { get; set; }
///
- /// The parameter name for authorization request identifier.
+ /// The name of the parameter used by the OIDC server to pass the authorization request identifier. This parameter
+ /// name is used in URLs and requests to reference specific authorization requests, especially in advanced features
+ /// like Pushed Authorization Requests (PAR). Customizing this parameter name can help align with specific client
+ /// requirements or naming conventions.
///
public string RequestUriParameterName { get; set; } = AuthorizationRequest.Parameters.RequestUri;
///
- /// Specifies which OIDC endpoints are enabled.
+ /// Specifies which OIDC endpoints are enabled on the server. This property allows for fine-grained control over
+ /// the available functionality, enabling or disabling specific endpoints based on the server's role, security
+ /// considerations, or operational requirements. By default, all endpoints are enabled.
///
public OidcEndpoints EnabledEndpoints { get; set; } = OidcEndpoints.All;
///
- /// The certificates used for signing tokens.
+ /// The collection of JSON Web Keys (JWK) used for signing tokens issued by the OIDC server.
+ /// Signing tokens is a critical security measure that ensures the integrity and authenticity of the tokens.
+ /// These keys are used to digitally sign ID tokens, access tokens, and other JWTs issued by the server,
+ /// allowing clients to verify that the tokens have not been tampered with and were indeed issued by this server.
+ /// It is recommended to rotate these keys periodically to maintain the security of the token signing process.
///
- public IReadOnlyCollection SigningCertificates { get; set; } = Array.AsReadOnly(Array.Empty());
+ public IReadOnlyCollection SigningKeys { get; set; } = Array.Empty();
///
- /// The options related to the check session cookie.
+ /// Options related to the check session mechanism in OIDC. This configuration controls how the OIDC server manages
+ /// session state information, allowing clients to monitor the login session's status. Properly configuring these
+ /// options ensures that clients can react to session changes (e.g., logout) in a timely and secure manner.
///
public CheckSessionCookieOptions CheckSessionCookie { get; set; } = new();
///
- /// The duration of a login session's expiration.
+ /// The duration after which a login session expires. This setting determines how long a user's authentication
+ /// session remains valid before requiring re-authentication. Configuring this duration is essential for balancing
+ /// security concerns with usability, particularly in environments with varying security requirements.
///
public TimeSpan LoginSessionExpiresIn { get; set; } = TimeSpan.FromMinutes(10);
///
- /// Indicates support for claims parameters in requests.
- ///
- public bool ClaimsParameterSupported { get; set; } = true;
-
- ///
- /// A list of scopes supported by the service.
- ///
- public IList ScopesSupported { get; set; } = new List
- {
- Scopes.OpenId,
- Scopes.Profile,
- Scopes.Email,
- Scopes.Phone,
- Scopes.Address,
- Scopes.OfflineAccess,
- };
-
- ///
- /// The claims supported by the service.
- ///
- public IList ClaimsSupported { get; set; } = new List
- {
- JwtClaimTypes.Subject,
- JwtClaimTypes.Email,
- JwtClaimTypes.EmailVerified,
- JwtClaimTypes.PhoneNumber,
- JwtClaimTypes.PhoneNumberVerified,
- };
-
- ///
- /// The response types supported by the service.
- ///
- public IList ResponseTypesSupported { get; set; } = new List
- {
- ResponseTypes.Code,
- ResponseTypes.Token,
- ResponseTypes.IdToken,
- string.Join(" ", ResponseTypes.IdToken, ResponseTypes.Token),
- string.Join(" ", ResponseTypes.Code, ResponseTypes.IdToken),
- string.Join(" ", ResponseTypes.Code, ResponseTypes.Token),
- string.Join(" ", ResponseTypes.Code, ResponseTypes.IdToken, ResponseTypes.Token),
- };
-
- ///
- /// The response modes supported by the service.
- ///
- public IList ResponseModesSupported { get; set; } = new List
- {
- ResponseModes.FormPost,
- ResponseModes.Query,
- ResponseModes.Fragment,
- };
-
- ///
- /// A list of algorithms supported for signing ID tokens.
- ///
- public IList IdTokenSigningAlgorithmValuesSupported { get; set; } = new List
- {
- SigningAlgorithms.None,
- SigningAlgorithms.RS256,
- };
-
- ///
- /// A list of subject types supported by the OIDC service.
- ///
- public IList SubjectTypesSupported { get; set; } = new List
- {
- SubjectTypes.Public,
- SubjectTypes.Pairwise,
- };
-
- ///
- /// A list of supported methods for code challenge in PKCE (Proof Key for Code Exchange).
- ///
- public IList CodeChallengeMethodsSupported { get; set; } = new List
- {
- CodeChallengeMethods.Plain,
- CodeChallengeMethods.S256,
- };
-
- ///
- /// Indicates whether the request parameter is supported by the OIDC service.
- ///
- public bool RequestParameterSupported { get; set; } = true;
-
- ///
- /// A list of prompt values supported by the OIDC service.
- ///
- public IList PromptValuesSupported { get; set; } = new List
- {
- Prompts.None,
- Prompts.Login,
- Prompts.Consent,
- Prompts.SelectAccount,
- Prompts.Create,
- };
-
- ///
- /// Options for configuring a new client in the OIDC service.
+ /// Configuration options for registering new clients dynamically in the OIDC server. These options define default
+ /// values and constraints for new client registrations, facilitating dynamic and secure client onboarding processes.
///
public NewClientOptions NewClientOptions { get; init; } = new();
///
- /// A list of algorithms supported for signing UserInfo responses.
- ///
- public IList UserInfoSigningAlgValuesSupported { get; set; } = new List
- {
- SigningAlgorithms.None,
- SigningAlgorithms.RS256,
- };
-
- ///
- /// A list of algorithms supported for signing request objects.
- ///
- public IList RequestObjectSigningAlgValuesSupported { get; set; } = new List
- {
- SigningAlgorithms.None,
- SigningAlgorithms.RS256,
- };
-
- ///
- /// The encryption certificates for the OpenID Connect service tokens.
+ /// The collection of JSON Web Keys (JWK) used for encrypting tokens or sensitive information sent to the clients.
+ /// Encryption is essential for protecting sensitive data within tokens, especially when tokens are passed through
+ /// less secure channels or when storing tokens at the client side. These keys are utilized to encrypt ID tokens and,
+ /// optionally, access tokens when the OIDC server sends them to clients. Clients use the corresponding public keys
+ /// to decrypt the tokens and access the contained claims.
///
- public IList EncryptionCertificates { get; set; } = new List();
+ public IReadOnlyCollection EncryptionKeys { get; set; } = Array.Empty();
///
- /// The duration for which a pushed authorization request (PAR) is considered valid.
+ /// The duration for which a Pushed Authorization Request (PAR) is valid. PAR is a security enhancement that allows
+ /// clients to pre-register authorization requests directly with the authorization server. This duration specifies
+ /// the maximum time a pre-registered request is considered valid, balancing the need for security with usability
+ /// in completing the authorization process.
///
- ///
- /// This property defines the lifespan of a pushed authorization request. Pushed authorization requests are
- /// a security feature in OIDC that allows clients to send authorization requests directly to the authorization
- /// server via a backchannel connection, rather than through the user's browser. This duration specifies
- /// how long the server should consider the request valid after it has been received. It is important to balance
- /// security and usability when configuring this value, ensuring that requests are valid long enough for users
- /// to complete the authentication process without leaving too large a window for potential misuse.
- ///
public TimeSpan PushedAuthorizationRequestExpiresIn { get; set; } = TimeSpan.FromMinutes(1);
///
- /// The JWT used for licensing and configuration validation of the OIDC service.
+ /// A JWT used for licensing and configuration validation of the OIDC service. This token contains claims that the
+ /// OIDC service uses to validate its configuration, features, and licensing status, ensuring the service operates
+ /// within its licensed capabilities. Proper validation of this token is crucial for the service's legal and functional
+ /// compliance.
///
- ///
- /// This property holds a JSON Web Token (JWT) that the OIDC service uses to validate its configuration and
- /// licensing status. The token typically contains claims that the service decodes to determine the features
- /// and capabilities that are enabled, based on the licensing agreement. Proper validation of this token
- /// is crucial for ensuring that the service operates within the terms of its licensing and has access
- /// to the correct set of features. The format and content of this token are determined by the service provider
- /// and may include information such as the license expiry date, the licensed feature set and other relevant data.
- ///
public string? LicenseJwt { get; set; }
}
diff --git a/Abblix.Oidc.Server/Common/Implementation/ServiceKeysProvider.cs b/Abblix.Oidc.Server/Common/Implementation/OidcOptionsKeysProvider.cs
similarity index 86%
rename from Abblix.Oidc.Server/Common/Implementation/ServiceKeysProvider.cs
rename to Abblix.Oidc.Server/Common/Implementation/OidcOptionsKeysProvider.cs
index ddaab61d..cea07923 100644
--- a/Abblix.Oidc.Server/Common/Implementation/ServiceKeysProvider.cs
+++ b/Abblix.Oidc.Server/Common/Implementation/OidcOptionsKeysProvider.cs
@@ -37,17 +37,16 @@
namespace Abblix.Oidc.Server.Common.Implementation;
///
-/// Provides access to JSON Web Keys (JWK) used for encryption and signing JWT tokens,
-/// based on the preconfigured X509 certificates defined in OIDC options.
+/// Provides access to JSON Web Keys (JWK) used for encryption and signing JWT tokens.
///
///
/// This implementation provides keys for encryption and signing purposes by mapping X509 certificates to JWK format.
/// It is recommended to implement a dynamic resolution mechanism in production environments
/// to enable seamless certificate replacement without the need for service reloading.
///
-internal class ServiceKeysProvider : IAuthServiceKeysProvider
+internal class OidcOptionsKeysProvider : IAuthServiceKeysProvider
{
- public ServiceKeysProvider(IOptions options)
+ public OidcOptionsKeysProvider(IOptions options)
{
_options = options;
}
@@ -62,9 +61,8 @@ public ServiceKeysProvider(IOptions options)
public IAsyncEnumerable GetEncryptionKeys(bool includePrivateKeys)
{
var jsonWebKeys =
- from cert in _options.Value.EncryptionCertificates
- orderby cert.NotAfter descending
- select cert.ToJsonWebKey(includePrivateKeys);
+ from jwk in _options.Value.EncryptionKeys
+ select jwk.Sanitize(includePrivateKeys);
return jsonWebKeys.AsAsync();
}
@@ -77,9 +75,8 @@ orderby cert.NotAfter descending
public IAsyncEnumerable GetSigningKeys(bool includePrivateKeys)
{
var jsonWebKeys =
- from cert in _options.Value.SigningCertificates
- orderby cert.NotAfter descending
- select cert.ToJsonWebKey(includePrivateKeys);
+ from jwk in _options.Value.SigningKeys
+ select jwk.Sanitize(includePrivateKeys);
return jsonWebKeys.AsAsync();
}
diff --git a/Abblix.Oidc.Server/Features/ServiceCollectionExtensions.cs b/Abblix.Oidc.Server/Features/ServiceCollectionExtensions.cs
index 4573ec9e..f43ac8f2 100644
--- a/Abblix.Oidc.Server/Features/ServiceCollectionExtensions.cs
+++ b/Abblix.Oidc.Server/Features/ServiceCollectionExtensions.cs
@@ -270,7 +270,7 @@ public static IServiceCollection AddIdentityToken(this IServiceCollection servic
public static IServiceCollection AddAuthServiceJwt(this IServiceCollection services)
{
return services
- .AddSingleton()
+ .AddSingleton()
.AddSingleton()
.AddSingleton();
diff --git a/Abblix.Oidc.Server/Features/Tokens/Formatters/AuthServiceJwtFormatter.cs b/Abblix.Oidc.Server/Features/Tokens/Formatters/AuthServiceJwtFormatter.cs
index af2e35b0..606e076c 100644
--- a/Abblix.Oidc.Server/Features/Tokens/Formatters/AuthServiceJwtFormatter.cs
+++ b/Abblix.Oidc.Server/Features/Tokens/Formatters/AuthServiceJwtFormatter.cs
@@ -64,7 +64,7 @@ public AuthServiceJwtFormatter(
///
public async Task FormatAsync(JsonWebToken token)
{
- // Select the appropriate signing key based on the JWT's specified algorithm
+ // Select the appropriate signing key based on the JWT specified algorithm
var signingCredentials = await _serviceKeysProvider.GetSigningKeys(true)
.FirstByAlgorithmAsync(token.Header.Algorithm);