How to add encryption key in OpenIdDict JWKS URL? #4679 | Support

nhontran created 2 years ago

Hi, our application needs to expose an encryption key in JWKS URL for the other party using it to encrypt their data before returning to us, and we have implemented it in IdentityServer, below is how the JWKS URL response look like:

{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "esj_keyid",
      "alg": "ES256",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
      "crv": "P-256"
    },
    {
      "kty": "EC",
      "use": "enc",
      "kid": "6HFIeNOix6zxe2En3bjhZJBX78OY0IG8u1KU41HeNoU",
      "alg": "ECDH-ES+A192KW",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw",
      "crv": "P-256"
    }
  ]
}

I tried the code below, but it did not succeed in OpenIdDict:

    PreConfigure< OpenIddictServerBuilder >(builder =>
    {
        // get ECDSA certificate
        var ecdsaCertificate = CertificateHelper.GetCertificate(configuration["Key:ThumbPrint"]);
        ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());
        
        // add signing key
        builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));
        
        // add encryption credentials
        var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
        encryptionKey.KeyId = "encryption_key_id";
        encryptionKey.Use = JsonWebKeyUseNames.Enc;
        builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
    });

Any idea how to do it?

13 Answer(s)

0

maliming created 2 years ago
Support Team

hi

Did you add PreConfigure<OpenIddictServerBuilder> code on PreConfigureServices method?

What is the result of JWKS URL after your code is added?

nhontran created 2 years ago

Hi, yes, I did add the PreConfigure<OpenIddictServerBuilder>

Below is the result of JWKS URL, it contains the signing key only:

{
  "keys": [
    {
      "kid": "NLRNW5UYTDMFJCTK0WOLUKLIL3GJYCEYYL5SEAT0",
      "use": "sig",
      "kty": "EC",
      "alg": "ES256",
      "crv": "P-256",
      "x": "nLrNw5uYtDmFjCTk0wOlukLil3gJyCEYYl5Seat0AXM",
      "y": "OIgBQXQFSdvmnOFa59MTQyHhyy6t17yNIbbOFKJdQTw"
    }
  ]
}

maliming created 2 years ago

Support Team

Can you try to set AddDevelopmentEncryptionAndSigningCertificate to false?


public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });
}

0

maliming created 2 years ago
Support Team

if still not working, Please share the full code to reproduce. Thanks

nhontran created 2 years ago

Hi, I did disable the development cert, below is my full PreConfigureServices:

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var environment = context.Services.GetHostingEnvironment();
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictBuilder>(builder =>
    {
        builder.AddValidation(options =>
        {
            options.AddAudiences("DigitalPlatform");
            options.UseLocalServer();
            options.UseAspNetCore();
        });
    });

    // disable developer signing credential
    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        // get ECDSA certificate
        var ecdsaCertificate = CertificateHelper.GetClientCertificate(configuration["Key:ThumbPrint"]);
        ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey());

        // add signing key
        builder.AddSigningKey(new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()));

        // add encryption credentials
        var encryptionKey = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdsaCertificatePublicKey);
        encryptionKey.KeyId = "encryption_key_id";
        encryptionKey.Use = JsonWebKeyUseNames.Enc;
        builder.AddEncryptionCredentials(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.EcdsaSha256, "ECDH-ES+A192KW"));
    });

    PreConfigure<IdentityBuilder>(builder =>
    {
        builder.AddSignInManager<CustomSignInManager>();
    });
}

0

nhontran created 2 years ago

Hi @maliming, ok, let me share the full code to you.
0

maliming created 2 years ago
Support Team

Thanks you can create a new template project. liming.ma@volosoft.com
0

maliming created 2 years ago
Support Team

and you can try to use AddSigningCertificate instead of AddEncryptionCredentials
0

nhontran created 2 years ago

Hi @maliming, I have provided the source code via email, I also attached the ECDSA cert that we use for testing.

I tried AddSigningCertificate, it does not work with ECDSA cert.
0

maliming created 2 years ago
Support Team

OK
0

maliming created 2 years ago
Support Team

hi nhontran

The .well-known/jwks endpoint only AttachSigningKeys.

https://github.com/openiddict/openiddict-core/blob/dev/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs#L1069
0

nhontran created 2 years ago

Hi @maliming, is there a way to override the handler?
0

maliming created 2 years ago
Support Team

hi

You can refer to its document

https://documentation.openiddict.com/guides/index.html#events-model

https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs#L119 https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/WildcardDomains/AbpValidateAuthorizedParty.cs

Have an answer to this question? Log in and write your answer.