The new aspnet-contrib packages are out

Earlier today, I pushed new packages for all the aspnet-contrib projects. This is the first release since July (and probably one of the most exciting so far).

What's new?

New OAuth2 social providers

Thanks to our amazing contributors, 10 new providers have been added in this release:


New primitives for the OpenID Connect server middleware

Starting with beta7, the OpenID Connect server middleware (ASOS) no longer relies on IdentityModel's OpenIdConnectMessage, that proved to be way too limited to represent complex JSON payloads and wasn't able to preserve non-string parameters types.

Instead, ASOS now comes with its own primitives: OpenIdConnectMessage, OpenIdConnectRequest and OpenIdConnectResponse. Unlike their IdentityModel equivalent, these types are backed by JSON.NET's primitives, which means that code like this will now work flawlessly:

1
2
3
4
5
6
7
8
9
var response = new OpenIdConnectResponse();
response["array_parameter"] = new JArray(new[] { 1, 2, 3 });
response["object_parameter"] = JObject.FromObject(new
{
name = "value"
});
// Outputs {"array_parameter":[1,2,3],"object_parameter":{"name":"value"}}
Console.WriteLine(JsonConvert.SerializeObject(response));

The other good news is that these primitives are part of a whole new .NET Standard 1.0 package (AspNet.Security.OpenIdConnect.Primitives) that is shared between the OWIN/Katana and the ASP.NET Core flavors of ASOS, which helps reduce code duplication between the two projects.


Proof Key for Code Exchange (PKCE) is now supported

In August, ASOS was updated to support the Proof Key for Code Exchange specification:

OAuth 2.0 [RFC6749] public clients are susceptible to the authorization code interception attack.

In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter-application communication within the client's operating system.

Once the attacker has gained access to the authorization code, it can use it to obtain the access token.

This change makes ASOS fully compatible with client libraries supporting PKCE, like AppAuth for iOS.


All ASOS' endpoints are now disabled by default

To reduce ASOS' attack surface, all its endpoints – except the discovery endpoints – are now disabled by default. This means that you now have to explicitly assign a path to enable an endpoint:

1
2
3
4
5
app.UseOpenIdConnectServer(options =>
{
options.Provider = new AuthorizationProvider();
options.TokenEndpointPath = "/connect/token";
});

This change makes ASOS consistent with how OAuthAuthorizationServerMiddleware used to work.


The automatic RSA key generation feature was removed

Starting with beta7, ASOS will no longer generate and register a signing key for you if you don't explicitly add one and will throw an exception if no signing credentials have been registered:

At least one signing key must be registered. Consider registering a X.509 certificate or call options.SigningCredentials.AddEphemeralKey() to generate and register an ephemeral signing key.

Though very convenient, this feature proved to be unreliable so I've decided to remove it and replace it by an opt-in ephemeral key generation extension:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
app.UseOpenIdConnectServer(options =>
{
options.Provider = new AuthorizationProvider();
options.TokenEndpointPath = "/connect/token";
// Register a new ephemeral key, that is discarded when the application
// shuts down. Tokens signed using this key are automatically invalidated.
// This method should only be used during development.
options.SigningCredentials.AddEphemeralKey();
// On production, using a X.509 certificate stored in the machine store is recommended.
// You can generate a self-signed certificate using Pluralsight's self-cert utility:
// https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
//
// options.SigningCredentials.AddCertificate("7D2A741FE34CC2C7369237A5F2078988E17A6A75");
});

ECDSA signing keys support

When running ASOS on .NET Core, you can now use ECDSA keys/certificates to sign your identity tokens:

1
2
3
4
5
6
7
8
app.UseOpenIdConnectServer(options =>
{
options.Provider = new AuthorizationProvider();
options.TokenEndpointPath = "/connect/token";
// Register a new ECDSA ephemeral key.
options.SigningCredentials.AddEphemeralKey(SecurityAlgorithms.EcdsaSha256Signature);
});

Though ASOS exposes ECDSA keys via the discovery endpoint, this feature is not yet supported by the JWT bearer middleware. You can track the progress here.


ASOS is now fully unit-tested

A huge effort has been made to add unit tests for all the ASOS primitives and endpoints (1955 tests at the time of writing).


What's next?

This release will be the last ASOS beta, as we're now done with the important design changes.

A first release candidate version should be released in March and ASOS should RTM in April.