openiddict / openiddict-samples

.NET samples for OpenIddict

Home Page: https://documentation.openiddict.com/


OpenIdDict 4.0 Error while generating access token when using ephemeral signing & encryption keys on test env

elisaaioanei opened this issue · comments

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Version

4.x

Describe the bug

Hello,

I'm using OpenIdDict 4.0 on a .NET Core 6.0 app which I've configured like below.

Locally it works as expected all the time and it generates the access token, but when I deploy it on an IIS server using an Azure pipeline I randomly cannot log in and I get this error message in the logs.

Can you please tell me whether it's an issue with the way I've configured OpenIdDict or the ephemeral keys, or is it something else?

Any help is greatly appreciated!

To reproduce

```csharp
builder.Services.AddOpenIddict()
    .AddCore(options => options.UseEntityFrameworkCore()
        // TContext: the application's DbContext type (the generic argument was lost in the post)
        .UseDbContext<TContext>())
    .AddServer(options =>
    {
        // Enable the required endpoints
        options.SetTokenEndpointUris("/token");

        options.AllowPasswordFlow();
        options.AllowRefreshTokenFlow();

        // Set the lifetime of your tokens
        options.SetAccessTokenLifetime(TimeSpan.FromMinutes(60));
        options.SetRefreshTokenLifetime(TimeSpan.FromDays(30));

        // Register signing and encryption details
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        options.AddEphemeralEncryptionKey();
        options.AddEphemeralSigningKey();

        options.DisableAccessTokenEncryption();

        // Register ASP.NET Core host and configure options
        options.UseAspNetCore().EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseAspNetCore();
    });
```

Exceptions (if any)

[2023-07-14 09:52:34.628 +03:00  INF]  The request URI matched a server endpoint: "Token".
[2023-07-14 09:52:34.663 +03:00  INF]  The token request was successfully extracted: {
  "username": "[redacted]",
  "password": "[redacted]",
  "type": "[redacted]",
  "grant_type": "password",
  "client_id": "[redacted]",
  "client_secret": "[redacted]"
}. 
[2023-07-14 09:52:36.929 +03:00  INF]  The token request was successfully validated.
[2023-07-14 09:52:37.443 +03:00  INF]  An ad hoc authorization was automatically created and associated with the 'client-app' application: b1b43150-aec1-45f9-bde2-3dc34e3eedf4.

[2023-07-14 09:52:37.648 +03:00  DBG]  An exception was thrown by OpenIddict.Server.OpenIddictServerHandlers+Protection+GenerateIdentityModelToken while handling the OpenIddict.Server.OpenIddictServerEvents+GenerateTokenContext event.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: **The system cannot find the file specified.**
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.FoundPrivateKey(SecurityKey key)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CreateTokenPrivate(String payload, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials, String compressionAlgorithm, IDictionary`2 additionalHeaderClaims, IDictionary`2 additionalInnerHeaderClaims, String tokenType)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)
   at OpenIddict.Server.OpenIddictServerHandlers.Protection.GenerateIdentityModelToken.HandleAsync(GenerateTokenContext context)
   at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
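As an added example (not the issue author's code and not from the OpenIddict project): a configuration that keeps ephemeral keys for local development only, loads deployed certificates in every other environment, and verifies at startup that each private key is actually accessible to the process, so a missing key store file surfaces as a clear startup error rather than inside a token request. It assumes a Web SDK project with implicit usings, the `.AddCore(...)` and `.AddValidation(...)` parts of the post unchanged, and made-up `Certificates:*` configuration keys.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
var builder = WebApplication.CreateBuilder(args);

// Loads a PFX and proves the private key is usable in this process before OpenIddict
// ever signs with it. EphemeralKeySet keeps the key in memory instead of the per-user
// CNG key store that a development certificate uses and an IIS app pool may not open.
static X509Certificate2 LoadUsableCertificate(string path, string? password)
{
    var certificate = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);
    try
    {
        using var rsa = certificate.GetRSAPrivateKey()
            ?? throw new InvalidOperationException($"'{path}' carries no RSA private key.");
        // Throwaway signature: a missing or unreadable key fails here at
        // startup with a clear message, not later inside a token request.
        rsa.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
    catch (CryptographicException ex)
    {
        throw new InvalidOperationException($"Private key of '{path}' is not accessible.", ex);
    }
    return certificate;
}

builder.Services.AddOpenIddict()
    .AddServer(options =>
    {
        options.SetTokenEndpointUris("/token");
        options.AllowPasswordFlow().AllowRefreshTokenFlow();

        if (builder.Environment.IsDevelopment())
        {
            // Generated at startup, never persisted: every restart invalidates issued tokens.
            options.AddEphemeralEncryptionKey().AddEphemeralSigningKey();
        }
        else
        {
            // Deployed key material with no dependency on a user profile ("Certificates:*" are assumed keys).
            options.AddSigningCertificate(LoadUsableCertificate(
                builder.Configuration["Certificates:Signing:Path"]!,
                builder.Configuration["Certificates:Signing:Password"]));
            options.AddEncryptionCertificate(LoadUsableCertificate(
                builder.Configuration["Certificates:Encryption:Path"]!,
                builder.Configuration["Certificates:Encryption:Password"]));
        }
        options.UseAspNetCore().EnableTokenEndpointPassthrough();
    });
```

Registering both development certificates and ephemeral keys, as the post does, leaves the X509 certificate first in the signing key list, which is why the trace above ends in `CngKey.Open` rather than in an in-memory key.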

Hi,

Support is reserved for sponsors and contributors. For more information on how to sponsor the project on GitHub, visit https://github.com/sponsors/kevinchalet.

Hope to see you on board soon!