leastprivilege
commented
8 years ago Where is version 4.1.0 coming from?
Closed fabiodiluca closed 8 years ago
leastprivilege
commented
8 years ago Where is version 4.1.0 coming from?
fabiodiluca
commented
8 years ago Thank you for your super lightining fast feedback. System,Net.Http 4.1.0 is used by refit (popular Rest TypeSafe Client) nuget package. The thing is that i am mixing .Net Standard compatible nuget with this middleware.
Inheritance security has been violated by the type "System.Net.WebRequestHandler'. Derived types must correspond to the base type accessibility or be less accessible.
If I disable(skip) this middleware than I don't get any exceptions.
I am not a developer expert, sorry if I making anything wrong.
fabiodiluca
commented
8 years ago It it is indirectly because refit:
fabiodiluca
commented
8 years ago I have modified this project(AccessTokenValidation) to use System.Net.Http 4.1.0, what I beleived it would solve it.I did it, but I was wrong, the error still the same. Can't figure out what is causing this.
leastprivilege
commented
8 years ago Yes - the dependencies are incompatible. You should report that to Microsoft.
It is not even our code using the HttpClient - but Microsoft's OpenID Connect library.
fabiodiluca
commented
8 years ago Are you sure they are incompatible? I don't even know if I am doing something wrong.
leastprivilege
commented
8 years ago Maybe this other library should also have a pain .NET compilation target - this way it wouldn't force you to use the CoreFX libs.
Anyways - this is not an identityserver issue. closing for now. feel free to re-open when you have new infos
fabiodiluca
commented
8 years ago Just updating info: I discovered that System.Net.Http 4.1.0 has a critical security problem that makes it not working on .net.4.6.1. https://github.com/dotnet/corefx/issues/11100
I am trying to use this middleware inside a pack that also uses System.Net.Http 4.1.0, but it gives me an exception at this line: 'var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();' (DiscoveryDocumentIssuerSecurityTokenProvider.cs).It says that the class is less accessible than the base class. Is it possible to update this project to use the new nuget System.Net.Http 4.1.0?