IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

CSP issue with IS4, RedirectUris #2541

Closed mfnaseem closed 6 years ago

mfnaseem commented 6 years ago

I'm creating a new solution using https://github.com/identityserver/IdentityServer4.QuickStart.UI/tree/release

Everything was working fine, but when I tried to add my template it started to give CSP errors.

I debugged the application and can see that it successfully logs me in; when it goes to redirect, it ends up with a CSP error:

Please help me out with what I'm missing. Thanks!

image

image

Identity Startup is below

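/// <summary>
/// Registers the IdentityServer host's services: the EF Core context, ASP.NET Identity,
/// MVC, IIS options, and IdentityServer itself with in-memory resources and clients.
/// </summary>
/// <param name="services">The host's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Type argument restored: the pasted listing shows a bare AddDbContext(...), which does not
    // compile, and the Identity stores below are wired to CollexaDBContext — confirm against the
    // original source.
    services.AddDbContext<CollexaDBContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<CollexaDBContext>()
        .AddDefaultTokenProviders();
    services.AddMvc();

    services.Configure<IISOptions>(iis =>
    {
        iis.AuthenticationDisplayName = "Windows";
        iis.AutomaticAuthentication = false;
    });

    var builder = services.AddIdentityServer(options =>
    {
        // Enable every IdentityServer event category so the event sink sees all outcomes.
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
    })
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients())
        .AddAspNetIdentity<ApplicationUser>();

    // NOTE(review): the developer signing credential is a throwaway key meant for local
    // development only; outside development register a managed certificate/key with
    // AddSigningCredential instead.
    builder.AddDeveloperSigningCredential();
}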

/// <summary>
/// Builds the IdentityServer host's request pipeline: developer exception page (development
/// only), authentication, the NWebSec CSP header, static files, IdentityServer and MVC.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment; selects the developer exception page.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();

    // Site-wide Content-Security-Policy added by NWebSec to every response. IdentityServer also
    // emits its own per-page CSP (with a hash for its inline script) on the pages it renders, and
    // a browser enforces every CSP header it receives, so the stricter policy wins.
    // NOTE(review): two directives here are presumably what breaks the post-login redirect in
    // this thread:
    //  - form-action 'self': with the client's "code id_token" response type IdentityServer
    //    presumably returns the response via a self-submitting form posted to the client's
    //    redirect URI, a different origin — allow the client's redirect origin(s) here rather
    //    than dropping the directive;
    //  - script-src 'self': blocks that page's inline script even though IdentityServer's own
    //    header already allows it by hash — allow the same hash here (or do not emit script-src
    //    from this middleware on that path) rather than falling back to 'unsafe-inline'.
    app.UseCsp(opts => opts
        .BlockAllMixedContent()
        .StyleSources(s => s.Self())
        // presumably needed for inline styles in the UI template — confirm
        .StyleSources(s => s.UnsafeInline())
        .FontSources(s => s.Self())
        .FormActions(s => s.Self())
        .FrameAncestors(s => s.Self())
        .ImageSources(s => s.Self())
        .ScriptSources(s => s.Self())
    );

    //app.UseXContentTypeOptions();

    app.UseStaticFiles();
    app.UseIdentityServer();
    app.UseMvcWithDefaultRoute();
}

Client Startup is below

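/// <summary>
/// Registers the client web app's services: MVC, an IHttpContextAccessor, the image-gallery
/// HTTP client, cookie + OpenID Connect authentication against the IdentityServer host, and SignalR.
/// </summary>
/// <param name="services">The client's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    // Restored as a statement: in the pasted listing this call had been folded into the comment
    // above it, which would leave MVC unregistered for the UseMvc call in Configure.
    services.AddMvc();

    // register an IHttpContextAccessor so we can access the current
    // HttpContext in services by injecting it
    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

    // register an IImageGalleryHttpClient
    services.AddScoped<IImageGalleryHttpClient, ImageGalleryHttpClient>();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    }).AddCookie("Cookies")
      .AddOpenIdConnect("oidc", options =>
      {
          // Left at the handler default (HTTPS metadata required); keep it that way outside local dev.
          //options.RequireHttpsMetadata = false;
          options.SignInScheme = "Cookies";
          options.Authority = "https://localhost:44340/";
          //options.SignedOutCallbackPath = new PathString("");
          options.ClientId = "dealersnet";
          // Hybrid flow: authorization code plus an id_token in the front-channel response.
          options.ResponseType = "code id_token";
          options.Scope.Add("openid");
          options.Scope.Add("profile");
          options.Scope.Add("api");
          options.Scope.Add("offline_access");
          options.SaveTokens = true;
          // NOTE(review): client secret committed in source; load it from configuration or a
          // secret store instead.
          options.ClientSecret = "secret";
          options.GetClaimsFromUserInfoEndpoint = true;
      });

    services.AddSignalR();
}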

/// <summary>
/// Builds the client app's request pipeline: error handling and HSTS (outside development),
/// authentication, the NWebSec CSP header, static files, cookie policy, the SignalR hub and MVC routing.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment; selects developer vs. production error handling.</param>
/// <param name="loggerFactory">Injected but not used in this method.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    // NOTE(review): HTTPS redirection is disabled here, and browsers only honour the HSTS header
    // on responses received over HTTPS — re-enable it (or enforce HTTPS at the edge) outside local dev.
    //app.UseHttpsRedirection();
    app.UseAuthentication();

    // Same site-wide CSP as on the IdentityServer host. form-action 'self' is only safe on this
    // side if every form on the client posts back to its own origin — confirm.
    app.UseCsp(opts => opts
        .BlockAllMixedContent()
        .StyleSources(s => s.Self())
        // presumably needed for inline styles in the template — confirm
        .StyleSources(s => s.UnsafeInline())
        .FontSources(s => s.Self())
        .FormActions(s => s.Self())
        .FrameAncestors(s => s.Self())
        .ImageSources(s => s.Self())
        .ScriptSources(s => s.Self())
    );

    //app.UseXContentTypeOptions();

    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseSignalR(routes =>
    {
        routes.MapHub<DealersNetHub>("/dealernetHub");
    });

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Gallery}/{action=Index}/{id?}");
    });
}
brockallen commented 6 years ago

Can you elaborate on which code you started with and what additional code you added? I'm trying to understand your steps.

mfnaseem commented 6 years ago

Step 1: I followed the exact course from Pluralsight, securing-aspdotnet-core2-oauth2-openid-connect, until I could log in with IS4 and it redirected back to my website. Step 2: I included my own template in that solution. Step 3: after getting the CSP errors I added the NuGet package NWebSec.AspNetCore.Middleware to the Identity layer, which resolved the issue up to login (authorization), but it then redirected back to the Identity project instead of the client. Step 4: to resolve that I added the same NuGet package to the client.

brockallen commented 6 years ago

So you will need to track down which CSP rules you added (either intentionally or unintentionally) and find out whether they come from IdentityServer's CSP in our templates or from elsewhere (I suspect it's from elsewhere). Then you'll need to find out how to configure those CSP rules to work with what IdentityServer needs to do on that one rendered page. You should notice we already emit the script hash for the script you show above. So I bet some additional CSP is interfering. Not sure, tho.

mfnaseem commented 6 years ago

Thanks brockallen.

I got past this issue with a small change: I removed `.FormActions(s => s.Self())` and added `.ScriptSources(s => s.UnsafeInline())`.

// NOTE(review): this is the policy the author settled on. Compared with the original it drops
// form-action (so forms on this site may now post to any origin) and adds 'unsafe-inline' to
// script-src, which largely switches off CSP's inline-script protection. brockallen notes above
// that IdentityServer already emits a hash for the inline script on its rendered page, so
// allowing that hash here (and the client's redirect origin in form-action) would presumably
// keep the policy tight — confirm against that page's own CSP header.
app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .StyleSources(s => s.Self())
    .StyleSources(s => s.UnsafeInline())
    .FontSources(s => s.Self())
    .FrameAncestors(s => s.Self())
    .ImageSources(s => s.Self())
    .ScriptSources(s => s.Self())
    .ScriptSources(s => s.UnsafeInline())
);

Thanks!

brockallen commented 6 years ago

So all set on this issue? We can close?

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.