IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

MFA Validation is Loading a Certificate from Local Machine #5447

Closed erenken closed 2 years ago

erenken commented 2 years ago

I am trying to figure out where this code is getting the certificate path and how it knows to load the X509 from Local Machine.

    // Reads the stored (protected) authenticator key and unprotects it with the
    // Data Protection API; a missing key-encryption certificate surfaces here.
    public override async Task<string> GetAuthenticatorKeyAsync(User user, CancellationToken cancellationToken)
    {
        var key = await base.GetAuthenticatorKeyAsync(user, cancellationToken);
        if (key != null)
        {
            try
            {
                key = _dataProtector.Unprotect(key);
            }
            catch (Exception ex)
            {
                // Unprotect throws CryptographicException when the key ring cannot be decrypted.
                key = null;
                _logger.LogError(ex, "GetAuthenticatorKeyAsync failed to unprotect the authenticator key for subjectId: {subjectId}.", user.Id);
            }
        }

        return key;
    }

When I hit _dataProtector.Update(key) if the certificate it needs is removed from Local Machine this fails, and if it is there it works. I don't have any configurations that point to the certificate name or thumbprint, so I'm not sure how it knows. I assume it is part of the User object in the UserStore, but I haven't found it yet.

_dataProtector comes from IDataProtectionProvider.CreateProtector(nameof(UserStore) + ":mfa_key");

I don't see anywhere in the project where IDataProtectionProvider is registered to DI. I am thinking a lot of this configuration comes from:

var dataProtection = services.AddDataProtection();

Any direction would be appreciated.
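The following is an added example, not code from this issue or from IdentityServer4, showing the piece of wiring the question is looking for: the certificate is not referenced by the protector or the user record but by the Data Protection key ring, which `ProtectKeysWithCertificate` encrypts with a certificate and which is decrypted at `Unprotect` time by resolving that certificate from the Windows certificate stores. The thumbprint, key path and application name are placeholders; the startup check makes a removed certificate fail loudly at boot instead of silently nulling every MFA key.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Placeholders (assumptions for this example): the thumbprint of the certificate
// that encrypts the key ring, and the directory holding the key ring XML files.
const string KeyEncryptionCertThumbprint = "<THUMBPRINT-OF-KEY-ENCRYPTION-CERT>";
const string KeyRingPath = @"C:\keys\dataprotection";

// Looks for the certificate in the given store; Data Protection resolves it from
// CurrentUser\My or LocalMachine\My when it decrypts the key ring.
bool CertificateIsInstalled(string thumbprint, StoreLocation location)
{
    using var store = new X509Store(StoreName.My, location);
    store.Open(OpenFlags.ReadOnly);
    return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false).Count > 0;
}

// Fail fast: without this certificate every Unprotect of a stored MFA secret throws,
// which is exactly the behaviour the issue describes.
if (!CertificateIsInstalled(KeyEncryptionCertThumbprint, StoreLocation.LocalMachine))
    throw new InvalidOperationException("Key-encryption certificate is not installed in LocalMachine\\My.");

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("IdentityServerHost")                 // placeholder application name
    .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath))   // key ring XML lives here
    .ProtectKeysWithCertificate(KeyEncryptionCertThumbprint);  // key ring is encrypted with this cert

var provider = services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();

// Same purpose string shape as the UserStore in the question: purposes must match to unprotect.
var protector = provider.CreateProtector("UserStore:mfa_key");

string stored = protector.Protect("JBSWY3DPEHPK3PXP");   // constructed base32 TOTP secret
try
{
    string secret = protector.Unprotect(stored);
    Console.WriteLine($"Round trip ok: {secret}");
}
catch (CryptographicException ex)
{
    // Raised when the key ring cannot be decrypted (certificate missing or private key inaccessible).
    Console.WriteLine($"Unprotect failed: {ex.Message}");
}
```

`ProtectKeysWithCertificate(string)` itself throws at startup if the thumbprint cannot be found, so the explicit store check mainly adds a clearer error and a place to log which store was searched.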

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any questions.

erenken commented 2 years ago

Thanks, we are working on our upgrade to v6 currently, and will be licensing it. Still in development currently. Brock reached out and this looks like something that is happening in code Alliance did for us. I am reading all the docs now for v6 to figure out how to migrate from the custom key management that was put into our version into the built-in version.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.