Closed digitarenet closed 1 year ago
Hello. I will try to do my best to help you.
Thank You!! Only point number "2." seems to be problematic...
With "EphemeralKeySet" in StartUp.cs:
...
X509Certificate2 encryptionKey = new X509Certificate2(encryptionKeyBytes, Configuration["Identity:EncryptionCertificateKey"], X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
...
This is the error response:
>> publish % dotnet Pixel.Identity.Provider.dll --urls=https://localhost:44382/
[08:39:37 FTL] Host terminated unexpectedly
System.PlatformNotSupportedException: This platform does not support loading with EphemeralKeySet. Remove the flag to allow keys to be temporarily created on disk.
   at Internal.Cryptography.Pal.AppleCertificatePal.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean readingFromFile, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at Pixel.Identity.Provider.Startup.<ConfigureOpenIddict>b__8_1(OpenIddictServerBuilder options) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 250
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Pixel.Identity.Provider.Startup.ConfigureOpenIddict(IServiceCollection services, IDataStoreConfigurator configurator) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 217
   at Pixel.Identity.Provider.Startup.<>c__DisplayClass4_0.<ConfigureServices>b__4(IDataStoreConfigurator p, IServiceCollection s) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 90
   at Pixel.Identity.Provider.Extensions.ServiceExtensions.AddPlugin[T](IServiceCollection services, Plugin plugin, Action`2 configure) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Extensions/ServiceExtensions.cs:line 63
   at Pixel.Identity.Provider.Startup.ConfigureServices(IServiceCollection services) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 87
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services)
   at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at Pixel.Identity.Provider.Program.Main(String[] args) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Program.cs:line 21
Removing the OR statement (| X509KeyStorageFlags.EphemeralKeySet) in StartUp.cs, everything works fine.
After the pfx is created, upload it to Secret Manager with the gcloud CLI:
gcloud secrets create **YourGoogleSecretName** \
--replication-policy=automatic \
--data-file=**path/to/file/certificate.pfx**
To retrieve the certificate from Secret Manager (using the Google API) I need to authenticate to Google (https://cloud.google.com/docs/authentication/application-default-credentials) and I have used this code (it works):
using System.Security.Cryptography.X509Certificates;
using Google.Cloud.SecretManager.V1;
using Google.Protobuf;

// Client authenticates with Application Default Credentials
SecretManagerServiceClient client = SecretManagerServiceClient.Create();
SecretVersionName secretVersionName =
    new SecretVersionName("googleProjectId", "**YourGoogleSecretName**", "latest");
AccessSecretVersionResponse result =
    client.AccessSecretVersion(secretVersionName);
ByteString secretData = result.Payload.Data;
byte[] encryptionKeyBytes = secretData.ToByteArray();
// PFX password comes from configuration, not from source
X509Certificate2 encryptionKey =
    new X509Certificate2(
        encryptionKeyBytes,
        Configuration["Identity:EncryptionCertificateKey"],
        X509KeyStorageFlags.MachineKeySet);
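An added example (not code from this issue or from pixel-identity) showing one way to keep EphemeralKeySet on platforms that support it and fall back only on macOS, where the trace above shows the Apple PAL rejecting the flag. The Secret Manager calls are the ones used in the post; the CertificateLoader class, its method names and the private-key/expiry checks are my assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Google.Cloud.SecretManager.V1;

// Hypothetical helper: loads the PFX kept in Secret Manager and chooses
// key-storage flags that the running platform actually supports.
public static class CertificateLoader
{
    public static X509KeyStorageFlags KeyStorageFlagsForPlatform()
    {
        // EphemeralKeySet keeps the private key in memory rather than
        // persisting it to the key store; prefer it where available.
        // The macOS PAL throws PlatformNotSupportedException for it,
        // so use MachineKeySet alone there (as the post confirms works).
        var flags = X509KeyStorageFlags.MachineKeySet;
        if (!OperatingSystem.IsMacOS())
        {
            flags |= X509KeyStorageFlags.EphemeralKeySet;
        }
        return flags;
    }

    public static X509Certificate2 LoadFromSecretManager(
        string projectId, string secretName, string pfxPassword)
    {
        var client = SecretManagerServiceClient.Create();
        var versionName = new SecretVersionName(projectId, secretName, "latest");
        byte[] pfxBytes = client.AccessSecretVersion(versionName)
                                .Payload.Data.ToByteArray();

        var cert = new X509Certificate2(pfxBytes, pfxPassword, KeyStorageFlagsForPlatform());

        // Fail at startup rather than at the first token signing/encryption.
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Secret '{secretName}' does not contain a private key.");
        }
        if (cert.NotAfter < DateTime.Now)
        {
            throw new InvalidOperationException(
                $"Certificate in '{secretName}' expired on {cert.NotAfter:u}.");
        }
        return cert;
    }
}
```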
Seems this is not going to be an easy upgrade to OpenIdDict -> 4.7.0. I ran into an issue with MongoDb and have raised it at https://github.com/openiddict/openiddict-core/issues/1861 for any workaround. The issue is in newer versions of the MongoDb driver.
Additionally, I tried to upgrade to 4.6.0 instead but have hit an issue with it for Sql based backends as well. I will first investigate this before raising it with the openiddict team.
System.InvalidOperationException: Unable to resolve service for type 'Microsoft.Extensions.Caching.Memory.IMemoryCache' while attempting to activate 'OpenIddict.EntityFrameworkCore.OpenIddictEntityFrameworkCoreApplicationStore`5[OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreApplication,OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreAuthorization,OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreToken,Pixel.Identity.Store.Sql.Shared.Stores.ApplicationDbContext,System.String]'.
The 4.6.0 upgrade seems feasible and is merged now. I have a few other enhancements planned. I will try to get them ready and release a new version in a week or two if there is no hurry.
Updated to 4.7.0 now with a workaround for the mongodb issue.
Do you need an official build for the 4.7.0 upgrade of openiddict? If not, would it be ok to close this ticket? I am thinking of leaving the EphemeralKeySet change for the time being as I doubt anyone will ever host this on mac in a production environment. I will revisit this when upgrading to dotnet 8 with the hope that this is addressed as part of dotnet 8 for mac.
Great work! Thank you! I have to change only 3 details to successfully run the Provider from source code:
1. http to https everywhere
2. | X509KeyStorageFlags.EphemeralKeySet in StartUp.cs when loading certificates from file
I have 4 questions, I hope you can help me...
Thank you!!