Nfactor26 / pixel-identity

Bootstrapper for https://github.com/openiddict/openiddict-core and Asp.net Identity with a blazor based UI .
https://nfactor26.github.io/pixel-identity/
MIT License

Update to openiddict v4.7.0 & Ephemeral Key & Deploy on Google Cloud Run #89

Closed digitarenet closed 1 year ago

digitarenet commented 1 year ago

Great work! Thank you! I have to change only 3 details to successfully run the Provider from source code:

I have 4 questions, I hope you can help me...

  1. Do you have a roadmap to update to latest openiddict-core (4.7.0)?
  2. What about removing EphemeralKeySet in my source code?
  3. Now I'm running on localhost for testing, but I'm going to move to Google Cloud Run (Artifact Registry containers) in production, so: is it good practice to load certificates with COPY.... via Dockerfile, or is there a better (technical/security) way (ENV VARS?)?
  4. For Google Cloud Run deployment I need to move all settings into environment vars, is that correct?

Thank you!!

Nfactor26 commented 1 year ago

Hello. I will try to do my best to help you.

  1. Do you have a roadmap to update to latest openiddict-core (4.7.0)?
    • I can definitely upgrade it. Any specific features from the library you are looking for, or do you just need a binary upgrade?
    • How soon do you need it?
  2. What about removing EphemeralKeySet in my source code?
    • What problem is this causing, and is this happening only on Mac? I can explore alternatives if this is causing an issue.
  3. Now I'm running on localhost for testing, but I'm going to move to Google Cloud Run (Artifact Registry containers) in production, so: is it good practice to load certificates with COPY.... via Dockerfile, or is there a better (technical/security) way (ENV VARS?)?
  4. For Google Cloud Run deployment I need to move all settings into environment vars, is that correct?

digitarenet commented 1 year ago

Thank You!! Only point number "2." seems to be problematic...

  1. I've seen that in the new OpenIddict versions there are some new integrations available and some other improvements for client integrations. I have to deploy my project in production by the end of September, and I need an IdP to deploy on Google Cloud Run to allow SSO [my application is a front-end application that allows users to buy subscriptions to a service (hosted on another server), but the users should not register and log in twice after buying a subscription in order to use the service... so I need to use an OpenID Connect compliant provider to simplify user logins]. The service application can only use OpenID Connect compliant IdPs for SSO, so I need to implement one and use it also in my application. (I hope it is clear...)

  2. My environment: macOS Ventura (13.5) on Intel x64, building with JetBrains Rider and .NET SDK v7.0.400.

With "EphemeralKeySet" in StartUp.cs:

    ... X509Certificate2 encryptionKey = new X509Certificate2(encryptionKeyBytes, Configuration["Identity:EncryptionCertificateKey"], X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet); ...

This is the error response:

>> publish % dotnet Pixel.Identity.Provider.dll --urls=https://localhost:44382/
[08:39:37 FTL] Host terminated unexpectedly
System.PlatformNotSupportedException: This platform does not support loading with EphemeralKeySet. Remove the flag to allow keys to be temporarily created on disk.
   at Internal.Cryptography.Pal.AppleCertificatePal.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean readingFromFile, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at Pixel.Identity.Provider.Startup.<ConfigureOpenIddict>b__8_1(OpenIddictServerBuilder options) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 250
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Pixel.Identity.Provider.Startup.ConfigureOpenIddict(IServiceCollection services, IDataStoreConfigurator configurator) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 217
   at Pixel.Identity.Provider.Startup.<>c__DisplayClass4_0.<ConfigureServices>b__4(IDataStoreConfigurator p, IServiceCollection s) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 90
   at Pixel.Identity.Provider.Extensions.ServiceExtensions.AddPlugin[T](IServiceCollection services, Plugin plugin, Action`2 configure) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Extensions/ServiceExtensions.cs:line 63
   at Pixel.Identity.Provider.Startup.ConfigureServices(IServiceCollection services) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Startup.cs:line 87
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services)
   at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at Pixel.Identity.Provider.Program.Main(String[] args) in /Developer/Examples/pixel-identity/src/Pixel.Identity.Provider/Program.cs:line 21

Removing the OR'd flag (| X509KeyStorageFlags.EphemeralKeySet) in StartUp.cs, everything works fine.

  3. I have solved how to store certificates in Google Secret Manager:

After the pfx is created, upload it to Secret Manager with the gcloud CLI:

gcloud secrets create **YourGoogleSecretName** \
    --replication-policy=automatic \
    --data-file=**path/to/file/certificate.pfx**

To retrieve the certificate from Secret Manager (using the Google API) I need to authenticate to Google (https://cloud.google.com/docs/authentication/application-default-credentials), and I have used this code (it works):

using System.Security.Cryptography.X509Certificates;
using Google.Cloud.SecretManager.V1;
using Google.Protobuf;

// Client authenticates with Application Default Credentials (see link above)
SecretManagerServiceClient client = SecretManagerServiceClient.Create();
SecretVersionName secretVersionName =
    new SecretVersionName("googleProjectId", "**YourGoogleSecretName**", "latest");

AccessSecretVersionResponse result =
    client.AccessSecretVersion(secretVersionName);

// The secret payload is the raw PFX uploaded with gcloud above
ByteString secretData = result.Payload.Data;
byte[] encryptionKeyBytes = secretData.ToByteArray();

// No EphemeralKeySet, so this also loads on macOS
X509Certificate2 encryptionKey =
    new X509Certificate2(
        encryptionKeyBytes,
        Configuration["Identity:EncryptionCertificateKey"],
        X509KeyStorageFlags.MachineKeySet);

  4. Perfect, I'll try to deploy to Google Cloud Run as soon as possible.

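An added example (not pixel-identity's code, and not from the poster above) that combines the two findings in this thread: pull the PFX from Secret Manager as shown, but choose the key storage flags per platform so the macOS PAL's rejection of EphemeralKeySet does not crash startup, and sanity-check the loaded certificate before OpenIddict gets it. The project id, secret name and PFX password are assumed parameters.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Google.Cloud.SecretManager.V1;

// Example code, not part of pixel-identity.
public static class CertificateLoader
{
    // EphemeralKeySet keeps the private key in memory only, which is what you
    // want in a Cloud Run container. The macOS certificate PAL throws
    // PlatformNotSupportedException for it (see the stack trace above), so on
    // a Mac dev box fall back to the flag the thread confirmed as working.
    public static X509KeyStorageFlags KeyStorageFlagsForPlatform()
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
            return X509KeyStorageFlags.MachineKeySet; // key is written to disk temporarily
        return X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;
    }

    public static X509Certificate2 LoadFromSecretManager(
        string projectId, string secretName, string pfxPassword, string version = "latest")
    {
        var client = SecretManagerServiceClient.Create(); // Application Default Credentials
        // Consider pinning an explicit version in production: with "latest" a
        // rotated secret changes the signing/encryption key of new instances silently.
        var name = new SecretVersionName(projectId, secretName, version);
        byte[] pfx = client.AccessSecretVersion(name).Payload.Data.ToByteArray();
        try
        {
            return Validate(new X509Certificate2(pfx, pfxPassword, KeyStorageFlagsForPlatform()));
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length); // don't keep the PKCS#12 blob around in memory
        }
    }

    // Fail fast at startup instead of discovering a bad key on the first token request.
    public static X509Certificate2 Validate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX has no private key; OpenIddict cannot sign or decrypt with it.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} expired on {cert.NotAfter:u}.");
        return cert;
    }
}
```

The returned certificate is what you would pass to OpenIddict's AddEncryptionCertificate / AddSigningCertificate in Startup.cs in place of the inline constructor call.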
Nfactor26 commented 1 year ago

Seems this is not going to be an easy upgrade to OpenIddict 4.7.0. I ran into an issue with MongoDB and have raised it at https://github.com/openiddict/openiddict-core/issues/1861 for any workaround. The issue is in newer versions of the MongoDB driver.

Additionally, I tried to upgrade to 4.6.0 instead but have hit an issue with it as well for SQL based backends. I will first investigate this before raising it with the openiddict team.

System.InvalidOperationException: Unable to resolve service for type 'Microsoft.Extensions.Caching.Memory.IMemoryCache' while attempting to activate 'OpenIddict.EntityFrameworkCore.OpenIddictEntityFrameworkCoreApplicationStore`5[OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreApplication,OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreAuthorization,OpenIddict.EntityFrameworkCore.Models.OpenIddictEntityFrameworkCoreToken,Pixel.Identity.Store.Sql.Shared.Stores.ApplicationDbContext,System.String]'.

Nfactor26 commented 1 year ago

The 4.6.0 upgrade seems feasible and is merged now. I have a few other enhancements planned. I will try to get them ready and release a new version in a week or two if there's no hurry.

Nfactor26 commented 1 year ago

Updated to 4.7.0 now with a workaround for the MongoDB issue.

Nfactor26 commented 1 year ago

Do you need an official build for the 4.7.0 upgrade of openiddict? If not, would it be OK to close this ticket? I am thinking of leaving the EphemeralKeySet change for the time being, as I doubt anyone will ever host this on a Mac in a production environment. I will revisit this when upgrading to dotnet 8, hoping that this is addressed as part of dotnet 8 for Mac.