Open Piedone opened 1 year ago
Kevin:
Also, using raw RSA keys instead of RSA keys embedded in X.509 certificates (for which we tend to see fewer issues in hostile environments) in conjunction with https://github.com/OrchardCMS/OrchardCore/pull/7891 might be a better approach than making the storage of the current feature replaceable.
Should we trust him?
At your own risk :trollface:
Hmm, perhaps IOpenIdServerService.PruneManagedCertificatesAsync() can be used (or something else) to reset the certificate store after deployment, to get rid of the exception, at least.
Is your feature request related to a problem? Please describe.
Having the web server stateless, i.e. not storing anything on it that you want to keep and that can't be redeployed (like content or media), is useful for having a clear deployment story and is a requirement for horizontal scaling. The OpenID module's OpenIdServerService stores certificates on the local file system, however. This causes the below exception if you wipe the storage (like when you deploy a new version of the app). This is logged here.
Despite this BTW, OpenID still appears to be working.
Related: https://github.com/OrchardCMS/OrchardCore/issues/7137
Describe the solution you'd like
Similar to Azure Data Protection we could have an implementation to store the certificates in a Blob Storage account. Basically, we could have something like IOpenIdServerCertificateStorage, with a default implementation that accesses local files like OpenIdServerService does today, and another feature that provides a Blob Storage-based implementation. (And later others can be added too.)
Describe alternatives you've considered
You need to fully override OpenIdServerService to implement this currently. Also see the comment by @kevinchalet here.
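To make the proposed seam concrete, here is an added sketch (not OrchardCore code, and not the project's actual API) of what an IOpenIdServerCertificateStorage abstraction could look like, with the local-file default beside an Azure Blob Storage implementation. The interface shape, the class names and the constructor-supplied PFX password are assumptions; the point is that private key material stays PFX-encrypted at rest in either store, with the password coming from configuration rather than from the store itself.

```csharp
// Added illustration for this issue; hypothetical names, not OrchardCore's own types.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Storage.Blobs;

// Proposed seam: the server service would load/persist through this instead of touching disk directly.
public interface IOpenIdServerCertificateStorage
{
    Task<IReadOnlyList<X509Certificate2>> LoadAsync();
    Task SaveAsync(string name, X509Certificate2 certificate);
}

// Default implementation: local file system, mirroring today's behaviour.
// Keys are exported as password-protected PFX; the password comes from app configuration.
public class FileSystemCertificateStorage : IOpenIdServerCertificateStorage
{
    private readonly string _directory, _password;
    public FileSystemCertificateStorage(string directory, string password) { _directory = directory; _password = password; }

    public Task<IReadOnlyList<X509Certificate2>> LoadAsync()
    {
        var certificates = new List<X509Certificate2>();
        if (Directory.Exists(_directory))
            foreach (var file in Directory.EnumerateFiles(_directory, "*.pfx"))
                certificates.Add(new X509Certificate2(file, _password, X509KeyStorageFlags.EphemeralKeySet));
        return Task.FromResult<IReadOnlyList<X509Certificate2>>(certificates);
    }

    public async Task SaveAsync(string name, X509Certificate2 certificate)
    {
        Directory.CreateDirectory(_directory);
        await File.WriteAllBytesAsync(Path.Combine(_directory, name + ".pfx"), certificate.Export(X509ContentType.Pfx, _password));
    }
}

// Alternative feature: Azure Blob Storage, so a redeployed or scaled-out instance finds the same certificates.
public class BlobCertificateStorage : IOpenIdServerCertificateStorage
{
    private readonly BlobContainerClient _container; private readonly string _password;
    public BlobCertificateStorage(BlobContainerClient container, string password) { _container = container; _password = password; }

    public async Task<IReadOnlyList<X509Certificate2>> LoadAsync()
    {
        var certificates = new List<X509Certificate2>();
        await foreach (var item in _container.GetBlobsAsync())
        {
            var content = await _container.GetBlobClient(item.Name).DownloadContentAsync();
            certificates.Add(new X509Certificate2(content.Value.Content.ToArray(), _password, X509KeyStorageFlags.EphemeralKeySet));
        }
        return certificates;
    }

    public async Task SaveAsync(string name, X509Certificate2 certificate)
    {
        await _container.CreateIfNotExistsAsync();
        await _container.GetBlobClient(name + ".pfx").UploadAsync(new BinaryData(certificate.Export(X509ContentType.Pfx, _password)), overwrite: true);
    }
}
```

The blob container should be locked down to the application's identity (no public access), since it holds the signing/encryption keys the OpenID server trusts.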