aspnet-contrib / AspNet.Security.OAuth.Providers

OAuth 2.0 social authentication providers for ASP.NET Core
Apache License 2.0

Apple Sign in redirects to blank page #771

Closed ECD10 closed 1 year ago

ECD10 commented 1 year ago

Additional information

I am developing an app using MAUI. I am using Web Authenticator. Google login works perfectly, but Apple login does not work: it redirects to a blank page after the Apple login. I uploaded the p8 file to the project folder. I don't know what the problem is. Can anyone help me?

.NET version: 3.1
Return URL: domain.com/signin-apple

My Startup.cs

```csharp
// Usings added for a compilable listing; the enclosing namespace block of the
// original paste is omitted here.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public Startup(IConfiguration configuration, IWebHostEnvironment webHostEnvironment)
    {
        Configuration = configuration;
        WebHostEnvironment = webHostEnvironment;
    }

    IConfiguration Configuration { get; }

    IWebHostEnvironment WebHostEnvironment { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(o =>
            {
                // Sign the user in with a cookie once the remote provider returns.
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddGoogle(g =>
            {
                g.ClientId = "*****";
                g.ClientSecret = "*****";
                g.SaveTokens = true;
            })
            .AddApple(a =>
            {
                a.ClientId = "****";
                a.KeyId = "****";
                a.TeamId = "*****";
                // The client secret is generated from the .p8 private key, which is
                // resolved from the content root (not wwwroot) by key ID.
                a.UsePrivateKey(keyId
                    => WebHostEnvironment.ContentRootFileProvider.GetFileInfo($"AuthKey_{keyId}.p8"));
                a.SaveTokens = true;
            });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        // Authentication must run before authorization and before endpoint dispatch.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
```
martincostello commented 1 year ago

A few points:

  • It is not safe to store the p8 file in wwwroot as then it can be downloaded to the browser, leaking your private key. It should be stored in the same folder in the app as your compiled binaries (or even better, externally in a technology such as Azure Key Vault).
  • If storing the key on disk with the app, ensure you include it in the published website artefact.
  • Turning up logging should give you clues as to what the error is.
  • .NET Core 3.1 is out of support since December 2022 and no longer receives security patches. You should update to at least .NET 6.

A sample app you can use for further reference can be found in this repo: https://github.com/martincostello/SignInWithAppleSample

ECD10 commented 1 year ago

> A few points:
>
>   • It is not safe to store the p8 file in wwwroot as then it can be downloaded to the browser, leaking your private key. It should be stored in the same folder in the app as your compiled binaries (or even better, externally in a technology such as Azure Key Vault).
>   • If storing the key on disk with the app, ensure you include it in the published website artefact.
>   • Turning up logging should give you clues as to what the error is.
>   • .NET Core 3.1 is out of support since December 2022 and no longer receives security patches. You should update to at least .NET 6.
>
> A sample app you can use for further reference can be found in this repo: https://github.com/martincostello/SignInWithAppleSample

```text
warn: Microsoft.AspNetCore.DataProtection.Repositories.EphemeralXmlRepository[50]
      Using an in-memory repository. Keys will not be persisted to storage.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[59]
      Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
      No XML encryptor configured. Key {27c4441a-c32b-4565-937f-f1eadba51faa} may be persisted to storage in unencrypted form.
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\Inetpub\vhosts\encada.com.tr\mobileauth.encada.com.tr
info: AspNet.Security.OAuth.Apple.AppleAuthenticationHandler[7]
      Apple was not authenticated. Failure message: Not authenticated
info: AspNet.Security.OAuth.Apple.AppleAuthenticationHandler[12]
      AuthenticationScheme: Apple was challenged.
fail: AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator[1]
      Failed to generate new client secret for the Apple authentication scheme.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, ReadOnlySpan`1 keyBlob, Boolean encrypted, ReadOnlySpan`1 password)
   at System.Security.Cryptography.CngPkcs8.ImportPkcs8(ReadOnlySpan`1 keyBlob)
   at System.Security.Cryptography.CngPkcs8.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at System.Security.Cryptography.ECDsaImplementation.ECDsaCng.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at Internal.Cryptography.PemKeyImportHelpers.ImportPem(ReadOnlySpan`1 input, FindImportActionFunc callback)
   at System.Security.Cryptography.ECDsa.ImportFromPem(ReadOnlySpan`1 input)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.CreateAlgorithm(ReadOnlyMemory`1 pem)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.GenerateNewSecretAsync(AppleGenerateClientSecretContext context)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.<>c__DisplayClass5_0.<<GenerateAsync>b__0>d.MoveNext()
info: AspNet.Security.OAuth.Apple.AppleAuthenticationHandler[4]
      Error from RemoteAuthentication: The system cannot find the file specified..
fail: Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer[2]
      Connection ID "17509995417251614254", Request ID "80000e2f-000f-f300-b63f-84710c7967bb": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, ReadOnlySpan`1 keyBlob, Boolean encrypted, ReadOnlySpan`1 password)
   at System.Security.Cryptography.CngPkcs8.ImportPkcs8(ReadOnlySpan`1 keyBlob)
   at System.Security.Cryptography.CngPkcs8.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at System.Security.Cryptography.ECDsaImplementation.ECDsaCng.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at Internal.Cryptography.PemKeyImportHelpers.ImportPem(ReadOnlySpan`1 input, FindImportActionFunc callback)
   at System.Security.Cryptography.ECDsa.ImportFromPem(ReadOnlySpan`1 input)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.CreateAlgorithm(ReadOnlyMemory`1 pem)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.GenerateNewSecretAsync(AppleGenerateClientSecretContext context)
   at AspNet.Security.OAuth.Apple.Internal.DefaultAppleClientSecretGenerator.<>c__DisplayC
```

martincostello commented 1 year ago

Based on this error:

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.

You likely need to do this:

https://github.com/martincostello/SignInWithAppleSample#azure-app-service-deployment

ECD10 commented 1 year ago

> Based on this error:
>
> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
>
> You likely need to do this:
>
> https://github.com/martincostello/SignInWithAppleSample#azure-app-service-deployment

Thanks for your help.

ECD10 commented 1 year ago

I am using shared hosting and cannot enable load user profile. What can I do in this situation?

martincostello commented 1 year ago

There's nothing you can do on the shared hosting tier - this is a limitation of Azure App Service and Windows.

Either you need to move to a higher tier with the feature you need or switch to Linux.
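The thread raises three separable failure modes that the original Startup.cs conflates: the .p8 being reachable from the web root, the .p8 not being present in the published artefact, and the key being present but not importable because the Windows host has no loaded user profile (the `Neither user profile nor HKLM registry available` warning and the `CngKeyLite.ImportKeyBlob` frame in the log above). The following is an added example, not code from the issue or from AspNet.Security.OAuth.Providers, showing how to keep the key out of wwwroot and surface each of these conditions with a distinct startup error. It assumes a library version whose `AppleAuthenticationOptions` exposes `PrivateKey` as `Func<string, CancellationToken, Task<ReadOnlyMemory<char>>>` and a `GenerateClientSecret` flag; the `Apple:*` configuration keys are constructed for the example.

```csharp
// Added example (not from the issue or the library). Assumes AppleAuthenticationOptions
// has a PrivateKey delegate and a GenerateClientSecret flag; "Apple:*" config keys are
// constructed names for this example.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using AspNet.Security.OAuth.Apple;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;

public static class ApplePrivateKeyLoader
{
    // Resolve AuthKey_{keyId}.p8 beside the compiled binaries (content root), refuse
    // any location under wwwroot, and fail with a message that names the missing file.
    public static string ResolveKeyPath(IWebHostEnvironment env, string keyId)
    {
        string path = Path.GetFullPath(Path.Combine(env.ContentRootPath, $"AuthKey_{keyId}.p8"));
        string webRoot = Path.GetFullPath(env.WebRootPath ?? Path.Combine(env.ContentRootPath, "wwwroot"));

        if (path.StartsWith(webRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "The Apple private key must not be stored under wwwroot: static files there are served to browsers.");
        }

        if (!File.Exists(path))
        {
            throw new FileNotFoundException(
                "Apple private key not found in the content root. Check that the .p8 file is included in the publish output.",
                path);
        }

        return path;
    }

    // Import the PEM once, so a host that cannot load the CNG key store fails at startup
    // with an explanation instead of at the first /signin-apple redirect. The underlying
    // WindowsCryptographicException derives from CryptographicException.
    public static void VerifyImportable(string pem)
    {
        using var ecdsa = ECDsa.Create();
        try
        {
            ecdsa.ImportFromPem(pem);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "The Apple private key was read but could not be imported. On Windows hosts this " +
                "typically means the user profile (CNG key store) is not loaded for the app pool.", ex);
        }
    }

    public static void Configure(AppleAuthenticationOptions options, IWebHostEnvironment env, IConfiguration config)
    {
        options.ClientId = config["Apple:ClientId"];
        options.KeyId = config["Apple:KeyId"];
        options.TeamId = config["Apple:TeamId"];
        options.GenerateClientSecret = true;

        options.PrivateKey = async (keyId, cancellationToken) =>
        {
            // Prefer a PEM supplied through configuration (user secrets, environment variable,
            // or a Key Vault configuration provider) so that no .p8 has to ship with the app.
            string pem = config["Apple:PrivateKeyPem"];
            if (string.IsNullOrEmpty(pem))
            {
                pem = await File.ReadAllTextAsync(ResolveKeyPath(env, keyId), cancellationToken);
            }

            VerifyImportable(pem);
            return pem.AsMemory();
        };
    }
}
```

Wire it in with `.AddApple(a => ApplePrivateKeyLoader.Configure(a, WebHostEnvironment, Configuration))` in place of the `UsePrivateKey` call. Note that moving the key into configuration removes the two file-placement problems but not the third: `ImportFromPem` still goes through the CNG key store on Windows, so the user-profile requirement discussed in this thread applies regardless of where the PEM text comes from.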