aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Nonce caching should not require two properties on OpenIdConnectAuthenticationOptions: CacheNonces and NonceCache #321

Closed brentschmaltz closed 9 years ago

brentschmaltz commented 9 years ago

By default NonceCache is null. It seems reasonable to me that if the user sets it, that should be an indication to use it.

Tratcher commented 9 years ago

The CacheNonces bool is also used in the constructor to request the cache from DI: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs#L132

brentschmaltz commented 9 years ago

This is different than the pattern for IDataFormatter. Could we have a default NonceCache that uses cookies, and have users override it as they do with the formatter?

Tratcher commented 9 years ago

IDataFormatter? Do you mean ISecureDataFormat?

brentschmaltz commented 9 years ago

Yes, ISecureDataFormat.

Eilon commented 9 years ago

This is behaving as designed.