Closed TomCJones closed 7 years ago
Eventually, but I am working on identity prover in 2.0 that I need to finish first.
thx ..tom (mobile outlook)
From: Luke Latham notifications@github.com Sent: Saturday, September 23, 2017 1:59:44 PM To: aspnet/Docs Cc: tom jones; Mention Subject: Re: [aspnet/Docs] OpenID Connect Dynamic provider for ASP.NET Core Identity (#4369)
@TomCJones (https://github.com/tomcjones) Is your intention to produce the sample in 2.0?
@HaoK or @blowdart please review proposal for article OpenID Connect Dynamic provider for ASP.NET Core Identity
Given that OIDC certification does not require implementation of everything, and dynamic registration introduces a whole new bunch of threats we've not considered I'm not sure this belongs in the official documentation.
@blowdart not sure I'm proud of that... :trollface:
Oidc relying party certification is dependent on dynamic registration. I am a prior member of windows security and can supply a threat model as part of documentation, which should be sufficient reason alone for docs.
thx ..tom (mobile outlook)
From: Barry Dorrans notifications@github.com Sent: Monday, September 25, 2017 2:51:22 PM To: aspnet/Docs Cc: tom jones; Mention Subject: Re: [aspnet/Docs] OpenID Connect Dynamic provider for ASP.NET Core Identity (#4369)
Oidc relying party certification is dependent on dynamic registration.
There are 5 certification profiles and the first 4 don't require implementing Dynreg (the last one is named Dynamic RP and is dedicated to this feature): http://openid.net/wordpress-content/uploads/2016/12/OpenID-Connect-Conformance-Profiles.pdf
I am a prior member of windows security and can supply a threat model as part of documentation, which should be sufficient reason alone for docs.
The threat model is actually well known (https://arxiv.org/abs/1508.04324): the main threats are IdP mix-up attacks, XSS injection via specially crafted claims and less subtle things that target the backchannel communication (e.g. a deliberately slow TCP connection or a connection that returns insane amounts of data, leading to network and memory issues).
What's complicated is not defining the threat model, it's implementing the appropriate countermeasures in the OIDC middleware (that has not been designed with non-trusted IdPs support in mind).
I took a brief look at your code when @guardrex (https://github.com/guardrex) pinged me yesterday about that and while the backchannel attack vectors are likely mitigated by using appropriate timeout/response length limits, I didn't find anything that would help prevent mix-up attacks. There are also a bunch of thread-safety issues in your code that could potentially be used as attack vectors (e.g. the providers collection is not thread safe).
@TomCJones note that I'm not trying to deter you from contributing to the ASP.NET Core docs, but like @blowdart, I think this part is probably too complicated and requires implementing so much custom code that it's probably not a good fit for the official docs.
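Added example, not part of this thread and not code from the bitbucket sample or from the ASP.NET Core OpenID Connect handler: the issuer binding that the comment above says is missing, plus a lock around the providers collection, written in Python so it runs stand-alone. The `Provider` and `RelyingParty` classes, the `honest.example` / `attacker.example` issuers and the claim shapes are constructed for illustration; ID-token signature verification is assumed to happen before `check_id_token` is called, and the optional `iss` response parameter is the one defined by RFC 9207, which postdates this thread.

```python
"""Issuer-bound login state for an OIDC relying party that accepts many
dynamically registered (hence untrusted) identity providers. Constructed
example: provider names and claims below are made up."""
import secrets
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class Provider:
    issuer: str                  # the "iss" value this IdP puts in its ID tokens
    client_id: str               # client_id this IdP's registration endpoint gave us
    authorization_endpoint: str
    token_endpoint: str


class ProviderRegistry:
    """Dynamically registered providers; every access takes the lock, so
    concurrent registrations and lookups cannot corrupt the shared dict."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._by_issuer: Dict[str, Provider] = {}

    def register(self, provider: Provider) -> None:
        with self._lock:
            if provider.issuer in self._by_issuer:
                raise ValueError(f"issuer already registered: {provider.issuer}")
            self._by_issuer[provider.issuer] = provider

    def get(self, issuer: str) -> Optional[Provider]:
        with self._lock:
            return self._by_issuer.get(issuer)


class RelyingParty:
    """Remembers, per login attempt, which issuer the authorization request
    went to, and rejects any response or ID token coming back from another."""

    def __init__(self, registry: ProviderRegistry, redirect_uri: str) -> None:
        self._registry = registry
        self._redirect_uri = redirect_uri
        self._lock = threading.Lock()
        self._pending: Dict[str, Tuple[str, str]] = {}  # state -> (issuer, nonce)

    def start_login(self, issuer: str) -> str:
        provider = self._registry.get(issuer)
        if provider is None:
            raise KeyError(f"unknown issuer: {issuer}")
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        with self._lock:
            self._pending[state] = (issuer, nonce)   # bind state to the chosen issuer
        query = urlencode({"response_type": "code", "scope": "openid",
                           "client_id": provider.client_id,
                           "redirect_uri": self._redirect_uri,
                           "state": state, "nonce": nonce})
        return f"{provider.authorization_endpoint}?{query}"

    def handle_callback(self, params: Dict[str, str]) -> Tuple[Provider, str, str]:
        """Check the front-channel response. Returns (provider, code, nonce);
        the code may only be redeemed at this provider's token endpoint."""
        with self._lock:
            pending = self._pending.pop(params.get("state", ""), None)  # single use
        if pending is None:
            raise PermissionError("unknown or replayed state")
        expected_issuer, nonce = pending
        # RFC 9207 "iss" response parameter: if present, it must name the issuer we chose.
        if "iss" in params and params["iss"] != expected_issuer:
            raise PermissionError("mix-up: response names a different issuer than requested")
        if "code" not in params:
            raise PermissionError("missing authorization code")
        provider = self._registry.get(expected_issuer)
        if provider is None:
            raise PermissionError("issuer was unregistered while the login was pending")
        return provider, params["code"], nonce

    @staticmethod
    def check_id_token(provider: Provider, nonce: str, claims: Dict[str, object]) -> None:
        """Claim checks on the (already signature-verified) ID token obtained from
        provider.token_endpoint, tying it to that provider and this login attempt."""
        if claims.get("iss") != provider.issuer:
            raise PermissionError("mix-up: ID token issued by a different issuer")
        aud = claims.get("aud")
        audiences: List[object] = aud if isinstance(aud, list) else [aud]
        if provider.client_id not in audiences:
            raise PermissionError("ID token not addressed to our client_id at this issuer")
        if claims.get("nonce") != nonce:
            raise PermissionError("nonce does not belong to this login attempt")


def state_of(login_url: str) -> str:
    """Extract the state parameter from a start_login URL, as the browser
    would carry it to the IdP and back to the redirect_uri."""
    return parse_qs(urlsplit(login_url).query)["state"][0]
```

The point of the design is that the relying party never infers the issuer from the response: it is looked up from the state that the RP itself minted, and both the `iss` response parameter (when the IdP sends one) and the ID token's `iss`/`aud` pair must agree with it, so a response or token produced by a second registered (attacker-controlled) IdP for a login started elsewhere is refused. An IdP that predates RFC 9207 sends no `iss` parameter; the ID token check still catches the mix-up, although only after the code has been redeemed at the honest issuer's token endpoint.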
@TomCJones if you write a blog on this I'll be happy to tweet it.
You are wrong about the RP certification. Unfortunately the RP certification pages have been removed from openid.net so I cannot point you to the reason why you are wrong.
I would be happy to address any shortcomings in the providers collection, but I am not likely to engage with this team again given this experience. ..tom
From: Kévin Chalet notifications@github.com Sent: Monday, September 25, 2017 4:34 PM To: aspnet/Docs Cc: tom jones; Mention Subject: Re: [aspnet/Docs] OpenID Connect Dynamic provider for ASP.NET Core Identity (#4369)
You are wrong about the RP certification. Unfortunately the RP certification pages have been removed from openid.net so I cannot point you to the reason why you are wrong.
Nope, I don't think I am. The page you're looking for is still available at http://openid.net/certification/ and lists the 16 providers officially certified by the OpenID Foundation. Only 5 support the dynamic RP feature.
Maybe you should ask yourself why my code is the only asp.net RP certified!
..Tom's phone
On Sep 25, 2017, at 6:01 PM, Kévin Chalet notifications@github.com wrote:
Maybe you should ask yourself why my code is the only asp.net RP certified!
Oh sorry, I had not realized this thread was all about satisfying your ego :sweat_smile:
And FWIW, that's inexact. SimpleIdentityServer's client - certified for the 5 profiles - and IdentityModel.OidcClient - certified for basic and config - are compatible with .NET Standard and can be used in any ASP.NET or ASP.NET Core app.
General
The existing OpenID Connect provider in ASP.NET Core will not accept a dynamic registration for an Identity Provider. That makes it very difficult to get OpenID certification for an ASP.NET web site.
I have posted a solution to both issues at https://bitbucket.org/tomcjones/idesgrp
I would like to create an article for docs that describes how to solve these problems once this is approved.