neos-sdi / adfsmfa

MFA for ADFS 2022/2019/2016/2012r2
MIT License

Problems in 3.1.2409.0 code #354

Closed apr-un closed 1 month ago

apr-un commented 1 month ago

Hi @redhook62

I found a few problems in the newest 2409.0 solution code.


First, it contains two new projects which aren't included in the code:

They're probably a leftover from the examples sent to the discussion about SMS implementation https://github.com/neos-sdi/adfsmfa/discussions/349. These projects should probably be removed; however, it would be super nice if we had some example of how to work with a custom version of the SMS implementation. If that is not possible, a general guide to what should be implemented or where we should put our code would be very helpful. Please consider adding that example, even with no real code but general comments like "// add here your code to connect to your webservice", "// here overwrite this method so it returns your sms code" or something like that :)


Second, you upgraded the packages System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.JsonWebTokens (and others related) from 6.23.1 to 8.0.2 - probably due to the GitHub report about a moderate vulnerability (I did the same on my version without checking, but later I found it affects only .NET Core).

This change will cause errors in the retrieval and deserialization of the blob.db file. Microsoft made some hidden breaking change and changed some internal code in these .NET packages, and now the application will return something like this:

```
Error Initializing WebAuthN Metdata Repository : IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.MDSMetadataRepository.DeserializeAndValidateBlob(BLOBPayloadInformations infos) in C:\Repo\adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WebAuthN.Core\Metadata\MDSMetadataRepository.cs:line 158
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.MDSMetadataRepository.GetBLOB() in C:\Repo\adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WebAuthN.Core\Metadata\MDSMetadataRepository.cs:line 71
   at Neos.IdentityServer.MultiFactor.WebAuthN.MFAMetadataService.InitializeRepository(IMetadataRepository repository) in C:\Repo\adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WebAuthN.Core\Services\MFAMetadataService.cs:line 70
```

This is confirmed there: https://github.com/dotnet/aspnetcore/issues/54321 and there: https://learn.microsoft.com/en-us/dotnet/core/compatibility/aspnet-core/8.0/securitytoken-events

They say that JwtSecurityTokenHandler should be changed to JsonWebTokenHandler and the SecurityToken from the output should be cast to JsonWebToken - near Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WebAuthN.Core\Metadata\MDSMetadataRepository.cs:line 158.

To be honest, I didn't check if this works; I just went back to 6.23.1 on all packages.

Please check if this works correctly for you when restoring a deleted blob.db - I got that error when I was messing with the configuration: blob.db from version 2405.0 returned an error (due to the packages upgraded to 8.0.2), so I deleted it and tried to get a fresh version back from fidoalliance...

Regards apr-un
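The JwtSecurityTokenHandler to JsonWebTokenHandler change referenced in the issue above, as an added example that is neither adfsmfa code nor the issue author's: it assumes Microsoft.IdentityModel.* 8.x packages and a caller-supplied TokenValidationParameters, and the class and method names (MdsBlobValidator, ValidateBlobOld, ValidateBlobAsync) are made up for illustration.

```csharp
// Added example, not adfsmfa code. Shows the old handler that fails with
// IDX12729 on 8.x packages next to the replacement pattern from the linked
// Microsoft breaking-change note. TokenValidationParameters (signing keys,
// issuer rules) are supplied by the caller and are assumed to be correct.
using System;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;        // old handler
using Microsoft.IdentityModel.JsonWebTokens;   // new handler
using Microsoft.IdentityModel.Tokens;

public static class MdsBlobValidator
{
    // Old pattern (worked with 6.x): synchronous validation, validated token
    // returned through an out parameter and cast to JwtSecurityToken.
    public static JwtSecurityToken ValidateBlobOld(string jws, TokenValidationParameters parameters)
    {
        var handler = new JwtSecurityTokenHandler();
        handler.ValidateToken(jws, parameters, out SecurityToken validated);
        return (JwtSecurityToken)validated;
    }

    // New pattern (7.x/8.x): JsonWebTokenHandler validates asynchronously and
    // reports the outcome in TokenValidationResult instead of only throwing.
    // The validated token is a JsonWebToken, not a JwtSecurityToken.
    public static async Task<JsonWebToken> ValidateBlobAsync(string jws, TokenValidationParameters parameters)
    {
        var handler = new JsonWebTokenHandler();
        TokenValidationResult result = await handler.ValidateTokenAsync(jws, parameters);

        // Never use an unvalidated metadata blob: fail closed and surface the
        // real cause (bad signature, expired, malformed header) for the log.
        if (!result.IsValid)
        {
            throw new SecurityTokenException("MDS blob validation failed", result.Exception);
        }

        // The cast the Microsoft note calls for; guard it rather than assume it.
        if (result.SecurityToken is not JsonWebToken token)
        {
            throw new SecurityTokenException("Validated token is not a JsonWebToken");
        }
        return token;
    }
}
```

Payload fields are then read from the JsonWebToken (for example via GetPayloadValue<T>) instead of from JwtSecurityToken.Payload.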

redhook62 commented 1 month ago

Hi, @apr-un

Thanks very much. Packages were updated to version 6.36.0 because version 6.23.1 is obsolete.

Regards