openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0
4.36k stars, 510 forks

Consider constraining NWebSec to OpenIddict endpoints #14

Closed kevinchalet closed 8 years ago

kevinchalet commented 8 years ago

@ilmax @Bartmax still no sign of a port of NWebSec for vNext. Should we simply replace it with something else that would also work on CoreCLR?

ilmax commented 8 years ago

Maybe we should ping @klings :)

klings commented 8 years ago

Hey guys, you're well underway with your ASP.NET 5 support? Which NWebsec libraries have you been using, the middleware? ASP.NET 5 support is next in line for NWebsec, but there's no trace of it on GitHub as I've been poking around with the new ASP.NET locally so far.

kevinchalet commented 8 years ago

Hey André (and sorry for the late answer)! :smile:

> Hey guys, you're well underway with your ASP.NET 5 support?

Actually, OpenIddict is totally new and was designed from scratch for ASP.NET 5, but ASOS (the OpenID Connect library behind this project: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server) has come with a default sample that demonstrates how to use NWebSec with ASP.NET 5 for a long time now (more than a year, actually: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/commit/0111029cfe69d3f357074c0d882b4d197b641c03 :tada:).

> Which NWebsec libraries have you been using, the middleware?

Yep, the main middleware. Ideally, we'd also like to use the MVC adapter, since OpenIddict internally uses a controller to render the critical authorization pages.

> ASP.NET 5 support is next in line for NWebsec, but there's no trace of it on GitHub as I've been poking around with the new ASP.NET locally so far.

If you want us to test the early bits, don't hesitate, we're now pretty good at that :smile: (if you have specific questions about ASP.NET 5 or DNX, please feel free to ping me on JabbR: https://jabbr.net/#/rooms/AspNetvNext)

klings commented 8 years ago

I've made progress and the first version of the vnext packages is out. This includes ASP.NET 5 middleware, as well as an updated MVC package. It's a gamma release, as I'll have to make a few minor breaking changes before I'm happy calling it an RC. Still, it works (mostly) as before, and should be safe to "put in production". The middleware is almost identical, but there were a few System.Web-specific things that had to go in the MVC package.

You can keep an eye on the progress here NWebsec/NWebsec#59 as I make my way to an RC.

Let me know should you run into any issues.

kevinchalet commented 8 years ago

Woooo, it looks really nice, we'll give it a try ASAP! :tada: Thanks for the info, André.

/cc @damccull

damccull commented 8 years ago

Just waiting on rc2 HTTPS bug to be fixed so I can use it properly. I'll be submitting an issue on it today.

kevinchalet commented 8 years ago

FYI, it's not a bug. See my remark on JabbR :clap:

damccull commented 8 years ago

Haha! Looking.

damccull commented 8 years ago

Today we merged in an update using the aspnet5 nwebsec middleware (https://github.com/openiddict/core/pull/37). I'm looking at how to allow OpenIddict users to set the CSP headers themselves.

kevinchalet commented 8 years ago

Closing as invalid (OpenIddict.Security - that used NWebsec - has been removed from the core code base).