Support multiple issuers in JwtBearerConfigureOptions #42000

Closed
1 task done
martincostello opened this issue Jun 2, 2022 · 1 comment · Fixed by #42679
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-userjwts The `dotnet user-jwts` CLI tool untriaged
@martincostello

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

When configuring default bearer authentication options from configuration, only one valid issuer is supported.

```csharp
var configSection = _authenticationConfigurationProvider.GetAuthenticationSchemeConfiguration(name);
if (configSection is null || !configSection.GetChildren().Any())
{
    return;
}
var issuer = configSection["ClaimsIssuer"];
var audiences = configSection.GetSection("Audiences").GetChildren().Select(aud => aud.Value).ToArray();
options.TokenValidationParameters = new()
{
    ValidateIssuer = issuer is not null,
    ValidIssuers = new[] { issuer },
    ValidateAudience = audiences.Length > 0,
    ValidAudiences = audiences,
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = GetIssuerSigningKey(_configuration, issuer),
};
```

Describe the solution you'd like

The configuration schema should support the configuration of multiple valid issuers, like it does for audiences.

```csharp
var audiences = configSection.GetSection("Audiences").GetChildren().Select(aud => aud.Value).ToArray();
```

Additional context

See #41956 (comment).

/cc @DamianEdwards
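
An added sketch of the requested behaviour, not part of the original issue and not ASP.NET Core source: issuers are read as a list the same way `Audiences` is, with the single `ClaimsIssuer` value kept as a fallback. The `Issuers` key, the `MultiIssuerBinding` class and the sample values are assumptions; per-issuer signing keys are left out.

```csharp
// Added example. Assumes the Microsoft.Extensions.Configuration and
// Microsoft.IdentityModel.Tokens packages. "Issuers" is a hypothetical key.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

public static class MultiIssuerBinding
{
    // Reads a list-valued section and drops null or blank entries, so an
    // empty string never becomes an accepted issuer or audience.
    private static string[] ReadList(IConfiguration section, string key) =>
        section.GetSection(key).GetChildren()
            .Select(child => child.Value)
            .Where(value => !string.IsNullOrWhiteSpace(value))
            .Select(value => value!)
            .ToArray();

    public static TokenValidationParameters Bind(IConfiguration section)
    {
        var issuers = ReadList(section, "Issuers");   // hypothetical key
        var single = section["ClaimsIssuer"];         // key used in the issue
        if (issuers.Length == 0 && !string.IsNullOrWhiteSpace(single))
        {
            issuers = new[] { single! };               // fall back to the single issuer
        }
        var audiences = ReadList(section, "Audiences");
        return new TokenValidationParameters
        {
            // Validation is switched on only when there is something to compare against.
            ValidateIssuer = issuers.Length > 0,
            ValidIssuers = issuers,
            ValidateAudience = audiences.Length > 0,
            ValidAudiences = audiences,
        };
    }

    public static void Main()
    {
        // Constructed sample configuration for one scheme's section.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Issuers:0"] = "https://login.example.test/",
                ["Issuers:1"] = "dotnet-user-jwts",
                ["Audiences:0"] = "https://localhost:5001",
            }).Build();
        Console.WriteLine(string.Join(", ", Bind(config).ValidIssuers));
    }
}
```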

@javiercn javiercn added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Jun 2, 2022
@captainsafia captainsafia self-assigned this Jun 3, 2022
@Tratcher Tratcher added this to the .NET 7 Planning milestone Jun 3, 2022
ghost commented Jun 3, 2022

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@captainsafia captainsafia added the feature-userjwts The `dotnet user-jwts` CLI tool label Jun 6, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Aug 15, 2022
@amcasey amcasey added the area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI label Jun 2, 2023