Consider supporting System.Web.Security.MachineKey #324
Description
Summary
System.Web.Security.MachineKey is a static class that is used in class libraries that can be adapted to be used with ASP.NET Core applications.
Motivation and goals
MachineKey calls are static calls that may occur in low levels of code that is used to protect/unprotect data. In ASP.NET Core, the data protection APIs provide similar functionality. However, as with HttpContext.Current, these calls have been static on ASP.NET Framework and now require DI to retrieve on ASP.NET Core.
My providing the APIs for MachineKey, code that relies on this can be migrated to .NET Standard, but get the benefits of data protection without having to refactor the existing code to pass it in. Given that there is support in ASP.NET Framework to replace the underlying provider for MachineKey with the data protection APIs, this feature will simplify migration for apps.
In scope
- In
Microsoft.AspNetCore.SystemWebAdapters
namespace System.Web.Security.MachineKey
{
public static class MachineKey
{
public static byte[] Unprotect(byte[] protectedData, params string[] purpose);
public static byte[] Protect(byte[] userData, params string[] purposes);
}
}Out of scope
- We do not want to try to mimic the actual data protection that occurs in .NET Framework in-box. If someone wants to do that, it will integrate into the adapters as-is as long as it is the registered
IDataProtectionProvider. To support this migration scenario, we want people to initially move their use of the protection to the new stack.
Risks / unknowns
- Users may not understand that they must do some extra configuration in order to share keys between framework and core apps to be able to unprotect data the other protects
- In order to replace the data protection on framework, it will invalidate existing values that are protected and steps must be take to mitigate that
Detailed design
An initial implementation and sample:
- MachineKey implementatoin
- Sample (video below)