From b7ddfb11f65dc7116afb465c26f2221368084c3e Mon Sep 17 00:00:00 2001
From: nikolajlauridsen
Date: Fri, 2 Dec 2022 10:45:43 +0100
Subject: [PATCH 1/3] Enable reference tokens
---
 .../DependencyInjection/BackOfficeAuthBuilderExtensions.cs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
index 5331acaaa9f8..5c23d0f2a96e 100644
--- a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
+++ b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
@@ -80,6 +80,12 @@ private static IUmbracoBuilder AddOpenIddict(this IUmbracoBuilder builder)
 options
 .UseAspNetCore()
 .EnableAuthorizationEndpointPassthrough();
+
+ // Enable reference tokens
+ // - see https://documentation.openiddict.com/configuration/token-storage.html
+ options
+ .UseReferenceAccessTokens()
+ .UseReferenceRefreshTokens();
 })
 // Register the OpenIddict validation components.
From 1c9034fa7c7b3017fa9b9a7c1907879253ecda41 Mon Sep 17 00:00:00 2001
From: nikolajlauridsen
Date: Fri, 2 Dec 2022 10:45:52 +0100
Subject: [PATCH 2/3] Enable token validation
---
 .../DependencyInjection/BackOfficeAuthBuilderExtensions.cs | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
index 5c23d0f2a96e..a348fb414dca 100644
--- a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
+++ b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
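Review bot: Switching to reference tokens makes every issued access and refresh token a row in the OpenIddict token store, and nothing in this hunk or the rest of the series arranges for expired or revoked entries to be pruned, so the table grows without bound under normal back-office use. If pruning is not already configured elsewhere (OpenIddict ships a Quartz.NET integration for this via `UseQuartz()` on the core builder), it should be added alongside this change. Reference tokens also mean the validation handler has to resolve the token against the store on every request, which requires the validation side to share the core stores with the server — worth confirming in the `AddValidation` block this hunk does not show. The comment could state the motivation rather than only the link: `// Enable reference tokens so the token payload stays server-side and only an opaque identifier is handed to the client`. `AddOpenIddict` starts and ends outside the hunk.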
@@ -96,6 +96,10 @@ private static IUmbracoBuilder AddOpenIddict(this IUmbracoBuilder builder)
 // Register the ASP.NET Core host.
 options.UseAspNetCore();
+
+ // Enable token entry validation
+ // - see https://documentation.openiddict.com/configuration/token-storage.html#enabling-token-entry-validation-at-the-api-level
+ options.EnableTokenEntryValidation();
 });
 builder.Services.AddTransient();
From bff0433c47a766cb6cd7f6fcd89292670952b79a Mon Sep 17 00:00:00 2001
From: nikolajlauridsen
Date: Fri, 2 Dec 2022 11:40:38 +0100
Subject: [PATCH 3/3] Add Data protection
---
 .../BackOfficeAuthBuilderExtensions.cs | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
index a348fb414dca..3e708b6c1e54 100644
--- a/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
+++ b/src/Umbraco.Cms.ManagementApi/DependencyInjection/BackOfficeAuthBuilderExtensions.cs
@@ -86,6 +86,16 @@ private static IUmbracoBuilder AddOpenIddict(this IUmbracoBuilder builder)
 options
 .UseReferenceAccessTokens()
 .UseReferenceRefreshTokens();
+
+ // Use ASP.NET Core Data Protection for tokens instead of JWT.
+ // This is more secure, and has the added benefit of having a high throughput
+ // but means that all servers (such as in a load balanced setup)
+ // needs to use the same application name and key ring,
+ // however this is already recommended for load balancing, so should be fine.
+ // See https://documentation.openiddict.com/configuration/token-formats.html#switching-to-data-protection-tokens
+ // and https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0
+ // for more information
+ options.UseDataProtection();
 })
 // Register the OpenIddict validation components.
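Review bot: `options.EnableTokenEntryValidation()` makes the validation handler consult the token store for every request it authenticates, and the comment above it explains neither what that buys nor what it costs; suggest `// Check the token entry in the store on every request so revoked tokens are rejected before they expire (one extra store lookup per request)`. The check is only meaningful if the validation handler and the server share the same token store, which this hunk does not show — presumably `UseLocalServer()` and the core stores are registered elsewhere in this method, worth confirming. The missing generic argument on `builder.Services.AddTransient()` in the last context line looks like a rendering artifact rather than a code change. `AddOpenIddict` starts and ends outside the hunk.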
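Review bot: The new comment justifies `options.UseDataProtection()` with "This is more secure" without saying against what, and its grammar drifts ("all servers ... needs"); a tighter version would say that Data Protection tokens are opaque blobs bound to this application's key ring, so nothing that does not share the ring can inspect or validate them, and that every server in a farm must therefore share the application name and key ring. Nothing in the series configures the key ring itself; where keys are not persisted (containers, ephemeral hosts) ASP.NET Core falls back to an in-memory ring, so every token is invalidated on restart and farm instances cannot validate each other's tokens — worth checking that the Umbraco host already calls `AddDataProtection()` with a persisted, protected key store, since the ring now becomes the secret guarding every stored token payload. The same switch is made on the validation side in the `@@ -100,6 +110,9 @@` hunk and must stay in step with this one. `AddOpenIddict` starts and ends outside the hunk.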
@@ -100,6 +110,9 @@ private static IUmbracoBuilder AddOpenIddict(this IUmbracoBuilder builder)
 // Enable token entry validation
 // - see https://documentation.openiddict.com/configuration/token-storage.html#enabling-token-entry-validation-at-the-api-level
 options.EnableTokenEntryValidation();
+
+ // Use ASP.NET Core Data Protection for tokens instead of JWT. (see note in AddServer)
+ options.UseDataProtection();
 });
 builder.Services.AddTransient();