openiddict / openiddict-documentation Goto Github PK
View Code? Open in Web Editor NEWOpenIddict documentation
Home Page: https://documentation.openiddict.com/
OpenIddict documentation
Home Page: https://documentation.openiddict.com/
Things to document:
The entities were renamed to include the name of the store (e.g for the Mongo DB stores, OpenIddictApplication
was renamed to OpenIddictMongoDbApplication
).
A new Requirements
property was introduced in the application entity.
The Subject
property on the authorization/token entities is no longer required (which was needed for device flow support, where the user is not known until the authorization is granted).
Encrypted JWT is the new token format for all token types.
The validation handler now natively supports JWT tokens and introspection.
We'll want to include this setup script as part of the documentation:
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using MongoDB.Driver;
using OpenIddict.MongoDb;
using OpenIddict.MongoDb.Models;
namespace MongoDbSetup
{
public static class Program
{
public static async Task Main(string[] args)
{
var services = new ServiceCollection();
services.AddOpenIddict()
.AddCore(options => options.UseMongoDb());
services.AddSingleton(new MongoClient("mongodb://localhost:27017").GetDatabase("openiddict"));
var provider = services.BuildServiceProvider();
var context = provider.GetRequiredService<IOpenIddictMongoDbContext>();
var options = provider.GetRequiredService<IOptionsMonitor<OpenIddictMongoDbOptions>>().CurrentValue;
var database = await context.GetDatabaseAsync(CancellationToken.None);
var applications = database.GetCollection<OpenIddictMongoDbApplication>(options.ApplicationsCollectionName);
await applications.Indexes.CreateManyAsync(new[]
{
new CreateIndexModel<OpenIddictMongoDbApplication>(
Builders<OpenIddictMongoDbApplication>.IndexKeys.Ascending(application => application.ClientId),
new CreateIndexOptions
{
Unique = true
}),
new CreateIndexModel<OpenIddictMongoDbApplication>(
Builders<OpenIddictMongoDbApplication>.IndexKeys.Ascending(application => application.PostLogoutRedirectUris),
new CreateIndexOptions
{
Background = true
}),
new CreateIndexModel<OpenIddictMongoDbApplication>(
Builders<OpenIddictMongoDbApplication>.IndexKeys.Ascending(application => application.RedirectUris),
new CreateIndexOptions
{
Background = true
})
});
var authorizations = database.GetCollection<OpenIddictMongoDbAuthorization>(options.AuthorizationsCollectionName);
await authorizations.Indexes.CreateOneAsync(new CreateIndexModel<OpenIddictMongoDbAuthorization>(
Builders<OpenIddictMongoDbAuthorization>.IndexKeys
.Ascending(authorization => authorization.ApplicationId)
.Ascending(authorization => authorization.Scopes)
.Ascending(authorization => authorization.Status)
.Ascending(authorization => authorization.Subject)
.Ascending(authorization => authorization.Type),
new CreateIndexOptions
{
Background = true
}));
var scopes = database.GetCollection<OpenIddictMongoDbScope>(options.ScopesCollectionName);
await scopes.Indexes.CreateOneAsync(new CreateIndexModel<OpenIddictMongoDbScope>(
Builders<OpenIddictMongoDbScope>.IndexKeys.Ascending(scope => scope.Name),
new CreateIndexOptions
{
Unique = true
}));
var tokens = database.GetCollection<OpenIddictMongoDbToken>(options.TokensCollectionName);
await tokens.Indexes.CreateManyAsync(new[]
{
new CreateIndexModel<OpenIddictMongoDbToken>(
Builders<OpenIddictMongoDbToken>.IndexKeys.Ascending(token => token.ReferenceId),
new CreateIndexOptions<OpenIddictMongoDbToken>
{
// Note: partial filter expressions are not supported on Azure Cosmos DB.
// As a workaround, the expression and the unique constraint can be removed.
PartialFilterExpression = Builders<OpenIddictMongoDbToken>.Filter.Exists(token => token.ReferenceId),
Unique = true
}),
new CreateIndexModel<OpenIddictMongoDbToken>(
Builders<OpenIddictMongoDbToken>.IndexKeys
.Ascending(token => token.ApplicationId)
.Ascending(token => token.Status)
.Ascending(token => token.Subject)
.Ascending(token => token.Type),
new CreateIndexOptions
{
Background = true
})
});
}
}
}
This is a placeholder,
Some description why I need all these flows, and the downsides, e.g. Password Flow is not good for anything basically cause it does not allow standard way to do two factor authentication.
Implicit is the only way for JS apps.
Code flow for other "native" apps such as iOS apps / Android apps.
openiddict/openiddict-core#1396 introduced a new web integration package for the OpenIddict client that aims at offering an alternative to https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers, for which many of the providers were provided by the community.
To increase the number of contributions, we'll need to document this process.
A few things that should likely be included:
- Does the provider offer multiple environments? (e.g production, development, staging). If so, the provider MUST have multiple
<Environment />
nodes with the corresponding configuration.- Does the provider expose a configuration document for the supported environments? If so, the provider MUST use discovery instead of static configuration for all environments that support it.
- If static configuration is used, does the provider support PKCE?
- If static configuration is used, does the provider require using
client_secret_basic
?- Does the provider require custom code to accommodate to non-standard behaviors?
No response
We're still on DocFX 2.24, which is a bit old now. We should migrate to 2.54, which is the latest version.
Using web providers such as Github is barely documented. In the Contributing a new Web provider, it quickly mentions how to test it's hard to know what to do just for that. On Github it seems like no projects use the web providers (sourcegraph).
Here are the questions I've asked myself when reading trying to use web providers with open iddict:
identity_provider
?identity_provider=steam
?No response
OpenIddict RC2 will include schema changes and will require updating columns in the applications and authorizations tables. That can be simplified using a tiny script that should be included in the how-to:
private async Task UpdateOpenIddictTablesAsync(IServiceProvider services)
{
using (var scope = services.GetRequiredService<IServiceScopeFactory>().CreateScope())
{
var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
await context.Database.EnsureCreatedAsync();
foreach (var application in context.Set<OpenIddictApplication>())
{
// Convert the space-separated PostLogoutRedirectUris values to JSON.
if (!string.IsNullOrEmpty(application.PostLogoutRedirectUris) && application.PostLogoutRedirectUris[0] != '[')
{
application.PostLogoutRedirectUris = new JArray(application.PostLogoutRedirectUris.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries)).ToString(Formatting.None);
}
// Convert the space-separated RedirectUris values to JSON.
if (!string.IsNullOrEmpty(application.RedirectUris) && application.RedirectUris[0] != '[')
{
application.RedirectUris = new JArray(application.RedirectUris.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries)).ToString(Formatting.None);
}
if (string.IsNullOrEmpty(application.Permissions))
{
application.Permissions = new JArray(OpenIddictConstants.Permissions.Wildcard).ToString(Formatting.None);
}
}
foreach (var authorization in context.Set<OpenIddictAuthorization>())
{
// Convert the space-separated Scopes to JSON.
if (!string.IsNullOrEmpty(authorization.Scopes) && authorization.Scopes[0] != '[')
{
authorization.Scopes = new JArray(authorization.Scopes.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries)).ToString(Formatting.None);
}
}
await context.SaveChangesAsync();
}
}
Add a simple device flow sample. If I figure it, I'll setup a pull request..
Things like sliding expiration, reference tokens, rolling tokens, opaque/JWT tokens should be explained in a dedicated page.
We're getting close to 4.0 RTM, so we'll need to work on a migration guide listing the major changes between 3.x and 4.x.
No response
OpenIddict 3.0 returns error_uri
s containing a link to this repository. We should progressively document all the errors returned by the server and validation stacks.
Example of a link: https://documentation.openiddict.com/errors/ID2093
Many steps are not specific to OpenIddict (like how to add a certificate to the Windows Certificates Store), but folks who are not familiar with this procedure might be blocked or afraid to do things incorrectly.
Consider adding a how-to guide indicating how to deploy an OpenIddict-based application.
openiddict/openiddict-core#1690 (comment)
No response
Hi @PinpointTownes ,
I want to start looking into generating the API documentation for the OpenIddict assemblies. Docfx can generate metadata for the classes in a project from the source code, and then subsequently generate the docs from that.
In the case of OpenIddict, the docs repo (this current repo) lives separately from the actual source code of the project (openiddict/openiddict-core), so for the CI server to build the docs correctly, we will somehow need to be able to reference the source code file from this repo.
Two quick options that comes to mind:
The first option would be most seamless probably to other people who want to contribute to this repo. The second option would mean that when people want to build the docs on their own computer, they need to manually clone the openiddict-core repo as well to the same relative path as the AppVeyor build script does, so docfx can reference those file correctly locally.
I am sure you probably have some other questions and perhaps another suggestion to handle this, so this is just to kick off the discussion
2 goals:
Describe how to use the correct overloads when using a custom key type or custom entities derived from the default entities.
Add a few hints about you can create custom stores when opting for custom entities that don't derive from the built-in ones.
(opened on behalf of Weston Weems)
Enabling the degraded mode has multiple effects that should be listed in the documentation:
// Explicitly disable all the features that are implicitly excluded when the degraded mode is active.
if (options.EnableDegradedMode)
{
options.DisableAuthorizationStorage = options.DisableTokenStorage = options.DisableRollingRefreshTokens = true;
options.IgnoreEndpointPermissions = options.IgnoreGrantTypePermissions = true;
options.IgnoreResponseTypePermissions = options.IgnoreScopePermissions = true;
options.UseReferenceAccessTokens = options.UseReferenceRefreshTokens = false;
}
No response
The documentation for EF Core can be reused but the "custom key type" will differ as EF 6.x doesn't support generic entities (non-generic custom entities are required for this scenario to work): https://documentation.openiddict.com/integrations/entity-framework-core.html
We should update the home page with at least a description of what OpenIddict consists in, a few links to the samples we have and probably some other things like a contact info or a link to the OpenID Connect specification.
/cc @jerriep
I have been looking for information related to this process, but it seems to be rather piecemeal between the OpenIddict docs themselves (which are a good jumping off point) and searching for information in StackOverflow/github.
I would like there to be some kind of document about the basic process for migrating from ASOS to using OpenIddict. Highlighting the things that are no longer relevant, or what the new versions of the old stuff was.
I am trying to go through this process during the process of updating an OpenIdConnect server built on Net Framework and ASOS (a very early version of ASOS) to work on net5.0 and OpenIddict.
I would be happy to contribute to such a document in any way I can as I am going through this process.
In case it is easier to just answer some questions outright rather than creating (and maintaining) this proposed migration document, I'm going to include my current set of questions/problems:
OpenIdConnectServerProvider
-derived class that was being used on Net Framework. There's some custom code in there that hooks into the process, and I'm trying to evaluate whether that code just needs to move into a new abstraction that OpenIddict has, or if it can be removed entirely.
client_id
parameter, and then verify the client_secret
, and any redirect_uri
s (including logout redirect_uri
).
client_secret
that is being stored at rest, we would need to apply that process to the incoming client_secret
in order to properly match.Our metadata action currently points to the .cs
files to work around a limitation in DocFX, that doesn't seem to support MSBuild SDKs (yet OpenIddict uses Arcade).
Sadly this comes with annoying limitations and many references are currently not correctly resolved.
4.x
We are deploying our .net core 6 web app to Azure App Service environment.
I followed the guidelines from https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-certificate-recommended-for-production-ready-scenarios to generate two self-signed RSA certificates, uploaded it to Azure app service and added/set appsetting/configuration WEBSITE_LOAD_CERTIFICATES to *.
In the StartUp.cs, I added these lines:
options.AddEncryptionCertificate("cert-thumbprint-1", StoreName.My, StoreLocation.CurrentUser);
options.AddSigningCertificate("cert-thumbprint-2", StoreName.My, StoreLocation.CurrentUser);
However, there seems to be an issue with options.AddSigningCertificate, because when it is present the site gives error: HTTP Error 500.30 - ASP.NET Core app failed to start
When I remove that line and leave the line "options.AddEncryptionCertificate ...", the error message is: "InvalidOperationException: At least one asymmetric signing key must be registered in the OpenIddict server options.."
Do you have any suggestion on how I should go about adding the signing certificate? I have verified in a separate test web app that both certificates are accessible.
Thank you.
Fely Naval
Computer Packages Inc.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.