What to do since Auth0.OpenIdConnectSigningKeyResolve is now unlisted?

Hi,

I am trying to update a .NET Framework API layer to use access tokens (previously it utilized the ID token and the /ro endpoint, and I want to use the /oauth/token endpoint).

I am trying to follow the Auth0 ASP.NET Web API (OWIN) SDK Quickstarts: Authorization guide listed here, and am now having issues. I think I must’ve had the DLL locally at one time, because it was able to build locally, but then via CI/CD it started erroring with missing DLLs.

After investigation I found that the NuGet package “Auth0.OpenIdConnectSigningKeyResolver” is unlisted now, which I assume is the issue. The GitHub project (GitHub - auth0/auth0-aspnet-owin: Auth0 ASP.NET 4.5 Owin/Katana Authentication Handler) mentions using the Auth0 ASP.NET (OWIN) SDK Quickstarts: Login guide, but this appears to be for MVC projects utilizing OpenID, which I don’t think is my case.

Any recommendations on how to use .NET Framework with just access token authentication? Thanks!

Edit: Another idea would be to pull the code down from GitHub locally into the project. Is this too risky until I can migrate to .NET Core?

2 Likes

I was hoping to see an answer to this since I am running into the same problem. My plan, for now, is to create a local version of just this: auth0-aspnet-owin/src/Auth0.Owin.OpenIdConnectSigningKeyResolver at master · auth0/auth0-aspnet-owin · GitHub, and reference that in my projects.
My limited understanding of the security concerns around the project makes me believe that they apply to the other portion of the package, as the security notice involves interaction with the client and the OpenIdConnectSigningKeyResolver portion does not interact with the client.

Also looking for direction here. Looking to secure a .NET Web API project still on .NET 4.6.

I was wondering why the Auth0.OpenIdConnectSigningKeyResolver package was unlisted if it does not cause any security issue.

The quick start guide for securing an API with ASP.NET Web API (OWIN) still recommends using this package.

The security notice recommends following the ASP.NET (OWIN) guide, but it does seem to relate to ASP.NET MVC and not ASP.NET Web API, and does not seem appropriate for an API.

Should we still use this package even though it is unlisted?

1 Like

Hey everyone!

Let me research that for you! It seems that there’s some misunderstanding around that in our docs.

4 Likes

Anyone found a workaround? @Auth0 any best practices to suggest?

1 Like

Hey there, I sent the message to the tool maintainers. As soon as I have any info from them I will share it here!

1 Like

Any news so far? I need this to be able to build my proof of concept using Auth0. Thanks!

1 Like

Hey there! The internal ticket I opened is now in the hands of our security team. I asked them how you should proceed, keeping all the context you provided in mind.

Got the info back from our Security Team.

The SigningKeyResolver class itself is not vulnerable; however, it’s simply a (utility) wrapper class.
It was never intended to be the core reason for using this package. The best approach is to simply customize:

to individual needs if you’d really like to use a key resolver.

1 Like
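For readers who take the "customize your own key resolver" route instead of referencing the unlisted package, here is an added example (not code from this thread or from Auth0's auth0-aspnet-owin project) that wires the OWIN JwtBearer middleware to a resolver built on Microsoft.IdentityModel's ConfigurationManager, which fetches and caches the tenant's JWKS and refreshes it once when an unknown `kid` shows up after a key rotation. The tenant domain, the API identifier, and the package versions (Microsoft.Owin.Security.Jwt 4.x with Microsoft.IdentityModel.Protocols.OpenIdConnect 5.x) are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    // Placeholder values (assumed): your Auth0 tenant domain and the API identifier
    // that access tokens issued by /oauth/token carry in their "aud" claim.
    const string Domain = "https://YOUR_TENANT.auth0.com/";
    const string ApiIdentifier = "https://your-api-identifier";

    public void Configuration(IAppBuilder app)
    {
        // Discovery document and JWKS are fetched lazily, cached and refreshed on a
        // timer by ConfigurationManager; RequireHttps rejects plain-HTTP metadata URLs.
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            Domain + ".well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true });

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = Domain,            // rejects tokens from other tenants
                ValidAudience = ApiIdentifier,   // rejects ID tokens and other APIs' tokens
                ValidateIssuerSigningKey = true,
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                    ResolveKeys(configManager, kid)
            }
        });
    }

    static IEnumerable<SecurityKey> ResolveKeys(
        ConfigurationManager<OpenIdConnectConfiguration> cm, string kid)
    {
        for (var attempt = 0; attempt < 2; attempt++)
        {
            var keys = cm.GetConfigurationAsync(CancellationToken.None).GetAwaiter()
                .GetResult().SigningKeys.Where(k => k.KeyId == kid).ToList();
            if (keys.Count > 0) return keys;
            // Unknown kid usually means the tenant rotated its signing key: force one
            // refresh of the cached JWKS and retry instead of failing outright.
            cm.RequestRefresh();
        }
        return Enumerable.Empty<SecurityKey>();
    }
}
```

Returning an empty key set makes the middleware reject the token, so a request signed with a key that is not in the tenant's JWKS fails validation rather than being accepted unsigned.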

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.