
added KeyContainer for storing RSA keys

Open nordbo opened this issue 9 years ago • 5 comments

Hi. I've updated the code, using a KeyContainer to store the RSA keys. If the keyset does not exist, they are created, and if they exist they are obtained from the container. See https://msdn.microsoft.com/en-us/library/tswxhw92(v=vs.110).aspx for more information.

nordbo, Jan 03 '16 18:01
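The get-or-create pattern the pull request describes, as an added example that is not the PR's own code: an RSA pair is opened from a named CSP key container (created on first use), and a second instance opened later by the same name reuses it to verify. It assumes Windows with the .NET Framework CSP provider; the container name and the sample payload are placeholders, and a key container is local to one machine (or user profile), so separate servers would each hold their own key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class KeyContainerSigner
{
    // Opens the container if it exists, otherwise generates a 2048-bit pair in it.
    public static RSACryptoServiceProvider GetOrCreateKey(string containerName)
    {
        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            // Machine-wide store, so the IIS app-pool identity finds the same key
            // regardless of which user profile happens to be loaded.
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        // With a container name set, PersistKeyInCsp defaults to true, so the key
        // survives Dispose() and process restarts. The size is ignored if the
        // container already holds a key.
        return new RSACryptoServiceProvider(2048, cp);
    }

    public static byte[] Sign(string containerName, string payload)
    {
        using (var rsa = GetOrCreateKey(containerName))
            return rsa.SignData(Encoding.UTF8.GetBytes(payload),
                                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static bool Verify(string containerName, string payload, byte[] signature)
    {
        using (var rsa = GetOrCreateKey(containerName))
            return rsa.VerifyData(Encoding.UTF8.GetBytes(payload), signature,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        const string container = "ExampleTokenSigningKey";      // placeholder name
        var token = "{\"sub\":\"alice\",\"exp\":1451865600}";   // constructed sample payload
        byte[] sig = Sign(container, token);
        // Independently opened instance: same container, so the persisted key verifies.
        Console.WriteLine(Verify(container, token, sig));
        // A tampered payload must not verify against the same signature.
        Console.WriteLine(Verify(container, token + " ", sig));
    }
}
```

To remove the key deliberately (for rotation or cleanup), set `rsa.PersistKeyInCsp = false` before calling `rsa.Clear()`; otherwise the container outlives every instance that opened it.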

Interesting! I have been trying something similar out in this branch but yours is a much more straightforward way of reaching the same result.

I'll have a look and see if I can combine your approach with what I've done in that branch.

mrsheepuk, Jan 04 '16 13:01

Out of curiosity, how does this work if used on an elastic scalable web service on azure? Multiple machines should use the same private key to sign and validate tokens, right?

bragma, Jan 07 '16 15:01

Yes, absolutely @bragma, which is why the strategy used in this pull request (or my branch) would work if used on a single machine, or in a situation where the data protection API has been set up to share keys across multiple machines (see the documentation here for info on how this would need to be configured; I've not tried it though).

mrsheepuk, Jan 07 '16 15:01

@bragma I've just noticed that, specifically in the case of Azure, the default DPAPI configuration should handle this, so this may well "just work"; see the docs for the default settings here, specifically:

If the system is being hosted in Azure Web Sites, keys are persisted to the “%HOME%\ASP.NET\DataProtection-Keys” folder. This folder is backed by network storage and is synchronized across all machines hosting the application. Keys are not protected at rest.

mrsheepuk, Jan 07 '16 17:01

The only problem with this @nordbo is that I suspect when the key rollover occurs (by default every 90 days), the signature verification will fail, so, in effect, all logged-in users will be logged out. I think you'd need to use the DPAPI to "unprotect" in a custom validator for checking the signature, but I've not worked out how that should be done yet.

I may have misunderstood how the whole thing works though, any ideas? I'll try and run a few tests to see if my suspicion is correct on this one.

mrsheepuk, Jan 07 '16 18:01