Re: [dotnetopenauth] Resource Server cannot validate signature properly when deployed


Andrew Arnott

Jul 26, 2012, 9:34:48 PM
to dotnet...@googlegroups.com
I'm not too familiar with how your KeyContainerName works.  Are you certain that you're not deriving two new keys for each of these servers?  Have you verified that the resource server and authorization server are sharing keys rather than creating their own?

That's the only idea I have so far.

On Thursday, July 26, 2012, Brad Laney wrote:
So I had everything working just fine, locally, with resource server and auth server on the same box.

I deployed the auth server and resource server code to a deployment box (the same box).

Now I get errors saying that "Message signature was incorrect". From the samples, the method erroring is VerifyOAuth2():

    return resourceServer.GetPrincipal(httpDetails, requestUri, requiredScopes);

I changed my keys to be:

--Auth Server--

    private static readonly RSAParameters ResourceServerEncryptionPublicKey = GetSigningKey("OAuthResourceServerEncryptionKey", false);

    private static RSAParameters CreateAuthorizationServerSigningKey()
    {
        return GetSigningKey("OAuthAuthorizationServerSigningKey", true);
    }

    private static RSAParameters GetSigningKey(string containerName, bool includePrivate)
    {
        // This is how you could generate your own public/private key pair.
        // As we generate a new random key, we need to set the UseMachineKeyStore flag so that this doesn't
        // crash on IIS. For more information:
        var cspParameters = new CspParameters();
        cspParameters.KeyContainerName = containerName;
        cspParameters.Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore;
        var keyPair = new RSACryptoServiceProvider(cspParameters);

        // After exporting the private/public key information, read the information out and store it somewhere
        var key = keyPair.ExportParameters(includePrivate);

        // Ultimately the private key information must be what is returned through the AccessTokenSigningPrivateKey property.
        return key;
    }

--Resource server--

    public static readonly RSAParameters AuthorizationServerSigningPublicKey = GetSigningKey("OAuthAuthorizationServerSigningKey", false);
    internal static readonly RSAParameters ResourceServerEncryptionPrivateKey = GetSigningKey("OAuthResourceServerEncryptionKey", true);


Method GetSigningKey is the same in both instances.

I output the following to a file on the resource server, and everything matches the auth server (it's the same server).
Inside the VerifyOAuth2 method:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name
    signxml = signing.ToXmlString(true);
    encryptxml = encrypting.ToXmlString(true);

I ran the commands to give access to the windows identity to those two RSA key containers, i.e.:

    aspnet_regiis -pa "OAuthResourceServerEncryptionKey" "bradl"

In my web.config on the resource server I put <identity impersonate="false"> just for safety, and
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"></serviceHostingEnvironment> so the WCF example can run under IIS.

Anyone have ideas? 

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/8lyfxuGIHpEJ.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
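One way to answer Andrew's question (are both processes really reading the same key containers, or is each quietly minting its own pair?) is the added example below. It is not code from the thread or from DotNetOpenAuth: it opens each container with UseExistingKey, so a missing or inaccessible container throws instead of silently creating a new key, and prints a public-key fingerprint that can be compared between the auth server and the resource server. The container names are the ones from Brad's post; the class and method names are illustrative.

```csharp
using System;
using System.Security.Cryptography;

// Added diagnostic, not part of the original thread or of DotNetOpenAuth.
static class KeyContainerCheck
{
    // Open a named key in the machine store and refuse to create one.
    // Without UseExistingKey, RSACryptoServiceProvider generates a fresh key pair
    // whenever the container is missing or not readable by the current identity,
    // which is exactly how two processes end up with different keys.
    public static RSAParameters OpenExisting(string containerName, bool includePrivate)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        // Throws CryptographicException ("Keyset does not exist") if the container is absent or inaccessible.
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            return rsa.ExportParameters(includePrivate);
        }
    }

    // SHA-256 over modulus || exponent: a short value that is safe to log and compare across servers.
    public static string Fingerprint(RSAParameters p)
    {
        using (var sha = SHA256.Create())
        {
            var input = new byte[p.Modulus.Length + p.Exponent.Length];
            Buffer.BlockCopy(p.Modulus, 0, input, 0, p.Modulus.Length);
            Buffer.BlockCopy(p.Exponent, 0, input, p.Modulus.Length, p.Exponent.Length);
            return BitConverter.ToString(sha.ComputeHash(input)).Replace("-", "");
        }
    }

    static void Main()
    {
        // Run this under the same identity as each web application (e.g. via a diagnostic page).
        Console.WriteLine("Running as: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        foreach (var name in new[] { "OAuthAuthorizationServerSigningKey", "OAuthResourceServerEncryptionKey" })
        {
            try
            {
                Console.WriteLine(name + " -> " + Fingerprint(OpenExisting(name, includePrivate: false)));
            }
            catch (CryptographicException ex)
            {
                // Either the container was never created or this identity lacks an ACL on it (see aspnet_regiis -pa).
                Console.WriteLine(name + " -> NOT ACCESSIBLE: " + ex.Message);
            }
        }
    }
}
```

If the two fingerprints for a container differ between the processes, or one side reports NOT ACCESSIBLE, the servers are not sharing keys and the signature check will fail regardless of the OAuth configuration.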

Brad Laney

Jul 27, 2012, 11:56:28 AM
to dotnet...@googlegroups.com
I figured out a solution to the problem; it's so finicky. Seems like some kind of internal caching in Windows or something.

I ended up just installing them via command line and giving them access to the asp.net processes.

Thanks.

Andrew Arnott

Jul 28, 2012, 9:27:03 AM
to dotnet...@googlegroups.com
Thanks for sharing, Brad.  That sounds like a great blog post, if you have time.
