dotnet/aspnetcore

Log decryption failures

Open

#4,651 opened on Jun 1, 2018

View on GitHub
 (2 comments) (0 reactions) (0 assignees)C# (37,933 stars) (10,653 forks)batch import
affected-mediumarea-authenhancementhelp wantedseverity-minor

Description

"Correlation failed" is one of the most common failures in OIDC or OAuth flows. Many of the things that can go wrong here happen on the client and can't be traced from the server. However there's one scenario where everything does flow back to the server and the server fails to decrypt the values. This can happen in a multi-node environment with misconfigured dataprotection (RE: https://github.com/aspnet/Security/issues/1755). We can highlight this by logging decryption failures in OAuth, OIDC, and CookieAuth.

Contributor guide

Tech stack
csharp
Domain
authenticationsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
ASP.NET Core middlewareOAuth 2.0 / OIDCASP.NET Core Data Protection
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
50
Research direction
Investigate the codebase for places where decryption failures occur in OAuth, OIDC, and CookieAuth handlers. Look at the referenced issue #1755 for context. Implement logging for decryption failures, possibly by adding custom exception handling in the authentication middleware. Consider adding a log message with details about the decryption failure and the cookie name or token identifier.
Log decryption failures · dotnet/aspnetcore#4651 | Good First Issue