From 517e0e9d19b2cbf8d6daaffa0d2debeb7fe4549a Mon Sep 17 00:00:00 2001
From: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com>
Date: Wed, 11 Oct 2023 14:15:08 +0200
Subject: [PATCH] Removing dev certificates and adding enc and signing keys that are required by OpenIddict but won't be used when we calling UseDataProtection() (#14958)

---
 .../UmbracoBuilderAuthExtensions.cs | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
index c315d545c0..233630107d 100644
--- a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
+++ b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
@@ -1,4 +1,6 @@
+using System.Security.Cryptography;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
 using Umbraco.Cms.Api.Common.Security;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.DependencyInjection;
@@ -50,14 +52,6 @@ public static class UmbracoBuilderAuthExtensions
                     .RequireProofKeyForCodeExchange()
                     .AllowRefreshTokenFlow();
 
-                // Register the encryption and signing credentials.
-                // - see https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
-                options
-                    // TODO: use actual certificates here, see docs above
-                    .AddDevelopmentEncryptionCertificate()
-                    .AddDevelopmentSigningCertificate()
-                    .DisableAccessTokenEncryption();
-
                 // Register the ASP.NET Core host and configure for custom authentication endpoint.
                 options
                     .UseAspNetCore()
@@ -79,6 +73,19 @@ public static class UmbracoBuilderAuthExtensions
                 // and https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0
                 // for more information
                 options.UseDataProtection();
+
+                // Register encryption and signing credentials to protect tokens.
+                // Note that for tokens generated/validated using ASP.NET Core Data Protection,
+                // a separate key ring is used, distinct from the credentials discussed in
+                // https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                // More details can be found here: https://github.com/openiddict/openiddict-core/issues/1892#issuecomment-1737308506
+                // "When using ASP.NET Core Data Protection to generate opaque tokens, the signing and encryption credentials
+                // registered via Add*Key/Certificate() are not used". But since OpenIddict requires the registration of such,
+                // we can generate random keys per instance without them taking effect.
+                // - see also https://github.com/openiddict/openiddict-core/issues/1231
+                options
+                    .AddEncryptionKey(new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32))) // generate a cryptographically secure random 256-bits key
+                    .AddSigningKey(new RsaSecurityKey(RSA.Create(keySizeInBits: 2048))); // generate RSA key with recommended size of 2048-bits
             })
 
             // Register the OpenIddict validation components.
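Review bot: The added comment states that the per-instance random keys never take effect, but that only holds for token formats handled by Data Protection; OpenIddict always emits identity tokens as JWTs, so if the openid scope is ever granted by this server those tokens would be signed with an RSA key that is regenerated on every process start and differs per node, and would fail validation after a restart or behind a load balancer. Whether this server ever issues an identity token is not visible in the hunk, so either rule it out explicitly in the comment or register a persisted signing credential for that case. I would add `// NOTE: only tokens in the Data Protection format bypass these keys; identity tokens are still JWTs and would be signed with this ephemeral RSA key` directly above the `options` call. Separately, `RSA.Create(keySizeInBits: 2048)` returns an IDisposable that nothing owns, which is acceptable for an application-lifetime credential, but a short comment saying so would stop a later cleanup from wrapping it in a `using` and handing RsaSecurityKey a disposed instance. The enclosing AddServer lambda starts outside the hunk.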