Update the introspection middleware to encrypt authentication tickets before storing them in the distributed cache

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -292,7 +292,7 @@ protected virtual Task<AuthenticationTicket> CreateTicketAsync(JObject payload)
         }
 
         protected virtual Task StoreTicketAsync(string token, AuthenticationTicket ticket) {
-            var bytes = Options.TicketSerializer.Serialize(ticket);
+            var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));
             Debug.Assert(bytes != null);
 
             return Options.Cache.SetAsync(token, bytes, new DistributedCacheEntryOptions {
@@ -308,7 +308,7 @@ protected virtual async Task<AuthenticationTicket> RetrieveTicketAsync(string to
                 return null;
             }
 
-            return Options.TicketSerializer.Deserialize(bytes);
+            return Options.AccessTokenFormat.Unprotect(Encoding.UTF8.GetString(bytes));
         }
     }
 }

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs

@@ -9,6 +9,7 @@
 using System.Text.Encodings.Web;
 using JetBrains.Annotations;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
@@ -21,7 +22,8 @@ public OAuthIntrospectionMiddleware(
             [NotNull] IOptions<OAuthIntrospectionOptions> options,
             [NotNull] ILoggerFactory loggerFactory,
             [NotNull] UrlEncoder encoder,
-            [NotNull] IDistributedCache cache)
+            [NotNull] IDistributedCache cache,
+            [NotNull] IDataProtectionProvider dataProtectionProvider)
             : base(next, options, loggerFactory, encoder) {
             if (string.IsNullOrEmpty(Options.Authority) &&
                 string.IsNullOrEmpty(Options.IntrospectionEndpoint)) {
@@ -33,6 +35,18 @@ public OAuthIntrospectionMiddleware(
                 throw new ArgumentException("Client credentials must be configured.", nameof(options));
             }
 
+            if (Options.DataProtectionProvider == null) {
+                Options.DataProtectionProvider = dataProtectionProvider;
+            }
+
+            if (Options.AccessTokenFormat == null) {
+                var protector = Options.DataProtectionProvider.CreateProtector(
+                    nameof(OAuthIntrospectionMiddleware),
+                    Options.AuthenticationScheme, "Access_Token", "v1");
+
+                Options.AccessTokenFormat = new TicketDataFormat(protector);
+            }
+
             if (Options.Cache == null) {
                 Options.Cache = cache;
             }

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -8,6 +8,7 @@
 using System.Net.Http;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Caching.Distributed;
 
 namespace AspNet.Security.OAuth.Introspection {
@@ -62,9 +63,17 @@ public OAuthIntrospectionOptions() {
         public ISystemClock SystemClock { get; set; } = new SystemClock();
 
         /// <summary>
-        /// Gets or sets the serializer used to serialize and deserialize
+        /// Gets or sets the data format used to serialize and deserialize
         /// the authenticated tickets stored in the distributed cache.
         /// </summary>
-        public IDataSerializer<AuthenticationTicket> TicketSerializer { get; set; } = new TicketSerializer();
+        public ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the data protection provider used to create the default
+        /// data protectors used by <see cref="OAuthIntrospectionMiddleware"/>.
+        /// When this property is set to <c>null</c>, the data protection provider
+        /// is directly retrieved from the dependency injection container.
+        /// </summary>
+        public IDataProtectionProvider DataProtectionProvider { get; set; }
     }
 }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -286,7 +286,7 @@ protected virtual Task<AuthenticationTicket> CreateTicketAsync(JObject payload)
         }
 
         protected virtual Task StoreTicketAsync(string token, AuthenticationTicket ticket) {
-            var bytes = Options.TicketSerializer.Serialize(ticket);
+            var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));
             Debug.Assert(bytes != null);
 
             return Options.Cache.SetAsync(token, bytes, new DistributedCacheEntryOptions {
@@ -302,7 +302,7 @@ protected virtual async Task<AuthenticationTicket> RetrieveTicketAsync(string to
                 return null;
             }
 
-            return Options.TicketSerializer.Deserialize(bytes);
+            return Options.AccessTokenFormat.Unprotect(Encoding.UTF8.GetString(bytes));
         }
     }
 }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs

@@ -7,11 +7,15 @@
 using System;
 using System.Net.Http;
 using JetBrains.Annotations;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Owin;
+using Microsoft.Owin.BuilderProperties;
 using Microsoft.Owin.Security.Infrastructure;
+using Microsoft.Owin.Security.Interop;
 
 namespace Owin.Security.OAuth.Introspection {
     public class OAuthIntrospectionMiddleware : AuthenticationMiddleware<OAuthIntrospectionOptions> {
@@ -30,6 +34,39 @@ public OAuthIntrospectionMiddleware(
                 throw new ArgumentException("Client credentials must be configured.", nameof(options));
             }
 
+            if (options.DataProtectionProvider == null) {
+                // Create a new DI container and register
+                // the data protection services.
+                var services = new ServiceCollection();
+
+                services.AddDataProtection(configuration => {
+                    // Try to use the application name provided by
+                    // the OWIN host as the application discriminator.
+                    var discriminator = new AppProperties(app.Properties).AppName;
+
+                    // When an application discriminator cannot be resolved from
+                    // the OWIN host properties, generate a temporary identifier.
+                    if (string.IsNullOrEmpty(discriminator)) {
+                        discriminator = Guid.NewGuid().ToString();
+                    }
+
+                    configuration.ApplicationDiscriminator = discriminator;
+                });
+
+                var container = services.BuildServiceProvider();
+
+                // Resolve a data protection provider from the services container.
+                options.DataProtectionProvider = container.GetRequiredService<IDataProtectionProvider>();
+            }
+
+            if (options.AccessTokenFormat == null) {
+                var protector = Options.DataProtectionProvider.CreateProtector(
+                    nameof(OAuthIntrospectionMiddleware),
+                    Options.AuthenticationType, "Access_Token", "v1");
+
+                options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
+            }
+
             if (options.Cache == null) {
                 options.Cache = new MemoryDistributedCache(new MemoryCache(new MemoryCacheOptions {
                     CompactOnMemoryPressure = true

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -6,11 +6,11 @@
 
 using System.Collections.Generic;
 using System.Net.Http;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Security;
-using Microsoft.Owin.Security.DataHandler.Serializer;
 
 namespace Owin.Security.OAuth.Introspection {
     public class OAuthIntrospectionOptions : AuthenticationOptions {
@@ -70,9 +70,15 @@ public OAuthIntrospectionOptions()
         public ISystemClock SystemClock { get; set; } = new SystemClock();
 
         /// <summary>
-        /// Gets or sets the serializer used to serialize and deserialize
+        /// Gets or sets the data format used to serialize and deserialize
         /// the authenticated tickets stored in the distributed cache.
         /// </summary>
-        public IDataSerializer<AuthenticationTicket> TicketSerializer { get; set; } = new TicketSerializer();
+        public ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the data protection provider used to create the default
+        /// data protectors used by <see cref="OAuthIntrospectionMiddleware"/>.
+        /// </summary>
+        public IDataProtectionProvider DataProtectionProvider { get; set; }
     }
 }

src/Owin.Security.OAuth.Introspection/project.json

@@ -31,13 +31,14 @@
     "JetBrains.Annotations": { "type": "build", "version": "10.1.2-eap" },
     "Microsoft.Extensions.Caching.Memory": "1.0.0-*",
     "Microsoft.Extensions.Logging": "1.0.0-*",
-    "Microsoft.Owin.Security": "3.0.1",
+    "Microsoft.Owin.Security.Interop": "1.0.0-*",
     "Newtonsoft.Json": "8.0.3"
   },
 
   "frameworks": {
     "net451": {
       "frameworkAssemblies": {
+        "System.ComponentModel": { "type": "build" },
         "System.Net.Http": "4.0.0.0",
         "System.Runtime": { "type": "build" },
         "System.Threading.Tasks": { "type": "build" }