Ticket #458 : Can create FAPI client

habarthierry-hue · habarthierry-hue · commit 869131ff590d · 2023-03-20T16:53:11.000+01:00
diff --git a/src/IdServer/SimpleIdServer.IdServer.Startup/IdServerConfiguration.cs b/src/IdServer/SimpleIdServer.IdServer.Startup/IdServerConfiguration.cs
@@ -30,8 +30,8 @@ public class IdServerConfiguration
 
         public static ICollection<Client> Clients => new List<Client>
         {
-            ClientBuilder.BuildTraditionalWebsiteClient("website", "password", null, "https://localhost.com:5001/signin-oidc").SetClientName("Website").SetClientLogoUri("https://cdn.logo.com/hotlink-ok/logo-social.png").AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).Build(),
-            ClientBuilder.BuildExternalAuthDeviceClient("bankWebsite", "password", null, "https://localhost.com:5001/signin-oidc").SetClientName("Bank Website").AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).Build(),
+            ClientBuilder.BuildTraditionalWebsiteClient("website", "password", null, "https://localhost:5001/signin-oidc", "https://localhost.com:5001/signin-oidc").SetClientName("Website").SetClientLogoUri("https://cdn.logo.com/hotlink-ok/logo-social.png").AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).Build(),
+            ClientBuilder.BuildExternalAuthDeviceClient("bankWebsite", "password", null, "https://localhost:5001/signin-oidc", "https://localhost.com:5001/signin-oidc").SetClientName("Bank Website").AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).Build(),
             WsClientBuilder.BuildWsFederationClient("urn:website").SetClientName("NAME").Build(),
             ClientBuilder.BuildUserAgentClient("oauth", "password", null, "https://oauth.tools/callback/code").AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).Build(),
             ClientBuilder.BuildTraditionalWebsiteClient("fapi", "password", null, "https://localhost:8443/test/(.*)").SetIdTokenSignedResponseAlg(SecurityAlgorithms.EcdsaSha256).SetRequestObjectSigning(SecurityAlgorithms.EcdsaSha256).SetSigAuthorizationResponse(SecurityAlgorithms.EcdsaSha256).AddScope(Constants.StandardScopes.OpenIdScope, Constants.StandardScopes.Profile).UseClientTlsAuthentication("CN=sidClient, O=Internet Widgits Pty Ltd, S=BE, C=BE").AddSigningKey(new SigningCredentials(PemImporter.Import(new PemResult("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK21CoKCA2Vk5zPM+7+vqtnrq4pIe\nsCLiWObLDFKKf3gJl0hll/ZTI5ww/oRrKIXO/uRe9AkckkKwqrqqXGnvsQ==\n-----END PUBLIC KEY-----", "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIDHtu+N0u38ZN7DF/TpycDfaUs8WfPGUB3UusR0uv3TVoAoGCCqGSM49\nAwEHoUQDQgAEK21CoKCA2Vk5zPM+7+vqtnrq4pIesCLiWObLDFKKf3gJl0hll/ZT\nI5ww/oRrKIXO/uRe9AkckkKwqrqqXGnvsQ==\n-----END EC PRIVATE KEY-----"), "keyId"), SecurityAlgorithms.EcdsaSha256), SecurityAlgorithms.EcdsaSha256, SecurityKeyTypes.ECDSA).Build()
diff --git a/src/IdServer/SimpleIdServer.IdServer.Startup/Program.cs b/src/IdServer/SimpleIdServer.IdServer.Startup/Program.cs
@@ -17,9 +17,11 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net;
 using System.Reflection;
 using System.Security.Cryptography;
 
+ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;
 var builder = WebApplication.CreateBuilder(args);
 builder.Services.Configure<KestrelServerOptions>(options =>
 {
@@ -129,7 +131,8 @@ void SeedData(WebApplication application)
 
             if(!dbContext.SerializedFileKeys.Any())
             {
-                dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateSigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master));
+                dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateRSASigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master, "rsa-1"));
+                dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateECDSASigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master, "ecdsa-1"));
                 dbContext.SerializedFileKeys.Add(WsFederationKeyGenerator.GenerateWsFederationSigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master));
             }
 
diff --git a/src/IdServer/SimpleIdServer.IdServer.Startup/Properties/launchSettings.json b/src/IdServer/SimpleIdServer.IdServer.Startup/Properties/launchSettings.json
@@ -5,7 +5,7 @@
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       },
-      "applicationUrl": "https://localhost:5001"
+      "applicationUrl": "https://localhost:5001;https://172.27.192.1:5001"
     }
   }
 }
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Pages/CertificateAuthorityClients.razor b/src/IdServer/SimpleIdServer.IdServer.Website/Pages/CertificateAuthorityClients.razor
@@ -103,26 +103,39 @@
         contextMenuService.Open(args, new List<ContextMenuItem>
         {
             new ContextMenuItem { Text = "Delete", Value = 1 },
-            new ContextMenuItem { Text = "Download", Value = 2 }
+            new ContextMenuItem { Text = "Download", Value = 2 },
+            new ContextMenuItem { Text= "View", Value = 3 }
         }, async (a) =>
     {
-    if (a.Value.Equals(1))
-    {
-        var caIds = searchCertificateClientsState.Value?.ClientCertificates.Where(c => c.IsSelected).Select(c => c.Value.Id)?.ToList();
-        if (!caIds.Contains(certificateAuthority.Value.Id)) caIds.Add(certificateAuthority.Value.Id);
-        var act = new RemoveSelectedClientCertificatesAction { CertificateClientIds = caIds, CertificateAuthorityId = CertificateAuthority.Id };
-        dispatcher.Dispatch(act);
-        contextMenuService.Close();
-    }
+        if (a.Value.Equals(1))
+        {
+            var caIds = searchCertificateClientsState.Value?.ClientCertificates.Where(c => c.IsSelected).Select(c => c.Value.Id)?.ToList();
+            if (!caIds.Contains(certificateAuthority.Value.Id)) caIds.Add(certificateAuthority.Value.Id);
+            var act = new RemoveSelectedClientCertificatesAction { CertificateClientIds = caIds, CertificateAuthorityId = CertificateAuthority.Id };
+            dispatcher.Dispatch(act);
+            contextMenuService.Close();
+        }
 
-    if (a.Value.Equals(2))
-    {
-        var memoryStream = new MemoryStream(certificateAuthority.Certificate.Export(X509ContentType.Pkcs12));
-        var fileName = $"{certificateAuthority.Value.Name}.pfx";
-        using var streamRef = new DotNetStreamReference(stream: memoryStream);
-        await JS.InvokeVoidAsync("downloadFileFromStream", fileName, streamRef);
-    }
-    });
+        if (a.Value.Equals(2))
+        {
+            var memoryStream = new MemoryStream(certificateAuthority.Certificate.Export(X509ContentType.Pkcs12));
+            var fileName = $"{certificateAuthority.Value.Name}.pfx";
+            using var streamRef = new DotNetStreamReference(stream: memoryStream);
+            await JS.InvokeVoidAsync("downloadFileFromStream", fileName, streamRef);
+        }
+
+        if (a.Value.Equals(3))
+        {
+            var dic = new Dictionary<string, object> { { "ClientCertificate", certificateAuthority.Value } };
+            await dialogService.OpenAsync<ViewClientCertificateDialog>("Client Certificate", dic, new DialogOptions
+                {
+                    Width = "700px",
+                    Height = "512px",
+                    Resizable = true,
+                    Draggable = true
+                });
+        }
+        });
     }
 
     async void AddCertificateClient()
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Shared/AddClientDialog.razor b/src/IdServer/SimpleIdServer.IdServer.Website/Shared/AddClientDialog.razor
@@ -124,6 +124,20 @@
                                 </p>
                                 <RadzenRequiredValidator Component="RedirectionUris" Text="At leat one redirection URL must be specified"></RadzenRequiredValidator>
                             </div>
+                            <div class="mb-1">
+                                <RadzenCheckBox @bind-Value=@websiteApplication.IsFAPICompliant TValue="bool" />
+                                <RadzenLabel Text="Compliant with FAPI1.0" Style="margin-left: 8px; vertical-align: middle;" />
+                            </div>
+                            @if (websiteApplication.IsFAPICompliant)
+                            {
+                                <RadzenText TextStyle="TextStyle.Subtitle2" TagName="TagName.H3">Subject Name</RadzenText>
+                                <RadzenTextBox Name="SubjectName" @bind-Value="@websiteApplication.SubjectName" Class="w-100"></RadzenTextBox>
+                                <p class="text-muted">
+                                    MTLS authentication is configured by default. <br/>
+                                    Subject Name is used to check the validity of the Client Certificate.
+                                </p>
+                            }
+
                             <RadzenButton class="mt-1" Variant="Variant.Flat" ButtonType="ButtonType.Submit" ButtonStyle="ButtonStyle.Success" Text="@(addClientState.Value.IsAdding ? "Adding..." : "Save")" Disabled="@(addClientState.Value.IsAdding)" />
                         </RadzenTemplateForm>
                         break;
@@ -231,6 +245,8 @@
         public string ClientIdentifier { get; set; } = null!;
         public string ClientSecret { get; set; } = null!;
         public string RedirectionUris { get; set; } = null!;
+        public string SubjectName { get; set; } = null!;
+        public bool IsFAPICompliant { get; set; } = false;
     }
 
     record MachineApplication
@@ -307,7 +323,7 @@
 
     void AddWebsiteApplication(WebsiteApplication websiteApplication)
     {
-        dispatcher.Dispatch(new AddWebsiteApplicationAction { ClientId = websiteApplication.ClientIdentifier, ClientName = websiteApplication.ClientName, RedirectionUrls = websiteApplication.RedirectionUris.Split(';'), ClientSecret = websiteApplication.ClientSecret });
+        dispatcher.Dispatch(new AddWebsiteApplicationAction { SubjectName = websiteApplication.SubjectName, IsFAPICompliant = websiteApplication.IsFAPICompliant, ClientId = websiteApplication.ClientIdentifier, ClientName = websiteApplication.ClientName, RedirectionUrls = websiteApplication.RedirectionUris.Split(';'), ClientSecret = websiteApplication.ClientSecret });
     }
 
     void AddMobileApplication(MobileApplication mobileApplication)
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Shared/ViewClientCertificateDialog.razor b/src/IdServer/SimpleIdServer.IdServer.Website/Shared/ViewClientCertificateDialog.razor
@@ -0,0 +1,19 @@
+﻿@using Fluxor.Blazor.Web.Components;
+@using SimpleIdServer.IdServer.Website.Resources;
+@using SimpleIdServer.IdServer.Website.Stores.CertificateAuthorityStore;
+
+<!-- Public Key -->
+<div>
+    <RadzenText TextStyle="TextStyle.Subtitle2" TagName="TagName.H3">Public Key</RadzenText>
+    <RadzenTextArea Rows=10 Name="PublicKey" @bind-Value="@ClientCertificate.PublicKey" Class="w-100"></RadzenTextArea>
+</div>
+<!-- Private Key -->
+<div>
+    <RadzenText TextStyle="TextStyle.Subtitle2" TagName="TagName.H3">Private Key</RadzenText>
+    <RadzenTextArea Rows=10 Name="PrivateKey" @bind-Value="@ClientCertificate.PrivateKey" Class="w-100"></RadzenTextArea>
+</div>
+
+@code {
+    [Parameter]
+    public ClientCertificate ClientCertificate { get; set; }
+}
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Shared/ViewClientCertificateDialog.razor.css b/src/IdServer/SimpleIdServer.IdServer.Website/Shared/ViewClientCertificateDialog.razor.css
@@ -0,0 +1 @@
+﻿
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Stores/CertificateAuthorityStore/CertificateAuthorityEffects.cs b/src/IdServer/SimpleIdServer.IdServer.Website/Stores/CertificateAuthorityStore/CertificateAuthorityEffects.cs
@@ -140,7 +140,7 @@ public async Task Handle(AddClientCertificateAction action, IDispatcher dispatch
         {
             var ca = await _certificateAuthorityRepository.Query().Include(c => c.ClientCertificates).FirstAsync(c => c.Id == action.CertificateAuthorityId);
             var certificate = _certificateAuthorityStore.Get(ca);
-            var pem = KeyGenerator.GenerateClientCertificate(certificate, action.SubjectName, action.NbDays, CancellationToken.None);
+            var pem = KeyGenerator.GenerateClientCertificate(certificate, action.SubjectName, action.NbDays);
             var record = new ClientCertificate
             {
                 Id = Guid.NewGuid().ToString(),
diff --git a/src/IdServer/SimpleIdServer.IdServer.Website/Stores/ClientStore/ClientEffects.cs b/src/IdServer/SimpleIdServer.IdServer.Website/Stores/ClientStore/ClientEffects.cs
@@ -98,6 +98,14 @@ public async Task Handle(AddWebsiteApplicationAction action, IDispatcher dispatc
                     .AddScope(scopes.ToArray());
                 if (!string.IsNullOrWhiteSpace(action.ClientName))
                     newClientBuilder.SetClientName(action.ClientName);
+                if(action.IsFAPICompliant)
+                {
+                    newClientBuilder.UseClientTlsAuthentication(action.SubjectName);
+                    newClientBuilder.SetSigAuthorizationResponse(SecurityAlgorithms.EcdsaSha256);
+                    newClientBuilder.SetIdTokenSignedResponseAlg(SecurityAlgorithms.EcdsaSha256);
+                    newClientBuilder.SetRequestObjectSigning(SecurityAlgorithms.EcdsaSha256);
+                }
+
                 var newClient = newClientBuilder.Build();
                 dbContext.Clients.Add(newClient);
                 await dbContext.SaveChangesAsync(CancellationToken.None);
@@ -474,6 +482,8 @@ public class AddWebsiteApplicationAction
         public string ClientId { get; set; } = null!;
         public string ClientSecret { get; set; } = null!;
         public string? ClientName { get; set; } = null;
+        public bool IsFAPICompliant { get; set; } = false;
+        public string? SubjectName { get; set; } = null;
     }
 
     public class AddMobileApplicationAction
diff --git a/src/IdServer/SimpleIdServer.IdServer.WsFederation/Auth/ConfigureWsFederationOptions.cs b/src/IdServer/SimpleIdServer.IdServer.WsFederation/Auth/ConfigureWsFederationOptions.cs
@@ -11,6 +11,12 @@ public class ConfigureWsFederationOptions : IPostConfigureOptions<WsFederationOp
     {
         public void PostConfigure(string name, WsFederationOptions options)
         {
+            var handler = new HttpClientHandler();
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => {
+                return true;
+            };
+            var httpClient = new HttpClient(handler);
+            options.Backchannel = httpClient;
             options.ConfigurationManager = new IdServerWsFederationConfigurationManager(options.MetadataAddress, new WsFederationConfigurationRetriever(),
                 new HttpDocumentRetriever(options.Backchannel) { RequireHttps = options.RequireHttpsMetadata });
         }
diff --git a/src/IdServer/SimpleIdServer.IdServer/Auth/ConfigureOpenIdOptions.cs b/src/IdServer/SimpleIdServer.IdServer/Auth/ConfigureOpenIdOptions.cs
@@ -4,6 +4,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using System.Net.Http;
 
 namespace SimpleIdServer.IdServer.Auth
 {
@@ -12,6 +13,12 @@ public class ConfigureOpenIdOptions : IPostConfigureOptions<OpenIdConnectOptions
     {
         public void PostConfigure(string name, OpenIdConnectOptions options)
         {
+            var handler = new HttpClientHandler();
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => {
+                return true; 
+            };
+            var httpClient = new HttpClient(handler);
+            options.Backchannel = httpClient;
             options.ConfigurationManager = new IdServerOpenIdConfigurationManager(options.Authority, new OpenIdConnectConfigurationRetriever(),
                 new HttpDocumentRetriever(options.Backchannel) { RequireHttps = options.RequireHttpsMetadata })
             {
diff --git a/src/IdServer/SimpleIdServer.IdServer/Auth/IdServerCookieAuthenticationHandler.cs b/src/IdServer/SimpleIdServer.IdServer/Auth/IdServerCookieAuthenticationHandler.cs
@@ -284,6 +284,7 @@ protected virtual async Task FinishResponseAsync()
                     GetCookieName()!,
                     cookieValue,
                     cookieOptions);
+
                 await ApplyHeaders(shouldRedirect: false, shouldHonorReturnUrlParameter: false, properties: properties);
             }
         }
@@ -362,16 +363,6 @@ protected override async Task HandleSignInAsync(ClaimsPrincipal user, Authentica
                 cookieValue,
                 signInContext.CookieOptions);
 
-            var realm = RealmContext.Instance().Realm;
-            if (!string.IsNullOrWhiteSpace(realm))
-            {
-                Options.CookieManager.AppendResponseCookie(
-                    Context,
-                    Constants.DefaultRealmCookieName,
-                    realm,
-                    cookieOptions);
-            }
-
             var signedInContext = new CookieSignedInContext(
                 Context,
                 Scheme,
diff --git a/src/IdServer/SimpleIdServer.IdServer/KeyGenerator.cs b/src/IdServer/SimpleIdServer.IdServer/KeyGenerator.cs
@@ -5,27 +5,42 @@
 using System;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
-using System.Threading;
 
 namespace SimpleIdServer.IdServer
 {
     public static class KeyGenerator
     {
-        public static SerializedFileKey GenerateSigningCredentials(Realm realm)
+        public static SerializedFileKey GenerateRSASigningCredentials(Realm realm, string keyid = "keyId", string alg = SecurityAlgorithms.RsaSha256)
         {
-            var rsa = RSA.Create();
-            var key = new RsaSecurityKey(rsa)
+            var sig = ClientKeyGenerator.GenerateRSASignatureKey(keyid, alg);
+            var pem = PemConverter.ConvertFromSecurityKey(sig.Key);
+            var result = new SerializedFileKey
             {
-                KeyId = "keyid"
+                Id = Guid.NewGuid().ToString(),
+                Alg = alg,
+                CreateDateTime = DateTime.UtcNow,
+                UpdateDateTime = DateTime.UtcNow,
+                KeyId = sig.Kid,
+                PrivateKeyPem = pem.PrivateKey,
+                PublicKeyPem = pem.PublicKey,
+                Usage = Constants.JWKUsages.Sig,
+                IsSymmetric = false
             };
-            var pem = PemConverter.ConvertFromSecurityKey(key);
+            result.Realms.Add(realm);
+            return result;
+        }
+
+        public static SerializedFileKey GenerateECDSASigningCredentials(Realm realm, string keyid = "keyId", string alg = SecurityAlgorithms.EcdsaSha256)
+        {
+            var sig = ClientKeyGenerator.GenerateECDsaSignatureKey(keyid, alg);
+            var pem = PemConverter.ConvertFromSecurityKey(sig.Key);
             var result = new SerializedFileKey
             {
                 Id = Guid.NewGuid().ToString(),
-                Alg = SecurityAlgorithms.RsaSha256,
+                Alg = alg,
                 CreateDateTime = DateTime.UtcNow,
                 UpdateDateTime = DateTime.UtcNow,
-                KeyId = key.KeyId,
+                KeyId = sig.Kid,
                 PrivateKeyPem = pem.PrivateKey,
                 PublicKeyPem = pem.PublicKey,
                 Usage = Constants.JWKUsages.Sig,
@@ -68,7 +83,7 @@ public static X509Certificate2 GenerateCertificateAuthority(string subjectName,
             }
         }
 
-        public static PemResult GenerateClientCertificate(X509Certificate2 ca, string subjectName, int nbValidDays, CancellationToken cancellationToken)
+        public static PemResult GenerateClientCertificate(X509Certificate2 ca, string subjectName, int nbValidDays)
         {
             using (var rsa = RSA.Create(2048))
             {
diff --git a/src/IdServer/SimpleIdServer.IdServer/Middlewares/RealmMiddleware.cs b/src/IdServer/SimpleIdServer.IdServer/Middlewares/RealmMiddleware.cs
@@ -43,7 +43,20 @@ public async Task InvokeAsync(HttpContext context)
                     if (routeValues.ContainsKey(Constants.Prefix))
                     {
                         var prefix = routeValues.First(v => v.Key == Constants.Prefix).Value?.ToString();
-                        if (routeValues.Any(v => v.Key == Constants.Prefix) && (await realmRepository.Query().AnyAsync(r => r.Name == prefix)))
+                        if (realmCookie.Value != prefix)
+                        {
+                            if (await realmRepository.Query().AnyAsync(r => r.Name == prefix))
+                            {
+                                realm = prefix;
+                                if (!string.IsNullOrWhiteSpace(realm))
+                                {
+                                    context.Response.Cookies.Append(
+                                        Constants.DefaultRealmCookieName,
+                                        realm);
+                                }
+                            }
+                        }
+                        else
                             realm = prefix;
                     }
 

Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,11 @@`
`17`	`17`	`using System;`
`18`	`18`	`using System.Collections.Generic;`
`19`	`19`	`using System.Linq;`
	`20`	`+using System.Net;`
`20`	`21`	`using System.Reflection;`
`21`	`22`	`using System.Security.Cryptography;`
`22`	`23`
	`24`	`+ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;`
`23`	`25`	`var builder = WebApplication.CreateBuilder(args);`
`24`	`26`	`builder.Services.Configure<KestrelServerOptions>(options =>`
`25`	`27`	`{`
`@@ -129,7 +131,8 @@ void SeedData(WebApplication application)`
`129`	`131`
`130`	`132`	`if(!dbContext.SerializedFileKeys.Any())`
`131`	`133`	`{`
`132`		`- dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateSigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master));`
	`134`	`+ dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateRSASigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master, "rsa-1"));`
	`135`	`+ dbContext.SerializedFileKeys.Add(KeyGenerator.GenerateECDSASigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master, "ecdsa-1"));`
`133`	`136`	`dbContext.SerializedFileKeys.Add(WsFederationKeyGenerator.GenerateWsFederationSigningCredentials(SimpleIdServer.IdServer.Constants.StandardRealms.Master));`
`134`	`137`	`}`
`135`	`138`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"environmentVariables": {`
`6`	`6`	`"ASPNETCORE_ENVIRONMENT": "Development"`
`7`	`7`	`},`
`8`		`- "applicationUrl": "https://localhost:5001"`
	`8`	`+ "applicationUrl": "https://localhost:5001;https://172.27.192.1:5001"`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ public async Task Handle(AddClientCertificateAction action, IDispatcher dispatch`
`140`	`140`	`{`
`141`	`141`	`var ca = await _certificateAuthorityRepository.Query().Include(c => c.ClientCertificates).FirstAsync(c => c.Id == action.CertificateAuthorityId);`
`142`	`142`	`var certificate = _certificateAuthorityStore.Get(ca);`
`143`		`- var pem = KeyGenerator.GenerateClientCertificate(certificate, action.SubjectName, action.NbDays, CancellationToken.None);`
	`143`	`+ var pem = KeyGenerator.GenerateClientCertificate(certificate, action.SubjectName, action.NbDays);`
`144`	`144`	`var record = new ClientCertificate`
`145`	`145`	`{`
`146`	`146`	`Id = Guid.NewGuid().ToString(),`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,12 @@ public class ConfigureWsFederationOptions : IPostConfigureOptions<WsFederationOp`
`11`	`11`	`{`
`12`	`12`	`public void PostConfigure(string name, WsFederationOptions options)`
`13`	`13`	`{`
	`14`	`+ var handler = new HttpClientHandler();`
	`15`	`+ handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => {`
	`16`	`+ return true;`
	`17`	`+ };`
	`18`	`+ var httpClient = new HttpClient(handler);`
	`19`	`+ options.Backchannel = httpClient;`
`14`	`20`	`options.ConfigurationManager = new IdServerWsFederationConfigurationManager(options.MetadataAddress, new WsFederationConfigurationRetriever(),`
`15`	`21`	`new HttpDocumentRetriever(options.Backchannel) { RequireHttps = options.RequireHttpsMetadata });`
`16`	`22`	`}`