Persist identity grant store to db

Persist machine Keys to Redis

Author: ramon-tomas-c

k8s/deployments.yaml

@@ -69,6 +69,7 @@ kind: Deployment
 metadata:
   name: identity
 spec:
+  replicas: 3
   paused: true
   template:
     metadata:

src/Services/Identity/Identity.API/Configuration/Config.cs

@@ -80,6 +80,7 @@ public static IEnumerable<Client> GetClients(Dictionary<string,string> clientsUr
                     },
                     ClientUri = $"{clientsUrl["Mvc"]}",                             // public uri of the client
                     AllowedGrantTypes = GrantTypes.Hybrid,
+                    AllowAccessTokensViaBrowser = false,
                     RequireConsent = false,
                     AllowOfflineAccess = true,
                     RedirectUris = new List<string>

src/Services/Identity/Identity.API/Extensions/DataProtectionBuilderExtensions.cs

@@ -0,0 +1,96 @@
+namespace DataProtectionExtensions
+{
+    using System;
+    using System.Linq;
+    using System.Security.Cryptography.X509Certificates;
+    using Microsoft.AspNetCore.DataProtection;
+    using Microsoft.AspNetCore.DataProtection.Repositories;
+    using Microsoft.AspNetCore.DataProtection.XmlEncryption;
+    using Microsoft.Extensions.DependencyInjection;
+    using Microsoft.Extensions.Logging;
+    using System.Net;
+
+    /// <summary>
+    /// Extension methods for <see cref="IDataProtectionBuilder"/> for configuring
+    /// data protection options.
+    /// </summary>
+    public static class DataProtectionBuilderExtensions
+    {
+        /// <summary>
+        /// Sets up data protection to persist session keys in Redis.
+        /// </summary>
+        /// <param name="builder">The <see cref="IDataProtectionBuilder"/> used to set up data protection options.</param>
+        /// <param name="redisConnectionString">The connection string specifying the Redis instance and database for key storage.</param>
+        /// <returns>
+        /// The <paramref name="builder" /> for continued configuration.
+        /// </returns>
+        /// <exception cref="System.ArgumentNullException">
+        /// Thrown if <paramref name="builder" /> or <paramref name="redisConnectionString" /> is <see langword="null" />.
+        /// </exception>
+        /// <exception cref="System.ArgumentException">
+        /// Thrown if <paramref name="redisConnectionString" /> is empty.
+        /// </exception>
+        public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, string redisConnectionString)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            if (redisConnectionString == null)
+            {
+                throw new ArgumentNullException(nameof(redisConnectionString));
+            }
+
+            if (redisConnectionString.Length == 0)
+            {
+                throw new ArgumentException("Redis connection string may not be empty.", nameof(redisConnectionString));
+            }
+            
+            var ips = Dns.GetHostAddressesAsync(redisConnectionString).Result;
+
+            return builder.Use(ServiceDescriptor.Singleton<IXmlRepository>(services => new RedisXmlRepository(ips.First().ToString(), services.GetRequiredService<ILogger<RedisXmlRepository>>())));
+        }
+
+        /// <summary>
+        /// Updates an <see cref="IDataProtectionBuilder"/> to use the service of
+        /// a specific type, removing all other services of that type.
+        /// </summary>
+        /// <param name="builder">The <see cref="IDataProtectionBuilder"/> that should use the specified service.</param>
+        /// <param name="descriptor">The <see cref="ServiceDescriptor"/> with the service the <paramref name="builder" /> should use.</param>
+        /// <returns>
+        /// The <paramref name="builder" /> for continued configuration.
+        /// </returns>
+        /// <exception cref="System.ArgumentNullException">
+        /// Thrown if <paramref name="builder" /> or <paramref name="descriptor" /> is <see langword="null" />.
+        /// </exception>
+        public static IDataProtectionBuilder Use(this IDataProtectionBuilder builder, ServiceDescriptor descriptor)
+        {
+            // This algorithm of removing all other services of a specific type
+            // before adding the new/replacement service is how the base ASP.NET
+            // DataProtection bits work. Due to some of the differences in how
+            // that base set of bits handles DI, it's better to follow suit
+            // and work in the same way than to try and debug weird issues.
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            if (descriptor == null)
+            {
+                throw new ArgumentNullException(nameof(descriptor));
+            }
+
+            for (int i = builder.Services.Count - 1; i >= 0; i--)
+            {
+                if (builder.Services[i]?.ServiceType == descriptor.ServiceType)
+                {
+                    builder.Services.RemoveAt(i);
+                }
+            }
+
+            builder.Services.Add(descriptor);
+            return builder;
+        }
+    }
+}

src/Services/Identity/Identity.API/Extensions/RedisXmlRepository.cs

@@ -0,0 +1,214 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Xml.Linq;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.Extensions.Logging;
+using StackExchange.Redis;
+
+namespace DataProtectionExtensions
+{
+    /// <summary>
+    /// Key repository that stores XML encrypted keys in a Redis distributed cache.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// The values stored in Redis are XML documents that contain encrypted session
+    /// keys used for the protection of things like session state. The document contents
+    /// are double-encrypted - first with a changing session key; then by a master key.
+    /// As such, there's no risk in storing the keys in Redis - even if someone can crack
+    /// the master key, they still need to also crack the session key. (Other solutions
+    /// for sharing keys across a farm environment include writing them to files
+    /// on a file share.)
+    /// </para>
+    /// <para>
+    /// While the repository uses a hash to keep the set of encrypted keys separate, you
+    /// can further separate these items from other items in Redis by specifying a unique
+    /// database in the connection string.
+    /// </para>
+    /// <para>
+    /// Consumers of the repository are responsible for caching the XML items as needed.
+    /// Typically repositories are consumed by things like <see cref="Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider"/>
+    /// which generates <see cref="Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing"/>
+    /// values that get cached. The mechanism is already optimized for caching so there's
+    /// no need to create a redundant cache.
+    /// </para>
+    /// </remarks>
+    /// <seealso cref="Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" />
+    /// <seealso cref="System.IDisposable" />
+    public class RedisXmlRepository : IXmlRepository, IDisposable
+    {
+        /// <summary>
+        /// The root cache key for XML items stored in Redis
+        /// </summary>
+        public static readonly string RedisHashKey = "DataProtectionXmlRepository";
+
+        /// <summary>
+        /// The connection to the Redis backing store.
+        /// </summary>
+        private IConnectionMultiplexer _connection;
+
+        /// <summary>
+        /// Flag indicating whether the object has been disposed.
+        /// </summary>
+        private bool _disposed = false;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RedisXmlRepository"/> class.
+        /// </summary>
+        /// <param name="connectionString">
+        /// The Redis connection string.
+        /// </param>
+        /// <param name="logger">
+        /// The <see cref="ILogger{T}"/> used to log diagnostic messages.
+        /// </param>
+        /// <exception cref="System.ArgumentNullException">
+        /// Thrown if <paramref name="connectionString" /> or <paramref name="logger" /> is <see langword="null" />.
+        /// </exception>
+        public RedisXmlRepository(string connectionString, ILogger<RedisXmlRepository> logger)
+            : this(ConnectionMultiplexer.Connect(connectionString), logger)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RedisXmlRepository"/> class.
+        /// </summary>
+        /// <param name="connection">
+        /// The Redis database connection.
+        /// </param>
+        /// <param name="logger">
+        /// The <see cref="ILogger{T}"/> used to log diagnostic messages.
+        /// </param>
+        /// <exception cref="System.ArgumentNullException">
+        /// Thrown if <paramref name="connection" /> or <paramref name="logger" /> is <see langword="null" />.
+        /// </exception>
+        public RedisXmlRepository(IConnectionMultiplexer connection, ILogger<RedisXmlRepository> logger)
+        {
+            if (connection == null)
+            {
+                throw new ArgumentNullException(nameof(connection));
+            }
+
+            if (logger == null)
+            {
+                throw new ArgumentNullException(nameof(logger));
+            }
+
+            this._connection = connection;
+            this.Logger = logger;
+
+            // Mask the password so it doesn't get logged.
+            var configuration = Regex.Replace(this._connection.Configuration, @"password\s*=\s*[^,]*", "password=****", RegexOptions.IgnoreCase);
+            this.Logger.LogDebug("Storing data protection keys in Redis: {RedisConfiguration}", configuration);
+        }
+
+        /// <summary>
+        /// Gets the logger.
+        /// </summary>
+        /// <value>
+        /// The <see cref="ILogger{T}"/> used to log diagnostic messages.
+        /// </value>
+        public ILogger<RedisXmlRepository> Logger { get; private set; }
+
+        /// <summary>
+        /// Performs application-defined tasks associated with freeing, releasing,
+        /// or resetting unmanaged resources.
+        /// </summary>
+        public void Dispose()
+        {
+            this.Dispose(true);
+        }
+
+        /// <summary>
+        /// Gets all top-level XML elements in the repository.
+        /// </summary>
+        /// <returns>
+        /// An <see cref="IReadOnlyCollection{T}"/> with the set of elements
+        /// stored in the repository.
+        /// </returns>
+        public IReadOnlyCollection<XElement> GetAllElements()
+        {
+            var database = this._connection.GetDatabase();
+            var hash = database.HashGetAll(RedisHashKey);
+            var elements = new List<XElement>();
+
+            if (hash == null || hash.Length == 0)
+            {
+                return elements.AsReadOnly();
+            }
+
+            foreach (var item in hash.ToStringDictionary())
+            {
+                elements.Add(XElement.Parse(item.Value));
+            }
+
+            this.Logger.LogDebug("Read {XmlElementCount} XML elements from Redis.", elements.Count);
+            return elements.AsReadOnly();
+        }
+
+        /// <summary>
+        /// Adds a top-level XML element to the repository.
+        /// </summary>
+        /// <param name="element">The element to add.</param>
+        /// <param name="friendlyName">
+        /// An optional name to be associated with the XML element.
+        /// For instance, if this repository stores XML files on disk, the friendly name may
+        /// be used as part of the file name. Repository implementations are not required to
+        /// observe this parameter even if it has been provided by the caller.
+        /// </param>
+        /// <remarks>
+        /// The <paramref name="friendlyName" /> parameter must be unique if specified.
+        /// For instance, it could be the ID of the key being stored.
+        /// </remarks>
+        /// <exception cref="System.ArgumentNullException">
+        /// Thrown if <paramref name="element" /> is <see langword="null" />.
+        /// </exception>
+        public void StoreElement(XElement element, string friendlyName)
+        {
+            if (element == null)
+            {
+                throw new ArgumentNullException(nameof(element));
+            }
+
+            if (string.IsNullOrEmpty(friendlyName))
+            {
+                // The framework always passes in a name, but
+                // the contract indicates this may be null or empty.
+                friendlyName = Guid.NewGuid().ToString();
+            }
+
+            this.Logger.LogDebug("Storing XML element with friendly name {XmlElementFriendlyName}.", friendlyName);
+
+            this._connection.GetDatabase().HashSet(RedisHashKey, friendlyName, element.ToString());
+        }
+
+        /// <summary>
+        /// Releases unmanaged and - optionally - managed resources.
+        /// </summary>
+        /// <param name="disposing">
+        /// <see langword="true" /> to release both managed and unmanaged resources;
+        /// <see langword="false" /> to release only unmanaged resources.
+        /// </param>
+        protected virtual void Dispose(bool disposing)
+        {
+            if (!this._disposed)
+            {
+                if (disposing)
+                {
+                    if (this._connection != null)
+                    {
+                        this._connection.Close();
+                        this._connection.Dispose();
+                    }
+                }
+
+                this._connection = null;
+                this._disposed = true;
+            }
+        }
+    }
+}

src/Services/Identity/Identity.API/Identity.API.csproj

@@ -38,6 +38,7 @@
     </PackageReference>
     <PackageReference Include="IdentityServer4.AspNetIdentity" Version="1.0.1" />
     <PackageReference Include="IdentityServer4.EntityFramework" Version="1.0.1" />
+    <PackageReference Include="StackExchange.Redis" Version="1.2.3" />
   </ItemGroup>
 
   <Target Name="PrepublishScript" BeforeTargets="PrepareForPublish">