Restrict the exposure of the discovery JWKS key in a web browser/UI


I need to restrict the exposure of the discovery JWKS key in a web browser/UI. This is a request from the security team to prevent exposure at the JWKS URL: .well-known/openid-configuration/jwks

I'm using ASP.NET Core 3.1 and IdentityServer4 and have tried the methods below, which are not working:

services.AddIdentityServer(options =>
{
    // Trim what the discovery document advertises
    options.Discovery.ShowIdentityScopes = false;
    options.Discovery.ShowApiScopes = false;
    options.Discovery.ShowClaims = false;
    options.Discovery.ShowExtensionGrantTypes = false;
    options.Discovery.ShowEndpoints = false;
    options.Discovery.ShowTokenEndpointAuthenticationMethods = false;
    // Uncommenting this causes the unauthorized error described below
    // options.Discovery.ShowKeySet = false;
});

If I uncomment options.Discovery.ShowKeySet = false, I get an unauthorized error on the API request.

Below is the authentication setup:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        // JWT validation fetches the signing keys from this authority's discovery document
        options.Authority = applicationUrl;
        options.SupportedTokens = SupportedTokens.Jwt;
        options.RequireHttpsMetadata = true;
        options.ApiName = IdentityServerConfig.ApiName;
    });

I'm not signing any certificate, hence the JWKS URL is not required.

Client details:

new Client
{
    ClientId = *******,                                    // redacted in the original
    ClientSecrets = { new Secret("*******".ToSha256()) },  // redacted in the original
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    AccessTokenLifetime = 900,  // seconds
    AllowedScopes = { ApiName },
    AllowAccessTokensViaBrowser = false
},

Any help would be much appreciated.

1 Answer

Tore Nestenius:

You could, in IdentityServer, create a simple request handler that blocks requests to that endpoint which do not originate from, for example, a given IP address range.

Just add something simple like this before UseIdentityServer():

app.Use(async (context, next) =>
{
    // Only gate the key-set endpoint; every other request passes through
    var ip = context.Connection.RemoteIpAddress?.ToString();
    var path = context.Request.Path.Value;

    // Only accept requests for the JWKS from this IP
    if (path == "/.well-known/openid-configuration/jwks" && ip != "192.168.0.10")
    {
        context.Response.StatusCode = 403;
        return;
    }

    await next.Invoke();
});
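A fuller version of the allow-list idea from the answer above, as an added example that is not part of the original question or answer. It gates only /.well-known/openid-configuration/jwks, accepts a list of single addresses or CIDR ranges, returns 403 to everything else and logs what it blocked. The class and extension names (JwksAllowListMiddleware, UseJwksAllowList) and the sample ranges are assumptions made for the example; the rest is plain ASP.NET Core 3.1 middleware.

```csharp
// Added example, not code from the question or answer. Assumed names:
// JwksAllowListMiddleware, UseJwksAllowList, and the CIDR strings passed in.
// Register with app.UseJwksAllowList("192.168.0.10", "10.0.0.0/8");
// before app.UseIdentityServer() in Startup.Configure.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class JwksAllowListMiddleware
{
    private const string JwksPath = "/.well-known/openid-configuration/jwks";
    private readonly RequestDelegate _next;
    private readonly ILogger<JwksAllowListMiddleware> _logger;
    private readonly IReadOnlyList<(IPAddress Network, int PrefixLength)> _allowed;

    public JwksAllowListMiddleware(RequestDelegate next,
                                   ILogger<JwksAllowListMiddleware> logger,
                                   IEnumerable<string> allowedCidrs)
    {
        _next = next;
        _logger = logger;
        _allowed = allowedCidrs.Select(ParseCidr).ToList();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only the key-set endpoint is gated; everything else passes straight through.
        if (!context.Request.Path.Equals(JwksPath, StringComparison.OrdinalIgnoreCase))
        {
            await _next(context);
            return;
        }

        // RemoteIpAddress is the TCP peer. Behind a reverse proxy that is the proxy,
        // so run ForwardedHeadersMiddleware (with KnownProxies set) earlier in the
        // pipeline; otherwise the allow-list is checking the proxy, not the caller.
        var remote = context.Connection.RemoteIpAddress;
        if (remote != null && remote.IsIPv4MappedToIPv6)
            remote = remote.MapToIPv4();

        if (remote == null || !_allowed.Any(r => InRange(remote, r.Network, r.PrefixLength)))
        {
            _logger.LogWarning("Blocked JWKS request from {Remote}", remote);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        await _next(context);
    }

    // Accepts "192.168.0.10" (a single host) or "192.168.0.0/24".
    private static (IPAddress, int) ParseCidr(string cidr)
    {
        var parts = cidr.Split('/');
        var network = IPAddress.Parse(parts[0]);
        var hostBits = network.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
        var prefix = parts.Length > 1 ? int.Parse(parts[1]) : hostBits;
        return (network, prefix);
    }

    // Prefix match on the raw address bytes; IPv4 and IPv6 never match each other.
    private static bool InRange(IPAddress address, IPAddress network, int prefixLength)
    {
        if (address.AddressFamily != network.AddressFamily) return false;
        var a = address.GetAddressBytes();
        var n = network.GetAddressBytes();
        int fullBytes = prefixLength / 8, remainingBits = prefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}

public static class JwksAllowListExtensions
{
    // The (object) cast keeps the string array as one constructor argument
    // instead of spreading it across UseMiddleware's params array.
    public static IApplicationBuilder UseJwksAllowList(this IApplicationBuilder app,
                                                       params string[] allowedCidrs)
        => app.UseMiddleware<JwksAllowListMiddleware>((object)allowedCidrs);
}
```

Two things to keep in mind when using it. First, the API host itself must be inside the allowed range: the JWT validation configured with AddIdentityServerAuthentication resolves the signing keys from the Authority's discovery document, so blocking it from the JWKS produces the same unauthorized error the question reports with ShowKeySet = false. Second, the allow-list is only as good as the address it sees; behind a load balancer, a missing or misconfigured forwarded-headers setup means every request arrives from the proxy's address, which either blocks everyone or, if that address is allowed, lets everyone through.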