Comments (6)
This came up during the initial development of the provider but then went away: dotnet/aspnetcore#39664 (comment)
50:50 on whether it's a latent bug with some weird edge cases, or some latest CEO-driven development broke something on their end.
from aspnet.security.oauth.providers.
This issue was also discussed here: dotnet/aspnetcore#42192
50:50 on whether it's a latent bug with some weird edge cases, or some latest CEO-driven development broke something on their end.
It's neither a bug nor one of those stupid Musky decisions: the Twitter devs just opted for a way too short limit for the state parameter, which cannot exceed 500 chars exactly. If your AuthenticationProperties is populated with too much data (e.g. because a large ReturnUrl is stored), the resulting DP-protected state will exceed Twitter's limit and you'll get a generic error.
@Mike-E-angelo you could probably work around this issue by creating an ISecureDataFormat<AuthenticationProperties> that stores the actual data in a distributed cache and returns a reference ID with a fixed short length.
Alternatively, you can replace the aspnet-contrib Twitter provider by its OpenIddict equivalent, which doesn't suffer from this issue as the JWT state tokens it produces are stored in the DB. The OpenIddict client and its ~60 providers generally require a bit more configuration (as there's less magic involved) but are also much more flexible and come with tons of additional security checks compared to the aspnet-contrib providers. More info here: https://kevinchalet.com/2022/12/16/getting-started-with-the-openiddict-web-providers/
from aspnet.security.oauth.providers.
Oh my goodness, thank you both @martincostello and @kevinchalet for your great support and guidance! It is greatly appreciated. It's also a far cry from Twitter, which is really quite abysmal. You may or may not be aware of this, but developers are paying $5k/mo and not getting any dedicated support for the use of the Twitter API. 🤯 In light of this and in comparison to Twitter support, I feel like I just got $5k worth of support from your responses alone. :D
It definitely makes me appreciative when I see replies here in GitHub from Microsoft repositories and on developercommunity, and really, after having to try to deal with Twitter support, any acknowledgment of my existence.
I will look into the IDistributedCache solution as this is something I have been meaning to do w/ my application, the whole scaling story and all. :D
I will close this ticket now that the limitation is understood. Thank you again for your efforts and time.
from aspnet.security.oauth.providers.
OK I got the ISecureDataFormat<AuthenticationProperties> implemented and everything works as expected, @kevinchalet. Thank you again for the guidance.
There is one hitch though, and one I have been noodling on. The ISecureDataFormat<AuthenticationProperties> is synchronous and IDistributedCache is asynchronous in nature. IDistributedCache has synchronous methods, of course, but if I understand correctly, that could possibly lead to thread starvation if enough calls are made concurrently.
I wanted to throw that your way and gauge my understanding of the situation. Is this something to worry about? Is there another consideration to make it asynchronous all the way? Thank you for any continued insight you can provide.
from aspnet.security.oauth.providers.
Two things I'd throw in the mix for your consideration:
- How slow is your cache? If it's very fast, then any sync call isn't going to consume many resources.
- How often do you actually expect people to be signing in and out of your application with Twitter? I would have thought relative to the rest of your application's purpose it would be small.
from aspnet.security.oauth.providers.
Much along the lines I have been thinking, @martincostello. This is actually a limited scenario, so from the outset I would say it's OK to brave the sync path as there should not be much thread utilization during the process. However, if you know anything about the asynchronous underbelly of .NET, there's a lot that can bite you. 😬
Additionally, even if the cache is typically fast, if it does hang for whatever reason (HTTP request to Redis, I am guessing) that is a thread that is being held up, which is a Bad Thing™ as I understand it with the asynchronous model.
So, I guess I am wanting to be a little confident here that I can get away with this. Sounds like I can, but wanted to be sure of my reasoning. :)
from aspnet.security.oauth.providers.
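Added example (not code from aspnet-contrib, nor from anyone in this thread) of the workaround kevinchalet suggested above: an ISecureDataFormat<AuthenticationProperties> that keeps the DP-protected properties in IDistributedCache and hands the OAuth handler a short random reference ID as the state value, so the state stays well under Twitter's 500-character limit. It also illustrates the later question about synchronous cache calls, since the ISecureDataFormat interface itself is synchronous. Assumptions: the class CachedStateDataFormat, the cache key prefix and the protector purpose string are mine; TwitterAuthenticationOptions and TwitterAuthenticationDefaults.AuthenticationScheme are assumed to be the aspnet-contrib Twitter provider's types; everything else is standard ASP.NET Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using AspNet.Security.OAuth.Twitter;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical class (not part of aspnet-contrib): stores the DP-protected
// AuthenticationProperties in IDistributedCache and returns a short, unguessable
// reference ID for the OAuth handler to send as the `state` parameter.
public sealed class CachedStateDataFormat : ISecureDataFormat<AuthenticationProperties>
{
    private const string KeyPrefix = "oauth-state:"; // assumed cache key namespace
    private const int ReferenceBytes = 32;           // 256 bits of entropy -> 64 hex chars

    private readonly ISecureDataFormat<AuthenticationProperties> _inner;
    private readonly IDistributedCache _cache;
    private readonly TimeSpan _lifetime;

    public CachedStateDataFormat(ISecureDataFormat<AuthenticationProperties> inner,
                                 IDistributedCache cache, TimeSpan lifetime)
    {
        _inner = inner;
        _cache = cache;
        _lifetime = lifetime;
    }

    public string Protect(AuthenticationProperties data) => Protect(data, purpose: null);

    public string Protect(AuthenticationProperties data, string? purpose)
    {
        // Keep the payload DP-protected: reading the cache alone reveals nothing.
        string payload = _inner.Protect(data, purpose);

        // Random reference, independent of the payload, so it cannot be guessed or derived.
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(ReferenceBytes));

        // Synchronous Set: one blocking cache round trip per sign-in attempt.
        _cache.Set(KeyPrefix + id, Encoding.UTF8.GetBytes(payload), new DistributedCacheEntryOptions
        {
            // Entry expires with the sign-in attempt (RemoteAuthenticationTimeout, 15 min by default).
            AbsoluteExpirationRelativeToNow = _lifetime
        });

        return id; // 64 characters, far below the 500-character limit discussed above
    }

    public AuthenticationProperties? Unprotect(string? protectedText) => Unprotect(protectedText, purpose: null);

    public AuthenticationProperties? Unprotect(string? protectedText, string? purpose)
    {
        // Accept only something shaped exactly like a reference this class issues.
        if (protectedText is null || protectedText.Length != ReferenceBytes * 2 || !IsHex(protectedText))
            return null;

        string key = KeyPrefix + protectedText;
        byte[]? payload = _cache.Get(key);
        if (payload is null)
            return null; // unknown, expired or already consumed -> handler reports invalid state

        // One-time use: a replayed callback carrying the same state must fail.
        _cache.Remove(key);

        return _inner.Unprotect(Encoding.UTF8.GetString(payload), purpose);
    }

    private static bool IsHex(string value)
    {
        foreach (char c in value)
            if (!Uri.IsHexDigit(c)) return false;
        return true;
    }
}

public static class CachedTwitterStateRegistration
{
    // Wires the format into the Twitter provider's named options. The StateDataFormat
    // property is set here so the framework's post-configure step keeps it instead of
    // creating the default PropertiesDataFormat.
    public static IServiceCollection AddCachedTwitterState(this IServiceCollection services)
    {
        services.AddOptions<TwitterAuthenticationOptions>(TwitterAuthenticationDefaults.AuthenticationScheme)
            .Configure<IDistributedCache, IDataProtectionProvider>((options, cache, dp) =>
            {
                // Assumed purpose string; any stable, unique value works for this protector.
                var protector = dp.CreateProtector("CachedStateDataFormat.Twitter");
                options.StateDataFormat = new CachedStateDataFormat(
                    new PropertiesDataFormat(protector), cache, options.RemoteAuthenticationTimeout);
            });
        return services;
    }
}
```

Call services.AddCachedTwitterState() after registering the Twitter provider and an IDistributedCache implementation. The checks worth keeping if you adapt this: the reference is 256 bits from a CSPRNG, so it cannot be enumerated; the entry is removed on first lookup, so a replayed callback with the same state is rejected; the entry's lifetime matches RemoteAuthenticationTimeout, so abandoned sign-ins don't accumulate in the cache; and the stored value is still DP-protected, so a cache compromise doesn't expose ReturnUrl or other properties. On the sync question raised later in the thread, each Protect/Unprotect blocks the request thread for one cache round trip, which is the trade-off the last two comments weigh against how often sign-ins happen and how fast the cache is.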