Add support for Alipay certificate signing #1131
Conversation
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationConstants.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationConstants.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationOptionsExtensions.cs
Outdated
Show resolved
Hide resolved
| /// <summary> | ||
| /// The internal identifier for Alipay users will no longer be independently available going forward and will be replaced by OpenID. | ||
| /// </summary> | ||
| public const string UserId = "urn:alipay:user_id"; |
There was a problem hiding this comment.
On reflection, if this is going to be deprecated, it would be better not to expose it as a public member. Otherwise it feels like we're adding a new API that's immediately obsolete.
There was a problem hiding this comment.
UserId cannot be modified to private because applications created before OpenId or legacy code still require it. For newly created applications, OpenId should be used unless a support ticket is submitted to request the platform to enable legacy UserId. I have updated the code and added the ObsoleteAttribute.
There was a problem hiding this comment.
Adding a new public API that is immediately obsolete serves no useful purpose to the user and adds maintenance burden for us to remove it in the future (which is then itself a breaking change).
There was a problem hiding this comment.
My intention was to delete the property entirely, not just to remove the [Obsolete] attribute.
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
| namespace Microsoft.Extensions.DependencyInjection; | ||
|
|
||
| /// <summary> | ||
| /// Extension methods to configure Sign in with Alipay authentication capabilities for an HTTP application pipeline. |
There was a problem hiding this comment.
Is it actually called "Sign in with Alipay", or is this just copy-paste where "Apple" has been changed to "Alipay"?
There was a problem hiding this comment.
is correct, see https://auth.alipay.com/login/global.htm
There was a problem hiding this comment.
So it's called "Sign In Alipay", not "Sign In with Alipay"?
There was a problem hiding this comment.
This should be “Sign in with Alipay” because, like Apple, it uses a third-party platform account for login. This will redirect you to an Alipay webpage displaying a QR code. Use the Alipay mobile app to scan the code and log in.
There was a problem hiding this comment.
"Sign In with Apple" is the name of the product (docs), "Sign in with Apple" is the description of what the user does.
"Sign In Alipay" appears to be the name, as it is not grammatically correct English to be a description of what the user is doing.
src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationOptionsExtensions.cs
Outdated
Show resolved
Hide resolved
|
|
||
| Span<byte> hash = stackalloc byte[MD5.HashSizeInBytes]; | ||
| #pragma warning disable CA5351 | ||
| MD5.HashData(bytes, hash); |
There was a problem hiding this comment.
The return value should be checked.
There was a problem hiding this comment.
The MD5 algorithm has a fixed length, so there is no need to check the returned result. If the input array is too short, it will throw an exception.
| /// </summary> | ||
| private const int StackallocByteThreshold = 256; | ||
|
|
||
| private static string CalculateMd5(ReadOnlySpan<char> chars) |
There was a problem hiding this comment.
I think this is still overcomplicated really. This isn't a hot path.
The whole thing could just be:
var buffer = Encoding.UTF8.GetBytes(chars);
return MD5.HashData(buffer);There was a problem hiding this comment.
I have balanced high performance with code conciseness. The return value here should be a lowercase hex string. The updated code uses stackalloc instead of byte[] to avoid fragmented memory.
There was a problem hiding this comment.
Technically yes, but I don't think it's of importance here against a simpler implementation.
There was a problem hiding this comment.
The latest submission has been simplified.
|
Please don't resolve comments where no code changes have been made - otherwise it makes things harder to review as I have to uncollapse the comments in the UI, and if I disagree I just have to unresolve them anyway. |
| #pragma warning disable CS0618 | ||
| ClaimActions.MapJsonKey(Claims.UserId, "user_id"); | ||
| #pragma warning restore CS0618 |
There was a problem hiding this comment.
If it's going to be obsolete, just hard-code the value here without the need for the constant. Then we can just delete it in the future without having to also change the public API surface.
| public Func<string, CancellationToken, Task<ReadOnlyMemory<char>>>? PublicKey { get; set; } | ||
|
|
||
| /// <inheritdoc /> | ||
| public override void Validate() |
There was a problem hiding this comment.
Shouldn't this also validate that PublicKey is not null?
This comment has been minimized.
This comment has been minimized.
- Removed the [Obsolete] marker from AlipayAuthenticationConstants.UserId while retaining explanatory comments. - ClaimActions now directly maps “urn:alipay:user_id” to “user_id” and removes the obsolete mapping for Claims.UserId. - Added non-null validation for PublicKey in certificate mode.
… certificate resolution This submission simplifies Alipay certificate signing configurations by directly passing the certificate serial number (SN) string. It removes the ApplicationCertificateSnKeyId, RootCertificateSnKeyId, and PublicKey delegate properties, with corresponding methods adjusted to directly read the SN. The certificate SN calculation utility class and extension methods for reading public keys via files have been eliminated. This removes the complexity of dynamic certificate resolution, enhancing configuration intuitiveness and usability.
|
Based on aicodeguard's comment, there is indeed no need to parse the PEM certificate file with every request. I removed the certificate-related content and simplified all changes by using fixed configuration values. |
| /// <summary> | ||
| /// The internal identifier for Alipay users will no longer be independently available going forward and will be replaced by OpenID. | ||
| /// </summary> | ||
| public const string UserId = "urn:alipay:user_id"; |
There was a problem hiding this comment.
My intention was to delete the property entirely, not just to remove the [Obsolete] attribute.
| namespace Microsoft.Extensions.DependencyInjection; | ||
|
|
||
| /// <summary> | ||
| /// Extension methods to configure Sign in with Alipay authentication capabilities for an HTTP application pipeline. |
There was a problem hiding this comment.
"Sign In with Apple" is the name of the product (docs), "Sign in with Apple" is the description of what the user does.
"Sign In Alipay" appears to be the name, as it is not grammatically correct English to be a description of what the user is doing.
| ArgumentNullException.ThrowIfNull(Options.ApplicationCertificateSn); | ||
| ArgumentNullException.ThrowIfNull(Options.RootCertificateSn); |
There was a problem hiding this comment.
These aren't arguments to the method. They were already validated in the options. If they are subsequently messed with by the integrator that's user error.
| ArgumentNullException.ThrowIfNull(Options.ApplicationCertificateSn); | |
| ArgumentNullException.ThrowIfNull(Options.RootCertificateSn); |
3 participants
improve #968