
Commit

Typo/language fixes
AndersAbel committed Apr 11, 2024
1 parent d277132 commit 3ea2d7d
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions IdentityServer/v7/docs/content/troubleshooting/_index.md
Expand Up @@ -8,15 +8,17 @@ When troubleshooting an IdentityServer setup we have some tips and tricks to sha
## General debugging advice
Duende IdentityServer is a security product and by design the error messages returned to a user or client application are very short. The actual error message is always written to the logs. The very first step in any troubleshooting should be to review the IdentityServer logs.

Another common issue is that the logs are redacted and that the interesting/relevant information is overwritten with **'[PII is hidden]'**. (For example *The '[PII is hidden]' for signing cannot be smaller than '[PII is hidden]' bits*). This is a privacy securing feature of th Microsoft.IdentityModel libraries that we use for token handling. The definition of possible PII in those libraries is very generous and includes key sizes, URLs etc.
Another common issue is that the logs are redacted and that the interesting/relevant information is overwritten with **'[PII is hidden]'**. (For example *The '[PII is hidden]' for signing cannot be smaller than '[PII is hidden]' bits*). This is a privacy feature of the Microsoft.IdentityModel libraries that we use for token handling. The definition of possible PII in those libraries is very generous and includes key sizes, URLs etc.

There is a static property that can be set to disable the redacting.
```
IdentityModelEventSource.ShowPII = true;
```

We recommend to always set this flag to true in any development and test environment that does not contain real personal data.

## Data protection
Asp.Net Core Data Protection is an encryption mechanism that is heavily used by Duende.IdentityServer and the Asp.Net Core Authentication libraries. If it is not correctly configured it migth result in issues such as
Asp.Net Core Data Protection is an encryption mechanism that is heavily used by Duende.IdentityServer and the Asp.Net Core Authentication libraries. If it is not correctly configured it might result in issues such as
* Unable to unprotect the message.State.
* The key {xxxxx-xxxx-xxx-xxx-xxxxxxx} was not found in the key ring.

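Review bot: the `IdentityModelEventSource.ShowPII = true;` block right after the corrected PII paragraph is in an untagged fence and does not say where the type lives; suggest tagging the fence as csharp and adding `using Microsoft.IdentityModel.Logging;` above the assignment so the line can be copied as-is. Because the flag puts key sizes, URLs and whatever else the library classifies as PII into the log output, the recommendation below it would read more clearly as "We recommend always setting this flag to true in development and test environments that do not contain real personal data" and could say outright that it should stay false in production. Minor: "Asp.Net Core" in the Data protection paragraph should be "ASP.NET Core".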
Expand All @@ -34,14 +36,14 @@ TaskCancellationExceptions occur when the incoming HTTP connection is terminated

To help alleviate that, in version 6.2 of IdentityServer, we added a configurable filter to our logging to remove some of these unnecessary logs. Unfortunately the log messages that are written by EF itself are outside our control. Microsoft is in the process of updating EF to not log task cancellation so aggressively. In .NET 7, they were able to update the core EF but not the providers.

Since we know that these task cancellations are expected and safe, another thing you could do is to filter them out of your logs. I would expect most logging tools to allow you to put filters in place. For example, in serilog, adding something like this to your configuration should do the trick:
Since we know that these task cancellations are expected and safe, another thing you could do is to filter them out of your logs. Most logging tools should allow you to put filters in place. For example, in serilog, adding something like this to your configuration should do the trick:

Log.Logger = new LoggerConfiguration()
.Filter
.ByExcluding(logEvent => logEvent.Exception is OperationCanceledException)

## WAF Rules
Data protected data can contain --, and some firewalls disallow that because it looks like a sql comment/injection. This is not an IdentityServer issue but something that should be fixed on the firewall.
Data protected data can contain '--' (two dashes) and some firewalls disallow that because it looks like a sql comment/injection. This is not an IdentityServer issue but something that should be fixed on the firewall.

## Microsoft.IdentityModel Version Conflicts
The Microsoft.IdentityModel.\* libraries used by Duende IdentityServer all have to be of exactly the same version. If they are not it can cause unexpected issues reading configuration data and tokens, i.e. **IDX10500: Signature validation failed. No security keys were provided to validate the signature.** or **System.MissingMethodException: Method not found 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(...)'**
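Review bot: the Serilog snippet under the reworded filtering sentence does not compile as shown: `Filter.ByExcluding(...)` returns a `LoggerConfiguration`, so the assignment to `Log.Logger` needs a trailing `.CreateLogger();`, i.e. `.ByExcluding(logEvent => logEvent.Exception is OperationCanceledException)` followed by `.CreateLogger();`. It would also help to put the snippet in a csharp fence like the ShowPII example and to note that `TaskCanceledException` derives from `OperationCanceledException`, so the `is` check covers both; the hunk header's "TaskCancellationExceptions" should read "TaskCanceledExceptions" to match the actual .NET type. Minor: "serilog" should be "Serilog", and "sql comment/injection" in the WAF section should be "SQL comment/injection".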

0 comments on commit 3ea2d7d
