Orchard Core 1.8.2, migrate the OpenID module to OpenIddict 5 - This week in Orchard (19/01/2024)

Gábor Domonkos
Announcement, This week in Orchard, Security

Migrate the OpenID module to OpenIddict 5, fixing FormatException when the login screen is posted with values other than true/false for RememberMe, and announcing Orchard Core 1.8.2! Without any further ado, let's get started!

Orchard Core updates

Migrate the OpenID module to OpenIddict 5

This is about updating the OpenID module to use OpenIddict 5.0, which shipped in December. Now that OpenIddict 5.0 is generally available, the previous version, OpenIddict 4.0, stops being supported and won't receive bug fixes or security updates. As such, it is recommended to migrate to OpenIddict 5.0 to continue receiving bug and security fixes. So, this change reacts to the breaking changes introduced by this new major version by adding new store methods and updating the ones whose signature has changed. Note that while OpenIddict 5.0 supports new features, this change doesn't expose them via the Orchard Core admin UI. If you want to know more about the latest version of OpenIddict, check out this great post from Kévin Chalet!

Blog post about the OpenIddict 5.0 general availability

Fixing FormatException when the login screen is posted with values other than true/false for RememberMe

If, on the login screen, any non-boolean value (e.g., "1", "cicaisahungarianword") is set for the RememberMe input field, then you'll get an exception. This is of course not what a normal user would do, but it is surfaced by the pentest attacks of Zed Attack Proxy (ZAP), a very popular open-source security scanner that can check your application for security issues. If you don't know ZAP and would like to know more about it, check out our post from last month.

So, input validation is necessary here to avoid HTTP 500 responses. You can easily reproduce this issue by following these steps:

  1. Go to /Login.
  2. Set the value attribute of RememberMe to anything but "true" or "false" using, e.g., the Dev Tools of Google Chrome.
  3. Tick the checkbox.
  4. Click Log in.
  5. See the HTTP 500 error page.

From now on, a validation error appears instead of a 5xx one.

The new SafeBoolModelBinder to produce a validation error when a Boolean field contains an invalid value
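
As an added example (not Orchard Core's SafeBoolModelBinder and not code from the original post), here is one way an ASP.NET Core MVC model binder can turn an unparsable Boolean form value into a validation error. The names StrictBoolModelBinder and StrictBoolModelBinderProvider, the error message and the registration shown in the comment are assumptions made for this illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.ModelBinding;

// Hypothetical binder written for this example; not Orchard Core's SafeBoolModelBinder.
public sealed class StrictBoolModelBinder : IModelBinder
{
    public Task BindModelAsync(ModelBindingContext bindingContext)
    {
        ArgumentNullException.ThrowIfNull(bindingContext);
        var name = bindingContext.ModelName;
        var posted = bindingContext.ValueProvider.GetValue(name);

        // Field not posted at all (e.g. a plain unticked checkbox): nothing to bind or reject.
        if (posted == ValueProviderResult.None)
        {
            return Task.CompletedTask;
        }

        // bool.TryParse accepts only "true"/"false" (any casing, surrounding whitespace);
        // values such as "1" or "cicaisahungarianword" fail without throwing.
        if (bool.TryParse(posted.FirstValue, out var value))
        {
            bindingContext.ModelState.SetModelValue(name, posted);
            bindingContext.Result = ModelBindingResult.Success(value);
            return Task.CompletedTask;
        }

        // Design choice of this example: keep a known-good attempted value in ModelState
        // so that redisplaying the form never has to convert the rejected string again.
        bindingContext.ModelState.SetModelValue(name, new ValueProviderResult("false"));
        bindingContext.ModelState.TryAddModelError(name, "The value must be 'true' or 'false'.");
        bindingContext.Result = ModelBindingResult.Failed();
        return Task.CompletedTask;
    }
}

// Hands out the binder for bool and bool? properties only.
public sealed class StrictBoolModelBinderProvider : IModelBinderProvider
{
    public IModelBinder? GetBinder(ModelBinderProviderContext context)
    {
        var type = context.Metadata.ModelType;
        return type == typeof(bool) || type == typeof(bool?) ? new StrictBoolModelBinder() : null;
    }
}

// Registration in Program.cs, ahead of the built-in binders (assumed setup):
// builder.Services.AddControllersWithViews(o => o.ModelBinderProviders.Insert(0, new StrictBoolModelBinderProvider()));
```

With a binder like this in place, the login action sees `ModelState.IsValid == false` for the tampered field and can redisplay the form with the error.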

News from the community

Orchard Core 1.8.2

Orchard Core 1.8.2 was released a few days after 1.8.1 to address two issues in that release.

The first issue was that the admin language switcher (admin culture picker) was not working. It stayed in the same language regardless of what you chose.

The second is about fixing the display name of the content fields. Let's just add a boolean field to a content type as follows. Let's use the name MyBooleanField as the technical name and My Boolean Field as the display name. As you can see in the screen below, the Display Name was equal to the Technical Name.

Issue with the content field's display name

If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! Upgrade your solution to 1.8.2 now! Feel free to drop by the dedicated Gitter chat or use the Discussions on GitHub and ask questions!

Orchard Core 1.8.2

As we mentioned, Orchard Core is available as a NuGet package which you can easily add to your ASP.NET Core solution. Here's how you can get started with Orchard Core.

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 480 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!
