Secret Management Updates, ChallengeOrForbid() in Api controllers - This week in Orchard (18/09/2020)

Documentation, This week in Orchard, Theme, Recipes

This week you could see two great demos: one is about showing you how you can manage and import/export your secrets between servers, the other is about using Blazor WebAssembly with Orchard Core!

Orchard Core updates

ChallengeOrForbid() in Api controllers

Most of the API controllers are configured to use the Api scheme for authentication but return ChallengeOrForbid() without a scheme, which falls back to the default challenge scheme (typically the cookie handler when the Users module is enabled).

To fix that, the API controllers are updated to do ChallengeOrForbid("Api") instead of ChallengeOrForbid(), so that challenges are properly handled by OpenIddict when the OpenID token validation feature is enabled.

Now there is a new override of the ChallengeOrForbid() extension method that accepts the authentication schemes to challenge. You can use it in your API controller by passing the Api scheme name, like: return this.ChallengeOrForbid("Api");.
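The following is an added example, not Orchard Core's own code: a simplified stand-in for the extension method next to a hypothetical API controller (DemoApiController, policy name DemoPolicy are assumptions) that shows the before and after of the fix.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Simplified stand-in for the extension method, for illustration only (not Orchard Core's own code).
// Anonymous caller -> Challenge; authenticated but not permitted -> Forbid. With no scheme given the
// default challenge scheme runs, which is the cookie handler when the Users module is enabled, so an
// API client is redirected to the login page instead of receiving 401 with a WWW-Authenticate header.
public static class ChallengeOrForbidExtensions
{
    public static IActionResult ChallengeOrForbid(this ControllerBase controller, params string[] authenticationSchemes)
    {
        var authenticated = controller.User?.Identity?.IsAuthenticated == true;
        if (authenticationSchemes.Length == 0)
        {
            return authenticated ? controller.Forbid() : controller.Challenge();
        }
        return authenticated ? controller.Forbid(authenticationSchemes) : controller.Challenge(authenticationSchemes);
    }
}

// Same attribute pattern as Orchard Core's API controllers: the Api scheme authenticates the request,
// and AllowAnonymous lets the action itself decide, which is why the challenge scheme must be explicit.
[ApiController]
[Route("api/demo")]
[Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken, AllowAnonymous]
public class DemoApiController : ControllerBase   // hypothetical controller
{
    private readonly IAuthorizationService _authorizationService;

    public DemoApiController(IAuthorizationService authorizationService) => _authorizationService = authorizationService;

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // "DemoPolicy" is a hypothetical authorization policy name.
        var result = await _authorizationService.AuthorizeAsync(User, "DemoPolicy");
        if (!result.Succeeded)
        {
            // Before the fix: return this.ChallengeOrForbid();   -> default (cookie) scheme
            return this.ChallengeOrForbid("Api");                 // after the fix: the Api scheme challenges
        }
        return Ok(new { message = "authorized" });
    }
}
```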

A new override for the ChallengeOrForbid extension method

Include ContentsMetadata (PageTitle) in Blog Theme Category Taxonomy

If you use the Blog recipe, a Category taxonomy with a Travel entry is created by default. However, the title of the Travel page was not correct: if you created a site named Blogging using the Blog recipe, the expected title would be Travel - Blogging, but you got just Blogging. The fix was to include ContentsMetadata in the Content-Category.liquid file.

Include ContentsMetadata in Blog Theme Category Taxonomy

Link to GitHub Discussions in Contributing

If you open the GitHub repository of Orchard Core you will find a CONTRIBUTING.md file in the root of the repository. Now this markdown file has a direct link to GitHub Discussions. But what is GitHub Discussions? GitHub only offered issues and pull requests as places to have these conversations. But issues and pull requests both have a linear format - well suited for merging code, but not for creating a community knowledge base. Conversations need their own place - that's what GitHub Discussions is for. If you have a question and need an answer, just visit the Discussions page, and if you haven't found the answer to your issue, ask it there. Here you can find detailed and valuable answers to questions like what is a shape?

Updated Contributing documentation with GitHub Discussions

Demos

Secret Management Updates

Head to the GitHub repository of Orchard Core and check out the deanmarcussen/secrets branch to be able to try out this upcoming feature! After you set up your Orchard Core site, head to Configuration -> Features and enable these features:

  • Configuration Secrets Store: The secrets configuration store is a read-only store for secrets.
  • Database Secrets Store: The secrets database stores encrypted secrets in the database.
  • Secrets: The secrets feature manages secrets that other modules can contribute to.

Afterwards you will find a new option under Configuration called Secrets. Here you can add two kinds of secrets:

  • Authorization Secret: A secret used to manage a secure password or authorization key.
  • Rsa Secret: A public / private RSA key pair used for encryption.

Let's add a new Authorization Secret now and see what Secret Bindings are exactly. Secret Bindings are used to enter secrets, like SMTP passwords, and to choose where the secret is stored. Right now it can be stored either in the database or in the configuration, and there is a plan to support a Key Vault provider as well.

Let's use smtp_password as the name, store it in the Database Secret Store, and enter the password into the Authentication String textbox.

Creating a new Authorization secret

But how can you use that secret? If you enable the Email feature, you can navigate to Configuration -> Settings -> Smtp and set up the network delivery options. If you tick the Require credentials checkbox, you have to provide a user name and a password for authentication. If you would like to use your secret, you can use a Liquid filter to access the password stored in it. Here you can see that we entered the following Liquid expression to retrieve the password: {{ "smtp_password" | auth_secret }}. Remember, smtp_password was the name of our secret.

Setting the SMTP password from a secret using a Liquid filter

When we added our secret, we could choose between creating an Authorization Secret or an Rsa Secret. We created an Authorization Secret, so let's create an Rsa Secret this time! The RSA key pair is what we can use to actually encrypt secrets when transmitting them to another server. At the moment the private key is shown in the editor; the idea is that once you have created the private key you will never see it again. You can use the public key as an encryption key.

Creating a new RSA secret

Now let's create a new Deployment Plan and call it Secrets RSA! Add the All Secrets deployment step to it, then hit Execute! Afterwards you will end up with a recipe that looks like the following. Here you can see the encriptionKey used for this particular recipe: it's a symmetric encryption key that is encrypted with the public key from the RSA key pair. Then all of the available bindings are in the recipe. You will also find a decryptor here (js: decrypt()) which uses the encriptionKey and the private key on the other end to decrypt them. When you run this recipe on your remote server, assuming you have installed the private key on the remote server, it will decrypt your secrets correctly.

The recipe generated by the all secrets deployment step recipe
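As an added example of the hybrid scheme described above (a per-recipe symmetric key wrapped with the RSA public key, bindings encrypted with that key, the private key unwrapping it on the remote server), here is a stand-alone C# illustration that is not the branch's own code. SecretsRecipe, SecretsTransfer and the nonce|tag|ciphertext layout are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical recipe shape constructed for this example; the real format on the branch may differ.
public sealed class SecretsRecipe
{
    public string EncryptionKey { get; set; } = "";              // AES key wrapped with the RSA public key
    public Dictionary<string, string> Bindings { get; } = new(); // secret name -> base64(nonce|tag|ciphertext)
}

public static class SecretsTransfer
{
    // Export side: a fresh AES key per recipe, wrapped so only the holder of the private key can unwrap it.
    public static SecretsRecipe Export(IReadOnlyDictionary<string, string> secrets, RSA recipientPublicKey)
    {
        var aesKey = RandomNumberGenerator.GetBytes(32);
        var recipe = new SecretsRecipe { EncryptionKey = Convert.ToBase64String(recipientPublicKey.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256)) };
        using var gcm = new AesGcm(aesKey);
        foreach (var (name, value) in secrets)
        {
            var nonce = RandomNumberGenerator.GetBytes(12); // fresh per binding: a GCM nonce must never repeat under one key
            var plain = Encoding.UTF8.GetBytes(value);
            var cipher = new byte[plain.Length];
            var tag = new byte[16];
            gcm.Encrypt(nonce, plain, cipher, tag);
            recipe.Bindings[name] = Convert.ToBase64String(nonce.Concat(tag).Concat(cipher).ToArray());
        }
        CryptographicOperations.ZeroMemory(aesKey);
        return recipe;
    }

    // Import side: the remote server unwraps the AES key with its private key and verifies each binding's tag.
    public static Dictionary<string, string> Import(SecretsRecipe recipe, RSA recipientPrivateKey)
    {
        var aesKey = recipientPrivateKey.Decrypt(Convert.FromBase64String(recipe.EncryptionKey), RSAEncryptionPadding.OaepSHA256);
        using var gcm = new AesGcm(aesKey);
        var result = new Dictionary<string, string>();
        foreach (var (name, blob) in recipe.Bindings)
        {
            var bytes = Convert.FromBase64String(blob);
            var plain = new byte[bytes.Length - 28];
            gcm.Decrypt(bytes.AsSpan(0, 12), bytes.AsSpan(28), bytes.AsSpan(12, 16), plain); // throws if tampered with
            result[name] = Encoding.UTF8.GetString(plain);
        }
        return result;
    }
}
```

Create the pair on the receiving server with RSA.Create(2048), hand only its public key (ExportRSAPublicKey()) to the exporting side, and keep the private key where the recipe is imported; the tag check in Import is what turns a tampered recipe into a CryptographicException instead of a silently wrong secret.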

But it's not all! If you would like to know more about this great upcoming feature, don't hesitate to watch the recording of it!

Blazor WebAssembly with Orchard Core

In this demo you will see how to use a Blazor WebAssembly application that queries blog post content through a REST API call using GraphQL. A JWT token is used as a bearer token when calling the GraphQL endpoint. Head to YouTube now to see the full demo!

News from the community

Orchard Dojo Newsletter

Now we have 159 subscribers to Lombiq's Orchard Dojo Newsletter! We started this newsletter to inform the community around Orchard about the latest news on the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published on Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!
