Add `UseAbpOpenIddictValidation` and `DisableAccessTokenEncryption` by default.

3 years ago · 4c20947196
parent cdc83c014f
commit 4c20947196
24 changed files with 84 additions and 262 deletions
--- a/modules/openiddict/app/OpenIddict.Demo.API/Program.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.API/Program.cs
@ -18,10 +18,6 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    {
        options.Authority = "https://localhost:44301";
        options.Audience = "AbpAPIResource";
-
-        // See OpenIddictServerModule`s PreConfigureServices method.
-        options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78"));
-        options.TokenValidationParameters.TokenDecryptionKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80"));
    });

 var app = builder.Build();
--- a/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml
+++ b/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml
@ -30,14 +30,37 @@
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await HttpContext.GetTokenAsync("access_token"));

        var response = await client.SendAsync(request);
-        response.EnsureSuccessStatusCode();
+
+
+        <code style="display: block; white-space: pre-wrap; text-align: left">
+            @{
+                var apiResponse = response.StatusCode.ToString();
+                if (response.IsSuccessStatusCode)
+                {
+                    apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions
+                    {
+                        WriteIndented = true
+                    });
+                }
+            }
+            @apiResponse;
+        </code>
+
+        request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:44301/api/claims");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await HttpContext.GetTokenAsync("access_token"));
+
+        response = await client.SendAsync(request);

        <code style="display: block; white-space: pre-wrap; text-align: left">
            @{
-                var apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions
+                apiResponse = response.StatusCode.ToString();
+                if (response.IsSuccessStatusCode)
                {
-                    WriteIndented = true
-                });
+                    apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions
+                    {
+                        WriteIndented = true
+                    });
+                }
            }
            @apiResponse;
        </code>
--- a/modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs
@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace OpenIddict.Demo.Server.Controllers;
+
+[ApiController]
+[Authorize]
+[Route("api/claims")]
+public class ClaimsController : Controller
+{
+    [HttpGet]
+    public JsonResult Get()
+    {
+        return Json(User.Claims.Select(x => new {Type = x.Type, Value = x.Value}));
+    }
+}
--- a/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs
@ -1,10 +1,7 @@
-using System.Text;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.IdentityModel.Tokens;
-using OpenIddict.Abstractions;
 using OpenIddict.Demo.Server.EntityFrameworkCore;
-using OpenIddict.Server.AspNetCore;
-using OpenIddict.Validation.AspNetCore;
 using Volo.Abp;
 using Volo.Abp.Account;
 using Volo.Abp.Account.Web;
@ -81,12 +78,32 @@ public class OpenIddictServerModule : AbpModule
 {
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
+        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
+        {
+            //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+            options.AddDevelopmentEncryptionAndSigningCertificate = false;
+        });
+
        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
-            //https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
            //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
-            builder.AddSigningKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78")));
-            builder.AddEncryptionKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80")));
+            using (var algorithm = RSA.Create(keySizeInBits: 2048))
+            {
+                var subject = new X500DistinguishedName("CN=Fabrikam Encryption Certificate");
+                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+                var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+                builder.AddSigningCertificate(certificate);
+            }
+
+            using (var algorithm = RSA.Create(keySizeInBits: 2048))
+            {
+                var subject = new X500DistinguishedName("CN=Fabrikam Signing Certificate");
+                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
+                var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+                builder.AddEncryptionCertificate(certificate);
+            }
        });

        PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
@ -110,18 +127,6 @@ public class OpenIddictServerModule : AbpModule

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
-        context.Services.ConfigureApplicationCookie(options =>
-        {
-            options.ForwardDefaultSelector = ctx => ctx.Request.Path.StartsWithSegments("/api")
-                ? OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
-                : null;
-        });
-
-        Configure<AbpOpenIddictAspNetCoreOptions>(options =>
-        {
-            options.AddDevelopmentEncryptionAndSigningCertificate = false;
-        });
-
        context.Services.AddAbpDbContext<ServerDbContext>(options =>
        {
            options.AddDefaultRepositories(includeAllEntities: true);
--- a/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs
@ -27,20 +27,6 @@ builder.Services.Configure<AbpLocalizationOptions>(options =>
    options.Languages.Add(new LanguageInfo("zh-Hant", "zh-Hant", "繁體中文"));
 });

-// Use Microsoft.AspNetCore.Authentication.JwtBearer instead of OpenIddict.Validation.AspNetCore
-// builder.Services.AddAuthentication()
-//     .AddJwtBearer(options =>
-//     {
-//         options.Authority = "https://localhost:44301";
-//         options.Audience = "AbpAPIResource";
-//
-//         options.MapInboundClaims = false;
-//
-//         // See OpenIddictServerModule`s PreConfigureServices method.
-//         options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78"));
-//         options.TokenValidationParameters.TokenDecryptionKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80"));
-//     });
-
 await builder.AddApplicationAsync<OpenIddictServerModule>();

 var app = builder.Build();
@ -70,6 +56,7 @@ app.UseCors();
 //app.UseJwtTokenMiddleware();

 app.UseAuthentication();
+app.UseAbpOpenIddictValidation();
 app.UseMultiTenancy();
 app.UseAuthorization();

--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs
@ -1,13 +1,11 @@
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Builder;
+using OpenIddict.Validation.AspNetCore;

-namespace Volo.Abp.OpenIddict.Jwt;
+namespace Microsoft.AspNetCore.Builder;

-//TODO: Should we move this to another package..?
-
-public static class JwtTokenMiddleware
+public static class ApplicationBuilderAbpOpenIddictMiddlewareExtension
 {
-    public static IApplicationBuilder UseJwtTokenMiddleware(this IApplicationBuilder app, string schema = "Bearer")
+    public static IApplicationBuilder UseAbpOpenIddictValidation(this IApplicationBuilder app, string schema = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
    {
        return app.Use(async (ctx, next) =>
        {
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
@ -104,6 +104,8 @@ public class AbpOpenIddictAspNetCoreModule : AbpModule
                        .AddDevelopmentSigningCertificate();
                }

+                builder.DisableAccessTokenEncryption();
+
                var wildcardDomainsOptions = services.ExecutePreConfiguredActions<AbpOpenIddictWildcardDomainOptions>();
                if (wildcardDomainsOptions.EnableWildcardDomainSupport)
                {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs
@ -117,13 +117,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -150,7 +143,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureBlazorise(context);
        ConfigureRouter(context);
-        ConfigureAuthentication(context, configuration);
        ConfigureMongoDB(context);
    }

@ -189,17 +181,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
-    {
-        context.Services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalizationServices()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -338,7 +319,7 @@ public class MyProjectNameModule : AbpModule
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json
@ -6,10 +6,6 @@
  "ConnectionStrings": {
    "Default": "mongodb://localhost:27017/MyProjectName",
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  }
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs
@ -118,13 +118,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -151,7 +144,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureBlazorise(context);
        ConfigureRouter(context);
-        ConfigureAuthentication(context, configuration);
        ConfigureEfCore(context);
    }

@ -190,17 +182,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
-    {
-        context.Services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalizationServices()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -346,7 +327,7 @@ public class MyProjectNameModule : AbpModule
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json
@ -6,10 +6,6 @@
  "ConnectionStrings": {
    "Default": "Server=(LocalDb)\\MSSQLLocalDB;Database=MyProjectName;Trusted_Connection=True"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  }
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs
@ -108,13 +108,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -139,7 +132,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureVirtualFiles(hostingEnvironment);
        ConfigureLocalization();
-        ConfigureAuthentication(context.Services, configuration);
        ConfigureCors(context, configuration);
        ConfigureDataProtection(context, configuration, hostingEnvironment);
        ConfigureMongoDB(context);
@ -176,17 +168,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration)
-    {
-        services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalization()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -341,7 +322,7 @@ public class MyProjectNameModule : AbpModule
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json
@ -11,11 +11,6 @@
  "Redis": {
    "Configuration": "127.0.0.1"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false",
-    "SwaggerClientId": "MyProjectName_Swagger"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  },
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs
@ -110,13 +110,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -141,7 +134,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureVirtualFiles(hostingEnvironment);
        ConfigureLocalization();
-        ConfigureAuthentication(context.Services, configuration);
        ConfigureCors(context, configuration);
        ConfigureDataProtection(context, configuration, hostingEnvironment);
        ConfigureEfCore(context);
@ -178,17 +170,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration)
-    {
-        services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalization()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -350,7 +331,7 @@ public class MyProjectNameModule : AbpModule
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json
@ -11,11 +11,6 @@
  "Redis": {
    "Configuration": "127.0.0.1"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false",
-    "SwaggerClientId": "MyProjectName_Swagger"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  },
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs
@ -110,13 +110,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -142,7 +135,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureVirtualFiles(hostingEnvironment);
        ConfigureLocalization();
-        ConfigureAuthentication(context.Services, configuration);
        ConfigureMongoDB(context);
    }

@ -176,17 +168,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration)
-    {
-        services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalization()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -314,7 +295,7 @@ public class MyProjectNameModule : AbpModule
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json
@ -5,10 +5,6 @@
  "ConnectionStrings": {
    "Default": "mongodb://localhost:27017/MyProjectName"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  }
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs
@ -112,13 +112,6 @@ public class MyProjectNameModule : AbpModule
            );
        });

-		PreConfigure<OpenIddictServerBuilder>(builder =>
-		{
-			// https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-			// In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-			builder.DisableAccessTokenEncryption();
-		});
-
 		PreConfigure<OpenIddictBuilder>(builder =>
 		{
 			builder.AddValidation(options =>
@ -144,7 +137,6 @@ public class MyProjectNameModule : AbpModule
        ConfigureAutoApiControllers();
        ConfigureVirtualFiles(hostingEnvironment);
        ConfigureLocalization();
-        ConfigureAuthentication(context.Services, configuration);
        ConfigureEfCore(context);
    }

@ -179,17 +171,6 @@ public class MyProjectNameModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration)
-    {
-        services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureLocalization()
    {
        Configure<AbpLocalizationOptions>(options =>
@ -323,7 +304,7 @@ public class MyProjectNameModule : AbpModule
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (IsMultiTenant)
        {
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json
@ -5,10 +5,6 @@
  "ConnectionStrings": {
    "Default": "Server=(LocalDb)\\MSSQLLocalDB;Database=MyProjectName;Trusted_Connection=True"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44300",
-    "RequireHttpsMetadata": "false"
-  },
  "StringEncryption": {
    "DefaultPassPhrase": "gsKnGZ041HLL4IM8"
  }
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs
@ -48,13 +48,6 @@ public class MyProjectNameAuthServerModule : AbpModule
 {
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
-        PreConfigure<OpenIddictServerBuilder>(builder =>
-        {
-            // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-            // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-            builder.DisableAccessTokenEncryption();
-        });
-
        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs
@ -1,4 +1,3 @@
-using System;
 using System.IO;
 using Blazorise.Bootstrap5;
 using Blazorise.Icons.FontAwesome;
@ -74,13 +73,6 @@ public class MyProjectNameBlazorModule : AbpModule
            );
        });

-        PreConfigure<OpenIddictServerBuilder>(builder =>
-        {
-            // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-            // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-            builder.DisableAccessTokenEncryption();
-        });
-
        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
@ -99,7 +91,6 @@ public class MyProjectNameBlazorModule : AbpModule

        ConfigureUrls(configuration);
        ConfigureBundles();
-        ConfigureAuthentication(context, configuration);
        ConfigureAutoMapper();
        ConfigureVirtualFileSystem(hostingEnvironment);
        ConfigureLocalizationServices();
@ -145,17 +136,6 @@ public class MyProjectNameBlazorModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
-    {
-        context.Services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-            });
-    }
-
    private void ConfigureVirtualFileSystem(IWebHostEnvironment hostingEnvironment)
    {
        if (hostingEnvironment.IsDevelopment())
@ -283,7 +263,7 @@ public class MyProjectNameBlazorModule : AbpModule
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (MultiTenancyConsts.IsEnabled)
        {
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs
@ -50,13 +50,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule
 {
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
-        PreConfigure<OpenIddictServerBuilder>(builder =>
-        {
-            // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
-            // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
-            builder.DisableAccessTokenEncryption();
-        });
-
        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
@ -76,7 +69,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule
        ConfigureBundles();
        ConfigureUrls(configuration);
        ConfigureConventionalControllers();
-        ConfigureAuthentication(context, configuration);
        ConfigureLocalization();
        ConfigureVirtualFileSystem(context);
        ConfigureCors(context, configuration);
@ -138,23 +130,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule
        });
    }

-    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
-    {
-        context.Services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = "MyProjectName";
-                options.BackchannelHttpHandler = new HttpClientHandler
-                {
-                    ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
-                };
-
-                options.MapInboundClaims = false;
-            });
-    }
-
    private static void ConfigureSwaggerServices(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAbpSwaggerGenWithOAuth(
@ -241,7 +216,7 @@ public class MyProjectNameHttpApiHostModule : AbpModule
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (MultiTenancyConsts.IsEnabled)
        {
--- a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs
+++ b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs
@ -156,14 +156,6 @@ public class MyProjectNameAuthServerModule : AbpModule
            options.Applications["MVC"].RootUrl = configuration["App:SelfUrl"];
        });

-        context.Services.AddAuthentication()
-            .AddJwtBearer(options =>
-            {
-                options.Authority = configuration["AuthServer:Authority"];
-                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
-                options.Audience = configuration["AuthServer:ApiName"];
-            });
-
        Configure<AbpDistributedCacheOptions>(options =>
        {
            options.KeyPrefix = "MyProjectName:";
@ -226,7 +218,7 @@ public class MyProjectNameAuthServerModule : AbpModule
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
-        app.UseJwtTokenMiddleware();
+        app.UseAbpOpenIddictValidation();

        if (MultiTenancyConsts.IsEnabled)
        {
--- a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json
+++ b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json
@ -10,11 +10,6 @@
  "Redis": {
    "Configuration": "127.0.0.1"
  },
-  "AuthServer": {
-    "Authority": "https://localhost:44301/",
-    "RequireHttpsMetadata": "false",
-    "ApiName": "MyProjectName"
-  },
  "OpenIddict": {
    "Applications": {
      "MyProjectName_Web": {