configure openid connect (#809)

* attempt to add openid connect support * update dotnet ef tool version * disable openId in production using a config option. This lets us figure out how to we want to do key storage in production * fix redirect loop trying to send the user to the login page, if that's handled by aspnet it'll result in a redirect loop * trim down claims check list since most aren't used, allow name claim to end up in ID token for testing purposes * correct vite proxy to send traces to the collector and not dotnet. * configure the login page to handle return urls * allow application manager to be null in seeding data to allow for case where openId is disabled * require pkce and disable implicit flow, enable oauth to work over http and with proper CORS headers * create approval flow for oauth login * correct vite proxy so https isn't used incorrectly when the backend redirects somewhere * pass redirect uri along via google login, fix bug where redirect url was always null in `CompleteGoogleLogin` due to using the wrong property. * Redesign authorize page * extract oauth code out of LoginController.cs and into OauthController.cs, revert some changes made to vite.config.ts --------- Co-authored-by: Tim Haasdyk <[email protected]>
sillsdev · May 28, 2024 · e3d7d16 · e3d7d16
1 parent 1ce357a
commit e3d7d16
Show file tree

Hide file tree

Showing 30 changed files with 2,392 additions and 102 deletions.
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "7.0.10",
+      "version": "8.0.5",
       "commands": [
         "dotnet-ef"
       ]

diff --git a/.idea/.idea.LexBox/.idea/.gitignore b/.idea/.idea.LexBox/.idea/.gitignore
diff --git a/.idea/.idea.LexBox/.idea/dataSources.xml b/.idea/.idea.LexBox/.idea/dataSources.xml
diff --git a/.idea/.idea.LexBox/.idea/indexLayout.xml b/.idea/.idea.LexBox/.idea/indexLayout.xml
diff --git a/.idea/.idea.LexBox/.idea/vcs.xml b/.idea/.idea.LexBox/.idea/vcs.xml
diff --git a/backend/LexBoxApi/Auth/AuthKernel.cs b/backend/LexBoxApi/Auth/AuthKernel.cs
@@ -1,16 +1,19 @@
+using System.Collections.ObjectModel;
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Http.Headers;
 using System.Text;
 using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Auth.Requirements;
 using LexBoxApi.Controllers;
 using LexCore.Auth;
+using LexData;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.OpenApi.Models;
+using OpenIddict.Validation.AspNetCore;
 
 namespace LexBoxApi.Auth;
 
@@ -66,6 +69,8 @@ public static void AddLexBoxAuth(IServiceCollection services,
             .BindConfiguration("Authentication:Jwt")
             .ValidateDataAnnotations()
             .ValidateOnStart();
+        services.AddOptions<OpenIdOptions>()
+            .BindConfiguration("Authentication:OpenId");
         services.AddAuthentication(options =>
             {
                 options.DefaultScheme = DefaultScheme;
@@ -78,7 +83,13 @@ public static void AddLexBoxAuth(IServiceCollection services,
                 {
                     options.ForwardDefaultSelector = context =>
                     {
-
+                        if (context.Request.Headers.ContainsKey("Authorization") &&
+                            context.Request.Headers.Authorization.ToString().StartsWith("Bearer") &&
+                            context.RequestServices.GetService<IOptions<OpenIdOptions>>()?.Value.Enable == true)
+                        {
+                            //fow now this will use oauth
+                            return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+                        }
                         if (context.Request.IsJwtRequest())
                         {
                             return JwtBearerDefaults.AuthenticationScheme;
@@ -101,9 +112,9 @@ public static void AddLexBoxAuth(IServiceCollection services,
             .AddCookie(options =>
             {
                 configuration.Bind("Authentication:Cookie", options);
-                options.LoginPath = "/api/login";
+                options.LoginPath = "/login";
                 options.Cookie.Name = AuthCookieName;
-                options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
+                // options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
                 options.ForwardForbid = JwtBearerDefaults.AuthenticationScheme;
             })
             .AddJwtBearer(options =>
@@ -152,7 +163,8 @@ public static void AddLexBoxAuth(IServiceCollection services,
                     context.HandleResponse();
                     var loginController = context.HttpContext.RequestServices.GetRequiredService<LoginController>();
                     loginController.ControllerContext.HttpContext = context.HttpContext;
-                    var redirectTo = await loginController.CompleteGoogleLogin(context.Principal, context.Properties?.RedirectUri);
+                    //using context.ReturnUri and not context.Properties.RedirectUri because the latter is null
+                    var redirectTo = await loginController.CompleteGoogleLogin(context.Principal, context.ReturnUri);
                     context.HttpContext.Response.Redirect(redirectTo);
                 };
             });
@@ -185,6 +197,65 @@ public static void AddLexBoxAuth(IServiceCollection services,
                 }
             });
         });
+
+        var openIdOptions = configuration.GetSection("Authentication:OpenId").Get<OpenIdOptions>();
+        if (openIdOptions?.Enable == true) AddOpenId(services, environment);
+    }
+
+    private static void AddOpenId(IServiceCollection services, IWebHostEnvironment environment)
+    {
+        services.Add(ScopeRequestFixer.Descriptor.ServiceDescriptor);
+        //openid server
+        services.AddOpenIddict()
+            .AddCore(options =>
+            {
+                options.UseEntityFrameworkCore().UseDbContext<LexBoxDbContext>();
+                options.UseQuartz();
+            })
+            .AddServer(options =>
+            {
+                options.RegisterScopes("openid", "profile", "email");
+                //todo add application claims
+                options.RegisterClaims("aud", "email", "exp", "iss", "iat", "sub", "name");
+                options.SetAuthorizationEndpointUris("api/oauth/open-id-auth");
+                options.SetTokenEndpointUris("api/oauth/token");
+                options.SetIntrospectionEndpointUris("api/oauth/introspect");
+                options.SetUserinfoEndpointUris("api/oauth/userinfo");
+                options.Configure(serverOptions => serverOptions.Handlers.Add(ScopeRequestFixer.Descriptor));
+
+                options.AllowAuthorizationCodeFlow()
+                    .AllowRefreshTokenFlow();
+
+                options.RequireProofKeyForCodeExchange();//best practice to use PKCE with auth code flow and no implicit flow
+
+                options.IgnoreResponseTypePermissions();
+                options.IgnoreScopePermissions();
+                if (environment.IsDevelopment())
+                {
+                    options.AddDevelopmentEncryptionCertificate();
+                    options.AddDevelopmentSigningCertificate();
+                }
+                else
+                {
+                    //see docs: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                    throw new NotImplementedException("need to implement loading keys from a file");
+                }
+
+                var aspnetCoreBuilder = options.UseAspNetCore()
+                    .EnableAuthorizationEndpointPassthrough()
+                    .EnableTokenEndpointPassthrough();
+                if (environment.IsDevelopment())
+                {
+                    aspnetCoreBuilder.DisableTransportSecurityRequirement();
+                }
+            })
+            .AddValidation(options =>
+            {
+                options.UseLocalServer();
+                options.UseAspNetCore();
+                options.AddAudiences(Enum.GetValues<LexboxAudience>().Where(a => a != LexboxAudience.Unknown).Select(a => a.ToString()).ToArray());
+                options.EnableAuthorizationEntryValidation();
+            });
     }
 
     public static AuthorizationPolicyBuilder RequireDefaultLexboxAuth(this AuthorizationPolicyBuilder builder)

diff --git a/backend/LexBoxApi/Auth/OpenIdOptions.cs b/backend/LexBoxApi/Auth/OpenIdOptions.cs
@@ -0,0 +1,9 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace LexBoxApi.Auth;
+
+public class OpenIdOptions
+{
+    [Required]
+    public required bool Enable { get; set; }
+}
diff --git a/backend/LexBoxApi/Auth/ScopeRequestFixer.cs b/backend/LexBoxApi/Auth/ScopeRequestFixer.cs
@@ -0,0 +1,28 @@
+using OpenIddict.Abstractions;
+using OpenIddict.Server;
+
+namespace LexBoxApi.Auth;
+
+/// <summary>
+/// the MSAL library makes requests with the scope parameter, which is invalid, this attempts to remove the scope before it's rejected
+/// </summary>
+public sealed class ScopeRequestFixer : IOpenIddictServerHandler<OpenIddictServerEvents.ValidateTokenRequestContext>
+{
+    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
+        = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ValidateTokenRequestContext>()
+            .UseSingletonHandler<ScopeRequestFixer>()
+            .SetOrder(OpenIddictServerHandlers.Exchange.ValidateResourceOwnerCredentialsParameters.Descriptor.Order + 1)
+            .SetType(OpenIddictServerHandlerType.Custom)
+            .Build();
+
+    public ValueTask HandleAsync(OpenIddictServerEvents.ValidateTokenRequestContext context)
+    {
+        if (!string.IsNullOrEmpty(context.Request.Scope) && (context.Request.IsAuthorizationCodeGrantType() ||
+                                                             context.Request.IsDeviceCodeGrantType()))
+        {
+            context.Request.Scope = null;
+        }
+
+        return default;
+    }
+}
diff --git a/backend/LexBoxApi/Controllers/LoginController.cs b/backend/LexBoxApi/Controllers/LoginController.cs
@@ -8,13 +8,9 @@
 using LexCore.Auth;
 using LexData;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.AspNetCore.Http;
-using LexCore.Entities;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication.Google;
 
@@ -28,8 +24,7 @@ public class LoginController(
     LoggedInContext loggedInContext,
     EmailService emailService,
     UserService userService,
-    TurnstileService turnstileService,
-    ProjectService projectService)
+    TurnstileService turnstileService)
     : ControllerBase
 {
     /// <summary>
@@ -38,7 +33,6 @@ public class LoginController(
     /// </summary>
     [HttpGet("loginRedirect")]
     [AllowAnyAudience]
-
     public async Task<ActionResult> LoginRedirect(
         string jwt, // This is required because auth looks for a jwt in the query string
         string returnTo)
@@ -53,6 +47,7 @@ public async Task<ActionResult> LoginRedirect(
                 return await EmailLinkExpired();
             }
         }
+
         await HttpContext.SignInAsync(User,
             new AuthenticationProperties { IsPersistent = true });
         return Redirect(returnTo);
@@ -87,6 +82,7 @@ public async Task<string> CompleteGoogleLogin(ClaimsPrincipal? principal, string
         {
             (authUser, userEntity) = await lexAuthService.GetUser(googleEmail);
         }
+
         if (authUser is null)
         {
             authUser = new LexAuthUser()
@@ -102,19 +98,20 @@ public async Task<string> CompleteGoogleLogin(ClaimsPrincipal? principal, string
                 Locale = locale ?? LexCore.Entities.User.DefaultLocalizationCode,
                 Locked = null,
             };
-            var queryParams = new Dictionary<string, string?>() {
-                {"email", googleEmail},
-                {"name", googleName},
-                {"returnTo", returnTo},
+            var queryParams = new Dictionary<string, string?>()
+            {
+                { "email", googleEmail }, { "name", googleName }, { "returnTo", returnTo },
             };
             var queryString = QueryString.Create(queryParams);
             returnTo = "/register" + queryString.ToString();
         }
+
         if (userEntity is not null && !foundGoogleId)
         {
             userEntity.GoogleId = googleId;
             await lexBoxDbContext.SaveChangesAsync();
         }
+
         await HttpContext.SignInAsync(authUser.GetPrincipal("google"),
             new AuthenticationProperties { IsPersistent = true });
         return returnTo;
@@ -158,6 +155,7 @@ public async Task<ActionResult<LexAuthUser>> VerifyEmail(
         return Redirect(returnTo);
     }
 
+
     [HttpPost]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -219,7 +217,9 @@ public async Task<ActionResult> ForgotPassword(ForgotPasswordInput input)
         return Ok();
     }
 
-    public record ResetPasswordRequest([Required(AllowEmptyStrings = false)] string PasswordHash, int? PasswordStrength);
+    public record ResetPasswordRequest(
+        [Required(AllowEmptyStrings = false)] string PasswordHash,
+        int? PasswordStrength);
 
     [HttpPost("resetPassword")]
     [RequireAudience(LexboxAudience.ForgotPassword)]