configure openid connect

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "7.0.10",
+      "version": "8.0.5",
       "commands": [
         "dotnet-ef"
       ]

backend/LexBoxApi/Auth/AuthKernel.cs

@@ -5,12 +5,14 @@
 using LexBoxApi.Auth.Requirements;
 using LexBoxApi.Controllers;
 using LexCore.Auth;
+using LexData;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.OpenApi.Models;
+using OpenIddict.Validation.AspNetCore;
 
 namespace LexBoxApi.Auth;
 
@@ -66,6 +68,8 @@ public static void AddLexBoxAuth(IServiceCollection services,
             .BindConfiguration("Authentication:Jwt")
             .ValidateDataAnnotations()
             .ValidateOnStart();
+        services.AddOptions<OpenIdOptions>()
+            .BindConfiguration("Authentication:OpenId");
         services.AddAuthentication(options =>
             {
                 options.DefaultScheme = DefaultScheme;
@@ -78,7 +82,13 @@ public static void AddLexBoxAuth(IServiceCollection services,
                 {
                     options.ForwardDefaultSelector = context =>
                     {
-
+                        if (context.Request.Headers.ContainsKey("Authorization") &&
+                            context.Request.Headers.Authorization.ToString().StartsWith("Bearer") &&
+                            context.RequestServices.GetService<IOptions<OpenIdOptions>>()?.Value.Enable == true)
+                        {
+                            //fow now this will use oauth
+                            return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+                        }
                         if (context.Request.IsJwtRequest())
                         {
                             return JwtBearerDefaults.AuthenticationScheme;
@@ -101,9 +111,9 @@ public static void AddLexBoxAuth(IServiceCollection services,
             .AddCookie(options =>
             {
                 configuration.Bind("Authentication:Cookie", options);
-                options.LoginPath = "/api/login";
+                options.LoginPath = "/login";
                 options.Cookie.Name = AuthCookieName;
-                options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
+                // options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
                 options.ForwardForbid = JwtBearerDefaults.AuthenticationScheme;
             })
             .AddJwtBearer(options =>
@@ -152,7 +162,8 @@ public static void AddLexBoxAuth(IServiceCollection services,
                     context.HandleResponse();
                     var loginController = context.HttpContext.RequestServices.GetRequiredService<LoginController>();
                     loginController.ControllerContext.HttpContext = context.HttpContext;
-                    var redirectTo = await loginController.CompleteGoogleLogin(context.Principal, context.Properties?.RedirectUri);
+                    //using context.ReturnUri and not context.Properties.RedirectUri because the latter is null
+                    var redirectTo = await loginController.CompleteGoogleLogin(context.Principal, context.ReturnUri);
                     context.HttpContext.Response.Redirect(redirectTo);
                 };
             });
@@ -185,6 +196,65 @@ public static void AddLexBoxAuth(IServiceCollection services,
                 }
             });
         });
+
+        var openIdOptions = configuration.GetSection("Authentication:OpenId").Get<OpenIdOptions>();
+        if (openIdOptions?.Enable == true) AddOpenId(services, environment);
+    }
+
+    private static void AddOpenId(IServiceCollection services, IWebHostEnvironment environment)
+    {
+        services.Add(ScopeRequestFixer.Descriptor.ServiceDescriptor);
+
+        //openid server
+        services.AddOpenIddict()
+            .AddCore(options =>
+            {
+                options.UseEntityFrameworkCore().UseDbContext<LexBoxDbContext>();
+                options.UseQuartz();
+            })
+            .AddServer(options =>
+            {
+                options.RegisterScopes("openid", "profile", "email");
+                options.RegisterClaims("aud", "email", "exp", "iss", "iat", "sub", "name");
+                options.SetAuthorizationEndpointUris("api/login/open-id-auth");
+                options.SetTokenEndpointUris("api/login/token");
+                options.SetIntrospectionEndpointUris("api/connect/introspect");
+                options.SetUserinfoEndpointUris("api/connect/userinfo");
+                options.Configure(serverOptions => serverOptions.Handlers.Add(ScopeRequestFixer.Descriptor));
+
+                options.AllowAuthorizationCodeFlow()
+                    .AllowRefreshTokenFlow();
+
+                options.RequireProofKeyForCodeExchange();//best practice to use PKCE with auth code flow and no implicit flow
+
+                options.IgnoreResponseTypePermissions();
+                options.IgnoreScopePermissions();
+                if (environment.IsDevelopment())
+                {
+                    options.AddDevelopmentEncryptionCertificate();
+                    options.AddDevelopmentSigningCertificate();
+                }
+                else
+                {
+                    //see docs: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                    throw new NotImplementedException("need to implement loading keys from a file");
+                }
+
+                var aspnetCoreBuilder = options.UseAspNetCore()
+                    .EnableAuthorizationEndpointPassthrough()
+                    .EnableTokenEndpointPassthrough();
+                if (environment.IsDevelopment())
+                {
+                    aspnetCoreBuilder.DisableTransportSecurityRequirement();
+                }
+            })
+            .AddValidation(options =>
+            {
+                options.UseLocalServer();
+                options.UseAspNetCore();
+                options.AddAudiences(Enum.GetValues<LexboxAudience>().Where(a => a != LexboxAudience.Unknown).Select(a => a.ToString()).ToArray());
+                options.EnableAuthorizationEntryValidation();
+            });
     }
 
     public static AuthorizationPolicyBuilder RequireDefaultLexboxAuth(this AuthorizationPolicyBuilder builder)

backend/LexBoxApi/Auth/OpenIdOptions.cs

@@ -0,0 +1,9 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace LexBoxApi.Auth;
+
+public class OpenIdOptions
+{
+    [Required]
+    public required bool Enable { get; set; }
+}

backend/LexBoxApi/Auth/ScopeRequestFixer.cs

@@ -0,0 +1,28 @@
+using OpenIddict.Abstractions;
+using OpenIddict.Server;
+
+namespace LexBoxApi.Auth;
+
+/// <summary>
+/// the MSAL library makes requests with the scope parameter, which is invalid, this attempts to remove the scope before it's rejected
+/// </summary>
+public sealed class ScopeRequestFixer : IOpenIddictServerHandler<OpenIddictServerEvents.ValidateTokenRequestContext>
+{
+    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
+        = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ValidateTokenRequestContext>()
+            .UseSingletonHandler<ScopeRequestFixer>()
+            .SetOrder(OpenIddictServerHandlers.Exchange.ValidateResourceOwnerCredentialsParameters.Descriptor.Order + 1)
+            .SetType(OpenIddictServerHandlerType.Custom)
+            .Build();
+
+    public ValueTask HandleAsync(OpenIddictServerEvents.ValidateTokenRequestContext context)
+    {
+        if (!string.IsNullOrEmpty(context.Request.Scope) && (context.Request.IsAuthorizationCodeGrantType() ||
+                                                             context.Request.IsDeviceCodeGrantType()))
+        {
+            context.Request.Scope = null;
+        }
+
+        return default;
+    }
+}