Merge pull request 'Forcing login https proto on redirect' (#77) from payments into master

Reviewed-on: #77

LiteCharms.Features/Api/Configuration/AuthentikSettings.cs

@@ -4,11 +4,15 @@ public sealed class AuthentikSettings
 {
     public string? Authority { get; set; }
 
-    public string? IntrospectionUrl { get; set; }
+    public string? IntrospectionEndpoint { get; set; }
 
-    public string? ApiResourceName { get; set; }
+    public string? MetadataEndpoint { get; set; }
 
-    public string? ApiResourceSecret { get; set; }
+    public string? RevokationEndpoint { get; set; }
+
+    public string? ClientId { get; set; }
+
+    public string? ClientSecret { get; set; }
 
     public string? RequiredClaimName { get; set; }
 

LiteCharms.Features/Extensions/Api.cs

@@ -9,7 +9,62 @@ public static class Api
     public const string Books = nameof(Books);
     public const string Payments = nameof(Payments);
 
-    public static IServiceCollection AddAuthentic(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddAuthentikUiSecurity(this IServiceCollection services, IConfiguration configuration)
+    {
+        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+
+        var authOptions = new AuthentikSettings();
+        configSection.Bind(authOptions);
+
+        services.Configure<AuthentikSettings>(configSection);
+
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+        })
+        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
+        {
+            options.Authority = authOptions.Authority;
+            options.MetadataAddress = authOptions.MetadataEndpoint;
+
+            options.ClientId = authOptions.ClientId;
+            options.ClientSecret = authOptions.ClientSecret;
+            options.SignedOutCallbackPath = "/signout-callback-oidc";
+
+            options.ResponseType = "code";
+            options.SaveTokens = true;
+            options.GetClaimsFromUserInfoEndpoint = true;
+
+            options.Scope.Clear();
+            options.Scope.Add("openid");
+            options.Scope.Add("profile");
+            options.Scope.Add("email");
+
+            options.Events = new OpenIdConnectEvents
+            {
+                OnRedirectToIdentityProvider = context =>
+                {
+                    if (!string.IsNullOrEmpty(context.ProtocolMessage.RedirectUri) && context.ProtocolMessage.RedirectUri.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
+                    {
+                        var uriBuilder = new UriBuilder(context.ProtocolMessage.RedirectUri)
+                        {
+                            Scheme = "https"
+                        };
+
+                        context.ProtocolMessage.RedirectUri = uriBuilder.Uri.ToString();
+                    }
+
+                    return Task.CompletedTask;
+                },
+            };
+        });
+
+        return services;
+    }
+
+    public static IServiceCollection AddAuthentikApiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
         var configSection = configuration.GetSection(nameof(AuthentikSettings));
 
@@ -22,21 +77,69 @@ public static class Api
             .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
             {
                 options.Authority = authOptions.Authority;
-                options.IntrospectionEndpoint = authOptions.IntrospectionUrl;
+                options.IntrospectionEndpoint = authOptions.IntrospectionEndpoint;
-                options.ClientId = authOptions.ApiResourceName;
+                options.ClientId = authOptions.ClientId;
-                options.ClientSecret = authOptions.ApiResourceSecret;
+                options.ClientSecret = authOptions.ClientSecret;
 
                 options.NameClaimType = "sub";
                 options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
                 options.DiscoveryPolicy.ValidateEndpoints = false;
-                options.EnableCaching = false;                
+                options.EnableCaching = false;
             });
 
-        services.AddAuthorization();
+        if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
+        {
+            services.AddAuthorizationBuilder()
+                .AddPolicy("RequiredScope", policy =>
+                    policy.RequireClaim(authOptions.RequiredClaimName, authOptions.RequiredClaimNameValue));
+        }
+        else
+            services.AddAuthorization();
 
         return services;
     }
 
+    public static WebApplication AddSecurityEndpoints(this WebApplication app)
+    {
+        app.MapGet("/login", async (HttpContext context, string redirectUri = "/") =>
+        {
+            await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
+            {
+                RedirectUri = redirectUri,
+            });
+        });
+
+        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<AuthentikSettings> settings) =>
+        {
+            var authOptions = settings.Value;
+            var accessToken = await context.GetTokenAsync("access_token");
+
+            if (!string.IsNullOrEmpty(accessToken))
+            {
+                try
+                {
+                    var client = httpClientFactory.CreateClient();
+
+                    var requestContent = new FormUrlEncodedContent(new Dictionary<string, string>(StringComparer.Ordinal)
+                    {
+                        { "token", accessToken },
+                        { "client_id", authOptions.ClientId! },
+                        { "client_secret", authOptions.ClientSecret! },
+                    });
+
+                    await client.PostAsync(authOptions.RevokationEndpoint, requestContent, context.RequestAborted);
+                }
+                catch { }
+            }
+
+            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+
+            return Results.Redirect($"{authOptions.Authority}end-session/");
+        });
+
+        return app;
+    }
+
     public static IServiceCollection AddApiServices(this IServiceCollection services, IConfiguration configuration)
     {
         services.AddHttpClient();
@@ -124,5 +227,4 @@ public static class Api
 
     public static string ToEndpointName(this Type target, string? annotation = "") =>
         $"{target.Name.Replace("Endpoint", string.Empty)}{annotation}".ToLower(CultureInfo.CurrentCulture);
-
 }

LiteCharms.Features/LiteCharms.Features.csproj

@@ -38,6 +38,9 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.8" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
 
+    <Using Include="Microsoft.AspNetCore.Authentication"/>
+    <Using Include="Microsoft.AspNetCore.Authentication.OpenIdConnect"/>
+    <Using Include="Microsoft.AspNetCore.Authentication.Cookies"/>
     <Using Include="IdentityModel.AspNetCore.OAuth2Introspection"/>
   </ItemGroup>