Merge pull request 'Updated API to use LiteCharms Security' (#83) from payments into master

Reviewed-on: #83

LiteCharms.Features.Tests/http/litecharms/app.http

@@ -1,6 +1,6 @@
 ### Authentik Token Request (Service Account Explicit)
-POST {{authority}}
+POST {{authority}}/connect/token
 Content-Type: application/x-www-form-urlencoded
 Accept-Encoding: identity
 
-grant_type={{grantType}}&client_id={{clientId}}&username={{username}}&password={{password}}&scope={{scope}}
+grant_type={{grantType}}&client_id={{clientId}}&client_secret={{clientSecret}}&scope={{scope}}

LiteCharms.Features.Tests/http/litecharms/http-client.env.json

@@ -0,0 +1,9 @@
+{
+  "uat": {
+    "authority": "https://sts.security.khongisa.co.za",
+    "grantType": "client_credentials",
+    "clientId": "midrandbooks-api-uat",
+    "clientSecret": "secret_5a36d0024980544c875447a4b052938becc3fbbb10b8b2c097310c1a53ba3c0a",
+    "scope": "midrandbooks-api"
+  }
+}

LiteCharms.Features/Api/Configuration/LiteCharmsSettings.cs

@@ -1,22 +1,16 @@
 namespace LiteCharms.Features.Api.Configuration;
 
-public sealed class AuthentikSettings
+public sealed class LiteCharmsSettings
 {
     public string? Authority { get; set; }
 
-    public string? IntrospectionEndpoint { get; set; }
-
-    public string? MetadataEndpoint { get; set; }
-
-    public string? RevokationEndpoint { get; set; }
-
     public string? ClientId { get; set; }
 
     public string? ClientSecret { get; set; }
 
+    public string? Audience { get; set; }
+
     public string? RequiredClaimName { get; set; }
 
     public string? RequiredClaimNameValue { get; set; }
-
-    public bool RequireHttpsMetadata { get; set; }
 }

LiteCharms.Features/Extensions/Api.cs

@@ -1,6 +1,7 @@
 using LiteCharms.Features.Abstractions;
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace LiteCharms.Features.Extensions;
 
@@ -9,14 +10,14 @@ public static class Api
     public const string Books = nameof(Books);
     public const string Payments = nameof(Payments);
 
-    public static IServiceCollection AddAuthentikUiSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddLiteCharmsUiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
-        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
 
-        var authOptions = new AuthentikSettings();
+        var authOptions = new LiteCharmsSettings();
         configSection.Bind(authOptions);
 
-        services.Configure<AuthentikSettings>(configSection);
+        services.Configure<LiteCharmsSettings>(configSection);
 
         services.AddAuthentication(options =>
         {
@@ -27,7 +28,6 @@ public static class Api
         .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
         {
             options.Authority = authOptions.Authority;           
-            options.MetadataAddress = authOptions.MetadataEndpoint;
 
             options.ClientId = authOptions.ClientId;
             options.ClientSecret = authOptions.ClientSecret;
@@ -42,49 +42,38 @@ public static class Api
             options.Scope.Add("profile");
             options.Scope.Add("email");
 
-            options.Events = new OpenIdConnectEvents
+            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
-            {
+            options.CorrelationCookie.SameSite = SameSiteMode.None;
-                OnRedirectToIdentityProvider = context =>
+            options.CorrelationCookie.HttpOnly = true;
-                {
-                    if (!string.IsNullOrEmpty(context.ProtocolMessage.RedirectUri) && context.ProtocolMessage.RedirectUri.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
-                    {
-                        var uriBuilder = new UriBuilder(context.ProtocolMessage.RedirectUri)
-                        {
-                            Scheme = "https"
-                        };
 
-                        context.ProtocolMessage.RedirectUri = uriBuilder.Uri.ToString();
+            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
-                    }
+            options.NonceCookie.SameSite = SameSiteMode.None;
-
+            options.NonceCookie.HttpOnly = true;
-                    return Task.CompletedTask;
-                },
-            };
         });
 
         return services;
     }
 
-    public static IServiceCollection AddAuthentikApiSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
-        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
 
-        var authOptions = new AuthentikSettings();
+        var authOptions = new LiteCharmsSettings();
         configSection.Bind(authOptions);
 
-        services.Configure<AuthentikSettings>(configSection);
+        services.Configure<LiteCharmsSettings>(configSection);
 
-        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-            .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
+            .AddJwtBearer(options =>
             {
                 options.Authority = authOptions.Authority;
-                options.IntrospectionEndpoint = authOptions.IntrospectionEndpoint;
+                options.Audience = authOptions.Audience;
-                options.ClientId = authOptions.ClientId;
+                options.TokenValidationParameters = new TokenValidationParameters
-                options.ClientSecret = authOptions.ClientSecret;
+                {
-
+                    ValidIssuer = authOptions.Authority,
-                options.NameClaimType = "sub";
+                    ValidateAudience = true,
-                options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
+                    ValidateIssuer = true,
-                options.DiscoveryPolicy.ValidateEndpoints = false;
+                };
-                options.EnableCaching = false;
             });
 
         if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
@@ -109,32 +98,16 @@ public static class Api
             });
         });
 
-        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<AuthentikSettings> settings) =>
+        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<LiteCharmsSettings> settings) =>
         {
-            var authOptions = settings.Value;
-            var accessToken = await context.GetTokenAsync("access_token");
-
-            if (!string.IsNullOrEmpty(accessToken))
-            {
-                try
-                {
-                    var client = httpClientFactory.CreateClient();
-
-                    var requestContent = new FormUrlEncodedContent(new Dictionary<string, string>(StringComparer.Ordinal)
-                    {
-                        { "token", accessToken },
-                        { "client_id", authOptions.ClientId! },
-                        { "client_secret", authOptions.ClientSecret! },
-                    });
-
-                    await client.PostAsync(authOptions.RevokationEndpoint, requestContent, context.RequestAborted);
-                }
-                catch { }
-            }
-
             await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
 
-            return Results.Redirect($"{authOptions.Authority}end-session/");
+            string currentBaseUrl = $"https://{context.Request.Host}{context.Request.PathBase}/";
+
+            await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
+            {
+                RedirectUri = currentBaseUrl
+            });
         });
 
         return app;