Merge pull request 'Updated API to use LiteCharms Security' (#83 ) from payments into master

Reviewed-on: #83
Updated API to use LiteCharms Security
2026-06-06 16:27:16 +02:00 · 2026-06-06 16:26:27 +02:00 · 2026-06-05 09:20:17 +02:00 · 2026-06-05 09:19:32 +02:00 · 2026-06-05 08:56:17 +02:00 · 2026-06-05 08:55:31 +02:00
4 changed files with 40 additions and 43 deletions
@@ -1,6 +1,6 @@
 ### Authentik Token Request (Service Account Explicit)
-POST {{authority}}
+POST {{authority}}/connect/token
 Content-Type: application/x-www-form-urlencoded
 Accept-Encoding: identity

-grant_type={{grantType}}&client_id={{clientId}}&username={{username}}&password={{password}}&scope={{scope}}
+grant_type={{grantType}}&client_id={{clientId}}&client_secret={{clientSecret}}&scope={{scope}}
@@ -0,0 +1,9 @@
+{
+  "uat": {
+    "authority": "https://sts.security.khongisa.co.za",
+    "grantType": "client_credentials",
+    "clientId": "midrandbooks-api-uat",
+    "clientSecret": "secret_5a36d0024980544c875447a4b052938becc3fbbb10b8b2c097310c1a53ba3c0a",
+    "scope": "midrandbooks-api"
+  }
+}
@@ -1,22 +1,16 @@
 namespace LiteCharms.Features.Api.Configuration;

-public sealed class AuthentikSettings
+public sealed class LiteCharmsSettings
 {
    public string? Authority { get; set; }

-    public string? IntrospectionEndpoint { get; set; }
-
-    public string? MetadataEndpoint { get; set; }
-
-    public string? RevokationEndpoint { get; set; }
-
    public string? ClientId { get; set; }

    public string? ClientSecret { get; set; }

+    public string? Audience { get; set; }
+
    public string? RequiredClaimName { get; set; }

    public string? RequiredClaimNameValue { get; set; }
-
-    public bool RequireHttpsMetadata { get; set; }
 }
@@ -1,6 +1,7 @@
 using LiteCharms.Features.Abstractions;
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
+using Microsoft.AspNetCore.Authentication.JwtBearer;

 namespace LiteCharms.Features.Extensions;

@@ -9,14 +10,14 @@ public static class Api
    public const string Books = nameof(Books);
    public const string Payments = nameof(Payments);

-    public static IServiceCollection AddAuthentikUiSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddLiteCharmsUiSecurity(this IServiceCollection services, IConfiguration configuration)
    {
-        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));

-        var authOptions = new AuthentikSettings();
+        var authOptions = new LiteCharmsSettings();
        configSection.Bind(authOptions);

-        services.Configure<AuthentikSettings>(configSection);
+        services.Configure<LiteCharmsSettings>(configSection);

        services.AddAuthentication(options =>
        {
@@ -26,8 +27,7 @@ public static class Api
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
-            options.Authority = authOptions.Authority;
-            options.MetadataAddress = authOptions.MetadataEndpoint;
+            options.Authority = authOptions.Authority;           

            options.ClientId = authOptions.ClientId;
            options.ClientSecret = authOptions.ClientSecret;
@@ -42,44 +42,38 @@ public static class Api
            options.Scope.Add("profile");
            options.Scope.Add("email");

-            options.Events = new OpenIdConnectEvents
-            {
-                OnRedirectToIdentityProvider = context =>
-                {
-                    var fallbackUri = context.ProtocolMessage.RedirectUri;
+            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.CorrelationCookie.SameSite = SameSiteMode.None;
+            options.CorrelationCookie.HttpOnly = true;

-                    if (fallbackUri.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
-                        context.ProtocolMessage.RedirectUri = fallbackUri.Replace("http://", "https://", StringComparison.OrdinalIgnoreCase);
-
-                    return Task.CompletedTask;
-                }
-            };
+            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.NonceCookie.SameSite = SameSiteMode.None;
+            options.NonceCookie.HttpOnly = true;
        });

        return services;
    }

-    public static IServiceCollection AddAuthentikApiSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
    {
-        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));

-        var authOptions = new AuthentikSettings();
+        var authOptions = new LiteCharmsSettings();
        configSection.Bind(authOptions);

-        services.Configure<AuthentikSettings>(configSection);
+        services.Configure<LiteCharmsSettings>(configSection);

-        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
-            .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
            {
                options.Authority = authOptions.Authority;
-                options.IntrospectionEndpoint = authOptions.IntrospectionEndpoint;
-                options.ClientId = authOptions.ClientId;
-                options.ClientSecret = authOptions.ClientSecret;
-
-                options.NameClaimType = "sub";
-                options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
-                options.DiscoveryPolicy.ValidateEndpoints = false;
-                options.EnableCaching = false;
+                options.Audience = authOptions.Audience;
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidIssuer = authOptions.Authority,
+                    ValidateAudience = true,
+                    ValidateIssuer = true,
+                };
            });

        if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
@@ -104,7 +98,7 @@ public static class Api
            });
        });

-        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<AuthentikSettings> settings) =>
+        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<LiteCharmsSettings> settings) =>
        {
            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
Author	SHA1	Message	Date
khwezi	e2d29261da	Merge pull request 'Updated API to use LiteCharms Security' (#83 ) from payments into master Reviewed-on: #83	2026-06-06 16:27:16 +02:00
Khwezi Mngoma	5d5b59d610	Updated API to use LiteCharms Security continuous-integration/drone/pr Build is passing Details	2026-06-06 16:26:27 +02:00
khwezi	f001b02633	Merge pull request 'Refactored to deal with cookie hell' (#82 ) from payments into master Reviewed-on: #82	2026-06-05 09:20:17 +02:00
Khwezi Mngoma	90a11dc65e	Refactored to deal with cookie hell continuous-integration/drone/pr Build is passing Details	2026-06-05 09:19:32 +02:00
khwezi	de955a96a8	Merge pull request 'Removed login proto handling' (#81 ) from payments into master Reviewed-on: #81	2026-06-05 08:56:17 +02:00
Khwezi Mngoma	cdf5cfb5cd	Removed login proto handling continuous-integration/drone/pr Build is passing Details	2026-06-05 08:55:31 +02:00