Add google authentication

Core.Thalos.BFF.Api/Services/Constant.cs

@@ -0,0 +1,7 @@
+namespace Core.Thalos.BFF.Api.Services
+{
+    public static class Constant
+    {
+        public const string Scheme = "GoogleAccessToken";
+    }
+}

Core.Thalos.BFF.Api/Services/GoogleAccessTokenAuthenticationHandler.cs

@@ -0,0 +1,61 @@
+using Google.Apis.Auth;
+using Google.Apis.Auth.OAuth2.Flows;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public class GoogleAccessTokenAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
+         ILoggerFactory logger,
+         UrlEncoder encoder,
+         IConfiguration config) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
+    {
+        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            if (!Request.Headers.ContainsKey("Authorization"))
+                return AuthenticateResult.Fail("Missing Authorization header");
+
+            var authHeader = Request.Headers.Authorization.ToString();
+            if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Invalid Authorization header");
+
+            var idToken = authHeader["Bearer ".Length..].Trim();
+
+            GoogleJsonWebSignature.Payload payload;
+            try
+            {
+                payload = await GoogleJsonWebSignature.ValidateAsync(
+                    idToken,
+                    new GoogleJsonWebSignature.ValidationSettings
+                    {
+                        Audience = new[] { config["Authentication:Google:ClientId"]! }
+                    });
+            }
+            catch (InvalidJwtException)
+            {
+                return AuthenticateResult.Fail("Invalid Google token");
+            }
+
+            var claims = new List<Claim>
+            {
+                new Claim(ClaimTypes.NameIdentifier, payload.Subject),
+                new Claim(ClaimTypes.Email,          payload.Email),
+                new Claim(ClaimTypes.Name,           payload.Name ?? "")
+            };
+
+            var identity = new ClaimsIdentity(claims, Constant.Scheme);
+            var principal = new ClaimsPrincipal(identity);
+
+            var userEmail = principal.FindFirst(ClaimTypes.Email)?.Value;
+
+            if (string.IsNullOrEmpty(userEmail) || 
+                !userEmail.EndsWith("@agilewebs.com", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Unauthorized Access");
+
+            var ticket = new AuthenticationTicket(principal, Constant.Scheme);
+            return AuthenticateResult.Success(ticket);
+        }
+    }
+}

Core.Thalos.BFF.Api/Services/IGoogleAuthHelper.cs

@@ -0,0 +1,37 @@
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Oauth2.v2;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public interface IGoogleAuthHelper
+    {
+        string[] GetScopes();
+        string ScopeToString();
+        ClientSecrets GetClientSecrets();
+    }
+
+    public class GoogleAuthHelperService(IConfiguration config) : IGoogleAuthHelper
+    {
+        public ClientSecrets GetClientSecrets()
+        {
+            string clientId = config["Authentication:Google:ClientId"]!;
+            string clientSecret = config["Authentication:Google:ClientSecret"]!;
+
+            return new() { ClientId = clientId, ClientSecret = clientSecret };
+        }
+
+        public string[] GetScopes()
+        {
+            var scopes = new[]
+            {
+                Oauth2Service.Scope.Openid,
+                Oauth2Service.Scope.UserinfoEmail,
+                Oauth2Service.Scope.UserinfoProfile
+            };
+
+            return scopes;
+        }
+
+        public string ScopeToString() => string.Join(", ", GetScopes());
+    }
+}

Core.Thalos.BFF.Api/Services/IGoogleAuthorization.cs

@@ -0,0 +1,42 @@
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Auth.OAuth2.Flows;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public interface IGoogleAuthorization
+    {
+        string GetAuthorizationUrl();
+        Task<UserCredential> ExchangeCodeForToken(string code);
+    }
+
+    public class GoogleAuthorizationService(
+        IGoogleAuthHelper googleHelper, IConfiguration config) : IGoogleAuthorization
+    {
+        private string RedirectUrl = config["Authentication:Google:RedirectUri"]!;
+
+        public async Task<UserCredential> ExchangeCodeForToken(string code)
+        {
+            var flow = new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes()
+                });
+
+            var token = await flow.ExchangeCodeForTokenAsync(
+                "user", code, RedirectUrl, CancellationToken.None);
+
+            return new UserCredential(flow, "user", token);
+        }
+
+        public string GetAuthorizationUrl() =>
+            new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes(),
+                    Prompt = "consent"
+                }).CreateAuthorizationCodeRequest(RedirectUrl).Build().ToString();
+    }
+}

Core.Thalos.BFF.Api/Services/Token.cs

@@ -0,0 +1,4 @@
+namespace Core.Thalos.BFF.Api.Services
+{
+    public record Token(string IdToken);
+}