Add google authentication

Core.Thalos.BFF.Api/Controllers/AuthenticationController.cs

@@ -3,10 +3,16 @@ using Core.Thalos.Adapters;
 using Core.Thalos.Adapters.Common.Constants;
 using Core.Thalos.Adapters.Contracts;
 using Core.Thalos.Application.UseCases.Users.Input;
+using Core.Thalos.BFF.Api.Services;
 using Core.Thalos.External.Clients.Thalos.Requests.Users;
+using Google.Apis.Auth.OAuth2;
 using LSA.Dashboard.External.Clients.Dashboard;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Graph;
+using Newtonsoft.Json.Linq;
+using System.Reflection;
+using System.Text.Json;
 
 namespace Core.Thalos.BFF.Api.Controllers
 {
@@ -18,8 +24,23 @@ namespace Core.Thalos.BFF.Api.Controllers
     [Produces(MimeTypes.ApplicationJson)]
     [Consumes(MimeTypes.ApplicationJson)]
     [ApiController]
-    public class AuthenticationController(IThalosServiceClient thalosServiceClient, ILogger<AuthenticationController> logger, ITokenService tokenService) : BaseController(logger)
+    public class AuthenticationController(
+        IThalosServiceClient thalosServiceClient, 
+        ILogger<AuthenticationController> logger, 
+        ITokenService tokenService,
+        IGoogleAuthorization googleAuthorization) : BaseController(logger)
     {
+        [HttpGet]
+        public IActionResult Authorize() => Ok(googleAuthorization.GetAuthorizationUrl());
+
+        [HttpGet("callback")]
+        public async Task<IActionResult> Callback(string code)
+        {
+            var userCredential = await googleAuthorization.ExchangeCodeForToken(code);
+
+            return Ok(new Token(userCredential!.Token.IdToken));
+        }
+
         /// <summary>
         /// Get token for user.
         /// </summary>
@@ -30,7 +51,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [HttpGet]
         [Route(Routes.GenerateToken)]
         [ProducesResponseType(typeof(UserAdapter), StatusCodes.Status200OK)]
-        [Authorize(AuthenticationSchemes = Schemes.AzureScheme)]
+        [Authorize]
         public async Task<IActionResult> GenerateTokenService(CancellationToken cancellationToken)
         {
             try

Core.Thalos.BFF.Api/Controllers/ModuleController.cs

@@ -2,6 +2,7 @@
 using Core.Thalos.Adapters;
 using Core.Thalos.Adapters.Attributes;
 using Core.Thalos.Adapters.Common.Constants;
+using Core.Thalos.BFF.Api.Services;
 using Core.Thalos.External.Clients.Thalos.Requests.Permissions;
 using Lib.Architecture.BuildingBlocks;
 using LSA.Dashboard.External.Clients.Dashboard;
@@ -32,6 +33,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
+        [Authorize(AuthenticationSchemes = Constant.Scheme)]
         //[Permission("ModuleManagement.Read, RoleManagement.Read")]
         public async Task<IActionResult> GetAllModulesService(CancellationToken cancellationToken)
         {
@@ -65,6 +67,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
+        [AllowAnonymous]
         //[Permission("ModuleManagement.Read")]
         public async Task<IActionResult> GetAllModulesByListAsync([FromBody] GetAllModulesByListRequest request, CancellationToken cancellationToken)
         {
@@ -98,6 +101,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
+        [AllowAnonymous]
         //[Permission("ModuleManagement.Write")]
         public async Task<IActionResult> CreateModuleService(CreateModuleRequest newModule, CancellationToken cancellationToken)
         {

Core.Thalos.BFF.Api/Controllers/PermissionController.cs

@@ -33,7 +33,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Read, RoleManagement.Read")]
+        ////[Permission("PermissionManagement.Read, RoleManagement.Read")]
         public async Task<IActionResult> GetAllPermissionsService(CancellationToken cancellationToken)
         {
             try
@@ -66,7 +66,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Read")]
+        //[Permission("PermissionManagement.Read")]
         public async Task<IActionResult> GetAllPermissionsByListAsync([FromBody] GetAllPermissionsByListRequest request, CancellationToken cancellationToken)
         {
             try
@@ -99,7 +99,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Write")]
+        //[Permission("PermissionManagement.Write")]
         public async Task<IActionResult> CreatePermissionService(CreatePermissionRequest newPermission, CancellationToken cancellationToken)
         {
             try
@@ -131,7 +131,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Read")]
+        //[Permission("PermissionManagement.Read")]
         public async Task<IActionResult> GetPermissionByIdService(GetPermissionRequest request, CancellationToken cancellationToken)
         {
             try
@@ -159,7 +159,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Write")]
+        //[Permission("PermissionManagement.Write")]
         public async Task<IActionResult> UpdatePermissionService(UpdatePermissionRequest newPermission, CancellationToken cancellationToken)
         {
             try
@@ -193,7 +193,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Permission("PermissionManagement.Write")]
+        //[Permission("PermissionManagement.Write")]
         public async Task<IActionResult> ChangePermissionStatusService([FromBody] ChangePermissionStatusRequest request, CancellationToken cancellationToken)
         {
             try

Core.Thalos.BFF.Api/Controllers/UserController.cs

@@ -32,7 +32,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Read")]
+        //[Permission("UserManagement.Read")]
         public async Task<IActionResult> GetAllUsersService(CancellationToken cancellationToken)
         {
             try
@@ -59,7 +59,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> CreateUserService(CreateUserRequest newUser, CancellationToken cancellationToken)
         {
             try
@@ -98,7 +98,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Read")]
+        //[Permission("UserManagement.Read")]
         public async Task<IActionResult> GetUserByIdService(GetUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -127,7 +127,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Read")]
+        //[Permission("UserManagement.Read")]
         public async Task<IActionResult> GetUserByEmailService(GetUserByEmailRequest request, CancellationToken cancellationToken)
         {
             try
@@ -156,7 +156,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> UpdateUserService(UpdateUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -194,7 +194,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Authorize(AuthenticationSchemes = $"{Schemes.AzureScheme}, {Schemes.DefaultScheme}")]
+        //[Authorize(AuthenticationSchemes = $"{Schemes.AzureScheme}, {Schemes.DefaultScheme}")]
         public async Task<IActionResult> LoginUserService([FromBody] LoginUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -222,7 +222,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status412PreconditionFailed)]
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
-        [Authorize(AuthenticationSchemes = $"{Schemes.AzureScheme}, {Schemes.DefaultScheme}")]
+        //[Authorize(AuthenticationSchemes = $"{Schemes.AzureScheme}, {Schemes.DefaultScheme}")]
         public async Task<IActionResult> LogoutUserService([FromBody] LogoutUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -253,7 +253,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> ChangeUserStatusService([FromBody] ChangeUserStatusRequest request, CancellationToken cancellationToken)
         {
             try
@@ -284,7 +284,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> AddCompanyToUserService([FromBody] AddCompanyToUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -316,7 +316,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> RemoveCompanyFromUserService([FromBody] RemoveCompanyFromUserRequest request, CancellationToken cancellationToken)
         {
             try
@@ -348,7 +348,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
 
         public async Task<IActionResult> AddProjectToUserService([FromBody] AddProjectToUserRequest request, CancellationToken cancellationToken)
         {
@@ -381,7 +381,7 @@ namespace Core.Thalos.BFF.Api.Controllers
         [ProducesResponseType(typeof(Notification), StatusCodes.Status422UnprocessableEntity)]
         [ProducesResponseType(StatusCodes.Status500InternalServerError)]
         //[Authorize(AuthenticationSchemes = Schemes.DefaultScheme)]
-        [Permission("UserManagement.Write")]
+        //[Permission("UserManagement.Write")]
         public async Task<IActionResult> RemoveProjectFromUserService([FromBody] RemoveProjectFromUserRequest request, CancellationToken cancellationToken)
         {
             try

Core.Thalos.BFF.Api/Core.Thalos.BFF.Api.csproj

@@ -10,6 +10,12 @@
   <ItemGroup>
     <PackageReference Include="Asp.Versioning.Mvc" Version="8.1.0" />
     <PackageReference Include="Core.Blueprint.Logging" Version="1.0.0" />
+    <PackageReference Include="Google.Apis.Auth" Version="1.70.0" />
+    <PackageReference Include="Google.Apis.Oauth2.v2" Version="1.68.0.1869" />
+    <PackageReference Include="Google.Protobuf" Version="3.31.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="8.0.17" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.17" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="8.1.4" />
   </ItemGroup>
 
   <ItemGroup>

Core.Thalos.BFF.Api/Program.cs

@@ -1,127 +1,192 @@
-using Asp.Versioning;
+using Asp.Versioning;
 using Azure.Identity;
 using Core.Blueprint.Logging.Configuration;
+using Core.Thalos.Adapters.Contracts;
 using Core.Thalos.Adapters.Extensions;
+using Core.Thalos.Adapters.Services;
+using Core.Thalos.BFF.Api.Services;
 using Core.Thalos.External.ClientConfiguration;
+using Google.Protobuf.WellKnownTypes;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.ResponseCompression;
 using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+using Microsoft.IdentityModel.Tokens;
+using Microsoft.OpenApi.Any;
+using Microsoft.OpenApi.Interfaces;
+using Microsoft.OpenApi.Models;
 using OpenTelemetry.Logs;
 using OpenTelemetry.Resources;
 using Swashbuckle.AspNetCore.SwaggerUI;
 using System.IO.Compression;
 using System.Reflection;
+using System.Security.Claims;
 
 var builder = WebApplication.CreateBuilder(args);
 
-builder.Services.AddEndpointsApiExplorer();
 builder.Configuration
     .AddUserSecrets(Assembly.GetExecutingAssembly())
     .AddEnvironmentVariables();
 
+// 🔑 Google Auth config
+var googleClientId = builder.Configuration["Authentication:Google:ClientId"];
+var googleClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
+var redirectUri = builder.Configuration["Authentication:Google:RedirectUri"];
+
+// 🧩 Authentication
+builder.Services.AddAuthentication(options =>
+{
+    options.DefaultAuthenticateScheme = Constant.Scheme;
+    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+})
+.AddScheme<AuthenticationSchemeOptions,
+GoogleAccessTokenAuthenticationHandler>(Constant.Scheme, null)
+.AddGoogle(options =>
+{
+    options.ClientId = googleClientId!;
+    options.ClientSecret = googleClientSecret!;
+    //options.SaveTokens = true;
+    options.CallbackPath = $"/{redirectUri}";
+});
+
+builder.Services.AddAuthorization();
+builder.Services.AddScoped<IGoogleAuthHelper, GoogleAuthHelperService>();
+builder.Services.AddScoped<IGoogleAuthorization, GoogleAuthorizationService>();
+builder.Services.AddEndpointsApiExplorer();
+
+// 🧩 Swagger + OAuth2
+builder.Services.AddSwaggerGen(opts =>
+{
+    const string schemeName = "oauth2";
+
+    opts.SwaggerDoc("v1",
+        new OpenApiInfo { Title = "Core.Thalos.BFF", Version = "v1" });
+
+    opts.AddSecurityDefinition(schemeName, new OpenApiSecurityScheme
+    {
+        Type = SecuritySchemeType.OAuth2,
+        Scheme = "bearer",              // tells Swagger-UI to build an Authorization header
+        BearerFormat = "JWT",
+        Name = "Authorization",
+        In = ParameterLocation.Header,
+
+        /* ⚠️  The key line – tell Swagger-UI to pick id_token instead of access_token */
+        Extensions = new Dictionary<string, IOpenApiExtension>
+        {
+            ["x-tokenName"] = new OpenApiString("id_token")
+        },
+
+        Flows = new OpenApiOAuthFlows
+        {
+            AuthorizationCode = new OpenApiOAuthFlow
+            {
+                AuthorizationUrl = new Uri("https://accounts.google.com/o/oauth2/v2/auth"),
+                TokenUrl = new Uri("https://oauth2.googleapis.com/token"),
+                Scopes = new Dictionary<string, string>
+                {
+                    { "openid",  "OpenID Connect" },
+                    { "email",   "Access email"   },
+                    { "profile", "Access profile" }
+                }
+            }
+        }
+    });
+
+    // every operation requires the scheme
+    opts.AddSecurityRequirement(new OpenApiSecurityRequirement
+    {
+        [new OpenApiSecurityScheme
+        {
+            Reference = new OpenApiReference
+            { Type = ReferenceType.SecurityScheme, Id = schemeName }
+        }
+        ] = new[] { "openid", "email", "profile" }
+    });
+});
+
+// 🎯 Existing configs (unchanged)
 builder.Services.AddResponseCompression();
 builder.Services.AddProblemDetails();
 builder.Services.AddLogs(builder);
 builder.Services.AddMemoryCache();
-builder.Services.AddResponseCaching(configureOptions => { configureOptions.UseCaseSensitivePaths = true; });
+builder.Services.AddResponseCaching(options => { options.UseCaseSensitivePaths = true; });
-builder.Logging.AddOpenTelemetry(options =>
+
+builder.Logging.AddOpenTelemetry(logging =>
 {
-    options.IncludeScopes = true;
+    logging.IncludeScopes = true;
-    options.SetResourceBuilder(ResourceBuilder.CreateDefault().AddService("core.thalos.bff.api")).AddConsoleExporter();
+    logging.SetResourceBuilder(ResourceBuilder.CreateDefault().AddService("core.thalos.bff.api"))
+           .AddConsoleExporter();
 });
 
 builder.Host.ConfigureServices((context, services) =>
 {
-    builder.Services.AddHsts(options =>
+    services.AddHsts(options =>
     {
         options.Preload = true;
         options.IncludeSubDomains = true;
         options.MaxAge = TimeSpan.FromDays(60);
     });
-    builder.Services.AddResponseCaching(configureOptions =>
-    {
-        configureOptions.UseCaseSensitivePaths = true;
-        configureOptions.MaximumBodySize = 2048;
-    });
-    builder.Services.AddHttpsRedirection(options =>
-    {
-        options.RedirectStatusCode = 308;
-    });
 
-    services.AddHttpLogging(http =>
+    services.AddHttpsRedirection(options => { options.RedirectStatusCode = 308; });
-    {
-        http.CombineLogs = true;
-    });
     services.AddAntiforgery();
+    services.AddHttpLogging(http => http.CombineLogs = true);
+    services.AddCors(options => options.AddPolicy("AllowAll", policy => policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));
 
-    services.AddCors(options =>
+    services.AddMvc().AddJsonOptions(opt =>
     {
-        options.AddPolicy("AllowAll", policyBuilder =>
+        opt.JsonSerializerOptions.WriteIndented = true;
-            policyBuilder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
+        opt.JsonSerializerOptions.MaxDepth = 20;
+        opt.JsonSerializerOptions.NumberHandling = System.Text.Json.Serialization.JsonNumberHandling.AllowNamedFloatingPointLiterals;
     });
-    services.AddMvc().AddJsonOptions(options =>
+
+    services.Configure<BrotliCompressionProviderOptions>(opt => opt.Level = CompressionLevel.SmallestSize);
+    services.Configure<GzipCompressionProviderOptions>(opt => opt.Level = CompressionLevel.SmallestSize);
+    services.AddResponseCompression(opt =>
     {
-        options.JsonSerializerOptions.WriteIndented = true;
+        opt.EnableForHttps = true;
-        options.JsonSerializerOptions.MaxDepth = 20;
+        opt.Providers.Add<BrotliCompressionProvider>();
-        options.JsonSerializerOptions.NumberHandling = System.Text.Json.Serialization.JsonNumberHandling.AllowNamedFloatingPointLiterals;
+        opt.Providers.Add<GzipCompressionProvider>();
     });
-    services.Configure<BrotliCompressionProviderOptions>(options =>
+
-    {
-        options.Level = CompressionLevel.SmallestSize;
-    });
-    services.Configure<GzipCompressionProviderOptions>(options =>
-    {
-        options.Level = CompressionLevel.SmallestSize;
-    });
-    services.AddResponseCompression(options =>
-    {
-        options.EnableForHttps = true;
-        options.Providers.Add<BrotliCompressionProvider>();
-        options.Providers.Add<GzipCompressionProvider>();
-    });
-    services.AddResponseCaching();
     services.AddControllers();
-    services.AddEndpointsApiExplorer();
-    services.AddSwaggerGen();
-    services.AddLogging();
-    services.AddProblemDetails();
     services.AddHttpContextAccessor();
-    services.AddTransient<TrackingMechanismExtension>(); // Register the TrackingIdHandler
+    services.AddTransient<TrackingMechanismExtension>();
     services.RegisterExternalLayer(builder.Configuration);
 
     services.AddApiVersioning(options => options.ReportApiVersions = true)
-                   .AddApiExplorer(options =>
+           .AddApiExplorer(opt =>
-                   {
+           {
-                       options.GroupNameFormat = "'v'VVV";
+               opt.GroupNameFormat = "'v'VVV";
-                       options.SubstituteApiVersionInUrl = true;
+               opt.SubstituteApiVersionInUrl = true;
-                   });
+           });
 });
 
-builder.Services.AddCors(options =>
+builder.Services.AddScoped<ITokenService, TokenService>();
-{
-    options.AddDefaultPolicy(
-        builder =>
-        {
-            builder.AllowAnyOrigin()
-                                .AllowAnyHeader()
-                                .AllowAnyMethod();
-        });
-});
 
-//*************************************************************************//
 var app = builder.Build();
 
+app.UseDeveloperExceptionPage();
 
-app.UseCors(options => options.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());
 app.UseSwagger();
+
+app.UseCors(options => options.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod().WithOrigins("https://localhost:7239"));
 app.UseSwaggerUI(options =>
 {
-    foreach (var version in app.DescribeApiVersions().Select(version => version.GroupName))
+    foreach (var version in app.DescribeApiVersions().Select(v => v.GroupName))
         options.SwaggerEndpoint($"/swagger/{version}/swagger.json", version);
 
     options.DisplayRequestDuration();
     options.EnableTryItOutByDefault();
     options.DocExpansion(DocExpansion.None);
+
+    options.OAuthClientId(googleClientId);
+    options.OAuthClientSecret(googleClientSecret);
+    options.OAuthUsePkce();
+    options.OAuthScopes("openid", "email", "profile");
 });
+
 app.UseResponseCompression();
 app.UseResponseCaching();
 app.UseHttpsRedirection();
@@ -132,5 +197,4 @@ app.MapControllers();
 app.UseHsts();
 app.UseAntiforgery();
 app.UseLogging(builder.Configuration);
-
+app.Run();
-app.Run();

Core.Thalos.BFF.Api/Services/Constant.cs

@@ -0,0 +1,7 @@
+namespace Core.Thalos.BFF.Api.Services
+{
+    public static class Constant
+    {
+        public const string Scheme = "GoogleAccessToken";
+    }
+}

Core.Thalos.BFF.Api/Services/GoogleAccessTokenAuthenticationHandler.cs

@@ -0,0 +1,61 @@
+using Google.Apis.Auth;
+using Google.Apis.Auth.OAuth2.Flows;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public class GoogleAccessTokenAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
+         ILoggerFactory logger,
+         UrlEncoder encoder,
+         IConfiguration config) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
+    {
+        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            if (!Request.Headers.ContainsKey("Authorization"))
+                return AuthenticateResult.Fail("Missing Authorization header");
+
+            var authHeader = Request.Headers.Authorization.ToString();
+            if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Invalid Authorization header");
+
+            var idToken = authHeader["Bearer ".Length..].Trim();
+
+            GoogleJsonWebSignature.Payload payload;
+            try
+            {
+                payload = await GoogleJsonWebSignature.ValidateAsync(
+                    idToken,
+                    new GoogleJsonWebSignature.ValidationSettings
+                    {
+                        Audience = new[] { config["Authentication:Google:ClientId"]! }
+                    });
+            }
+            catch (InvalidJwtException)
+            {
+                return AuthenticateResult.Fail("Invalid Google token");
+            }
+
+            var claims = new List<Claim>
+            {
+                new Claim(ClaimTypes.NameIdentifier, payload.Subject),
+                new Claim(ClaimTypes.Email,          payload.Email),
+                new Claim(ClaimTypes.Name,           payload.Name ?? "")
+            };
+
+            var identity = new ClaimsIdentity(claims, Constant.Scheme);
+            var principal = new ClaimsPrincipal(identity);
+
+            var userEmail = principal.FindFirst(ClaimTypes.Email)?.Value;
+
+            if (string.IsNullOrEmpty(userEmail) || 
+                !userEmail.EndsWith("@agilewebs.com", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Unauthorized Access");
+
+            var ticket = new AuthenticationTicket(principal, Constant.Scheme);
+            return AuthenticateResult.Success(ticket);
+        }
+    }
+}

Core.Thalos.BFF.Api/Services/IGoogleAuthHelper.cs

@@ -0,0 +1,37 @@
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Oauth2.v2;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public interface IGoogleAuthHelper
+    {
+        string[] GetScopes();
+        string ScopeToString();
+        ClientSecrets GetClientSecrets();
+    }
+
+    public class GoogleAuthHelperService(IConfiguration config) : IGoogleAuthHelper
+    {
+        public ClientSecrets GetClientSecrets()
+        {
+            string clientId = config["Authentication:Google:ClientId"]!;
+            string clientSecret = config["Authentication:Google:ClientSecret"]!;
+
+            return new() { ClientId = clientId, ClientSecret = clientSecret };
+        }
+
+        public string[] GetScopes()
+        {
+            var scopes = new[]
+            {
+                Oauth2Service.Scope.Openid,
+                Oauth2Service.Scope.UserinfoEmail,
+                Oauth2Service.Scope.UserinfoProfile
+            };
+
+            return scopes;
+        }
+
+        public string ScopeToString() => string.Join(", ", GetScopes());
+    }
+}

Core.Thalos.BFF.Api/Services/IGoogleAuthorization.cs

@@ -0,0 +1,42 @@
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Auth.OAuth2.Flows;
+
+namespace Core.Thalos.BFF.Api.Services
+{
+    public interface IGoogleAuthorization
+    {
+        string GetAuthorizationUrl();
+        Task<UserCredential> ExchangeCodeForToken(string code);
+    }
+
+    public class GoogleAuthorizationService(
+        IGoogleAuthHelper googleHelper, IConfiguration config) : IGoogleAuthorization
+    {
+        private string RedirectUrl = config["Authentication:Google:RedirectUri"]!;
+
+        public async Task<UserCredential> ExchangeCodeForToken(string code)
+        {
+            var flow = new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes()
+                });
+
+            var token = await flow.ExchangeCodeForTokenAsync(
+                "user", code, RedirectUrl, CancellationToken.None);
+
+            return new UserCredential(flow, "user", token);
+        }
+
+        public string GetAuthorizationUrl() =>
+            new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes(),
+                    Prompt = "consent"
+                }).CreateAuthorizationCodeRequest(RedirectUrl).Build().ToString();
+    }
+}

Core.Thalos.BFF.Api/Services/Token.cs

@@ -0,0 +1,4 @@
+namespace Core.Thalos.BFF.Api.Services
+{
+    public record Token(string IdToken);
+}

Core.Thalos.BFF.Api/appsettings.Local.json

@@ -7,6 +7,14 @@
   },
   "LocalGateways": {
     "ThalosService": "https://localhost:7253/api"
+  },
+  "Authentication": {
+    "Google": {
+      "ClientId": "128345072002-mtfdgpcur44o9tbd7q6e0bb9qnp2crfp.apps.googleusercontent.com",
+      "ClientSecret": "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",
+      "ApplicationName": "Thalos",
+      "RedirectUri": "https://localhost:7239/api/v1/Authentication/callback"
+    }
   }
 }