Compare commits
2 Commits
feature/fi
...
feature/ad
| Author | SHA1 | Date | |
|---|---|---|---|
|
aeab9548b8 | ||
| 3eb6bfc60f |
24
Core.Cerberos.Adapters/Common/Constants/Policies.cs
Normal file
24
Core.Cerberos.Adapters/Common/Constants/Policies.cs
Normal file
@@ -0,0 +1,24 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
namespace Core.Thalos.BuildingBlocks.Common.Constants
|
||||
{
|
||||
/// <summary>
|
||||
/// Constants for policy.
|
||||
/// </summary>
|
||||
public class Policies
|
||||
{
|
||||
/// <summary>
|
||||
/// Defines the access policy for reading mobile-related data.
|
||||
/// This policy grants read-only permissions for retrieving mobile device information,
|
||||
/// user mobile settings, or related data as per the application's authorization scope.
|
||||
/// </summary>
|
||||
public const string Read = "Read";
|
||||
|
||||
/// <summary>
|
||||
/// Defines the access policy for writing mobile-related data.
|
||||
/// This policy grants permissions to modify, update, or store mobile device information,
|
||||
/// user mobile settings, or related data as per the application's authorization scope.
|
||||
/// </summary>
|
||||
public const string Write = "Write";
|
||||
}
|
||||
}
|
||||
15
Core.Cerberos.Adapters/Common/Constants/Roles.cs
Normal file
15
Core.Cerberos.Adapters/Common/Constants/Roles.cs
Normal file
@@ -0,0 +1,15 @@
|
||||
namespace Core.Thalos.BuildingBlocks.Common.Constants
|
||||
{
|
||||
public class Roles
|
||||
{
|
||||
/// <summary>
|
||||
/// The role for Guest.
|
||||
/// </summary>
|
||||
public const string Guest = "684909c4826cd093b4f61c11";
|
||||
|
||||
/// <summary>
|
||||
/// The role for Admin.
|
||||
/// </summary>
|
||||
public const string Admin = "68407642ec46a0e6fe1e8ec9";
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
using Core.Thalos.BuildingBlocks.Authentication.Helpers;
|
||||
using Google.Apis.Auth.OAuth2;
|
||||
using Google.Apis.Auth.OAuth2.Flows;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Google
|
||||
{
|
||||
public class GoogleAuthorization(
|
||||
IGoogleAuthHelper googleHelper, IConfiguration config) : IGoogleAuthorization
|
||||
{
|
||||
private string RedirectUrl = config["Authentication:Google:RedirectUri"]!;
|
||||
|
||||
public async Task<UserCredential> ExchangeCodeForToken(string code)
|
||||
{
|
||||
var flow = new GoogleAuthorizationCodeFlow(
|
||||
new GoogleAuthorizationCodeFlow.Initializer
|
||||
{
|
||||
ClientSecrets = googleHelper.GetClientSecrets(),
|
||||
Scopes = googleHelper.GetScopes()
|
||||
});
|
||||
|
||||
var token = await flow.ExchangeCodeForTokenAsync(
|
||||
"user", code, RedirectUrl, CancellationToken.None);
|
||||
|
||||
return new UserCredential(flow, "user", token);
|
||||
}
|
||||
|
||||
public string GetAuthorizationUrl() =>
|
||||
new GoogleAuthorizationCodeFlow(
|
||||
new GoogleAuthorizationCodeFlow.Initializer
|
||||
{
|
||||
|
||||
ClientSecrets = googleHelper.GetClientSecrets(),
|
||||
Scopes = googleHelper.GetScopes(),
|
||||
Prompt = "consent"
|
||||
}).CreateAuthorizationCodeRequest(RedirectUrl).Build().ToString();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
using Google.Apis.Auth.OAuth2;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Google
|
||||
{
|
||||
public interface IGoogleAuthorization
|
||||
{
|
||||
string GetAuthorizationUrl();
|
||||
Task<UserCredential> ExchangeCodeForToken(string code);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt
|
||||
{
|
||||
public class PermissionAuthorizationAdapter(string[] permission) : IAuthorizationRequirement
|
||||
{
|
||||
public string[] Permission { get; } = permission ?? throw new ArgumentNullException(nameof(permission));
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt
|
||||
{
|
||||
public class PermissionsAuthorizationHandler : AuthorizationHandler<PermissionAuthorizationAdapter>
|
||||
{
|
||||
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionAuthorizationAdapter requirement)
|
||||
{
|
||||
PermissionAuthorizationAdapter requirement2 = requirement;
|
||||
if (context.User.Claims.Any((x) => x.Type == "roleId" && requirement2.Permission.Contains(x.Value)))
|
||||
{
|
||||
context.Succeed(requirement2);
|
||||
}
|
||||
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,92 @@
|
||||
using Core.Thalos.Adapters.Common.Constants;
|
||||
using Core.Thalos.Adapters.Options;
|
||||
using Core.Thalos.BuildingBlocks.Authentication.Authorization.Google;
|
||||
using Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt;
|
||||
using Core.Thalos.BuildingBlocks.Authentication.Handlers;
|
||||
using Core.Thalos.BuildingBlocks.Authentication.Helpers;
|
||||
using Core.Thalos.BuildingBlocks.Common.Constants;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
using System.Text;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Extensions
|
||||
{
|
||||
/// <summary>
|
||||
/// Extension methods for configuring authentication with various Google and JWT setups.
|
||||
/// </summary>
|
||||
public static class AuthenticationExtension
|
||||
{
|
||||
/// <summary>
|
||||
/// Configures authentication using Google Auth for an API that requires downstream API access.
|
||||
/// </summary>
|
||||
/// <param name="services">The <see cref="IServiceCollection"/> to add the services to.</param>
|
||||
/// <param name="configuration">The <see cref="IConfiguration"/> containing Google Auth configuration settings.</param>
|
||||
public static void ConfigureAuthentication(this IServiceCollection services, IConfiguration configuration)
|
||||
{
|
||||
var secretKey = configuration.GetSection("SecretKey").Value ?? string.Empty;
|
||||
var _signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));
|
||||
var jwtAppSettingsOptions = configuration.GetSection(nameof(JwtIssuerOptions));
|
||||
var jwtIssuerOptions = jwtAppSettingsOptions.Get<JwtIssuerOptions>();
|
||||
|
||||
var googleClientId = configuration["Authentication:Google:ClientId"];
|
||||
var googleClientSecret = configuration["Authentication:Google:ClientSecret"];
|
||||
var redirectUri = configuration["Authentication:Google:RedirectUri"];
|
||||
|
||||
services.AddAuthentication(options =>
|
||||
{
|
||||
options.DefaultAuthenticateScheme = Schemes.GoogleScheme;
|
||||
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
|
||||
})
|
||||
.AddScheme<AuthenticationSchemeOptions,
|
||||
GoogleAccessTokenAuthenticationHandler>(Schemes.GoogleScheme, null)
|
||||
.AddGoogle(options =>
|
||||
{
|
||||
options.ClientId = googleClientId!;
|
||||
options.ClientSecret = googleClientSecret!;
|
||||
//options.SaveTokens = true;
|
||||
options.CallbackPath = $"/{redirectUri}";
|
||||
})
|
||||
.AddJwtBearer(Schemes.DefaultScheme, x =>
|
||||
{
|
||||
x.TokenValidationParameters = new TokenValidationParameters
|
||||
{
|
||||
ValidIssuer = jwtIssuerOptions?.Issuer,
|
||||
ValidateIssuer = true,
|
||||
ValidateAudience = true,
|
||||
ValidateLifetime = true,
|
||||
ValidateIssuerSigningKey = true,
|
||||
ValidAudience = jwtIssuerOptions?.Audience,
|
||||
IssuerSigningKey = new SymmetricSecurityKey(
|
||||
Encoding.UTF8.GetBytes(configuration["SecretKey"] ?? string.Empty))
|
||||
};
|
||||
});
|
||||
|
||||
services.Configure<JwtIssuerOptions>(options =>
|
||||
{
|
||||
options.Issuer = jwtAppSettingsOptions[nameof(jwtIssuerOptions.Issuer)] ?? string.Empty;
|
||||
options.Audience = jwtAppSettingsOptions[nameof(jwtIssuerOptions.Audience)] ?? string.Empty;
|
||||
options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
|
||||
});
|
||||
|
||||
services.AddSingleton(jwtAppSettingsOptions);
|
||||
|
||||
string[] roles = { Roles.Guest, Roles.Admin };
|
||||
|
||||
services.AddAuthorization(options =>
|
||||
{
|
||||
options.AddPolicy(Policies.Read, policy => policy.Requirements.Add(new PermissionAuthorizationAdapter(roles)));
|
||||
options.AddPolicy(Policies.Write, policy => policy.Requirements.Add(new PermissionAuthorizationAdapter(roles)));
|
||||
});
|
||||
|
||||
services.AddTransient<IAuthorizationHandler, PermissionsAuthorizationHandler>();
|
||||
|
||||
services.AddAuthorization();
|
||||
services.AddScoped<IGoogleAuthHelper, GoogleAuthHelper>();
|
||||
services.AddScoped<IGoogleAuthorization, GoogleAuthorization>();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.OpenApi.Any;
|
||||
using Microsoft.OpenApi.Interfaces;
|
||||
using Microsoft.OpenApi.Models;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Extensions
|
||||
{
|
||||
public static class SwaggerExtension
|
||||
{
|
||||
public static void AddSwaggerGen(this IServiceCollection services, IConfiguration configuration)
|
||||
{
|
||||
services.AddSwaggerGen(opts =>
|
||||
{
|
||||
const string schemeName = "oauth2";
|
||||
|
||||
opts.AddSecurityDefinition(schemeName, new OpenApiSecurityScheme
|
||||
{
|
||||
Type = SecuritySchemeType.OAuth2,
|
||||
Scheme = "bearer",
|
||||
BearerFormat = "JWT",
|
||||
Name = "Authorization",
|
||||
In = ParameterLocation.Header,
|
||||
|
||||
Extensions = new Dictionary<string, IOpenApiExtension>
|
||||
{
|
||||
["x-tokenName"] = new OpenApiString("id_token")
|
||||
},
|
||||
|
||||
Flows = new OpenApiOAuthFlows
|
||||
{
|
||||
AuthorizationCode = new OpenApiOAuthFlow
|
||||
{
|
||||
AuthorizationUrl = new Uri("https://accounts.google.com/o/oauth2/v2/auth"),
|
||||
TokenUrl = new Uri("https://oauth2.googleapis.com/token"),
|
||||
Scopes = new Dictionary<string, string>
|
||||
{
|
||||
{ "openid", "OpenID Connect" },
|
||||
{ "email", "Access email" },
|
||||
{ "profile", "Access profile" }
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
// every operation requires the scheme
|
||||
opts.AddSecurityRequirement(new OpenApiSecurityRequirement
|
||||
{
|
||||
[new OpenApiSecurityScheme
|
||||
{
|
||||
Reference = new OpenApiReference
|
||||
{ Type = ReferenceType.SecurityScheme, Id = schemeName }
|
||||
}
|
||||
] = new[] { "openid", "email", "profile" }
|
||||
});
|
||||
|
||||
opts.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
|
||||
{
|
||||
Description = "JWT Authorization header using the Bearer scheme",
|
||||
Name = "Authorization",
|
||||
In = ParameterLocation.Header,
|
||||
Type = SecuritySchemeType.Http,
|
||||
Scheme = "bearer",
|
||||
BearerFormat = "JWT"
|
||||
});
|
||||
|
||||
opts.AddSecurityRequirement(new OpenApiSecurityRequirement
|
||||
{
|
||||
{
|
||||
new OpenApiSecurityScheme
|
||||
{
|
||||
Reference = new OpenApiReference
|
||||
{
|
||||
Type = ReferenceType.SecurityScheme,
|
||||
Id = "Bearer"
|
||||
}
|
||||
},
|
||||
Array.Empty<string>()
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
using Core.Thalos.Adapters.Common.Constants;
|
||||
using Google.Apis.Auth;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using System.Security.Claims;
|
||||
using System.Text.Encodings.Web;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Handlers
|
||||
{
|
||||
public class GoogleAccessTokenAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||
ILoggerFactory logger,
|
||||
UrlEncoder encoder,
|
||||
IConfiguration config) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
|
||||
{
|
||||
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||
{
|
||||
if (!Request.Headers.ContainsKey("Authorization"))
|
||||
return AuthenticateResult.Fail("Missing Authorization header");
|
||||
|
||||
var authHeader = Request.Headers.Authorization.ToString();
|
||||
if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
|
||||
return AuthenticateResult.Fail("Invalid Authorization header");
|
||||
|
||||
var idToken = authHeader["Bearer ".Length..].Trim();
|
||||
|
||||
GoogleJsonWebSignature.Payload payload;
|
||||
try
|
||||
{
|
||||
payload = await GoogleJsonWebSignature.ValidateAsync(
|
||||
idToken,
|
||||
new GoogleJsonWebSignature.ValidationSettings
|
||||
{
|
||||
Audience = new[] { config["Authentication:Google:ClientId"]! }
|
||||
});
|
||||
}
|
||||
catch (InvalidJwtException)
|
||||
{
|
||||
return AuthenticateResult.Fail("Invalid Google token");
|
||||
}
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
new Claim(ClaimTypes.NameIdentifier, payload.Subject),
|
||||
new Claim(ClaimTypes.Email, payload.Email),
|
||||
new Claim(ClaimTypes.Name, payload.Name ?? "")
|
||||
};
|
||||
|
||||
var identity = new ClaimsIdentity(claims, Schemes.GoogleScheme);
|
||||
var principal = new ClaimsPrincipal(identity);
|
||||
|
||||
var userEmail = principal.FindFirst(ClaimTypes.Email)?.Value;
|
||||
|
||||
if (string.IsNullOrEmpty(userEmail) ||
|
||||
!userEmail.EndsWith("@agilewebs.com", StringComparison.OrdinalIgnoreCase))
|
||||
return AuthenticateResult.Fail("Unauthorized Access");
|
||||
|
||||
var ticket = new AuthenticationTicket(principal, Schemes.GoogleScheme);
|
||||
return AuthenticateResult.Success(ticket);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
using Google.Apis.Auth.OAuth2;
|
||||
using Google.Apis.Oauth2.v2;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Helpers
|
||||
{
|
||||
public class GoogleAuthHelper(IConfiguration config) : IGoogleAuthHelper
|
||||
{
|
||||
public ClientSecrets GetClientSecrets()
|
||||
{
|
||||
string clientId = config["Authentication:Google:ClientId"]!;
|
||||
string clientSecret = config["Authentication:Google:ClientSecret"]!;
|
||||
|
||||
return new() { ClientId = clientId, ClientSecret = clientSecret };
|
||||
}
|
||||
|
||||
public string[] GetScopes()
|
||||
{
|
||||
var scopes = new[]
|
||||
{
|
||||
Oauth2Service.Scope.Openid,
|
||||
Oauth2Service.Scope.UserinfoEmail,
|
||||
Oauth2Service.Scope.UserinfoProfile
|
||||
};
|
||||
|
||||
return scopes;
|
||||
}
|
||||
|
||||
public string ScopeToString() => string.Join(", ", GetScopes());
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
using Google.Apis.Auth.OAuth2;
|
||||
|
||||
namespace Core.Thalos.BuildingBlocks.Authentication.Helpers
|
||||
{
|
||||
public interface IGoogleAuthHelper
|
||||
{
|
||||
string[] GetScopes();
|
||||
string ScopeToString();
|
||||
ClientSecrets GetClientSecrets();
|
||||
}
|
||||
}
|
||||
24
Core.Thalos.BuildingBlocks/Common/Constants/Policies.cs
Normal file
24
Core.Thalos.BuildingBlocks/Common/Constants/Policies.cs
Normal file
@@ -0,0 +1,24 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
namespace Core.Thalos.BuildingBlocks.Common.Constants
|
||||
{
|
||||
/// <summary>
|
||||
/// Constants for policy.
|
||||
/// </summary>
|
||||
public class Policies
|
||||
{
|
||||
/// <summary>
|
||||
/// Defines the access policy for reading mobile-related data.
|
||||
/// This policy grants read-only permissions for retrieving mobile device information,
|
||||
/// user mobile settings, or related data as per the application's authorization scope.
|
||||
/// </summary>
|
||||
public const string Read = "Read";
|
||||
|
||||
/// <summary>
|
||||
/// Defines the access policy for writing mobile-related data.
|
||||
/// This policy grants permissions to modify, update, or store mobile device information,
|
||||
/// user mobile settings, or related data as per the application's authorization scope.
|
||||
/// </summary>
|
||||
public const string Write = "Write";
|
||||
}
|
||||
}
|
||||
15
Core.Thalos.BuildingBlocks/Common/Constants/Roles.cs
Normal file
15
Core.Thalos.BuildingBlocks/Common/Constants/Roles.cs
Normal file
@@ -0,0 +1,15 @@
|
||||
namespace Core.Thalos.BuildingBlocks.Common.Constants
|
||||
{
|
||||
public class Roles
|
||||
{
|
||||
/// <summary>
|
||||
/// The role for Guest.
|
||||
/// </summary>
|
||||
public const string Guest = "684909c4826cd093b4f61c11";
|
||||
|
||||
/// <summary>
|
||||
/// The role for Admin.
|
||||
/// </summary>
|
||||
public const string Admin = "68407642ec46a0e6fe1e8ec9";
|
||||
}
|
||||
}
|
||||
@@ -14,5 +14,10 @@
|
||||
/// The azure scheme.
|
||||
/// </summary>
|
||||
public const string AzureScheme = "AzureScheme";
|
||||
|
||||
/// <summary>
|
||||
/// The google scheme.
|
||||
/// </summary>
|
||||
public const string GoogleScheme = "GoogleScheme";
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8,13 +8,16 @@
|
||||
<TargetFramework>net8.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
<VersionPrefix>1.0.2</VersionPrefix>
|
||||
<VersionPrefix>1.0.5</VersionPrefix>
|
||||
<VersionSuffix>$(Date:yyyyMMddHHmm)</VersionSuffix>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Asp.Versioning.Mvc.ApiExplorer" Version="8.1.0" />
|
||||
<PackageReference Include="Core.Blueprint.Mongo" Version="1.0.0" />
|
||||
<PackageReference Include="Google.Apis.Auth" Version="1.70.0" />
|
||||
<PackageReference Include="Google.Apis.Oauth2.v2" Version="1.68.0.1869" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="8.0.18" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
|
||||
<PackageReference Include="Microsoft.Extensions.Configuration.AzureAppConfiguration" Version="8.2.0" />
|
||||
<PackageReference Include="Microsoft.Identity.Web" Version="3.9.1" />
|
||||
|
||||
Reference in New Issue
Block a user