diff --git a/src/ApiGateways/Mobile.Bff.Shopping/aggregator/Startup.cs b/src/ApiGateways/Mobile.Bff.Shopping/aggregator/Startup.cs
index 78512c140..1945cebaa 100644
--- a/src/ApiGateways/Mobile.Bff.Shopping/aggregator/Startup.cs
+++ b/src/ApiGateways/Mobile.Bff.Shopping/aggregator/Startup.cs
@@ -1,4 +1,7 @@
-namespace Microsoft.eShopOnContainers.Mobile.Shopping.HttpAggregator;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
+namespace Microsoft.eShopOnContainers.Mobile.Shopping.HttpAggregator;
 
 public class Startup
 {
@@ -151,6 +154,18 @@ public static class ServiceCollectionExtensions
 return services;
 }
 
+ public static IServiceCollection AddCustomAuthorization(this IServiceCollection services, IConfiguration configuration)
+ {
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy("ApiScope", policy =>
+ {
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", "mobileshoppingagg");
+ });
+ });
+ return services;
+ }
 
 public static IServiceCollection AddHttpServices(this IServiceCollection services)
 {
diff --git a/src/ApiGateways/Web.Bff.Shopping/aggregator/Startup.cs b/src/ApiGateways/Web.Bff.Shopping/aggregator/Startup.cs
index 2e7c203d0..272ab3587 100644
--- a/src/ApiGateways/Web.Bff.Shopping/aggregator/Startup.cs
+++ b/src/ApiGateways/Web.Bff.Shopping/aggregator/Startup.cs
@@ -1,4 +1,7 @@
-namespace Microsoft.eShopOnContainers.Web.Shopping.HttpAggregator;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
+namespace Microsoft.eShopOnContainers.Web.Shopping.HttpAggregator;
 
 public class Startup
 {
@@ -22,6 +25,7 @@ public class Startup
 services.AddCustomMvc(Configuration)
 .AddCustomAuthentication(Configuration)
+ //.AddCustomAuthorization(Configuration)
 .AddDevspaces()
 .AddApplicationServices()
 .AddGrpcServices();
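Review bot: The `configuration` parameter of the new AddCustomAuthorization is never read; either drop it, or keep it only if the scope name is meant to come from configuration later and say so in a comment (Webhooks.API's AddCustomAuthorization in this commit has the same unused parameter). The two `using` directives added by this file's first hunk, `Microsoft.AspNetCore.Authentication.Cookies` and `Microsoft.AspNetCore.Authentication.OpenIdConnect`, are not referenced by any code visible in this diff for these JWT-bearer services (the same pair is added to Web.Bff.Shopping, Basket.API, Ordering.API, Ordering.SignalrHub and Webhooks.API); if they are unused they should be removed rather than pulling cookie/OIDC types into bearer-only APIs. The policy is registered here, but nothing in the diff shows it being attached to the aggregator's endpoints via `[Authorize(Policy = "ApiScope")]`, `RequireAuthorization("ApiScope")` or a fallback policy, and until it is the `scope` check is inert. A one-line comment above the method would also help, e.g. `// Requires a token carrying the "mobileshoppingagg" scope; RequireAuthenticatedUser alone would accept any valid token from the authority.`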
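Review bot: The commented-out `//.AddCustomAuthorization(Configuration)` leaves the web aggregator without the ApiScope policy the other services gain in this commit, so there any token the bearer handler accepts satisfies authorization regardless of its scope. No AddCustomAuthorization extension is added to Web.Bff.Shopping in this diff, so the line could not be uncommented as-is; either add the method (as the mobile aggregator does) and wire the call, or delete the dead line and record in the commit why the web aggregator is treated differently. Commented-out code in service wiring tends to be uncommented later without anyone re-checking that the backing method exists.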
@@ -83,12 +87,7 @@ public static class ServiceCollectionExtensions
 JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");
 var identityUrl = configuration.GetValue("urls:identity");
 
- services.AddAuthentication(options =>
- {
- options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-
- })
+ services.AddAuthentication("Bearer")
 .AddJwtBearer(options =>
 {
 options.Authority = identityUrl;
@@ -102,7 +101,6 @@ public static class ServiceCollectionExtensions
 return services;
 }
 
-
 public static IServiceCollection AddCustomMvc(this IServiceCollection services, IConfiguration configuration)
 {
 services.AddOptions();
diff --git a/src/Services/Basket/Basket.API/Startup.cs b/src/Services/Basket/Basket.API/Startup.cs
index 049baf03e..89b8934e9 100644
--- a/src/Services/Basket/Basket.API/Startup.cs
+++ b/src/Services/Basket/Basket.API/Startup.cs
@@ -1,3 +1,6 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
 namespace Microsoft.eShopOnContainers.Services.Basket.API;
 public class Startup
 {
@@ -214,20 +217,20 @@ public class Startup
 var identityUrl = Configuration.GetValue("IdentityUrl");
 
- services.AddAuthentication(options =>
- {
- options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-
- }).AddJwtBearer(options =>
+ services.AddAuthentication("Bearer").AddJwtBearer(options =>
 {
 options.Authority = identityUrl;
 options.RequireHttpsMetadata = false;
 options.Audience = "basket";
- options.TokenValidationParameters = new TokenValidationParameters
+ options.TokenValidationParameters.ValidateAudience = false;
+ });
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy("ApiScope", policy =>
 {
- ValidateAudience = false
- };
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", "basket");
+ });
 });
 }
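Review bot: `services.AddAuthentication("Bearer")` replaces the named-constant scheme with a string literal; `JwtBearerDefaults.AuthenticationScheme`, which the removed lines already used, has the same value and survives renames and typos, so prefer `services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)`. The same literal is introduced in Basket.API, Ordering.API and Ordering.SignalrHub in this commit. Behaviour is otherwise preserved, since the single-string overload sets both the default authenticate and challenge schemes, which is what the removed options block did explicitly. The enclosing AddCustomAuthentication method continues outside the hunk.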
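Review bot: `options.TokenValidationParameters.ValidateAudience = false;` is kept while the new ApiScope policy is evidently meant to take over the job of audience checking, but that holds only if the policy is actually applied to the basket endpoints, and nothing in this hunk shows `RequireAuthorization("ApiScope")`, a fallback policy or `[Authorize(Policy = "ApiScope")]`. Until that is confirmed, a token issued for any other API by the same authority is accepted by this service. Add a one-line comment on the ValidateAudience line stating that audience checking is deliberately delegated to the `scope` claim enforced by the ApiScope policy, so the next reader does not re-enable one and remove the other. The enclosing method starts outside the hunk.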
diff --git a/src/Services/Identity/Identity.API/Configuration/Config.cs b/src/Services/Identity/Identity.API/Configuration/Config.cs
index 4ce93966c..a8f3b1a40 100644
--- a/src/Services/Identity/Identity.API/Configuration/Config.cs
+++ b/src/Services/Identity/Identity.API/Configuration/Config.cs
@@ -110,7 +110,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
 new Secret("secret".Sha256())
 },
 ClientUri = $"{configuration["MvcClient"]}", // public uri of the client
- AllowedGrantTypes = GrantTypes.Hybrid,
+ AllowedGrantTypes = GrantTypes.Code,
 AllowAccessTokensViaBrowser = false,
 RequireConsent = false,
 AllowOfflineAccess = true,
@@ -147,7 +147,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
 new Secret("secret".Sha256())
 },
 ClientUri = $"{configuration["WebhooksWebClient"]}", // public uri of the client
- AllowedGrantTypes = GrantTypes.Hybrid,
+ AllowedGrantTypes = GrantTypes.Code,
 AllowAccessTokensViaBrowser = false,
 RequireConsent = false,
 AllowOfflineAccess = true,
@@ -179,7 +179,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
 new Secret("secret".Sha256())
 },
 ClientUri = $"{configuration["Mvc"]}", // public uri of the client
- AllowedGrantTypes = GrantTypes.Hybrid,
+ AllowedGrantTypes = GrantTypes.Code,
 AllowAccessTokensViaBrowser = true,
 RequireConsent = false,
 AllowOfflineAccess = true,
diff --git a/src/Services/Identity/Identity.API/ProgramExtensions.cs b/src/Services/Identity/Identity.API/ProgramExtensions.cs
index c7b25b66c..729295570 100644
--- a/src/Services/Identity/Identity.API/ProgramExtensions.cs
+++ b/src/Services/Identity/Identity.API/ProgramExtensions.cs
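Review bot: Moving the three clients from `GrantTypes.Hybrid` to `GrantTypes.Code` is only consistent if every client's OpenID Connect handler stops requesting `code id_token`; this commit changes WebhookClient's ResponseType, but the WebMVC hunks in the same diff only name the scheme and add a scope, so confirm WebMVC already sends `code` or the authorize request for the MvcClient will be rejected as an unsupported response type. With the code grant, recent IdentityServer versions require PKCE for these clients by default; keep that rather than relaxing it to accommodate an older handler. The third client (`ClientUri = $"{configuration["Mvc"]}"`) still sets `AllowAccessTokensViaBrowser = true`, which the code flow does not need; it is worth revisiting in the same pass. The client definitions continue outside these hunks.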
@@ -55,7 +55,7 @@ public static class ProgramExtensions
 {
 var identityServerBuilder = builder.Services.AddIdentityServer(options =>
 {
- options.IssuerUri = builder.Configuration["IssuerUrl"];
+ options.IssuerUri = "null";
 options.Authentication.CookieLifetime = TimeSpan.FromHours(2);
 options.Events.RaiseErrorEvents = true;
diff --git a/src/Services/Identity/Identity.API/keys/is-signing-key-3139DF3FF07C8E3881CFA9743F89A787.json b/src/Services/Identity/Identity.API/keys/is-signing-key-3139DF3FF07C8E3881CFA9743F89A787.json
new file mode 100644
index 000000000..30deeccf4
--- /dev/null
+++ b/src/Services/Identity/Identity.API/keys/is-signing-key-3139DF3FF07C8E3881CFA9743F89A787.json
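Review bot: `options.IssuerUri = "null";` assigns the literal string "null", not a null reference, so the discovery document and the `iss` claim of every issued token will advertise `null` as the issuer and every resource server that reads discovery will pin its issuer validation to that string. If the intent was to let IdentityServer derive the issuer from the incoming request, the line should be `options.IssuerUri = null;` or removed altogether; if the intent was to keep the configured value, the removed `builder.Configuration["IssuerUrl"]` should be restored. Either way this reads as a debugging leftover and should not ship as-is. The enclosing method continues outside the hunk.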
@@ -0,0 +1 @@ +{"Version":1,"Id":"3139DF3FF07C8E3881CFA9743F89A787","Created":"2022-12-13T11:30:03.9474661Z","Algorithm":"RS256","IsX509Certificate":false,"Data":"CfDJ8LWRXnsATcxOsVa-h-Gywwx7S1URlnPkv5vJtTle9xG_ytf2YXKlRsyey8qFhmrfLZ9uixxUmHTLywyrhUV6-gdvwyirWsUU8qn3SNe4rlPgNYHESkjYwWHERmwrMQIjRell8Xnot5UU1tfIvdpX9AbruzjEuAtYg668fBiXv338XfZ-2DW2RlYxT2TsPAak5ZsGXuIojYCLC3S4uGRz8AhSoko_DSl2KXQqXsqJWTNqAmiEHkVtHeFzc_o2gJIbegzqi7l4F2jDxM0-gkkRZYk6AZlN25wYb90xYaM82bKbzEnqPhLEIkuM-3QTGnjLZIF9jFp1qftq6dDm0feovXXM3SQCsgQPvZ6rKHR_8f-Z072t8PiRxDTgVQKywQ5bCS3u3Mq89hOZf_o_IBNT4uO_hDBqv4eFhj_AAy1Kk2K_QJZhF94bPLsujkkoFjWlNXvm6-Layr9chiY7ZQGxb5QtJr03Y5CT7w6hO2LsdsYEyJLs4kWBdlILT5FjrB4LCVHJlVDGxPBNuGzZL75rSGDa38FCKsUhoBvu7T5XFTm37FaBYrgY7MASQrlHQjGPwyRrjGe-M2ZwTCrtd_MwAHJnJsLoYs6SLQLpQa4sII2qgjRr2UmfDlXP12E6wJrpWfSL6QV13CoCy4hEko4LAy4tG2Yz0HzsqFzPYL142UeJC5z-d9JNdJr9Ya8TqVc7biOJCdY47jeOF5wJpM_BWTzT584w5HRs_1LVNsmjm9l6w1v5I04uNxbpopfRS0B1J2NPS3bfpS2lGuQlyPsZJwNgkZNwxDwCQMa8cgwREnaKWXOeKNksWmS6-ve2M5DguPaKVYF30AyJ1ECqWLX-CLJScBym-ZwVM-2pdfKw3pucfXXUqsXK1lTZSWi7A8gFtnsUZFUC2lkltBT80xuw7f9ojIfoYZjGSwl1mwM5LN5IuwUyppToU7vct9GueMaBjNP5bTrWS1XwiU_oOJbjIx8gNdN-DWNG8-5VmdgXoaJDcd_ZRLaM2XpWcpB5R2MwodIe3HGdpieTDxdqh9Nd1TzQO3FivfxcW0K21CQC-xYaRsx8Ii3djek6k90C304VFRF_QLe4lTOIaAjxxDSFVKbn8tVOZyINRI3FRAXOOaVBoGR1Wsn7bXVGNGbM5eN6wCPOzE-g5_489Sq2MWgczq33_GHW8rGc840OXiqJVu7fL4LVIuG7hPzaVZD3Q-jCu3xG3rYmr2ophVP3HNhl7QDgtpHLYNAIdzZNXz7ROKJU7ws0uZq34plYnLhXEzNe8ntV1N3qCbv1lMk7RjfffZxRwE0OM0mbIC--SPqKG_Cm0cD2k04vS36N9mr1LCmDNiFQRcOqzqxgk8mJdl0Vna-IYycviWyUBs63y6n7bDU3RAifVTSVPUrrrAIMTT5uk4ZVLbO_tGKvKWaSsi7TMypJXd993tut8SPwCl8iNZS3qPwIUXx8IpStnAmJmqcWLZcldZa1bfOWqXW2s22xLNgexft7Xosp-gPNPsICPwtux_tXN-XbbgopGnWgrsyrXctm95OcfEUOVYna73ZA5cukdUbfftGVBitwe7DkG1Jb3MJLZbo2ykiqW71mLgDqvQ2KD_PHw410v-51jsXkUPNknyeSuHiRXomo2HqUf-y0xvx2S73v58yM39XadMJUMYrQlw9lnWBqCDcYoutAVakgWAXSPYELDX2BbmpZsa099h6HlKJptmSLqp2D3J7fHGGWZpdBr9hxVQ56TkMDUNCEd5W1Bc5ecT7b1R5u6IuM16A5aEGOa_phaGuqc9cUhD0UmRBDO6FE-LbfjCnzhjroAOYEujJloOcAYEAL1
zx3wUHd_-0hVkmffPWC_Wu2uV8EyQQwlj8bVgCEz6R6bqxl8TN5993C2joikVDCcFYSi8RingP-ItGC5TVTxx0kWweImuBA9s6eoqUZ7TMLKOAQHTxjx5g8mBkLs94RVWhChIUif513Br0aJGxwjBvhN_NBWDFJSbP-l581YNCrmALfS4IX2jeV81bnOAAde53Yplaski3eoR2Z3daNdAJNVqOBe32gHf1eTwDCXrgqd5wYsXxW_YJ-P2kKN2CpuPE-so6tdoCLqFmXu4-3q3vGGE_nVvp-MnhHwLP50U6-h7_MDh105qlIxduM91AT7I3XPTQGrOeIv_eBrng3vULA_ohah-OzbPxpPmYSNFS8YUlGChhPgmMWHKnaYbirh-Df4rc6sK5OFEyRVlCzeKon8hFsmwIEEk7uAR2AysF1PJWjoObQkM-3vqJphkTBBYsZEmngjvQlV8TnGY6P0GRe5gNOaT0BZ71SIlKQY1iLq5NmzEGM1iIOEJI-JA3VHhXs2mw7WDKpsE_k5kbFDlgdachB778jMTSs8xWjESxyidPz-tjqvWaDg482VjoOVYBQOGyUuFRMKVJ9xZBE03nVLG29cKVCNJ_KylBUy0O4LkHskJRzrbZE_HlcoCafl1z1","DataProtected":true} \ No newline at end of file diff --git a/src/Services/Ordering/Ordering.API/Startup.cs b/src/Services/Ordering/Ordering.API/Startup.cs index cde722819..153f74ea1 100644 --- a/src/Services/Ordering/Ordering.API/Startup.cs +++ b/src/Services/Ordering/Ordering.API/Startup.cs @@ -1,3 +1,6 @@ +using Microsoft.AspNetCore.Authentication.Cookies; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; + namespace Microsoft.eShopOnContainers.Services.Ordering.API; public class Startup @@ -22,10 +25,11 @@ public class Startup .AddHealthChecks(Configuration) .AddCustomDbContext(Configuration) .AddCustomSwagger(Configuration) + .AddCustomAuthentication(Configuration) + .AddCustomAuthorization(Configuration) .AddCustomIntegrations(Configuration) .AddCustomConfiguration(Configuration) - .AddEventBus(Configuration) - .AddCustomAuthentication(Configuration); + .AddEventBus(Configuration); //configure autofac var container = new ContainerBuilder(); 
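Review bot: This commit adds a generated IdentityServer signing key, `is-signing-key-3139DF3FF07C8E3881CFA9743F89A787.json`, to source control. The payload is marked `"DataProtected":true`, but it is the material that signs every token the identity service issues, its protection rests entirely on the Data Protection key ring of the machine that generated it, and once committed it remains in history even after the file is deleted. Add the `keys/` directory to `.gitignore`, drop this file from the commit, treat the key as compromised and rotate it, and provision the signing credential at deployment time instead. The `Created` timestamp of 2022-12-13 suggests this was a local development artefact picked up by a broad `git add`.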
@@ -372,20 +376,12 @@ static class CustomExtensionsMethods
 var identityUrl = configuration.GetValue("IdentityUrl");
 
- services.AddAuthentication(options =>
- {
- options.DefaultAuthenticateScheme = AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme = AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
-
- }).AddJwtBearer(options =>
+ services.AddAuthentication("Bearer").AddJwtBearer(options =>
 {
 options.Authority = identityUrl;
 options.RequireHttpsMetadata = false;
 options.Audience = "orders";
- options.TokenValidationParameters = new TokenValidationParameters
- {
- ValidateAudience = false
- };
+ options.TokenValidationParameters.ValidateAudience = false;
 });
 
 return services;
@@ -397,7 +393,7 @@ static class CustomExtensionsMethods
 options.AddPolicy("ApiScope", policy =>
 {
 policy.RequireAuthenticatedUser();
- policy.RequireClaim("scope", "ordering");
+ policy.RequireClaim("scope", "orders");
 });
 });
 return services;
diff --git a/src/Services/Ordering/Ordering.SignalrHub/Startup.cs b/src/Services/Ordering/Ordering.SignalrHub/Startup.cs
index b57f4477e..608220bcd 100644
--- a/src/Services/Ordering/Ordering.SignalrHub/Startup.cs
+++ b/src/Services/Ordering/Ordering.SignalrHub/Startup.cs
@@ -1,3 +1,6 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
 namespace Microsoft.eShopOnContainers.Services.Ordering.SignalrHub;
 
 public class Startup
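Review bot: Renaming the required scope from `"ordering"` to `"orders"` makes it match the `Audience = "orders"` set in the previous hunk, but the policy only works if the API scope registered on the identity side and the scope name the clients request agree with it; neither the ApiScope definition in Identity.API's Config.cs nor WebMVC's `options.Scope.Add(...)` line for the ordering API is visible in this diff, so confirm both. If either still says `ordering`, every call to the ordering API is rejected by this policy once it is enforced. A short comment on the RequireClaim line would make the coupling visible, e.g. `// must equal the ApiScope name registered in Identity.API Config.cs and requested by the clients`. The enclosing method starts outside the hunk.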
@@ -151,16 +154,12 @@ public class Startup
 var identityUrl = Configuration.GetValue("IdentityUrl");
 
- services.AddAuthentication(options =>
- {
- options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-
- }).AddJwtBearer(options =>
+ services.AddAuthentication("Bearer").AddJwtBearer(options =>
 {
 options.Authority = identityUrl;
 options.RequireHttpsMetadata = false;
 options.Audience = "orders.signalrhub";
+ options.TokenValidationParameters.ValidateAudience = false;
 options.Events = new JwtBearerEvents
 {
 OnMessageReceived = context =>
@@ -176,6 +175,14 @@ public class Startup
 }
 };
 });
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy("ApiScope", policy =>
+ {
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", "orders.signalrhub");
+ });
+ });
 }
 
 private void RegisterEventBus(IServiceCollection services)
diff --git a/src/Services/Webhooks/Webhooks.API/Startup.cs b/src/Services/Webhooks/Webhooks.API/Startup.cs
index 9ad3a834a..54ed81de8 100644
--- a/src/Services/Webhooks/Webhooks.API/Startup.cs
+++ b/src/Services/Webhooks/Webhooks.API/Startup.cs
@@ -1,3 +1,6 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
 namespace Webhooks.API;
 public class Startup
 {
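Review bot: `options.TokenValidationParameters.ValidateAudience = false;` is newly added to the hub, so a token issued for any other API of the same authority now passes token validation here, where previously the `Audience = "orders.signalrhub"` check rejected it. The ApiScope policy registered in the next hunk compensates only if it is actually attached to the hub (`[Authorize(Policy = "ApiScope")]` on the hub class or `RequireAuthorization("ApiScope")` on the MapHub call), which this diff does not show; if it is not, this hunk is a pure loosening. Since the OnMessageReceived override (body outside the hunk) presumably takes the token from the SignalR request rather than an Authorization header, the scope check would be the only thing distinguishing a hub token from any other bearer token, so either keep audience validation on or document the delegation in a comment on the new line. The enclosing method starts outside the hunk.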
@@ -303,12 +306,23 @@ internal static class CustomExtensionMethods
 options.Authority = identityUrl;
 options.RequireHttpsMetadata = false;
 options.Audience = "webhooks";
- options.TokenValidationParameters = new TokenValidationParameters
- {
- ValidateAudience = false
- };
+ options.TokenValidationParameters.ValidateAudience = false;
 });
 
 return services;
 }
+
+
+ public static IServiceCollection AddCustomAuthorization(this IServiceCollection services, IConfiguration configuration)
+ {
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy("ApiScope", policy =>
+ {
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", "webhooks");
+ });
+ });
+ return services;
+ }
 }
diff --git a/src/Web/WebMVC/Startup.cs b/src/Web/WebMVC/Startup.cs
index 43e85b1db..004959d38 100644
--- a/src/Web/WebMVC/Startup.cs
+++ b/src/Web/WebMVC/Startup.cs
@@ -164,7 +164,7 @@ static class ServiceCollectionExtensions
 options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
 })
 .AddCookie(setup => setup.ExpireTimeSpan = TimeSpan.FromMinutes(sessionCookieLifetime))
- .AddOpenIdConnect(options =>
+ .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
 {
 options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 options.Authority = identityUrl.ToString();
@@ -181,6 +181,7 @@ static class ServiceCollectionExtensions
 options.Scope.Add("basket");
 options.Scope.Add("webshoppingagg");
 options.Scope.Add("orders.signalrhub");
+ options.Scope.Add("webhooks");
 });
 
 return services;
diff --git a/src/Web/WebhookClient/Startup.cs b/src/Web/WebhookClient/Startup.cs
index cee8309cc..af68fa66f 100644
--- a/src/Web/WebhookClient/Startup.cs
+++ b/src/Web/WebhookClient/Startup.cs
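Review bot: `options.Scope.Add("webhooks")` in the WebMVC hunk widens every WebMVC access token to the Webhooks API, so a token taken from the MVC app's session now also authorises webhook calls; if WebMVC itself never calls that API, this is over-privilege and the scope belongs only on WebhookClient, which has its own client registration. If WebMVC does need it, the MvcClient's `AllowedScopes` in Identity.API's Config.cs must list `webhooks` as well, which this diff does not show; otherwise the token request fails with an invalid-scope error. A comment next to the new line naming which WebMVC feature needs the scope would let the next reviewer verify the need rather than guess. The enclosing method in WebMVC starts outside the hunk.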
@@ -121,7 +121,7 @@ static class ServiceExtensions
 options.SignedOutRedirectUri = callBackUrl.ToString();
 options.ClientId = "webhooksclient";
 options.ClientSecret = "secret";
- options.ResponseType = "code id_token";
+ options.ResponseType = "code";
 options.SaveTokens = true;
 options.GetClaimsFromUserInfoEndpoint = true;
 options.RequireHttpsMetadata = false;
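Review bot: With `options.ResponseType = "code"` the handler no longer receives an id_token from the authorize endpoint, so user claims now come only from the back-channel token response and, as the line two below keeps, `GetClaimsFromUserInfoEndpoint = true`; that pairing is correct and should stay. The surrounding context also shows `options.ClientSecret = "secret"` as a literal in source; even in a sample, read it from configuration or a secret store so a real deployment cannot ship the placeholder. `options.RequireHttpsMetadata = false` on the last line is acceptable only for local development and should be gated on the hosting environment. The enclosing method continues outside the hunk.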