Sidecar: add per-route override gating and harden BaseUrl handling (#3794)

Adds an opt-in/opt-out configuration for whether 'optionsOverride.*'

query parameters are applied to a resolved DownstreamApiOptions on each

of the four sidecar routes:

  Sidecar:AllowOverrides:GetAuthorizationHeader              (default: true)

  Sidecar:AllowOverrides:GetAuthorizationHeaderUnauthenticated (default: false)

  Sidecar:AllowOverrides:CallDownstreamApi                   (default: true)

  Sidecar:AllowOverrides:CallDownstreamApiUnauthenticated     (default: false)

When the flag for a route is false, any 'optionsOverride.*' query

parameters are ignored and a single warning is logged.

'optionsOverride.BaseUrl' is now unconditionally ignored on every route

regardless of the flag, since the downstream BaseUrl is fixed by host

configuration. The OpenAPI document marks the parameter as deprecated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: iNinja

src/Microsoft.Identity.Web.Sidecar/Configuration/SidecarOptions.cs

@@ -0,0 +1,50 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Sidecar.Configuration;
+
+/// <summary>
+/// Top-level configuration for the sidecar host. Bound from the
+/// <c>Sidecar</c> configuration section.
+/// </summary>
+public class SidecarOptions
+{
+    /// <summary>
+    /// Per-route gating for caller-supplied <c>optionsOverride.*</c> query
+    /// parameters. When the corresponding flag is <c>false</c>, any
+    /// <c>optionsOverride.*</c> parameters supplied by the caller are
+    /// ignored on that route and a warning is logged.
+    /// </summary>
+    public AllowOverridesOptions AllowOverrides { get; set; } = new();
+}
+
+/// <summary>
+/// Per-route flags controlling whether the sidecar will honour
+/// <c>optionsOverride.*</c> query parameters.
+/// </summary>
+public class AllowOverridesOptions
+{
+    /// <summary>
+    /// Allow overrides on <c>GET /AuthorizationHeader/{apiName}</c>.
+    /// Defaults to <c>true</c>.
+    /// </summary>
+    public bool GetAuthorizationHeader { get; set; } = true;
+
+    /// <summary>
+    /// Allow overrides on <c>GET /AuthorizationHeaderUnauthenticated/{apiName}</c>.
+    /// Defaults to <c>false</c>.
+    /// </summary>
+    public bool GetAuthorizationHeaderUnauthenticated { get; set; }
+
+    /// <summary>
+    /// Allow overrides on <c>POST /DownstreamApi/{apiName}</c>.
+    /// Defaults to <c>true</c>.
+    /// </summary>
+    public bool CallDownstreamApi { get; set; } = true;
+
+    /// <summary>
+    /// Allow overrides on <c>POST /DownstreamApiUnauthenticated/{apiName}</c>.
+    /// Defaults to <c>false</c>.
+    /// </summary>
+    public bool CallDownstreamApiUnauthenticated { get; set; }
+}

src/Microsoft.Identity.Web.Sidecar/DownstreamApiOptionsMerger.cs

@@ -27,10 +27,9 @@ public static DownstreamApiOptions MergeOptions(DownstreamApiOptions left, Downs
             res.RequestAppToken = right.RequestAppToken;
         }
 
-        if (!string.IsNullOrEmpty(right.BaseUrl))
-        {
-            res.BaseUrl = right.BaseUrl;
-        }
+        // BaseUrl from the override is intentionally not merged. The downstream
+        // BaseUrl is fixed by host configuration and cannot be overridden through
+        // the optionsOverride channel.
 
         if (!string.IsNullOrEmpty(right.RelativePath))
         {

src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs

@@ -7,39 +7,69 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Abstractions;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Web.Sidecar.Configuration;
 using Microsoft.Identity.Web.Sidecar.Logging;
 using Microsoft.Identity.Web.Sidecar.Models;
 
 namespace Microsoft.Identity.Web.Sidecar.Endpoints;
 
 public static class AuthorizationHeaderEndpoint
 {
+    internal const string AuthenticatedRouteName = "AuthorizationHeader";
+    internal const string UnauthenticatedRouteName = "AuthorizationHeaderUnauthenticated";
+
     public static void AddAuthorizationHeaderRequestEndpoints(this WebApplication app)
     {
-        app.MapGet("/AuthorizationHeader/{apiName}", AuthorizationHeaderAsync).
-            WithName("AuthorizationHeader").
+        app.MapGet("/AuthorizationHeader/{apiName}",
+                (HttpContext httpContext, [Description("The downstream API to acquire an authorization header for.")][FromRoute] string apiName,
+                    [AsParameters] AuthorizationHeaderRequest requestParameters,
+                    BindableDownstreamApiOptions optionsOverride,
+                    [FromServices] IAuthorizationHeaderProvider headerProvider,
+                    [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+                    [FromServices] IOptions<SidecarOptions> sidecarOptions,
+                    [FromServices] ILogger<Program> logger,
+                    CancellationToken cancellationToken) =>
+                AuthorizationHeaderAsync(
+                    httpContext, apiName, requestParameters, optionsOverride, headerProvider, optionsMonitor,
+                    sidecarOptions.Value.AllowOverrides.GetAuthorizationHeader, AuthenticatedRouteName, logger, cancellationToken)).
+            WithName(AuthenticatedRouteName).
             RequireAuthorization().
             ProducesProblem(StatusCodes.Status400BadRequest).
             ProducesProblem(StatusCodes.Status401Unauthorized).
             WithSummary("Get an authorization header for a configured downstream API.").
             WithDescription(
                 "This endpoint will use the identity of the authenticated request to acquire an authorization header." +
                 "Use dotted query parameters prefixed with 'optionsOverride.' to override call settings with respect to the configuration. " +
+                "Whether overrides are honoured is controlled by 'Sidecar:AllowOverrides:GetAuthorizationHeader' (default: true). " +
+                "'optionsOverride.BaseUrl' is always ignored. " +
                 "Examples:\n" +
                 "  ?optionsOverride.Scopes=User.Read&optionsOverride.Scopes=Mail.Read\n" +
                 "  ?optionsOverride.RequestAppToken=true&optionsOverride.Scopes=https://graph.microsoft.com/.default\n" +
                 "  ?optionsOverride.AcquireTokenOptions.Tenant=GUID\n" +
                 "Repeat parameters like 'optionsOverride.Scopes' to add multiple scopes.");
 
-        app.MapGet("/AuthorizationHeaderUnauthenticated/{apiName}", AuthorizationHeaderAsync).
-            WithName("AuthorizationHeaderUnauthenticated").
+        app.MapGet("/AuthorizationHeaderUnauthenticated/{apiName}",
+                (HttpContext httpContext, [Description("The downstream API to acquire an authorization header for.")][FromRoute] string apiName,
+                    [AsParameters] AuthorizationHeaderRequest requestParameters,
+                    BindableDownstreamApiOptions optionsOverride,
+                    [FromServices] IAuthorizationHeaderProvider headerProvider,
+                    [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+                    [FromServices] IOptions<SidecarOptions> sidecarOptions,
+                    [FromServices] ILogger<Program> logger,
+                    CancellationToken cancellationToken) =>
+                AuthorizationHeaderAsync(
+                    httpContext, apiName, requestParameters, optionsOverride, headerProvider, optionsMonitor,
+                    sidecarOptions.Value.AllowOverrides.GetAuthorizationHeaderUnauthenticated, UnauthenticatedRouteName, logger, cancellationToken)).
+            WithName(UnauthenticatedRouteName).
             AllowAnonymous().
             ProducesProblem(StatusCodes.Status400BadRequest).
             ProducesProblem(StatusCodes.Status401Unauthorized).
             WithSummary("Get an authorization header for a configured downstream API using this configured client credentials.").
             WithDescription(
                 "This endpoint will use the configured client credentials to acquire an authorization header." +
                 "Use dotted query parameters prefixed with 'optionsOverride.' to override call settings with respect to the configuration. " +
+                "Whether overrides are honoured is controlled by 'Sidecar:AllowOverrides:GetAuthorizationHeaderUnauthenticated' (default: false). " +
+                "'optionsOverride.BaseUrl' is always ignored. " +
                 "Examples:\n" +
                 "  ?optionsOverride.Scopes=User.Read&optionsOverride.Scopes=Mail.Read\n" +
                 "  ?optionsOverride.RequestAppToken=true&optionsOverride.Scopes=https://graph.microsoft.com/.default\n" +
@@ -49,14 +79,14 @@ public static void AddAuthorizationHeaderRequestEndpoints(this WebApplication ap
 
     private static async Task<Results<Ok<Models.AuthorizationHeaderResult>, ProblemHttpResult>> AuthorizationHeaderAsync(
         HttpContext httpContext,
-        [Description("The downstream API to acquire an authorization header for.")]
-        [FromRoute]
         string apiName,
-        [AsParameters] AuthorizationHeaderRequest requestParameters,
+        AuthorizationHeaderRequest requestParameters,
         BindableDownstreamApiOptions optionsOverride,
-        [FromServices] IAuthorizationHeaderProvider headerProvider,
-        [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
-        [FromServices] ILogger<Program> logger,
+        IAuthorizationHeaderProvider headerProvider,
+        IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+        bool allowOverrides,
+        string routeName,
+        ILogger<Program> logger,
         CancellationToken cancellationToken)
     {
         DownstreamApiOptions? options = optionsMonitor.Get(apiName);
@@ -70,7 +100,14 @@ public static void AddAuthorizationHeaderRequestEndpoints(this WebApplication ap
 
         if (optionsOverride.HasAny)
         {
-            options = DownstreamApiOptionsMerger.MergeOptions(options, optionsOverride);
+            if (allowOverrides)
+            {
+                options = DownstreamApiOptionsMerger.MergeOptions(options, optionsOverride);
+            }
+            else
+            {
+                logger.OverridesIgnored(routeName);
+            }
         }
 
         if (options.Scopes is null)

src/Microsoft.Identity.Web.Sidecar/Endpoints/DownstreamApiEndpoint.cs

@@ -9,37 +9,67 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Abstractions;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Web.Sidecar.Configuration;
 using Microsoft.Identity.Web.Sidecar.Logging;
 using Microsoft.Identity.Web.Sidecar.Models;
 
 namespace Microsoft.Identity.Web.Sidecar.Endpoints;
 
 public static class DownstreamApiEndpoint
 {
+    internal const string AuthenticatedRouteName = "DownstreamApi";
+    internal const string UnauthenticatedRouteName = "DownstreamApiUnauthenticated";
+
     public static void AddDownstreamApiRequestEndpoints(this WebApplication app)
     {
-        app.MapPost("/DownstreamApi/{apiName}", DownstreamApiAsync).
-            WithName("DownstreamApi").
+        app.MapPost("/DownstreamApi/{apiName}",
+                (HttpContext httpContext, [Description("The downstream API to call")][FromRoute] string apiName,
+                    [AsParameters] DownstreamApiRequest requestParameters,
+                    BindableDownstreamApiOptions optionsOverride,
+                    [FromServices] IDownstreamApi downstreamApi,
+                    [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+                    [FromServices] IOptions<SidecarOptions> sidecarOptions,
+                    [FromServices] ILogger<Program> logger,
+                    CancellationToken cancellationToken) =>
+                DownstreamApiAsync(
+                    httpContext, apiName, requestParameters, optionsOverride, downstreamApi, optionsMonitor,
+                    sidecarOptions.Value.AllowOverrides.CallDownstreamApi, AuthenticatedRouteName, logger, cancellationToken)).
+            WithName(AuthenticatedRouteName).
             RequireAuthorization().
             ProducesProblem(StatusCodes.Status400BadRequest).
             ProducesProblem(StatusCodes.Status401Unauthorized).
             WithSummary("Invoke a configured downstream API through the sidecar using the authenticated identity.").
             WithDescription(
                 "Override downstream call options using dotted query parameters prefixed with 'optionsOverride.'. " +
+                "Whether overrides are honoured is controlled by 'Sidecar:AllowOverrides:CallDownstreamApi' (default: true). " +
+                "'optionsOverride.BaseUrl' is always ignored. " +
                 "Examples:\n" +
                 "  ?optionsOverride.Scopes=User.Read\n" +
                 "  ?optionsOverride.Scopes=User.Read&optionsOverride.Scopes=Mail.Read\n" +
                 "  ?optionsOverride.AcquireTokenOptions.Tenant=GUID\n" +
                 "  ?optionsOverride.RequestAppToken=true&optionsOverride.Scopes=https://graph.microsoft.com/.default");
 
-        app.MapPost("/DownstreamApiUnauthenticated/{apiName}", DownstreamApiAsync).
-            WithName("DownstreamApiUnauthenticated").
+        app.MapPost("/DownstreamApiUnauthenticated/{apiName}",
+                (HttpContext httpContext, [Description("The downstream API to call")][FromRoute] string apiName,
+                    [AsParameters] DownstreamApiRequest requestParameters,
+                    BindableDownstreamApiOptions optionsOverride,
+                    [FromServices] IDownstreamApi downstreamApi,
+                    [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+                    [FromServices] IOptions<SidecarOptions> sidecarOptions,
+                    [FromServices] ILogger<Program> logger,
+                    CancellationToken cancellationToken) =>
+                DownstreamApiAsync(
+                    httpContext, apiName, requestParameters, optionsOverride, downstreamApi, optionsMonitor,
+                    sidecarOptions.Value.AllowOverrides.CallDownstreamApiUnauthenticated, UnauthenticatedRouteName, logger, cancellationToken)).
+            WithName(UnauthenticatedRouteName).
             AllowAnonymous().
             ProducesProblem(StatusCodes.Status400BadRequest).
             ProducesProblem(StatusCodes.Status401Unauthorized).
             WithSummary("Invoke a configured downstream API through the sidecar using the configured client credentials.").
             WithDescription(
                 "Override downstream call options using dotted query parameters prefixed with 'optionsOverride.'. " +
+                "Whether overrides are honoured is controlled by 'Sidecar:AllowOverrides:CallDownstreamApiUnauthenticated' (default: false). " +
+                "'optionsOverride.BaseUrl' is always ignored. " +
                 "Examples:\n" +
                 "  ?optionsOverride.Scopes=User.Read\n" +
                 "  ?optionsOverride.Scopes=User.Read&optionsOverride.Scopes=Mail.Read\n" +
@@ -49,14 +79,14 @@ public static void AddDownstreamApiRequestEndpoints(this WebApplication app)
 
     private static async Task<Results<Ok<DownstreamApiResult>, ProblemHttpResult>> DownstreamApiAsync(
         HttpContext httpContext,
-        [Description("The downstream API to call")]
-        [FromRoute]
         string apiName,
-        [AsParameters] DownstreamApiRequest requestParameters,
+        DownstreamApiRequest requestParameters,
         BindableDownstreamApiOptions optionsOverride,
-        [FromServices] IDownstreamApi downstreamApi,
-        [FromServices] IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
-        [FromServices] ILogger<Program> logger,
+        IDownstreamApi downstreamApi,
+        IOptionsMonitor<DownstreamApiOptions> optionsMonitor,
+        bool allowOverrides,
+        string routeName,
+        ILogger<Program> logger,
         CancellationToken cancellationToken)
     {
         DownstreamApiOptions? options = optionsMonitor.Get(apiName);
@@ -70,7 +100,14 @@ private static async Task<Results<Ok<DownstreamApiResult>, ProblemHttpResult>> D
 
         if (optionsOverride.HasAny)
         {
-            options = DownstreamApiOptionsMerger.MergeOptions(options, optionsOverride);
+            if (allowOverrides)
+            {
+                options = DownstreamApiOptionsMerger.MergeOptions(options, optionsOverride);
+            }
+            else
+            {
+                logger.OverridesIgnored(routeName);
+            }
         }
 
         if (options.Scopes is null || !options.Scopes.Any())

src/Microsoft.Identity.Web.Sidecar/Logging/Logging.cs

@@ -18,4 +18,18 @@ public static partial class LoggerMessageExtensions
         Message = "An error occurred while parsing the token.",
         EventName = "ValidateRequest_UnableToParseToken")]
     public static partial void UnableToParseToken(this ILogger logger, Exception? exception);
+
+    [LoggerMessage(
+        EventId = 3,
+        Level = LogLevel.Warning,
+        Message = "Caller-supplied 'optionsOverride.*' parameters were ignored on route '{RouteName}' because overrides are not allowed for it by configuration.",
+        EventName = "OverridesIgnored")]
+    public static partial void OverridesIgnored(this ILogger logger, string routeName);
+
+    [LoggerMessage(
+        EventId = 4,
+        Level = LogLevel.Warning,
+        Message = "Caller-supplied 'optionsOverride.BaseUrl' was ignored. The downstream BaseUrl is fixed by the host configuration and cannot be overridden by the caller.",
+        EventName = "BaseUrlOverrideIgnored")]
+    public static partial void BaseUrlOverrideIgnored(this ILogger logger);
 }

src/Microsoft.Identity.Web.Sidecar/Models/BindableDownstreamApiOptions.cs

@@ -4,7 +4,10 @@
 using System.Reflection;
 using Microsoft.AspNetCore.Http.Metadata;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web.Sidecar.Logging;
 
 namespace Microsoft.Identity.Web.Sidecar.Models;
 
@@ -28,8 +31,25 @@ public BindableDownstreamApiOptions()
     public static ValueTask<BindableDownstreamApiOptions?> BindAsync(HttpContext ctx, ParameterInfo parameter)
     {
         var paramName = parameter.Name ?? "optionsOverride";
-        bool hasAny = ctx.Request.Query.Keys.Any(k =>
-            k.StartsWith(paramName + ".", StringComparison.OrdinalIgnoreCase));
+        var prefix = paramName + ".";
+        var baseUrlKey = paramName + ".BaseUrl";
+
+        bool hasAny = false;
+        bool hasNonBaseUrlOverride = false;
+        foreach (var k in ctx.Request.Query.Keys)
+        {
+            if (!k.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            hasAny = true;
+            if (!k.Equals(baseUrlKey, StringComparison.OrdinalIgnoreCase))
+            {
+                hasNonBaseUrlOverride = true;
+                break;
+            }
+        }
 
         var result = new BindableDownstreamApiOptions();
 
@@ -38,7 +58,10 @@ public BindableDownstreamApiOptions()
             return ValueTask.FromResult<BindableDownstreamApiOptions?>(result);
         }
 
-        result.HasAny = true;
+        // HasAny only reflects non-BaseUrl overrides because BaseUrl is always
+        // ignored. This avoids a misleading "OverridesIgnored" warning at the
+        // route layer when the caller only supplied an (already-rejected) BaseUrl.
+        result.HasAny = hasNonBaseUrlOverride;
 
         var query = ctx.Request.Query;
 
@@ -103,7 +126,12 @@ public BindableDownstreamApiOptions()
             }
             else if (path.Equals("BaseUrl", StringComparison.OrdinalIgnoreCase))
             {
-                result.BaseUrl = values.LastOrDefault();
+                // Caller-supplied BaseUrl is unconditionally rejected: the downstream
+                // BaseUrl is fixed by the host configuration and cannot be overridden
+                // through optionsOverride. Log a warning and ignore the value.
+                var loggerFactory = ctx.RequestServices.GetService<ILoggerFactory>();
+                loggerFactory?.CreateLogger(typeof(BindableDownstreamApiOptions).FullName!)
+                    .BaseUrlOverrideIgnored();
             }
             else if (path.Equals("RelativePath", StringComparison.OrdinalIgnoreCase))
             {