-
Notifications
You must be signed in to change notification settings - Fork 28
Expand file tree
/
Copy pathProgram.cs
More file actions
157 lines (122 loc) · 5.31 KB
/
Program.cs
File metadata and controls
157 lines (122 loc) · 5.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
using System.Security.Claims;
using JwtBearerSample.Authentication;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http.HttpResults;
using Microsoft.OpenApi;
using SimpleAuthentication;
using SimpleAuthentication.JwtBearer;
using SimpleAuthentication.Permissions;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddHttpContextAccessor();
builder.Services.AddProblemDetails();
// Add authentication services.
builder.Services.AddSimpleAuthentication(builder.Configuration);
// Enable permission-based authorization.
builder.Services.AddScopePermissions(); // This is equivalent to builder.Services.AddPermissions<ScopeClaimPermissionHandler>();
// Define a custom handler for permission handling.
//builder.Services.AddPermissions<CustomPermissionHandler>();
builder.Services.AddAuthorizationBuilder()
// Define permissions using a policy.
.AddPolicy("PeopleRead", builder => builder.RequirePermission(Permissions.PeopleRead, Permissions.PeopleAdmin))
//.AddPolicy("Bearer", builder => builder.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser())
//.SetDefaultPolicy(new AuthorizationPolicyBuilder()
// .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
// .RequireAuthenticatedUser()
// .Build())
//.SetFallbackPolicy(new AuthorizationPolicyBuilder()
// .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
// .RequireAuthenticatedUser()
// .Build())
;
// Uncomment the following line if you have multiple authentication schemes and
// you need to determine the authentication scheme at runtime (for example, you don't want to use the default authentication scheme).
//builder.Services.AddSingleton<IAuthenticationSchemeProvider, ApplicationAuthenticationSchemeProvider>();
builder.Services.AddTransient<IClaimsTransformation, ClaimsTransformer>();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
options.AddSimpleAuthentication(builder.Configuration);
});
var app = builder.Build();
// Configure the HTTP request pipeline.
app.UseHttpsRedirection();
app.UseExceptionHandler();
app.UseStatusCodePages();
app.UseSwagger(options =>
{
options.OpenApiVersion = OpenApiSpecVersion.OpenApi3_1;
});
app.UseSwaggerUI();
app.UseAuthentication();
app.UseAuthorization();
var authApiGroup = app.MapGroup("api/auth");
authApiGroup.MapPost("login", async (LoginRequest loginRequest, DateTime? expiration, IJwtBearerService jwtBearerService) =>
{
// Check for login rights...
// Add custom claims (optional).
var claims = new List<Claim>();
if (!string.IsNullOrWhiteSpace(loginRequest.Scopes))
{
claims.Add(new("scp", loginRequest.Scopes));
}
var token = await jwtBearerService.CreateTokenAsync(loginRequest.UserName, claims, absoluteExpiration: expiration);
return TypedResults.Ok(new LoginResponse(token));
})
.WithDescription("Insert permissions in the scope property (for example: 'profile people:admin')");
authApiGroup.MapPost("validate", async Task<Results<Ok<User>, BadRequest>> (string token, bool validateLifetime, IJwtBearerService jwtBearerService) =>
{
var result = await jwtBearerService.TryValidateTokenAsync(token, validateLifetime);
if (!result.IsValid)
{
return TypedResults.BadRequest();
}
return TypedResults.Ok(new User(result.Principal.Identity!.Name));
});
authApiGroup.MapPost("refresh", async (string token, bool validateLifetime, DateTime? expiration, IJwtBearerService jwtBearerService) =>
{
var newToken = await jwtBearerService.RefreshTokenAsync(token, validateLifetime, expiration);
return TypedResults.Ok(new LoginResponse(newToken));
});
app.MapGet("api/me", (ClaimsPrincipal user) =>
{
return TypedResults.Ok(new User(user.Identity!.Name));
})
.RequireAuthorization()
.RequirePermission("profile")
.WithDescription("This endpoint requires the 'profile' permission");
app.MapGet("api/people", () =>
{
return TypedResults.NoContent();
})
.RequireAuthorization(policyNames: "PeopleRead")
.WithDescription($"This endpoint requires the '{Permissions.PeopleRead}' or '{Permissions.PeopleAdmin}' permissions");
app.Run();
public record class User(string? UserName);
public record class LoginRequest(string UserName, string Password, string? Scopes);
public record class LoginResponse(string Token);
public class CustomPermissionHandler : IPermissionHandler
{
public Task<bool> IsGrantedAsync(ClaimsPrincipal user, IEnumerable<string> permissions)
{
bool isGranted;
if (!permissions?.Any() ?? true)
{
isGranted = true;
}
else
{
var permissionClaim = user.FindFirstValue("permissions");
var userPermissions = permissionClaim?.Split(",", StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries) ?? Enumerable.Empty<string>();
isGranted = userPermissions.Intersect(permissions!).Any();
}
return Task.FromResult(isGranted);
}
}
public static class Permissions
{
public const string PeopleRead = "people:read";
public const string PeopleWrite = "people:write";
public const string PeopleAdmin = "people:admin";
}