Merge pull request #1184 from DuendeSoftware/brock/dpop
First draft of DPoP support
Showing
113 changed files
with
43,100 additions
and
71 deletions.
@@ -0,0 +1,16 @@ | ||
<Project Sdk="Microsoft.NET.Sdk.Web"> | ||
|
||
<PropertyGroup> | ||
<TargetFramework>net6.0</TargetFramework> | ||
</PropertyGroup> | ||
|
||
<ItemGroup> | ||
<ProjectReference Include="..\..\Constants\Constants.csproj" /> | ||
</ItemGroup> | ||
|
||
<ItemGroup> | ||
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.0" /> | ||
<PackageReference Include="Serilog.AspNetCore" Version="4.1.0" /> | ||
</ItemGroup> | ||
|
||
</Project> |
@@ -0,0 +1,26 @@ | ||
using Microsoft.AspNetCore.Mvc; | ||
using Microsoft.Extensions.Logging; | ||
using System.Linq; | ||
|
||
namespace DPoPApi.Controllers | ||
{ | ||
[Route("identity")] | ||
public class IdentityController : ControllerBase | ||
{ | ||
private readonly ILogger<IdentityController> _logger; | ||
|
||
public IdentityController(ILogger<IdentityController> logger) | ||
{ | ||
_logger = logger; | ||
} | ||
|
||
[HttpGet] | ||
public ActionResult Get() | ||
{ | ||
var claims = User.Claims.Select(c => new { c.Type, c.Value }); | ||
_logger.LogInformation("claims: {claims}", claims); | ||
|
||
return new JsonResult(claims); | ||
} | ||
} | ||
} |
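Review bot: `Get` logs the caller's complete claim set at Information level (`_logger.LogInformation("claims: {claims}", claims)`), so subject identifiers and every other claim value land in the log on each request; that is noisy for a sample and a data-exposure problem if the code is copied into a real API. Consider logging only the claim types, or dropping to Debug, e.g. `_logger.LogDebug("claim types: {types}", claims.Select(c => c.Type))`. `claims` is also a deferred LINQ query that the logger enumerates once and `JsonResult` enumerates again; materialize it once with `.ToList()`.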
@@ -0,0 +1,40 @@ | ||
using System; | ||
using Microsoft.AspNetCore; | ||
using Microsoft.AspNetCore.Hosting; | ||
using Microsoft.Extensions.Hosting; | ||
using Serilog; | ||
using Serilog.Events; | ||
using Serilog.Sinks.SystemConsole.Themes; | ||
|
||
namespace DPoPApi | ||
{ | ||
public class Program | ||
{ | ||
public static void Main(string[] args) | ||
{ | ||
Console.Title = "DPoP API"; | ||
|
||
BuildWebHost(args).Run(); | ||
} | ||
|
||
public static IHost BuildWebHost(string[] args) | ||
{ | ||
Log.Logger = new LoggerConfiguration() | ||
.MinimumLevel.Verbose() | ||
.MinimumLevel.Override("Microsoft", LogEventLevel.Warning) | ||
.MinimumLevel.Override("System", LogEventLevel.Warning) | ||
.MinimumLevel.Override("Microsoft.AspNetCore.Authentication", LogEventLevel.Information) | ||
.Enrich.FromLogContext() | ||
.WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}", theme: AnsiConsoleTheme.Code) | ||
.CreateLogger(); | ||
|
||
return Host.CreateDefaultBuilder(args) | ||
.ConfigureWebHostDefaults(webBuilder => | ||
{ | ||
webBuilder.UseStartup<Startup>(); | ||
}) | ||
.UseSerilog() | ||
.Build(); | ||
} | ||
} | ||
} |
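Review bot: `BuildWebHost` returns an `IHost` built from `Host.CreateDefaultBuilder`, so the name is carried over from the pre-3.0 `IWebHost` API and misleads; `BuildHost` or the template's `CreateHostBuilder` would describe what it does. The Serilog setup also uses `MinimumLevel.Verbose()` as the default, which after the `Microsoft`/`System` overrides still applies to the application's own sources; since `IdentityController` already logs caller claims at Information, a Debug or Information default is the safer sample setting. A one-line comment above `Log.Logger = ...` saying the verbose level is for the sample only would help readers who copy this file.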
@@ -0,0 +1,11 @@ | ||
{ | ||
"profiles": { | ||
"Api": { | ||
"commandName": "Project", | ||
"environmentVariables": { | ||
"ASPNETCORE_ENVIRONMENT": "Development" | ||
}, | ||
"applicationUrl": "https://localhost:5005" | ||
} | ||
} | ||
} |
@@ -0,0 +1,51 @@ | ||
using System.IdentityModel.Tokens.Jwt; | ||
using Clients; | ||
using Microsoft.AspNetCore.Builder; | ||
using Microsoft.Extensions.DependencyInjection; | ||
|
||
namespace DPoPApi | ||
{ | ||
public class Startup | ||
{ | ||
public void ConfigureServices(IServiceCollection services) | ||
{ | ||
services.AddControllers(); | ||
|
||
services.AddCors(); | ||
services.AddDistributedMemoryCache(); | ||
|
||
// this API will accept any access token from the authority | ||
services.AddAuthentication("token") | ||
.AddJwtBearer("token", options => | ||
{ | ||
options.Authority = Constants.Authority; | ||
options.TokenValidationParameters.ValidateAudience = false; | ||
options.MapInboundClaims = false; | ||
options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" }; | ||
}); | ||
} | ||
|
||
public void Configure(IApplicationBuilder app) | ||
{ | ||
app.UseCors(policy => | ||
{ | ||
policy.WithOrigins( | ||
"https://localhost:44300"); | ||
policy.AllowAnyHeader(); | ||
policy.AllowAnyMethod(); | ||
policy.WithExposedHeaders("WWW-Authenticate"); | ||
}); | ||
|
||
app.UseRouting(); | ||
app.UseAuthentication(); | ||
app.UseAuthorization(); | ||
|
||
app.UseEndpoints(endpoints => | ||
{ | ||
endpoints.MapControllers().RequireAuthorization(); | ||
}); | ||
} | ||
} | ||
} |
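Review bot: `ConfigureServices` registers a plain `AddJwtBearer` scheme with `ValidateAudience = false` and no DPoP proof handling, so this API accepts any `at+jwt` from the authority as a bearer token even when the token carries a DPoP key binding; nothing in this hunk reads the `DPoP` header or checks a proof against the token's confirmation claim. If that is intentional for a first draft, say so next to the existing comment, e.g. `// TODO: validate the DPoP proof header against the token's cnf.jkt; until then the token is accepted as a plain bearer token`. `services.AddDistributedMemoryCache()` is registered but nothing in this file uses it; presumably it is meant for replay-detection state to come, so a comment or its removal would avoid a dangling registration.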
6 changes: 5 additions & 1 deletion
6
clients/src/MvcAutomaticTokenManagement/Views/Home/Secure.cshtml
@@ -0,0 +1,46 @@ | ||
using Microsoft.AspNetCore.Authorization; | ||
using Microsoft.AspNetCore.Mvc; | ||
using System.Text.Json; | ||
using System.Net.Http; | ||
using System.Threading.Tasks; | ||
using Clients; | ||
using Microsoft.AspNetCore.Authentication; | ||
using Duende.AccessTokenManagement.OpenIdConnect; | ||
|
||
namespace MvcDPoP.Controllers | ||
{ | ||
public class HomeController : Controller | ||
{ | ||
private readonly IHttpClientFactory _httpClientFactory; | ||
|
||
public HomeController(IHttpClientFactory httpClientFactory) | ||
{ | ||
_httpClientFactory = httpClientFactory; | ||
} | ||
|
||
[AllowAnonymous] | ||
public IActionResult Index() => View(); | ||
|
||
public IActionResult Secure() => View(); | ||
|
||
public async Task<IActionResult> Renew() | ||
{ | ||
await HttpContext.GetUserAccessTokenAsync(new UserTokenRequestParameters { ForceRenewal = true }); | ||
return RedirectToAction(nameof(Secure)); | ||
} | ||
|
||
public IActionResult Logout() => SignOut("oidc"); | ||
|
||
public async Task<IActionResult> CallApi() | ||
{ | ||
var client = _httpClientFactory.CreateClient("client"); | ||
|
||
var response = await client.GetStringAsync("identity"); | ||
ViewBag.Json = response.PrettyPrintJson(); | ||
|
||
return View(); | ||
} | ||
|
||
|
||
} | ||
} |
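Review bot: `Logout` calls `SignOut("oidc")` only, which starts the OpenID Connect end-session redirect but does not sign out of the local authentication scheme; if the session is cookie-based (this project's Startup is not in view), the local cookie survives and the user is still signed in to the app on return, so the usual form is `SignOut("<cookie scheme name>", "oidc")` with the scheme name used at registration. `Renew` forces a token refresh from a plain GET action, which is acceptable for a sample but deserves a comment since it is state-changing. The two blank lines before the class's closing brace, after `CallApi`, should be dropped.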
@@ -0,0 +1,38 @@ | ||
using Clients; | ||
using IdentityModel; | ||
using Microsoft.AspNetCore.Authentication.OpenIdConnect; | ||
using System.Threading.Tasks; | ||
|
||
namespace MvcDPoP; | ||
|
||
public class DPoPOpenIdConnectEvents : OpenIdConnectEvents | ||
{ | ||
public override Task RedirectToIdentityProvider(RedirectContext context) | ||
{ | ||
// create the dpop key | ||
var key = DPoPProof.CreateProofKey(); | ||
|
||
// we store the proof key here to avoid server side and load balancing storage issues | ||
context.Properties.SetProofKey(key); | ||
|
||
// pass jkt to authorize endpoint | ||
context.ProtocolMessage.Parameters[OidcConstants.AuthorizeRequest.DPoPKeyThumbprint] = key.CreateJkt(); | ||
|
||
return base.RedirectToIdentityProvider(context); | ||
} | ||
|
||
public override async Task AuthorizationCodeReceived(AuthorizationCodeReceivedContext context) | ||
{ | ||
// get key from storage | ||
var key = context.Properties.GetProofKey(); | ||
|
||
// create proof token for token endpoint | ||
var proofToken = key.CreateProofToken("POST", $"{Constants.Authority}/connect/token"); | ||
|
||
// set it so the OIDC message handler can find it | ||
context.HttpContext.SetOutboundProofToken(proofToken); | ||
|
||
await base.AuthorizationCodeReceived(context); | ||
} | ||
|
||
} |
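Review bot: `AuthorizationCodeReceived` builds the proof's `htu` from the hard-coded `$"{Constants.Authority}/connect/token"` rather than the token endpoint the handler will actually call, so if discovery reports a different `token_endpoint` (host, path, trailing slash) the proof will not match the request and the authority will reject the code exchange. Discovery has already been loaded by this point in the handler, so `context.Options.Configuration?.TokenEndpoint ?? $"{Constants.Authority}/connect/token"` keeps the fallback while preferring the real value; confirm `Configuration` is populated in this event for the handler version in use. `context.Properties.GetProofKey()` presumably returns null when the stored key is missing, in which case `key.CreateProofToken` fails with a `NullReferenceException`; a guard such as `if (key is null) { context.Fail("missing DPoP proof key"); return; }` makes that case diagnosable.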
@@ -0,0 +1,29 @@ | ||
using IdentityModel; | ||
using Microsoft.AspNetCore.Http; | ||
using System.Net.Http; | ||
using System.Threading; | ||
using System.Threading.Tasks; | ||
|
||
namespace MvcDPoP; | ||
|
||
public class DPoPProofApiMessageHandler : DelegatingHandler | ||
{ | ||
private IHttpContextAccessor _http; | ||
|
||
public DPoPProofApiMessageHandler(IHttpContextAccessor httpContextAccessor) | ||
{ | ||
_http = httpContextAccessor; | ||
} | ||
|
||
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) | ||
{ | ||
var proofKey = await _http.HttpContext?.GetProofKeyAsync(); | ||
if (proofKey != null) | ||
{ | ||
var proofToken = proofKey.CreateProofToken(request.Method.ToString(), request.RequestUri.ToString()); | ||
request.Headers.Add(OidcConstants.HttpHeaders.DPoP, proofToken); | ||
} | ||
|
||
return await base.SendAsync(request, cancellationToken); | ||
} | ||
} |
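Review bot: `SendAsync` does `await _http.HttpContext?.GetProofKeyAsync()`, which compiles but awaits a null `Task` and throws `NullReferenceException` whenever the handler runs without an ambient `HttpContext` (background work, tests); guard explicitly, e.g. `var proofKey = _http.HttpContext is null ? null : await _http.HttpContext.GetProofKeyAsync();`. The `htu` value is taken from `request.RequestUri.ToString()`, which includes any query string and fragment, whereas RFC 9449 defines `htu` as the target URI without query and fragment, so a request with `?x=y` would carry a proof the API should reject; use `request.RequestUri.GetLeftPart(UriPartial.Path)`. `_http` is assigned only in the constructor and can be `private readonly`.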