feat(Programm): Konfiguriert für Auth.API

DigitalData.UserManager.API/Models/AuthTokenKeys.cs

@@ -0,0 +1,12 @@
+namespace DigitalData.UserManager.API.Models;
+
+public class AuthTokenKeys
+{
+    public string Cookie { get; init; } = "AuthToken";
+
+    public string QueryString { get; init; } = "AuthToken";
+
+    public string Issuer { get; init; } = "auth.digitaldata.works";
+
+    public string Audience { get; init; } = "work-flow.digitaldata.works";
+}

DigitalData.UserManager.API/Program.cs

@@ -13,6 +13,12 @@ using Newtonsoft.Json;
 using Microsoft.IdentityModel.Tokens;
 using DigitalData.UserManager.Application.DTOs.User;
 using DigitalData.UserManager.API.Models;
+using DigitalData.Auth.Client;
+using DigitalData.UserManager.API;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.Options;
+using DigitalData.Core.Abstractions.Security.Extensions;
+using Microsoft.OpenApi.Models;
 
 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Debug("init main");
@@ -92,10 +98,85 @@ try {
         Claims = user.ToClaimList().ToDictionary(claim => claim.Type, claim => claim.Value as object)
     });
 
+    var lazyProvider = new LazyServiceProvider();
+
+    builder.Services.AddAuthHubClient(config.GetSection("AuthClientParams"));
+
+    var authTokenKeys = config.GetSection(nameof(AuthTokenKeys)).Get<AuthTokenKeys>() ?? new();
+
+    builder.Services
+        .AddAuthentication(options =>
+        {
+            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+        })
+        .AddJwtBearer(opt =>
+        {
+            opt.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
+                {
+                    var clientParams = lazyProvider.GetRequiredService<IOptions<ClientParams>>()?.Value;
+                    var publicKey = clientParams!.PublicKeys.Get(authTokenKeys.Issuer, authTokenKeys.Audience);
+                    return new List<SecurityKey>() { publicKey.SecurityKey };
+                },
+                ValidateIssuer = true,
+                ValidIssuer = authTokenKeys.Issuer,
+                ValidateAudience = true,
+                ValidAudience = authTokenKeys.Audience,
+            };
+
+            opt.Events = new JwtBearerEvents
+            {
+                OnMessageReceived = context =>
+                {
+                    // if there is no token read related cookie or query string
+                    if (context.Token is null)   // if there is no token
+                    {
+                        if (context.Request.Cookies.TryGetValue(authTokenKeys.Cookie, out var cookieToken) && cookieToken is not null)
+                            context.Token = cookieToken;
+                        else if (context.Request.Query.TryGetValue(authTokenKeys.QueryString, out var queryStrToken))
+                            context.Token = queryStrToken;
+                    }
+                    return Task.CompletedTask;
+                }
+            };
+        });
+
+    builder.Services.AddSwaggerGen(setupAct =>
+    {
+        setupAct.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
+        {
+            Description = "JWT Authorization header using the Bearer scheme. Example: \"Bearer {token}\"",
+            Name = "Authorization",
+            In = ParameterLocation.Header,
+            Type = SecuritySchemeType.Http,
+            Scheme = "Bearer"
+        });
+
+        setupAct.AddSecurityRequirement(new OpenApiSecurityRequirement
+        {
+            {
+                new OpenApiSecurityScheme
+                {
+                    Reference = new OpenApiReference
+                    {
+                        Type = ReferenceType.SecurityScheme,
+                        Id = "Bearer"
+                    }
+                },
+                Array.Empty<string>()
+            }
+        });
+    });
+
     builder.Services.AddCookieBasedLocalizer();
 
     var app = builder.Build();
 
+    lazyProvider.Factory = () => app.Services;
+
     cnn_str = new(() =>
     {
         var encryptor = app.Services.GetRequiredService<Encryptor>();

DigitalData.UserManager.API/appsettings.json

@@ -75,5 +75,16 @@
   "DateTimeZoneHandling": "Local",
   // Delete below in production
   "UseEncryptor": true,
-  "UseSwagger": true
+  "UseSwagger": true,
+  "AuthClientParams": {
+    "Url": "http://172.24.11.75:8088/auth-hub",
+    "PublicKeys": [
+      {
+        "Issuer": "auth.digitaldata.works",
+        "Audience": "user-manager.digitaldata.works",
+        "Content": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3QCd7dH/xOUITFZbitMa/xnh8a0LyL6ZBvSRAwkI9ceplTRSHJXoM1oB+xtjWE1kOuHVLe941Tm03szS4+/rHIm0Ejva/KKlv7sPFAHE/pWuoPS303vOHgI4HAFcuwywA8CghUWzaaK5LU/Hl8srWwxBHv5hKIUjJFJygeAIENvFOZ1gFbB3MPEC99PiPOwAmfl4tMQUmSsFyspl/RWVi7bTv26ZE+m3KPcWppmvmYjXlSitxRaySxnfFvpca/qWfd/uUUg2KWKtpAwWVkqr0qD9v3TyKSgHoGDsrFpwSx8qufUJSinmZ1u/0iKl6TXeHubYS4C4SUSVjOWXymI2ZQIDAQAB-----END PUBLIC KEY-----"
+      }
+    ],
+    "RetryDelay": "00:00:05"
+  }
 }