Add JWT Bearer authentication support

- Integrated JWT Bearer authentication for API security. - Replaced previous CookieAuthenticationDefaults with JwtBearerDefaults as the default authentication scheme. - Configured JWT token validation with issuer, audience, and signing key parameters. - Added handling for token retrieval from cookies or query strings when missing in the header. - Updated the authentication configuration to support both Cookie and JWT authentication schemes. - Enhanced security by validating JWT tokens against provided public keys.
2025-04-28 16:18:31 +02:00
parent 875ff95278
commit 2d3987b81e
8 changed files with 49 additions and 7 deletions
--- a/EnvelopeGenerator.GeneratorAPI/EnvelopeGenerator.GeneratorAPI.csproj
+++ b/EnvelopeGenerator.GeneratorAPI/EnvelopeGenerator.GeneratorAPI.csproj
@@ -25,7 +25,7 @@
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.4" />
    <PackageReference Include="Scalar.AspNetCore" Version="2.2.1" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="8.1.1" />
-    <PackageReference Include="DigitalData.Core.Abstractions" Version="3.5.0" />
+    <PackageReference Include="DigitalData.Core.Abstractions" Version="3.6.0" />
    <PackageReference Include="DigitalData.Core.Application" Version="3.2.1" />
    <PackageReference Include="DigitalData.Core.DTO" Version="2.0.1" />
    <PackageReference Include="DigitalData.EmailProfilerDispatcher.Abstraction" Version="3.0.0" />
--- a/EnvelopeGenerator.GeneratorAPI/Program.cs
+++ b/EnvelopeGenerator.GeneratorAPI/Program.cs
@@ -12,6 +12,9 @@ using EnvelopeGenerator.Application;
 using DigitalData.Auth.Client;
 using DigitalData.Core.Abstractions;
 using EnvelopeGenerator.GeneratorAPI.Models;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;
+using DigitalData.Core.Abstractions.Security.Extensions;

 var builder = WebApplication.CreateBuilder(args);

@@ -93,6 +96,45 @@ builder.Services.AddAuthHubClient(config.GetSection("AuthClientParams"));

 var authTokenKeys = config.GetOrDefault<AuthTokenKeys>();

+builder.Services.AddAuthentication(options =>
+{
+    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+})
+    .AddJwtBearer(opt =>
+    {
+        opt.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
+            {
+                var clientParams = deferredProvider.GetOptions<ClientParams>();
+                var publicKey = clientParams!.PublicKeys.Get(authTokenKeys.Issuer, authTokenKeys.Audience);
+                return new List<SecurityKey>() { publicKey.SecurityKey };
+            },
+            ValidateIssuer = true,
+            ValidIssuer = authTokenKeys.Issuer,
+            ValidateAudience = true,
+            ValidAudience = authTokenKeys.Audience,
+        };
+
+        opt.Events = new JwtBearerEvents
+        {
+            OnMessageReceived = context =>
+            {
+                // if there is no token read related cookie or query string
+                if (context.Token is null)   // if there is no token
+                {
+                    if (context.Request.Cookies.TryGetValue(authTokenKeys.Cookie, out var cookieToken) && cookieToken is not null)
+                        context.Token = cookieToken;
+                    else if (context.Request.Query.TryGetValue(authTokenKeys.QueryString, out var queryStrToken))
+                        context.Token = queryStrToken;
+                }
+                return Task.CompletedTask;
+            }
+        };
+    });
+
 // Authentication
 builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddCookie(options =>