diff --git a/WorkFlow.API/Program.cs b/WorkFlow.API/Program.cs index 8dfa9ad..c92b190 100644 --- a/WorkFlow.API/Program.cs +++ b/WorkFlow.API/Program.cs @@ -13,6 +13,7 @@ using NLog.Web; using WorkFlow.API.Extensions; using WorkFlow.API.Filters; using Microsoft.OpenApi.Models; +using DigitalData.Auth.Client; var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger(); logger.Info("Logging initialized."); @@ -26,7 +27,7 @@ try builder.Logging.ClearProviders(); builder.Host.UseNLog(); - // Add services to the container. + // Add services to the container var cnn_str = config.GetConnectionString("Default") ?? throw new("Default connection string not found."); builder.Services.AddDbContext(options => options.UseSqlServer(cnn_str).EnableDetailedErrors()); builder.Services.AddWorkFlow().AddUserManager(); @@ -41,34 +42,41 @@ try bool disableAPIKeyAuth = config.GetValue("DisableAPIKeyAuth") && builder.IsDevOrDiP(); if (disableAPIKeyAuth) builder.Services.AddAPIKeyAuth(new APIKeyAuthOptions()); - else + else if (config.GetSection("APIKeyAuth").Get() is APIKeyAuthOptions options) - builder.Services.AddAPIKeyAuth(options); - else - throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled."); + builder.Services.AddAPIKeyAuth(options); + else + throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled."); + + var authPublicKey = config.GetSection("AuthPublicKey").Get() ?? throw new InvalidOperationException("The AuthPublicKey configuration is missing or invalid."); + + builder.Services.AddAuthHubClient(config, opt => + { + opt.PublicKeys.Add(authPublicKey); + }); builder.Services.AddControllers(); builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) - .AddCookie(options => + .AddJwtBearer(opt => { - options.Cookie.HttpOnly = true; // Makes the cookie inaccessible to client-side scripts for security - options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only - options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites - options.LoginPath = "/api/auth/login"; - options.LogoutPath = "/api/auth/logout"; - options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // timeout. - options.SlidingExpiration = true; //refreshes the expiration time on each request. - options.Cookie.Name = "AuthSession"; + opt.TokenValidationParameters = new TokenValidationParameters + { + ValidateIssuerSigningKey = true, + IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => + { + return [authPublicKey.SecurityKey]; + } + }; }); builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(setupAct => { - if(!disableAPIKeyAuth) + if (!disableAPIKeyAuth) setupAct.OperationFilter(); - if(config.GetSection("OpenApiInfo").Get() is OpenApiInfo openApiInfo) + if (config.GetSection("OpenApiInfo").Get() is OpenApiInfo openApiInfo) setupAct.SwaggerDoc(openApiInfo?.Version ?? "v1", openApiInfo); }); diff --git a/WorkFlow.API/WorkFlow.API.csproj b/WorkFlow.API/WorkFlow.API.csproj index 9140633..a12de09 100644 --- a/WorkFlow.API/WorkFlow.API.csproj +++ b/WorkFlow.API/WorkFlow.API.csproj @@ -12,7 +12,9 @@ + + diff --git a/WorkFlow.API/appsettings.json b/WorkFlow.API/appsettings.json index 615ac6c..df43ba2 100644 --- a/WorkFlow.API/appsettings.json +++ b/WorkFlow.API/appsettings.json @@ -76,5 +76,12 @@ "Name": "Digital Data GmbH", "Url": "https://digitaldata.works/" } + }, + "AuthClientParams": { + "Url": "https://localhost:7192" + }, + "AuthPublicKey": { + "Issuer": "auth.digitaldata.works", + "Audience": "work-flow.digitaldata.works" } } \ No newline at end of file