feat(auth): Integration von AuthHubClient und JWT-basierter Authentifizierung

- Abhängigkeit `DigitalData.Auth.Client` hinzugefügt
- `AuthHubClient` mit konfigurierbarem öffentlichen Schlüssel für Authentifizierung integriert
- Cookie-basierte Authentifizierung durch JWT-Bearer-Authentifizierung ersetzt
- Token-Validierung so konfiguriert, dass dynamisch auflösbare Signaturschlüssel verwendet werden

WorkFlow.API/Program.cs

@@ -13,6 +13,7 @@ using NLog.Web;
 using WorkFlow.API.Extensions;
 using WorkFlow.API.Filters;
 using Microsoft.OpenApi.Models;
+using DigitalData.Auth.Client;
 
 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized.");
@@ -26,7 +27,7 @@ try
     builder.Logging.ClearProviders();
     builder.Host.UseNLog();
 
-    // Add services to the container.
+    // Add services to the container
     var cnn_str = config.GetConnectionString("Default") ?? throw new("Default connection string not found.");
     builder.Services.AddDbContext<WFDBContext>(options => options.UseSqlServer(cnn_str).EnableDetailedErrors());
     builder.Services.AddWorkFlow().AddUserManager<WFDBContext>();
@@ -47,19 +48,26 @@ try
     else
         throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
 
+    var authPublicKey = config.GetSection("AuthPublicKey").Get<ClientPublicKey>() ?? throw new InvalidOperationException("The AuthPublicKey configuration is missing or invalid.");
+
+    builder.Services.AddAuthHubClient(config, opt =>
+    {
+        opt.PublicKeys.Add(authPublicKey);
+    });
+
     builder.Services.AddControllers();
 
     builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
-        .AddCookie(options =>
+        .AddJwtBearer(opt =>
         {
-            options.Cookie.HttpOnly = true;  // Makes the cookie inaccessible to client-side scripts for security
+            opt.TokenValidationParameters = new TokenValidationParameters
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
+            {
-            options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
+                ValidateIssuerSigningKey = true,
-            options.LoginPath = "/api/auth/login";
+                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
-            options.LogoutPath = "/api/auth/logout";
+                {
-            options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // timeout.
+                    return [authPublicKey.SecurityKey];
-            options.SlidingExpiration = true; //refreshes the expiration time on each request.
+                }
-            options.Cookie.Name = "AuthSession";
+            };
         });
 
     builder.Services.AddEndpointsApiExplorer();

WorkFlow.API/WorkFlow.API.csproj

@@ -12,7 +12,9 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="DigitalData.Auth.Client" Version="1.1.4.1" />
     <PackageReference Include="DigitalData.Core.API" Version="2.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.13" />
     <PackageReference Include="NLog" Version="5.3.4" />
     <PackageReference Include="NLog.Web.AspNetCore" Version="5.3.14" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0" />

WorkFlow.API/appsettings.json

@@ -76,5 +76,12 @@
       "Name": "Digital Data GmbH",
       "Url": "https://digitaldata.works/"
     }
+  },
+  "AuthClientParams": {
+    "Url": "https://localhost:7192"
+  },
+  "AuthPublicKey": {
+    "Issuer": "auth.digitaldata.works",
+    "Audience": "work-flow.digitaldata.works"
   }
 }