feat(auth): Integration von AuthHubClient und JWT-basierter Authentifizierung

- Abhängigkeit `DigitalData.Auth.Client` hinzugefügt - `AuthHubClient` mit konfigurierbarem öffentlichen Schlüssel für Authentifizierung integriert - Cookie-basierte Authentifizierung durch JWT-Bearer-Authentifizierung ersetzt - Token-Validierung so konfiguriert, dass dynamisch auflösbare Signaturschlüssel verwendet werden
2025-03-07 16:10:10 +01:00 · 2025-03-07 16:10:10 +01:00 · 97d5156bbb
commit 97d5156bbb
parent 40cf8f3f10
3 changed files with 33 additions and 16 deletions
--- a/WorkFlow.API/Program.cs
+++ b/WorkFlow.API/Program.cs
@ -13,6 +13,7 @@ using NLog.Web;
 using WorkFlow.API.Extensions;
 using WorkFlow.API.Filters;
 using Microsoft.OpenApi.Models;
+using DigitalData.Auth.Client;

 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized.");
@ -26,7 +27,7 @@ try
    builder.Logging.ClearProviders();
    builder.Host.UseNLog();

-    // Add services to the container.
+    // Add services to the container
    var cnn_str = config.GetConnectionString("Default") ?? throw new("Default connection string not found.");
    builder.Services.AddDbContext<WFDBContext>(options => options.UseSqlServer(cnn_str).EnableDetailedErrors());
    builder.Services.AddWorkFlow().AddUserManager<WFDBContext>();
@ -41,34 +42,41 @@ try
    bool disableAPIKeyAuth = config.GetValue<bool>("DisableAPIKeyAuth") && builder.IsDevOrDiP();
    if (disableAPIKeyAuth)
        builder.Services.AddAPIKeyAuth(new APIKeyAuthOptions());
-    else        
+    else
        if (config.GetSection("APIKeyAuth").Get<APIKeyAuthOptions>() is APIKeyAuthOptions options)
-            builder.Services.AddAPIKeyAuth(options);        
-        else
-            throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
+        builder.Services.AddAPIKeyAuth(options);
+    else
+        throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
+
+    var authPublicKey = config.GetSection("AuthPublicKey").Get<ClientPublicKey>() ?? throw new InvalidOperationException("The AuthPublicKey configuration is missing or invalid.");
+
+    builder.Services.AddAuthHubClient(config, opt =>
+    {
+        opt.PublicKeys.Add(authPublicKey);
+    });

    builder.Services.AddControllers();

    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
-        .AddCookie(options =>
+        .AddJwtBearer(opt =>
        {
-            options.Cookie.HttpOnly = true;  // Makes the cookie inaccessible to client-side scripts for security
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
-            options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
-            options.LoginPath = "/api/auth/login";
-            options.LogoutPath = "/api/auth/logout";
-            options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // timeout.
-            options.SlidingExpiration = true; //refreshes the expiration time on each request.
-            options.Cookie.Name = "AuthSession";
+            opt.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
+                {
+                    return [authPublicKey.SecurityKey];
+                }
+            };
        });

    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen(setupAct =>
    {
-        if(!disableAPIKeyAuth)
+        if (!disableAPIKeyAuth)
            setupAct.OperationFilter<APIKeyAuthHeaderOpFilter>();

-        if(config.GetSection("OpenApiInfo").Get<OpenApiInfo>() is OpenApiInfo openApiInfo)
+        if (config.GetSection("OpenApiInfo").Get<OpenApiInfo>() is OpenApiInfo openApiInfo)
            setupAct.SwaggerDoc(openApiInfo?.Version ?? "v1", openApiInfo);
    });

--- a/WorkFlow.API/WorkFlow.API.csproj
+++ b/WorkFlow.API/WorkFlow.API.csproj
@ -12,7 +12,9 @@
  </PropertyGroup>

  <ItemGroup>
+    <PackageReference Include="DigitalData.Auth.Client" Version="1.1.4.1" />
    <PackageReference Include="DigitalData.Core.API" Version="2.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.13" />
    <PackageReference Include="NLog" Version="5.3.4" />
    <PackageReference Include="NLog.Web.AspNetCore" Version="5.3.14" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0" />
--- a/WorkFlow.API/appsettings.json
+++ b/WorkFlow.API/appsettings.json
@ -76,5 +76,12 @@
      "Name": "Digital Data GmbH",
      "Url": "https://digitaldata.works/"
    }
+  },
+  "AuthClientParams": {
+    "Url": "https://localhost:7192"
+  },
+  "AuthPublicKey": {
+    "Issuer": "auth.digitaldata.works",
+    "Audience": "work-flow.digitaldata.works"
  }
 }