-
Notifications
You must be signed in to change notification settings - Fork 166
/
SimpleAuthWebApiExtension.cs
91 lines (79 loc) · 3.99 KB
/
SimpleAuthWebApiExtension.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.TeamsFx.SimpleAuth.Components.Auth;
using Microsoft.TeamsFx.SimpleAuth.Components.Auth.Models;
using Microsoft.TeamsFx.SimpleAuth.Controllers;
using System;
using System.Linq;
namespace Microsoft.TeamsFx.SimpleAuth
{
public static class SimpleAuthWebApiExtension
{
public static IServiceCollection AddTeamsFxSimpleAuth(
this IServiceCollection services, IConfiguration configuration,
Action<JwtBearerOptions> configureJwtBearerOptions = null)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
// Add auth controller to an existing ASP.NET Core project
services.AddControllers().AddApplicationPart(typeof(AuthController).Assembly);
ConfigureTeamsFxSimipleAuth(services, configuration, configureJwtBearerOptions);
return services;
}
internal static void ConfigureTeamsFxSimipleAuth(IServiceCollection services, IConfiguration configuration,
Action<JwtBearerOptions> configureJwtBearerOptions = null)
{
// Add authentication
if (configureJwtBearerOptions == null)
{
configureJwtBearerOptions = options =>
{
options.TokenValidationParameters = new IdentityModel.Tokens.TokenValidationParameters()
{
ValidateAudience = true, // only accept token issued to Teams app client id
ValidateIssuer = true,
ValidAudiences = new string[] { configuration[ConfigurationName.ClientId], configuration[ConfigurationName.IdentifierUri] },
};
options.MetadataAddress = configuration[ConfigurationName.AadMetadataAddress];
};
}
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(configureJwtBearerOptions);
services.AddAuthorization(options =>
{
options.AddPolicy("ValidateTokenVersion", policy => policy.RequireClaim(JWTClaims.Version, new string[] { JWTVersion.Ver1, JWTVersion.Ver2 }));
options.AddPolicy("ValidateAppId", policy =>
{
var allowedAppIdsFromConfig = configuration[ConfigurationName.AllowedAppIds]?.Split(";", StringSplitOptions.RemoveEmptyEntries);
var allowedAppIds = allowedAppIdsFromConfig.Append(configuration[ConfigurationName.ClientId]).ToArray();
policy.Requirements.Add(new AppIdRequirement(allowedAppIds));
});
options.AddPolicy("ValidateUserIdentity", policy =>
{
policy.Requirements.Add(new IdentityRequirement(JWTIdentityType.UserIdentity));
});
options.AddPolicy("RequireAccessAsUserScope", policy =>
{
policy.RequireAssertion(
context => context.User.HasClaim(
claim => (claim.Type == JWTClaims.Scope && claim.Value.Split(' ').Contains(RequiredScope.AccessAsUser)) ||
(claim.Type == JWTClaims.Scp && claim.Value.Split(' ').Contains(RequiredScope.AccessAsUser))
)
);
});
});
// DI for AuthHandler
services.AddScoped<AuthHandler>();
services.AddScoped<SimpleAuthExceptionFilter>();
services.AddSingleton<IAuthorizationHandler, AppIdAuthorizationHandler>();
services.AddSingleton<IAuthorizationHandler, IdentityAuthorizationHandler>();
}
}
}