Removing OpenIddict.Validation.AspNetCore, version 4.3.0 breaks the J…

…WT auth from other schemes
damienbod · Apr 29, 2023 · 5bc5162 · 5bc5162
1 parent 27bfea4
commit 5bc5162
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 45 deletions.
diff --git a/MultiIdentityProvider/IdentityProvider/usersdatabase.sqlite b/MultiIdentityProvider/IdentityProvider/usersdatabase.sqlite
diff --git a/MultiIdentityProvider/WebApi/Consts.cs b/MultiIdentityProvider/WebApi/Consts.cs
@@ -1,23 +1,21 @@
-using OpenIddict.Validation.AspNetCore;
+namespace WebApi;
 
-namespace WebApi
+public static class Consts
 {
-    public static class Consts
-    {
-        public const string MY_AAD_SCHEME = "myAadScheme";
-        public const string MY_AUTH0_SCHEME = "myAuth0Scheme";
-        // OpenIddict scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+    public const string MY_AAD_SCHEME = "myAadScheme";
+    public const string MY_AUTH0_SCHEME = "myAuth0Scheme";
+    public const string MY_OPENIDDICT_SCHEME = "myOpenIddictScheme";
+    // OpenIddict scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
 
-        public const string ALL_MY_SCHEMES = MY_AAD_SCHEME + "," + MY_AUTH0_SCHEME + "," + OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+    public const string ALL_MY_SCHEMES = MY_AAD_SCHEME + "," + MY_AUTH0_SCHEME + "," + MY_OPENIDDICT_SCHEME;
 
-        public const string MY_AAD_POLICY = "myAadPolicy";
-        public const string MY_AUTH0_POLICY = "myAuth0Policy";
-        public const string MY_OPENIDDICT_POLICY = "myOpenIddictPolicy";
+    public const string MY_AAD_POLICY = "myAadPolicy";
+    public const string MY_AUTH0_POLICY = "myAuth0Policy";
+    public const string MY_OPENIDDICT_POLICY = "myOpenIddictPolicy";
 
-        public const string MY_POLICY_ALL_IDP = "myPolicyForAllIdp";
+    public const string MY_POLICY_ALL_IDP = "myPolicyForAllIdp";
 
-        public const string MY_AAD_ISS = "https://login.microsoftonline.com/7ff95b15-dc21-4ba6-bc92-824856578fc1/v2.0";
-        public const string MY_AUTH0_ISS = "https://dev-damienbod.eu.auth0.com/";
-        public const string MY_OPENIDDICT_ISS = "https://localhost:44318/";
-    }
+    public const string MY_AAD_ISS = "https://login.microsoftonline.com/7ff95b15-dc21-4ba6-bc92-824856578fc1/v2.0";
+    public const string MY_AUTH0_ISS = "https://dev-damienbod.eu.auth0.com/";
+    public const string MY_OPENIDDICT_ISS = "https://localhost:44318/";
 }
diff --git a/MultiIdentityProvider/WebApi/Startup.cs b/MultiIdentityProvider/WebApi/Startup.cs
@@ -3,7 +3,6 @@
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.Net.Http.Headers;
-using OpenIddict.Validation.AspNetCore;
 
 namespace WebApi;
 
@@ -51,6 +50,19 @@ public void ConfigureServices(IServiceCollection services)
                 ValidIssuers = Configuration.GetSection("ValidIssuers").Get<string[]>()
             };
         })
+        .AddJwtBearer(Consts.MY_OPENIDDICT_SCHEME, options =>
+        {
+            options.Authority = Consts.MY_OPENIDDICT_ISS;
+            options.Audience = "rs_dataEventRecordsApi";
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateIssuer = true,
+                ValidateAudience = true,
+                ValidateIssuerSigningKey = true,
+                ValidAudiences = Configuration.GetSection("ValidAudiences").Get<string[]>(),
+                ValidIssuers = Configuration.GetSection("ValidIssuers").Get<string[]>()
+            };
+        })
         .AddPolicyScheme("UNKNOWN", "UNKNOWN", options =>
         {
             options.ForwardDefaultSelector = context =>
@@ -67,7 +79,7 @@ public void ConfigureServices(IServiceCollection services)
                         var issuer = jwtHandler.ReadJwtToken(token).Issuer;
                         if(issuer == Consts.MY_OPENIDDICT_ISS) // OpenIddict
                         {
-                            return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+                            return Consts.MY_OPENIDDICT_SCHEME;
                         }
 
                         if (issuer == Consts.MY_AUTH0_ISS) // Auth0
@@ -87,30 +99,31 @@ public void ConfigureServices(IServiceCollection services)
             };
         });
 
+        // Remove this if using multiple schemes, version 4.3.0 breaks other JWT
         // Register the OpenIddict validation components.
-        services.AddOpenIddict() // Scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
-            .AddValidation(options =>
-            {
-                // Note: the validation handler uses OpenID Connect discovery
-                // to retrieve the address of the introspection endpoint.
-                options.SetIssuer("https://localhost:44318/");
-                options.AddAudiences("rs_dataEventRecordsApi");
-
-                // Configure the validation handler to use introspection and register the client
-                // credentials used when communicating with the remote introspection endpoint.
-                //options.UseIntrospection()
-                //        .SetClientId("rs_dataEventRecordsApi")
-                //        .SetClientSecret("dataEventRecordsSecret");
-
-                // disable access token encryption for this
-                options.UseAspNetCore();
-
-                // Register the System.Net.Http integration.
-                options.UseSystemNetHttp();
-
-                // Register the ASP.NET Core host.
-                options.UseAspNetCore();
-            });
+        //services.AddOpenIddict() // Scheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
+        //    .AddValidation(options =>
+        //    {
+        //        // Note: the validation handler uses OpenID Connect discovery
+        //        // to retrieve the address of the introspection endpoint.
+        //        options.SetIssuer("https://localhost:44318/");
+        //        options.AddAudiences("rs_dataEventRecordsApi");
+
+        //        // Configure the validation handler to use introspection and register the client
+        //        // credentials used when communicating with the remote introspection endpoint.
+        //        //options.UseIntrospection()
+        //        //        .SetClientId("rs_dataEventRecordsApi")
+        //        //        .SetClientSecret("dataEventRecordsSecret");
+
+        //        // disable access token encryption for this
+        //        options.UseAspNetCore();
+
+        //        // Register the System.Net.Http integration.
+        //        options.UseSystemNetHttp();
+
+        //        // Register the ASP.NET Core host.
+        //        options.UseAspNetCore();
+        //    });
 
         services.AddSingleton<IAuthorizationHandler, AllSchemesHandler>();
 

diff --git a/MultiIdentityProvider/WebApi/WebApi.csproj b/MultiIdentityProvider/WebApi/WebApi.csproj
@@ -8,8 +8,6 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.5" />
-	  <PackageReference Include="OpenIddict.Validation.AspNetCore" Version="4.1.0" />
-	  <PackageReference Include="OpenIddict.Validation.SystemNetHttp" Version="4.1.0" />
     <PackageReference Include="Serilog" Version="2.12.0" />
     <PackageReference Include="Serilog.AspNetCore" Version="6.1.0" />
     <PackageReference Include="Serilog.Settings.Configuration" Version="3.4.0" />

diff --git a/MultiIdentityProvider/WebApi/appsettings.json b/MultiIdentityProvider/WebApi/appsettings.json
@@ -11,11 +11,13 @@
   },
   "ValidAudiences": [
     "b2a09168-54e2-4bc4-af92-a710a64ef1fa",
-    "https://auth0-api1"
+    "https://auth0-api1",
+    "rs_dataEventRecordsApi" // OpenIddict
   ],
   "ValidIssuers": [
     "https://login.microsoftonline.com/7ff95b15-dc21-4ba6-bc92-824856578fc1/v2.0",
-    "https://dev-damienbod.eu.auth0.com/"
+    "https://dev-damienbod.eu.auth0.com/",
+    "https://localhost:44318/"
   ],
   "Logging": {
     "Debug": {