waldekmastykarz
Collaborator

@waldekmastykarz waldekmastykarz commented Feb 21, 2024

Extends CrudApiPlugin to support Entra auth. Closes #556

To test, you can use the northwind db sample.

Update orders-api.json, for example, to:

{
  "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v1.0/crudapiplugin.schema.json",
  "baseUrl": "https://api.northwind.com/orders",
  "auth": "Entra",
  "entraAuthConfig": {
    "validateSigningKey": true
  },
  "dataFile": "orders-data.json",
  "actions": [
    {
      "action": "getAll"
    },
    {
      "action": "getOne",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]"
    },
    {
      "action": "create"
    },
    {
      "action": "merge",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]"
    },
    {
      "action": "delete",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]"
    }
  ]
}

Call the API from curl by passing a valid Entra token:

curl -ix http://127.0.0.1:8000 -H "authorization:Bearer eyJ0eXAiOiJKV1QiLCJhbG...." https://api.northwind.com/orders

In entraAuthConfig you can specify several options as to what parts of the token you want the API to validate:

  • audience: set to the audience string from the token to validate the audience, e.g. https://manage.office.com
  • issuer: set to the ID of the IdP that issued the token, e.g. https://sts.windows.net/06fde681-d710-4b73-8bc6-90585c5630e9/
  • scopes: set to define the list of scopes for all actions. The token must have at least one of the scopes.
  • roles: set to define the list of roles for all actions. The token must have at least one of the roles.
  • validateLifetime: set to true for the API to validate that the token hasn't expired.
  • validateSigningKey: set to true for the API to validate that the token signature is valid. Requires you to specify a valid, untampered-with token issued by Entra.

All these properties can be overridden on each action, which allows you, for example, to specify unique scopes/roles for each action:

{
  "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v1.0/crudapiplugin.schema.json",
  "baseUrl": "https://api.northwind.com/orders",
  "auth": "Entra",
  "entraAuthConfig": {
    "validateSigningKey": true
  },
  "dataFile": "orders-data.json",
  "actions": [
    {
      "action": "getAll",
      "auth": "Entra",
      "entraAuthConfig": {
        "scopes": [
          "orders.read"
        ]
      }
    },
    {
      "action": "getOne",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]",
      "auth": "Entra",
      "entraAuthConfig": {
        "scopes": [
          "orders.read"
        ]
      }
    },
    {
      "action": "create",
      "auth": "Entra",
      "entraAuthConfig": {
        "scopes": [
          "orders.write"
        ]
      }
    },
    {
      "action": "merge",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]",
      "auth": "Entra",
      "entraAuthConfig": {
        "scopes": [
          "orders.write"
        ]
      }
    },
    {
      "action": "delete",
      "url": "/{order-id}",
      "query": "$.[?(@.OrderID == {order-id})]",
      "auth": "Entra",
      "entraAuthConfig": {
        "scopes": [
          "orders.write"
        ]
      }
    }
  ]
}
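
The validation rules described above (audience, issuer, at-least-one scope or role, lifetime, per-action override of the plugin-level config), modelled as an added example; this is not Dev Proxy's own code, and the config values, claim payloads and timestamps are constructed. Signature validation (validateSigningKey) needs the issuer's signing keys and is deliberately left out.

```python
import time

# Constructed plugin-level entraAuthConfig; the tenant ID in the issuer is a placeholder.
PLUGIN_CONFIG = {
    "audience": "api://northwind",
    "issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "validateLifetime": True,
}
# Constructed per-action overrides, mirroring the shape in the PR description.
ACTION_CONFIGS = {
    "getAll": {"scopes": ["orders.read"]},
    "create": {"scopes": ["orders.write"]},
    "delete": {"roles": ["Orders.Manage"]},
}


def effective_config(action):
    """Per-action keys override the plugin-level ones; everything else is inherited."""
    return {**PLUGIN_CONFIG, **ACTION_CONFIGS.get(action, {})}


def validate_claims(claims, cfg, now=None):
    """Check a decoded JWT payload against a config. Returns the names of failed
    checks; an empty list means the request is accepted. Signature is NOT checked here."""
    now = time.time() if now is None else now
    failures = []
    if "audience" in cfg:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
        if cfg["audience"] not in auds:
            failures.append("audience")
    if "issuer" in cfg and claims.get("iss") != cfg["issuer"]:
        failures.append("issuer")
    if "scopes" in cfg:
        # Entra access tokens carry delegated scopes in the space-separated 'scp' claim.
        token_scopes = set(claims.get("scp", "").split())
        if not token_scopes & set(cfg["scopes"]):
            failures.append("scopes")
    if "roles" in cfg:
        # App roles arrive in the 'roles' claim as a list.
        if not set(claims.get("roles", [])) & set(cfg["roles"]):
            failures.append("roles")
    if cfg.get("validateLifetime"):
        exp, nbf = claims.get("exp"), claims.get("nbf", 0)
        if exp is None or now >= exp or now < nbf:
            failures.append("lifetime")
    return failures
```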

@waldekmastykarz waldekmastykarz requested a review from a team February 21, 2024 15:53
Contributor

@garrytrinder garrytrinder left a comment


When running the curl command after updating orders-api.json file and passing a valid token (generated using Graph Explorer calling the /me endpoint) I get the following error.

curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.

@waldekmastykarz
Collaborator Author

Does calling other endpoints work? Seems odd that curl would do something with the access token. What's the command you're using? Is the cert trusted on your box?

garrytrinder
garrytrinder previously approved these changes Feb 22, 2024