(#188) Use Multiple Authentication Schemes

phongnguyend · May 14, 2023 · dbbffab · dbbffab
1 parent a94bfc5
commit dbbffab
Show file tree

Hide file tree

Showing 17 changed files with 356 additions and 99 deletions.
diff --git a/src/Microservices/Services.AuditLog/ClassifiedAds.Services.AuditLog.Api/Startup.cs b/src/Microservices/Services.AuditLog/ClassifiedAds.Services.AuditLog.Api/Startup.cs
@@ -9,6 +9,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 using Polly;
 using System;
 using System.Reflection;
@@ -63,13 +64,30 @@ public void ConfigureServices(IServiceCollection services)
         services.AddAuditLogModule(AppSettings);
         services.AddHostedServicesAuditLogModule();
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-            .AddJwtBearer(options =>
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
             {
-                options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-            });
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
 
         services.AddRateLimiter(options =>
         {

diff --git a/src/Microservices/Services.AuditLog/ClassifiedAds.Services.AuditLog.Grpc/Startup.cs b/src/Microservices/Services.AuditLog/ClassifiedAds.Services.AuditLog.Grpc/Startup.cs
@@ -8,6 +8,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 
 namespace ClassifiedAds.Services.AuditLog.Grpc;
 
@@ -38,13 +39,31 @@ public void ConfigureServices(IServiceCollection services)
 
         services.AddAuditLogModule(AppSettings);
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(options =>
-                {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-                });
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
+            {
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
+
         services.AddAuthorization();
 
         services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

diff --git a/...ces/Services.AuditLog/ClassifiedAds.Services.AuditLog/ConfigurationOptions/AppSettings.cs b/...ces/Services.AuditLog/ClassifiedAds.Services.AuditLog/ConfigurationOptions/AppSettings.cs
@@ -5,6 +5,7 @@
 using ClassifiedAds.Infrastructure.Monitoring;
 using ClassifiedAds.Infrastructure.Notification;
 using ClassifiedAds.Infrastructure.Storages;
+using CryptographyHelper.Certificates;
 
 namespace ClassifiedAds.Services.AuditLog.ConfigurationOptions;
 
@@ -38,9 +39,22 @@ public class ConnectionStrings
 
 public class IdentityServerAuthentication
 {
+    public string Provider { get; set; }
+
     public string Authority { get; set; }
 
     public string ApiName { get; set; }
 
     public bool RequireHttpsMetadata { get; set; }
+
+    public OpenIddictOptions OpenIddict { get; set; }
+}
+
+public class OpenIddictOptions
+{
+    public string IssuerUri { get; set; }
+
+    public CertificateOption TokenDecryptionCertificate { get; set; }
+
+    public CertificateOption IssuerSigningCertificate { get; set; }
 }
diff --git a/...onfiguration/ClassifiedAds.Services.Configuration.Api/ConfigurationOptions/AppSettings.cs b/...onfiguration/ClassifiedAds.Services.Configuration.Api/ConfigurationOptions/AppSettings.cs
@@ -2,6 +2,7 @@
 using ClassifiedAds.Infrastructure.Interceptors;
 using ClassifiedAds.Infrastructure.Logging;
 using ClassifiedAds.Infrastructure.Monitoring;
+using CryptographyHelper.Certificates;
 
 namespace ClassifiedAds.Services.Configuration.ConfigurationOptions;
 
@@ -31,9 +32,22 @@ public class ConnectionStrings
 
 public class IdentityServerAuthentication
 {
+    public string Provider { get; set; }
+
     public string Authority { get; set; }
 
     public string ApiName { get; set; }
 
     public bool RequireHttpsMetadata { get; set; }
+
+    public OpenIddictOptions OpenIddict { get; set; }
+}
+
+public class OpenIddictOptions
+{
+    public string IssuerUri { get; set; }
+
+    public CertificateOption TokenDecryptionCertificate { get; set; }
+
+    public CertificateOption IssuerSigningCertificate { get; set; }
 }
diff --git a/src/Microservices/Services.Configuration/ClassifiedAds.Services.Configuration.Api/Startup.cs b/src/Microservices/Services.Configuration/ClassifiedAds.Services.Configuration.Api/Startup.cs
@@ -7,6 +7,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 using Polly;
 using System;
 using System.Reflection;
@@ -61,13 +62,30 @@ public void ConfigureServices(IServiceCollection services)
 
         services.AddConfigurationModule(AppSettings);
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(options =>
-                {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-                });
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
+            {
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
     }
 
     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

diff --git a/src/Microservices/Services.Identity/ClassifiedAds.Services.Identity.Api/Startup.cs b/src/Microservices/Services.Identity/ClassifiedAds.Services.Identity.Api/Startup.cs
@@ -10,6 +10,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 using Polly;
 using System;
 using System.Reflection;
@@ -66,13 +67,30 @@ public void ConfigureServices(IServiceCollection services)
                 .PersistKeysToDbContext<IdentityDbContext>()
                 .SetApplicationName("ClassifiedAds");
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(options =>
-                {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-                });
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
+            {
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
 
         services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
     }

diff --git a/src/Microservices/Services.Identity/ClassifiedAds.Services.Identity.Grpc/Startup.cs b/src/Microservices/Services.Identity/ClassifiedAds.Services.Identity.Grpc/Startup.cs
@@ -10,6 +10,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 
 namespace ClassifiedAds.Services.Identity.Grpc;
 
@@ -44,13 +45,31 @@ public void ConfigureServices(IServiceCollection services)
                 .PersistKeysToDbContext<IdentityDbContext>()
                 .SetApplicationName("ClassifiedAds");
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(options =>
-                {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-                });
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
+            {
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
+
         services.AddAuthorization();
     }
 

diff --git a/...ces/Services.Identity/ClassifiedAds.Services.Identity/ConfigurationOptions/AppSettings.cs b/...ces/Services.Identity/ClassifiedAds.Services.Identity/ConfigurationOptions/AppSettings.cs
@@ -3,6 +3,7 @@
 using ClassifiedAds.Infrastructure.Logging;
 using ClassifiedAds.Infrastructure.Monitoring;
 using ClassifiedAds.Infrastructure.Notification;
+using CryptographyHelper.Certificates;
 
 namespace ClassifiedAds.Services.Identity.ConfigurationOptions;
 
@@ -32,9 +33,22 @@ public class ConnectionStrings
 
 public class IdentityServerAuthentication
 {
+    public string Provider { get; set; }
+
     public string Authority { get; set; }
 
     public string ApiName { get; set; }
 
     public bool RequireHttpsMetadata { get; set; }
+
+    public OpenIddictOptions OpenIddict { get; set; }
+}
+
+public class OpenIddictOptions
+{
+    public string IssuerUri { get; set; }
+
+    public CertificateOption TokenDecryptionCertificate { get; set; }
+
+    public CertificateOption IssuerSigningCertificate { get; set; }
 }
diff --git a/src/Microservices/Services.Notification/ClassifiedAds.Services.Notification.Api/Startup.cs b/src/Microservices/Services.Notification/ClassifiedAds.Services.Notification.Api/Startup.cs
@@ -9,6 +9,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 using Polly;
 using System;
 using System.Reflection;
@@ -69,13 +70,30 @@ public void ConfigureServices(IServiceCollection services)
 
         services.AddNotificationModule(AppSettings);
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(options =>
-                {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
-                });
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = AppSettings.IdentityServerAuthentication.Provider switch
+            {
+                "OpenIddict" => "OpenIddict",
+                _ => JwtBearerDefaults.AuthenticationScheme
+            };
+        })
+        .AddJwtBearer(options =>
+        {
+            options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+            options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+            options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+        })
+        .AddJwtBearer("OpenIddict", options =>
+        {
+            options.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+            };
+        });
 
         services.AddHostedService<PushNotificationHostedService>();
     }