Merge pull request #9 from myusrn/master

collaboration on updates to address issue #7

Author: kirkone

KK.AspNetCore.EasyAuthAuthentication.sln

@@ -1,4 +1,4 @@
-
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 15
 VisualStudioVersion = 15.0.26124.0

README.md

@@ -106,9 +106,10 @@ For example:
 
 ## Authors
 
-* **Kirsten Kluge** - *Initial work* - [kirkone](https://github.com/kirkone)
-* **paule96** - *Refactoring* - [paule96](https://github.com/paule96)
-* **Christoph Sonntag** - *Made things even more uber* - [Compufreak345](https://github.com/Compufreak345)
+-   **Kirsten Kluge** - _Initial work_ - [kirkone](https://github.com/kirkone)
+-   **paule96** - _Refactoring_ - [paule96](https://github.com/paule96)
+-   **Christoph Sonntag** - _Made things even more uber_ - [Compufreak345](https://github.com/Compufreak345)
+-   **myusrn** - _Dropped some knowledge about making IsInRoles work_ - [myusrn](https://github.com/myusrn)
 
 See also the list of [contributors](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication/graphs/contributors) who participated in this project.
 
@@ -118,4 +119,4 @@ This project is licensed under the MIT License - see the [LICENSE.md](LICENSE.md
 
 ## Acknowledgments
 
-* Inspired by this [StackOverflow post](https://stackoverflow.com/a/42402163/6526640) and this [GitHub](https://github.com/lpunderscore/azureappservice-authentication-middleware) repo
+-   Inspired by this [StackOverflow post](https://stackoverflow.com/a/42402163/6526640) and this [GitHub](https://github.com/lpunderscore/azureappservice-authentication-middleware) repo

src/KK.AspNetCore.EasyAuthAuthentication/AuthTokenHeaderNames.cs

@@ -0,0 +1,37 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    /// <summary>
+    /// This class contains all header names that are possible to make an authentication.
+    /// The source of the list can find here: https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#retrieve-tokens-in-app-code
+    /// </summary>
+    public static class AuthTokenHeaderNames
+    {
+        #region AzureAd
+        public const string AADIdToken = "X-MS-TOKEN-AAD-ID-TOKEN";
+        public const string AADAccessToken = "X-MS-TOKEN-AAD-ACCESS-TOKEN";
+        public const string AADExpiresOn = "X-MS-TOKEN-AAD-EXPIRES-ON";
+        public const string AADRefreshToken = "X-MS-TOKEN-AAD-REFRESH-TOKEN";
+        #endregion
+        #region Facebook
+        public const string FacebookAccessToken = "X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN";
+        public const string FacebookExpiresOn = "X-MS-TOKEN-FACEBOOK-EXPIRES-ON";
+        #endregion
+        #region Google
+        public const string GoogleIdToken = "X-MS-TOKEN-GOOGLE-ID-TOKEN";
+        public const string GoogleAccessToken = "X-MS-TOKEN-GOOGLE-ACCESS-TOKEN";
+        public const string GoogleExpiresOn = "X-MS-TOKEN-GOOGLE-EXPIRES-ON";
+        public const string GoogleRefreshToken = "X-MS-TOKEN-GOOGLE-REFRESH-TOKEN";
+
+        #endregion
+        #region Microsoft Account
+        public const string MicrosoftAccessToken = "X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN";
+        public const string MicrosoftExpiresOn = "X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON";
+        public const string MicrosoftAuthenticationToken = "X-MS-TOKEN-MICROSOFTACCOUNT-AUTHENTICATION-TOKEN";
+        public const string MicrosoftRefreshToken = "X-MS-TOKEN-MICROSOFTACCOUNT-REFRESH-TOKEN";
+        #endregion
+        #region Twitter
+        public const string TwitterAccessToken = "X-MS-TOKEN-TWITTER-ACCESS-TOKEN";
+        public const string TwitterAccessTokenSecret = "X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET";
+        #endregion
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/AuthenticationTicketBuilder.cs

@@ -0,0 +1,77 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Security.Principal;
+using Microsoft.AspNetCore.Authentication;
+using Newtonsoft.Json.Linq;
+
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    public static class AuthenticationTicketBuilder
+    {
+        /// <summary>
+        /// Build a `AuthenticationTicket` from the given payload, the principal name and the provider name
+        /// </summary>
+        /// <param name="claimsPayload">A array of JObjects that have a `type` and a `val` property</param>
+        /// <param name="providerName">The provider name of the current auth provider.</param>
+        /// <returns>A `AuthenticationTicket`</returns>
+        public static AuthenticationTicket Build(IEnumerable<JObject> claimsPayload, string providerName)
+        {
+            var identity = new ClaimsIdentity(
+                createClaims(claimsPayload),
+                // setting ClaimsIdentity.AuthenticationType to value that Azure AD non-EasyAuth setups use
+                AuthenticationTypesNames.Federation
+            );
+
+            addScopeClaim(identity);
+            addProviderNameClaim(identity, providerName);
+            var genericPrincipal = new ClaimsPrincipal(identity);
+
+            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
+        }
+
+        private static IEnumerable<Claim> createClaims(IEnumerable<JObject> claimsAsJson)
+        {
+            foreach (var claim in claimsAsJson)
+            {
+                var claimType = claim["typ"].ToString();
+                switch (claimType)
+                {
+                    case Schemas.AuthMethod:
+                        foreach (var item in claim["val"].ToString().Split(','))
+                        {
+                            yield return new Claim(ClaimTypes.Authentication, item);
+                        }
+                        break;
+                    case "roles":
+                        foreach (var item in claim["val"].ToString().Split(','))
+                        {
+                            yield return new Claim(ClaimTypes.Role, item);
+                        }
+                        break;
+                    default:
+                        yield return new Claim(claimType, claim["val"].ToString());
+                        break;
+                }
+            }
+        }
+
+        private static void addScopeClaim(ClaimsIdentity identity)
+        {
+            if (!identity.Claims.Any(claim => claim.Type == "scp"))
+            {
+                // We are not sure if we should add this in to match what non-EasyAuth authenticated result would look like
+                // with EasyAuth + Express based application configurations the scope claim will always be `user_impersonation`
+                identity.AddClaim(new Claim("scp", "user_impersonation"));
+            }
+        }
+
+        private static void addProviderNameClaim(ClaimsIdentity identity, string providerName)
+        {
+            if (!identity.Claims.Any(claim => claim.Type == "provider_name"))
+            {
+                identity.AddClaim(new Claim("provider_name", providerName));
+            }
+        }
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/AuthenticationTypesNames.cs

@@ -0,0 +1,18 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    /// <summary>
+    /// This class contains all Authentication type names.
+    /// Source of this is: https://docs.microsoft.com/en-us/dotnet/api/system.security.claims.authenticationtypes?view=netframework-4.7.2
+    /// </summary>
+    public class AuthenticationTypesNames
+    {
+        public const string Basic = "AuthenticationTypes.Basic";
+        public const string Federation = "AuthenticationTypes.Federation";
+        public const string Kerberos = "AuthenticationTypes.Kerberos";
+        public const string Negotiate = "AuthenticationTypes.Negotiate";
+        public const string Password = "AuthenticationTypes.Password";
+        public const string Signature = "AuthenticationTypes.Signature";
+        public const string Windows = "AuthenticationTypes.Windows";
+        public const string X509 = "AuthenticationTypes.X509";
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/EasyAuthAuthenticationHandler.cs

@@ -2,13 +2,18 @@ namespace KK.AspNetCore.EasyAuthAuthentication
 {
     using System;
     using System.Collections.Generic;
+    using System.IdentityModel.Tokens.Jwt;
+    using System.Linq; // required by Children<JObject>.FirstOrDefault requires using System.Linq;
     using System.Net;
     using System.Net.Http;
     using System.Security.Claims;
     using System.Security.Principal;
+    using System.Text;
     using System.Text.Encodings.Web;
     using System.Threading.Tasks;
+    using KK.AspNetCore.EasyAuthAuthentication.Services;
     using Microsoft.AspNetCore.Authentication;
+    using Microsoft.AspNetCore.Http;
     using Microsoft.Extensions.Logging;
     using Microsoft.Extensions.Options;
     using Newtonsoft.Json;
@@ -34,142 +39,44 @@ public EasyAuthAuthenticationHandler(
         {
         }
 
+        private static Func<ClaimsPrincipal, bool> isContextUserNotAuthenticated =
+            user => (user == null || user.Identity == null || user.Identity.IsAuthenticated == false);
+        private static Func<IHeaderDictionary, string, bool> isHeaderSet =
+            (headers, headerName) => !string.IsNullOrEmpty(headers[headerName].ToString());
+        private Func<IHeaderDictionary, ClaimsPrincipal, bool> canUseHeaderAuth =
+            (headers, user) => isContextUserNotAuthenticated(user) &&
+            isHeaderSet(headers, AuthTokenHeaderNames.AADIdToken);
+        private static Func<IHeaderDictionary, ClaimsPrincipal, HttpRequest, string, bool> canUseEasyAuthJson =
+            (headers, user, request, authEndpoint) =>
+                isContextUserNotAuthenticated(user)
+                && !isHeaderSet(headers, AuthTokenHeaderNames.AADIdToken)
+                && request.Path != "/" + $"{authEndpoint}";
+
         /// <inheritdoc/>
         protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         {
             this.Logger.LogInformation("starting authentication handler for app service authentication");
 
-            if (
-                (this.Context.User == null ||
-                this.Context.User.Identity == null ||
-                this.Context.User.Identity.IsAuthenticated == false)
-                && this.Context.Request.Path != "/" + $"{this.Options.AuthEndpoint}")
+            if (canUseHeaderAuth(this.Context.Request.Headers, this.Context.User))
             {
-                var cookieContainer = new CookieContainer();
-                var handler = this.CreateHandler(ref cookieContainer);
-                var httpRequest = this.CreateAuthRequest(ref cookieContainer);
-
-                JArray payload = null;
-                try
-                {
-                    payload = await this.GetAuthMe(handler, httpRequest);
-                }
-                catch (Exception ex)
-                {
-                    return AuthenticateResult.Fail(ex.Message);
-                }
-
-                // build up identity from json...
-                var ticket = this.BuildIdentityFromJsonPayload((JObject)payload[0]);
-
-                this.Logger.LogInformation("Set identity to user context object.");
-                this.Context.User = ticket.Principal;
-
-                this.Logger.LogInformation("identity build was a success, returning ticket");
-                return AuthenticateResult.Success(ticket);
+                return EasyAuthWithHeaderService.AuthUser(this.Logger, this.Context);
             }
-            else
+            else if (canUseEasyAuthJson(this.Context.Request.Headers, this.Context.User, this.Context.Request, this.Options.AuthEndpoint))
             {
-                this.Logger.LogInformation("identity already set, skipping middleware");
-                return AuthenticateResult.NoResult();
+                return await EasyAuthWithAuthMeService.AuthUser(this.Logger, this.Context, this.Options.AuthEndpoint);
             }
-        }
-
-        private AuthenticationTicket BuildIdentityFromJsonPayload(JObject payload)
-        {
-            var id = payload["user_id"].Value<string>();
-            var idToken = payload["id_token"].Value<string>();
-            var providerName = payload["provider_name"].Value<string>();
-
-            this.Logger.LogDebug("payload was fetched from endpoint. id: {0}", id);
-
-            var identity = new GenericIdentity(id);
-
-            this.Logger.LogInformation("building claims from payload...");
-
-            var claims = new List<Claim>();
-            foreach (var claim in payload["user_claims"])
-            {
-                claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));
-            }
-
-            this.Logger.LogInformation("Add claims to new identity");
-
-            identity.AddClaims(claims);
-            identity.AddClaim(new Claim("id_token", idToken));
-            identity.AddClaim(new Claim("provider_name", providerName));
-            var p = new GenericPrincipal(identity, null);
-            return new AuthenticationTicket(
-                p,
-                EasyAuthAuthenticationDefaults.AuthenticationScheme);
-        }
-
-        private HttpRequestMessage CreateAuthRequest(ref CookieContainer cookieContainer)
-        {
-            this.Logger.LogInformation($"identity not found, attempting to fetch from auth endpoint '/{this.Options.AuthEndpoint}'");
-
-            var uriString = $"{this.Context.Request.Scheme}://{this.Context.Request.Host}";
-
-            this.Logger.LogDebug("host uri: {0}", uriString);
-
-            foreach (var c in this.Context.Request.Cookies)
-            {
-                cookieContainer.Add(new Uri(uriString), new Cookie(c.Key, c.Value));
-            }
-
-            this.Logger.LogDebug("found {0} cookies in request", cookieContainer.Count);
-
-            foreach (var cookie in this.Context.Request.Cookies)
-            {
-                this.Logger.LogDebug(cookie.Key);
-            }
-
-            // fetch value from endpoint
-            var request = new HttpRequestMessage(HttpMethod.Get, $"{uriString}/{this.Options.AuthEndpoint}");
-            foreach (var header in this.Context.Request.Headers)
-            {
-                if (header.Key.StartsWith("X-ZUMO-"))
-                {
-                    request.Headers.Add(header.Key, header.Value[0]);
-                }
-            }
-
-            return request;
-        }
-
-        private HttpClientHandler CreateHandler(ref CookieContainer container)
-        {
-            var handler = new HttpClientHandler()
-            {
-                CookieContainer = container
-            };
-            return handler;
-        }
-
-        private async Task<JArray> GetAuthMe(HttpClientHandler handler, HttpRequestMessage httpRequest)
-        {
-            JArray payload = null;
-            using (var client = new HttpClient(handler))
+            else
             {
-                var response = await client.SendAsync(httpRequest);
-                if (!response.IsSuccessStatusCode)
-                {
-                    this.Logger.LogDebug("auth endpoint was not sucessful. Status code: {0}, reason {1}", response.StatusCode, response.ReasonPhrase);
-                    throw new WebException("Unable to fetch user information from auth endpoint.");
-                }
-
-                var content = await response.Content.ReadAsStringAsync();
-                try
+                if (isContextUserNotAuthenticated(this.Context.User))
                 {
-                    payload = JArray.Parse(content);
+                    this.Logger.LogInformation("The identity isn't set by easy auth.");
                 }
-                catch (Exception)
+                else
                 {
-                    throw new JsonSerializationException("Could not retreive json from /me endpoint.");
+                    this.Logger.LogInformation("identity already set, skipping middleware");
                 }
+                return AuthenticateResult.NoResult();
             }
-
-            return payload;
         }
     }
-}
+}

src/KK.AspNetCore.EasyAuthAuthentication/KK.AspNetCore.EasyAuthAuthentication.csproj

@@ -16,7 +16,8 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication" Version="2.1.2" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.3.0" />
   </ItemGroup>
 
   <!-- StyleCop Settings -->
@@ -25,6 +26,6 @@
     <CodeAnalysisRuleSet>..\..\StyleCop.ruleset</CodeAnalysisRuleSet>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="StyleCop.Analyzers" Version="1.1.0-beta009" privateassets="all" />
+    <PackageReference Include="StyleCop.Analyzers" Version="1.1.1-beta.61" privateassets="all" />
   </ItemGroup>
 </Project>

src/KK.AspNetCore.EasyAuthAuthentication/Schemas.cs

@@ -0,0 +1,7 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    public class Schemas
+    {
+        public const string AuthMethod = "http://schemas.microsoft.com/claims/authnmethodsreferences";
+    }
+}