refactor the middelware.

now the business logik for the different methods are
in seperate services.

Author: paule96

src/KK.AspNetCore.EasyAuthAuthentication/AuthTokenHeaderNames.cs

@@ -0,0 +1,37 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    /// <summary>
+    /// This class contains all header names that are possible to make an authentication.
+    /// The source of the list can find here: https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#retrieve-tokens-in-app-code
+    /// </summary>
+    public static class AuthTokenHeaderNames
+    {
+        #region AzureAd
+        public const string AADIdToken = "X-MS-TOKEN-AAD-ID-TOKEN";
+        public const string AADAccessToken = "X-MS-TOKEN-AAD-ACCESS-TOKEN";
+        public const string AADExpiresOn = "X-MS-TOKEN-AAD-EXPIRES-ON";
+        public const string AADRefreshToken = "X-MS-TOKEN-AAD-REFRESH-TOKEN";
+        #endregion
+        #region Facebook
+        public const string FacebookAccessToken = "X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN";
+        public const string FacebookExpiresOn = "X-MS-TOKEN-FACEBOOK-EXPIRES-ON";
+        #endregion
+        #region Google
+        public const string GoogleIdToken = "X-MS-TOKEN-GOOGLE-ID-TOKEN";
+        public const string GoogleAccessToken = "X-MS-TOKEN-GOOGLE-ACCESS-TOKEN";
+        public const string GoogleExpiresOn = "X-MS-TOKEN-GOOGLE-EXPIRES-ON";
+        public const string GoogleRefreshToken = "X-MS-TOKEN-GOOGLE-REFRESH-TOKEN";
+
+        #endregion
+        #region Microsoft Account
+        public const string MicrosoftAccessToken = "X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN";
+        public const string MicrosoftExpiresOn = "X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON";
+        public const string MicrosoftAuthenticationToken = "X-MS-TOKEN-MICROSOFTACCOUNT-AUTHENTICATION-TOKEN";
+        public const string MicrosoftRefreshToken = "X-MS-TOKEN-MICROSOFTACCOUNT-REFRESH-TOKEN";
+        #endregion
+        #region Twitter
+        public const string TwitterAccessToken = "X-MS-TOKEN-TWITTER-ACCESS-TOKEN";
+        public const string TwitterAccessTokenSecret = "X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET";
+        #endregion
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/AuthenticationTicketBuilder.cs

@@ -0,0 +1,68 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Security.Principal;
+using Microsoft.AspNetCore.Authentication;
+using Newtonsoft.Json.Linq;
+
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    public static class AuthenticationTicketBuilder
+    {
+        /// <summary>
+        /// Build a `AuthenticationTicket` from the given payload, the principal name and the provider name
+        /// </summary>
+        /// <param name="claimsPayload">A array of JObjects that have a `type` and a `val` property</param>
+        /// <param name="principalName">The principal name of the user.</param>
+        /// /// <param name="providerName">The provider name of the current auth provider.</param>
+        /// <returns>A `AuthenticationTicket`</returns>
+        public static AuthenticationTicket Build(IEnumerable<JObject> claimsPayload, string principalName, string providerName)
+        {
+            var identity = new GenericIdentity(principalName, AuthenticationTypesNames.Federation); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
+            identity.AddClaims(createClaims(claimsPayload));
+            addScpClaim(identity);
+            identity.AddClaim(new Claim("provider_name", providerName));
+            var genericPrincipal = new GenericPrincipal(identity, null);
+            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
+        }
+
+        private static IEnumerable<JObject> getTheClaimsNodeFromPayload(JObject payload)
+        {
+            return payload["user_claims"].Children<JObject>();
+        }
+
+        private static IEnumerable<Claim> createClaims(IEnumerable<JObject> claimsAsJson)
+        {
+            foreach (var claim in claimsAsJson)
+            {
+                var claimType = claim["typ"].ToString();
+                switch (claimType)
+                {
+                    case Schemas.AuthMethod:
+                        foreach (var item in claim["val"].ToString().Split(','))
+                        {
+                            yield return new Claim(ClaimTypes.Authentication, item);
+                        }
+                        break;
+                    case "roles":
+                        foreach (var item in claim["val"].ToString().Split(','))
+                        {
+                            yield return new Claim(ClaimTypes.Role, item);
+                        }
+                        break;
+                    default:
+                        yield return new Claim(claimType, claim["val"].ToString());
+                        break;
+                }
+            }
+        }
+
+        private static void addScpClaim(ClaimsIdentity identity)
+        {
+            if (!identity.Claims.Any(claim => claim.Type == "scp"))
+            {
+                identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
+            }
+        }
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/AuthenticationTypesNames.cs

@@ -0,0 +1,18 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    /// <summary>
+    /// This class contains all Authentication type names.
+    /// Source of this is: https://docs.microsoft.com/en-us/dotnet/api/system.security.claims.authenticationtypes?view=netframework-4.7.2
+    /// </summary>
+    public class AuthenticationTypesNames
+    {
+        public const string Basic = "AuthenticationTypes.Basic";
+        public const string Federation = "AuthenticationTypes.Federation";
+        public const string Kerberos = "AuthenticationTypes.Kerberos";
+        public const string Negotiate = "AuthenticationTypes.Negotiate";
+        public const string Password = "AuthenticationTypes.Password";
+        public const string Signature = "AuthenticationTypes.Signature";
+        public const string Windows = "AuthenticationTypes.Windows";
+        public const string X509 = "AuthenticationTypes.X509";
+    }
+}

src/KK.AspNetCore.EasyAuthAuthentication/EasyAuthAuthenticationHandler.cs

@@ -11,7 +11,9 @@ namespace KK.AspNetCore.EasyAuthAuthentication
     using System.Text;
     using System.Text.Encodings.Web;
     using System.Threading.Tasks;
+    using KK.AspNetCore.EasyAuthAuthentication.Services;
     using Microsoft.AspNetCore.Authentication;
+    using Microsoft.AspNetCore.Http;
     using Microsoft.Extensions.Logging;
     using Microsoft.Extensions.Options;
     using Newtonsoft.Json;
@@ -37,219 +39,40 @@ public EasyAuthAuthenticationHandler(
         {
         }
 
+        private static Func<ClaimsPrincipal, bool> isContextUserNotAuthenticated = user => (user == null || user.Identity == null || user.Identity.IsAuthenticated == false);
+        private static Func<IHeaderDictionary, bool> isAADIdTokenNotSet = headers => !string.IsNullOrEmpty(headers[AuthTokenHeaderNames.AADIdToken].ToString());
+        private Func<IHeaderDictionary, ClaimsPrincipal, bool> canUseHeaderAuth => (headers, user) => isContextUserNotAuthenticated(user) && !isAADIdTokenNotSet(headers);
+        private Func<IHeaderDictionary, ClaimsPrincipal, HttpRequest, bool> canUseEasyAuthJson => (headers, user, request) =>
+            isContextUserNotAuthenticated(user)
+            && isAADIdTokenNotSet(headers)
+            && request.Path != "/" + $"{this.Options.AuthEndpoint}";
+
         /// <inheritdoc/>
         protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         {
             this.Logger.LogInformation("starting authentication handler for app service authentication");
 
-            if ((this.Context.User == null || this.Context.User.Identity == null || this.Context.User.Identity.IsAuthenticated == false)
-                && !string.IsNullOrEmpty(this.Context.Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].ToString()))
+            if (canUseHeaderAuth(this.Context.Request.Headers, this.Context.User))
             {
-                // build up identity from X-MS-TOKEN-AAD-ID-TOKEN header set by EasyAuth filters if user openid connect session cookie or oauth bearer token authenticated ...
-                var ticket = this.BuildIdentityFromEasyAuthRequestHeaders(this.Context.Request.Headers);
-
-                this.Logger.LogInformation("Set identity to user context object.");
-                this.Context.User = ticket.Principal;
-
-                this.Logger.LogInformation("identity build was a success, returning ticket");
-                return AuthenticateResult.Success(ticket);
+                return EasyAuthWithHeaderService.AuthUser(this.Logger, this.Context);
             }
-            else if ((this.Context.User == null || this.Context.User.Identity == null || this.Context.User.Identity.IsAuthenticated == false)
-                && string.IsNullOrEmpty(this.Context.Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].ToString())
-                && (this.Context.Request.Host.Value.StartsWith("localhost") && this.Context.Request.Path != "/" + $"{this.Options.AuthEndpoint}"))
+            else if (canUseEasyAuthJson(this.Context.Request.Headers, this.Context.User, this.Context.Request))
             {
-                var cookieContainer = new CookieContainer();
-                var handler = this.CreateHandler(ref cookieContainer);
-                var httpRequest = this.CreateAuthRequest(ref cookieContainer);
-
-                JArray payload = null;
-                try
-                {
-                    payload = await this.GetAuthMe(handler, httpRequest);
-                }
-                catch (Exception ex)
-                {
-                    return AuthenticateResult.Fail(ex.Message);
-                }
-
-                // build up identity from json...
-                var ticket = this.BuildIdentityFromEasyAuthMeJson((JObject)payload[0]);
-
-                this.Logger.LogInformation("Set identity to user context object.");
-                this.Context.User = ticket.Principal;
-
-                this.Logger.LogInformation("identity build was a success, returning ticket");
-                return AuthenticateResult.Success(ticket);
+                return await EasyAuthWithAuthMeService.AuthUser(this.Logger, this.Context, this.Options.AuthEndpoint);
             }
             else
             {
-                this.Logger.LogInformation("identity already set, skipping middleware");
-                return AuthenticateResult.NoResult();
-            }
-        }
-
-        private AuthenticationTicket BuildIdentityFromEasyAuthRequestHeaders(Microsoft.AspNetCore.Http.IHeaderDictionary requestHeaders)
-        {
-            var name = requestHeaders["X-MS-CLIENT-PRINCIPAL-NAME"][0];
-            this.Logger.LogDebug("payload was fetched from easyauth headers, name: {0}", name);
-
-            var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
-
-            this.Logger.LogInformation("building claims from payload...");
-
-            var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(requestHeaders["X-MS-CLIENT-PRINCIPAL"][0])));
-            //var nameidentifier = xMsClientPrincipal["claims"].Children<JObject>().FirstOrDefault(c => c["typ"].ToString() == ClaimTypes.NameIdentifier)?["val"].ToString();
-            var claims = new List<Claim>();
-            foreach (var claim in xMsClientPrincipal["claims"].Children<JObject>())
-            {
-                if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")
-                {
-                    foreach (var item in claim["val"].ToString().Split(','))
-                    {
-                        claims.Add(new Claim(ClaimTypes.Authentication, item));
-                    }
-                }
-                else if (claim["typ"].ToString() == "roles")
-                {
-                    foreach (var item in claim["val"].ToString().Split(','))
-                    {
-                        //(User.Identity as ClaimsIdentity).RoleClaimType must match type that role claims are assigned to for Authorization and IsInRole to work
-                        claims.Add(new Claim(ClaimTypes.Role, item));
-                    }
-                }
-                else
-                {
-                    //(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work
-                    claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));
-                }
-            }
-
-            this.Logger.LogInformation("Add claims to new identity");
-
-            identity.AddClaims(claims);
-            //identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this
-            //identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this
-            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
-            identity.AddClaim(new Claim("provider_name", requestHeaders["X-MS-CLIENT-PRINCIPAL-IDP"][0]));
-            var genericPrincipal = new GenericPrincipal(identity, null);
-            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
-        }
-
-        private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
-        {
-            var name = payload["user_id"].Value<string>(); // X-MS-CLIENT-PRINCIPAL-NAME
-            this.Logger.LogDebug("payload was fetched from easyauth me json, name: {0}", name);
-
-            var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
-
-            this.Logger.LogInformation("building claims from payload...");
-
-            var claims = new List<Claim>();
-            foreach (var claim in payload["user_claims"])
-            {
-                if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")
-                {
-                    foreach (var item in claim["val"].ToString().Split(','))
-                    {
-                        claims.Add(new Claim(ClaimTypes.Authentication, item));
-                    }
-                }
-                else if (claim["typ"].ToString() == "roles")
+                if (isContextUserNotAuthenticated(this.Context.User))
                 {
-                    foreach (var item in claim["val"].ToString().Split(','))
-                    {
-                        //(User.Identity as ClaimsIdentity).RoleClaimType must match type that role claims are assigned to for Authorization and IsInRole to work
-                        claims.Add(new Claim(ClaimTypes.Role, item));
-                    }
+                    // TODO: If this the only auth middleware we maybe must return a `AuthenticateResult.Fail()`
+                    this.Logger.LogInformation("The identity isn't set by easy auth.");
                 }
                 else
                 {
-                    //(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work
-                    claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));
-                }
-            }
-
-            this.Logger.LogInformation("Add claims to new identity");
-
-            identity.AddClaims(claims);
-            //identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this
-            //identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this
-            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
-            identity.AddClaim(new Claim("provider_name", payload["provider_name"].Value<string>())); // X-MS-CLIENT-PRINCIPAL-IDP
-            var genericPrincipal = new GenericPrincipal(identity, null);
-            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
-        }
-
-        private HttpRequestMessage CreateAuthRequest(ref CookieContainer cookieContainer)
-        {
-            this.Logger.LogInformation($"identity not found, attempting to fetch from auth endpoint '/{this.Options.AuthEndpoint}'");
-
-            var uriString = $"{this.Context.Request.Scheme}://{this.Context.Request.Host}";
-
-            this.Logger.LogDebug("host uri: {0}", uriString);
-
-            foreach (var c in this.Context.Request.Cookies)
-            {
-                cookieContainer.Add(new Uri(uriString), new Cookie(c.Key, c.Value));
-            }
-
-            this.Logger.LogDebug("found {0} cookies in request", cookieContainer.Count);
-
-            foreach (var cookie in this.Context.Request.Cookies)
-            {
-                this.Logger.LogDebug(cookie.Key);
-            }
-
-            // fetch value from endpoint
-            var authMeEndpoint = string.Empty;
-            if (this.Options.AuthEndpoint.StartsWith("http")) authMeEndpoint = this.Options.AuthEndpoint; // enable pulling from places like storage account public blob container
-            else authMeEndpoint = $"{uriString}/{this.Options.AuthEndpoint}"; // localhost relative path, e.g. wwwroot/.auth/me.json
-            
-            var request = new HttpRequestMessage(HttpMethod.Get, authMeEndpoint);
-            foreach (var header in this.Context.Request.Headers)
-            {
-                if (header.Key.StartsWith("X-ZUMO-"))
-                {
-                    request.Headers.Add(header.Key, header.Value[0]);
-                }
-            }
-
-            return request;
-        }
-
-        private HttpClientHandler CreateHandler(ref CookieContainer container)
-        {
-            var handler = new HttpClientHandler()
-            {
-                CookieContainer = container
-            };
-            return handler;
-        }
-
-        private async Task<JArray> GetAuthMe(HttpClientHandler handler, HttpRequestMessage httpRequest)
-        {
-            JArray payload = null;
-            using (var client = new HttpClient(handler))
-            {
-                var response = await client.SendAsync(httpRequest);
-                if (!response.IsSuccessStatusCode)
-                {
-                    this.Logger.LogDebug("auth endpoint was not sucessful. Status code: {0}, reason {1}", response.StatusCode, response.ReasonPhrase);
-                    throw new WebException("Unable to fetch user information from auth endpoint.");
-                }
-
-                var content = await response.Content.ReadAsStringAsync();
-                try
-                {
-                    payload = JArray.Parse(content);
-                }
-                catch (Exception)
-                {
-                    throw new JsonSerializationException("Could not retreive json from /me endpoint.");
+                    this.Logger.LogInformation("identity already set, skipping middleware");
                 }
+                return AuthenticateResult.NoResult();
             }
-
-            return payload;
         }
     }
 }

src/KK.AspNetCore.EasyAuthAuthentication/Schemas.cs

@@ -0,0 +1,7 @@
+namespace KK.AspNetCore.EasyAuthAuthentication
+{
+    public class Schemas
+    {
+        public const string AuthMethod = "http://schemas.microsoft.com/claims/authnmethodsreferences";
+    }
+}