Fixes .well-known/smart-configuration, and update test app (#5407)

Fix .well-known/smart-configuration endpoint, and update SMART test app

Refs  AB#184176

Author: feordin

samples/apps/SmartLauncher/Models/SmartLauncherConfig.cs

@@ -5,6 +5,11 @@
 
 namespace Microsoft.Health.Internal.SmartLauncher.Models
 {
+    /// <summary>
+    /// Configuration that is safe to expose to the browser via /config.
+    /// Secret values (ClientSecret, CertificatePath, etc.) are read directly
+    /// from IConfiguration in the token proxy and are never serialized here.
+    /// </summary>
     internal class SmartLauncherConfig
     {
 #pragma warning disable CA1056 // URI-like properties should not be strings
@@ -14,5 +19,9 @@ internal class SmartLauncherConfig
 
 #pragma warning restore CA1056 // URI-like properties should not be strings
         public string ClientId { get; set; }
+
+        public string ClientType { get; set; } = "public";
+
+        public string Scopes { get; set; } = string.Empty;
     }
 }

samples/apps/SmartLauncher/Program.cs

@@ -1,22 +1,177 @@
-// -------------------------------------------------------------------------------------------------
+// -------------------------------------------------------------------------------------------------
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
 // -------------------------------------------------------------------------------------------------
 
-using Microsoft.AspNetCore;
-using Microsoft.AspNetCore.Hosting;
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Health.Internal.SmartLauncher.Models;
+using Microsoft.IdentityModel.Tokens;
+
+var builder = WebApplication.CreateBuilder(args);
+builder.Services.AddHttpClient();
+
+var app = builder.Build();
+string cachedTokenEndpoint = null;
+
+app.UseDefaultFiles();
+app.UseStaticFiles();
+
+// GET /config — serves public configuration (no secrets)
+app.MapGet("/config", (IConfiguration configuration) =>
+{
+    var config = new SmartLauncherConfig();
+    configuration.Bind(config);
+    return Results.Ok(config);
+});
+
+// POST /token-proxy — proxies token exchange for confidential clients
+app.MapPost("/token-proxy", async (HttpRequest request, IConfiguration configuration, IHttpClientFactory httpClientFactory) =>
+{
+    var form = await request.ReadFormAsync();
+    var grantType = form["grant_type"].ToString();
+    var code = form["code"].ToString();
+    var redirectUri = form["redirect_uri"].ToString();
+    var codeVerifier = form["code_verifier"].ToString();
+    var clientId = configuration["ClientId"] ?? string.Empty;
+    var clientType = configuration["ClientType"] ?? "public";
+
+    // Derive the token endpoint server-side from the configured FHIR server's
+    // SMART configuration to prevent SSRF via a client-supplied URL.
+    var fhirServerUrl = configuration["FhirServerUrl"];
+    if (string.IsNullOrEmpty(fhirServerUrl))
+    {
+        return Results.BadRequest(new { error = "FhirServerUrl is not configured on the server." });
+    }
+
+    string tokenEndpoint;
+    try
+    {
+        if (string.IsNullOrEmpty(cachedTokenEndpoint))
+        {
+            using var discoveryClient = httpClientFactory.CreateClient();
+            var smartConfigUrl = fhirServerUrl.TrimEnd('/') + "/.well-known/smart-configuration";
+            var smartResponse = await discoveryClient.GetAsync(new Uri(smartConfigUrl));
+            smartResponse.EnsureSuccessStatusCode();
+            var smartJson = await smartResponse.Content.ReadAsStringAsync();
+            var smartConfig = System.Text.Json.JsonDocument.Parse(smartJson);
+            cachedTokenEndpoint = smartConfig.RootElement.GetProperty("token_endpoint").GetString()
+                ?? throw new InvalidOperationException("token_endpoint not found in SMART configuration.");
+        }
+
+        tokenEndpoint = cachedTokenEndpoint;
+    }
+    catch (HttpRequestException ex)
+    {
+        return Results.Problem($"Failed to discover token endpoint from {fhirServerUrl}: {ex.Message}", statusCode: 502);
+    }
+    catch (System.Text.Json.JsonException ex)
+    {
+        return Results.Problem($"Failed to parse SMART configuration from {fhirServerUrl}: {ex.Message}", statusCode: 502);
+    }
+    catch (InvalidOperationException ex)
+    {
+        return Results.Problem($"Invalid SMART configuration from {fhirServerUrl}: {ex.Message}", statusCode: 502);
+    }
+
+    var tokenRequestParams = new Dictionary<string, string>
+    {
+        ["grant_type"] = grantType,
+        ["code"] = code,
+        ["redirect_uri"] = redirectUri,
+        ["client_id"] = clientId,
+    };
+
+    if (!string.IsNullOrEmpty(codeVerifier))
+    {
+        tokenRequestParams["code_verifier"] = codeVerifier;
+    }
+
+    using var httpClient = httpClientFactory.CreateClient();
+    using var tokenRequest = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
+    {
+        Content = new FormUrlEncodedContent(tokenRequestParams),
+    };
+
+    if (clientType.Equals("confidential-symmetric", StringComparison.OrdinalIgnoreCase))
+    {
+        var clientSecret = configuration["ClientSecret"] ?? string.Empty;
+        var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
+        tokenRequest.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", credentials);
+    }
+    else if (clientType.Equals("confidential-asymmetric", StringComparison.OrdinalIgnoreCase))
+    {
+        var assertion = GenerateClientAssertion(clientId, tokenEndpoint, configuration);
+        tokenRequestParams["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+        tokenRequestParams["client_assertion"] = assertion;
+        tokenRequest.Content = new FormUrlEncodedContent(tokenRequestParams);
+    }
+
+    var response = await httpClient.SendAsync(tokenRequest);
+    var content = await response.Content.ReadAsStringAsync();
+
+    return Results.Content(content, "application/json", statusCode: (int)response.StatusCode);
+});
+
+app.Run();
 
-namespace Microsoft.Health.Internal.SmartLauncher
+static string GenerateClientAssertion(string clientId, string tokenEndpoint, IConfiguration configuration)
 {
-    internal static class Program
+    X509Certificate2 cert = LoadCertificate(configuration);
+
+    var securityKey = new X509SecurityKey(cert);
+    var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
+
+    var now = DateTime.UtcNow;
+    var token = new JwtSecurityToken(
+        issuer: clientId,
+        audience: tokenEndpoint,
+        claims: new[]
+        {
+            new System.Security.Claims.Claim("sub", clientId),
+            new System.Security.Claims.Claim("jti", Guid.NewGuid().ToString()),
+        },
+        notBefore: now,
+        expires: now.AddMinutes(5),
+        signingCredentials: signingCredentials);
+
+    return new JwtSecurityTokenHandler().WriteToken(token);
+}
+
+static X509Certificate2 LoadCertificate(IConfiguration configuration)
+{
+    var certPath = configuration["CertificatePath"];
+    var certPassword = configuration["CertificatePassword"];
+    var certThumbprint = configuration["CertificateThumbprint"];
+
+    if (!string.IsNullOrEmpty(certPath))
+    {
+#pragma warning disable SYSLIB0057 // X509Certificate2 constructor is obsolete in .NET 9+
+        return new X509Certificate2(certPath, certPassword);
+#pragma warning restore SYSLIB0057
+    }
+
+    if (!string.IsNullOrEmpty(certThumbprint))
     {
-        public static void Main(string[] args)
+        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+        store.Open(OpenFlags.ReadOnly);
+        var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, validOnly: false);
+        if (certs.Count == 0)
         {
-            CreateWebHostBuilder(args).Build().Run();
+            throw new InvalidOperationException($"Certificate with thumbprint '{certThumbprint}' not found in CurrentUser\\My store.");
         }
 
-        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
-            WebHost.CreateDefaultBuilder(args)
-                .UseStartup<Startup>();
+        return certs[0];
     }
+
+    throw new InvalidOperationException("No certificate configured. Set either CertificatePath or CertificateThumbprint in appsettings.json.");
 }

samples/apps/SmartLauncher/README.md

@@ -0,0 +1,95 @@
+# SMART on FHIR v2 Sample Launcher
+
+A sample web app that demonstrates SMART on FHIR v2 standalone launch with OAuth2/PKCE authentication against a FHIR server. It supports multiple client types and two OAuth flow patterns.
+
+## Quick Start
+
+1. Configure `appsettings.json` with your FHIR server URL and client ID.
+2. Run the app:
+   ```bash
+   dotnet run --project samples/apps/SmartLauncher
+   ```
+3. Open `https://localhost:<port>` in a browser.
+4. Select your auth mode, scopes, and click **Launch App**.
+
+## Configuration
+
+All settings are in `appsettings.json`:
+
+| Key | Required | Description |
+|-----|----------|-------------|
+| `FhirServerUrl` | Yes | Base URL of the FHIR server |
+| `ClientId` | Yes | OAuth2 client/application ID |
+| `ClientType` | No | `public` (default), `confidential-symmetric`, or `confidential-asymmetric` |
+| `Scopes` | No | Default scopes (space-separated). Defaults to common SMART v2 scopes if empty |
+| `DefaultSmartAppUrl` | No | Launch target path. Defaults to `/sampleapp/launch.html` |
+| `ClientSecret` | No | Client secret (for `confidential-symmetric` only) |
+| `CertificatePath` | No | Path to .pfx certificate file (for `confidential-asymmetric` token proxy) |
+| `CertificatePassword` | No | Password for the certificate file |
+| `CertificateThumbprint` | No | Alternative to `CertificatePath`: thumbprint to load from the Windows cert store |
+
+## Client Types
+
+### Public
+
+No credentials required. The browser exchanges the authorization code directly with the token endpoint using PKCE. Suitable for SPAs and environments where secrets cannot be stored securely.
+
+### Confidential-Symmetric (Client Secret)
+
+Uses a shared secret (`ClientSecret`) for authentication. In the **token proxy** flow, the server adds an HTTP Basic `Authorization` header when exchanging the code. In the **fhirclient** flow, the secret is passed to the fhirclient library in the browser (less secure).
+
+### Confidential-Asymmetric (Private Key JWT)
+
+Uses a signed JWT assertion (`private_key_jwt`) to prove client identity. No secret is transmitted.
+
+- **Token proxy flow (recommended for Entra ID):** The server signs the JWT using an X.509 certificate configured via `CertificatePath` or `CertificateThumbprint`. Uses RS256, which is compatible with Entra ID.
+- **fhirclient flow:** The browser signs the JWT using a private JWK (RS384 or ES384 per SMART v2 spec). The launcher UI includes tools to generate key pairs and export certificates.
+
+> **Entra ID note:** Entra ID requires RS256 for client assertions, not the RS384/ES384 algorithms in the SMART v2 spec. Use the token proxy flow for Entra ID compatibility.
+
+## OAuth Flows
+
+### Standard Flow (fhirclient library)
+
+Uses the [fhirclient.js](https://github.com/smart-on-fhir/client-js) library to handle the full OAuth2 flow in the browser.
+
+1. `launch.html` loads fhirclient.js and calls `FHIR.oauth2.authorize()`.
+2. The user authenticates and grants scopes at the authorization server.
+3. The browser is redirected back to `index.html` with an authorization code.
+4. fhirclient.js exchanges the code for tokens (adding credentials for confidential clients).
+5. The sample app displays the token response and fetches the patient resource.
+
+**When to use:** Standard SMART v2 servers, public clients, or when you don't need Entra ID asymmetric auth.
+
+### Token Proxy Flow
+
+Uses a server-side proxy (`/token-proxy`) to exchange the authorization code. Secrets and certificates never leave the server.
+
+1. `launch.html` manually generates a PKCE pair and redirects to the authorization endpoint.
+2. The user authenticates and grants scopes.
+3. The browser is redirected back to `index.html` with an authorization code.
+4. The browser sends the code to the `/token-proxy` server endpoint.
+5. The server discovers the token endpoint from the FHIR server's `/.well-known/smart-configuration`, attaches client credentials, and forwards the token request.
+6. The token response is returned to the browser.
+
+**When to use:** Confidential clients (especially asymmetric with Entra ID), or any scenario where credentials should not be exposed to the browser.
+
+## Launcher UI
+
+The launcher page (`/`) provides:
+
+- **Auth mode selection** — public, symmetric, or asymmetric, with conditional credential fields.
+- **OAuth flow selection** — standard (fhirclient) or token proxy.
+- **Scope picker** — checkboxes for common SMART v2 scopes with an editable text field.
+- **Key generation tools** (asymmetric only) — generate ES384/RS384 key pairs in the browser, export public JWKS for app registration, and export X.509 certificates for Entra ID.
+
+## Server Endpoints
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/config` | GET | Returns public configuration (FHIR server URL, client ID, client type, scopes). No secrets. |
+| `/token-proxy` | POST | Proxies the authorization code token exchange. Discovers the token endpoint server-side to prevent SSRF. |
+
+## Automated Setup
+
+`Setup-SmartOnFhirEntraClient.ps1` is a PowerShell script that automates Entra ID app registration, certificate generation, and configuration.