From 70d317f3be5a12918986f56943894f5bb848dc4a Mon Sep 17 00:00:00 2001 From: Sebastian Date: Mon, 18 May 2020 11:41:19 +0200 Subject: [PATCH] Auth fixed. --- backend/src/Squidex.Web/Constants.cs | 2 +- .../Pipeline/AccessTokenQueryMiddleware.cs | 7 +- ...rleansDashboardAuthenticationMiddleware.cs | 4 +- .../Authentication/IdentityServerServices.cs | 78 ++++++++++--------- 4 files changed, 50 insertions(+), 41 deletions(-) diff --git a/backend/src/Squidex.Web/Constants.cs b/backend/src/Squidex.Web/Constants.cs index 708d49b37..870af9691 100644 --- a/backend/src/Squidex.Web/Constants.cs +++ b/backend/src/Squidex.Web/Constants.cs @@ -18,7 +18,7 @@ namespace Squidex.Web public static readonly string ApiScope = "squidex-api"; - public static readonly string ApiSecurityScheme = "identity-server"; + public static readonly string ApiSecurityScheme = "custom"; public static readonly string OrleansClusterId = "squidex-v2"; diff --git a/backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs b/backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs index 51e09bf01..54be754df 100644 --- a/backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs +++ b/backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs @@ -24,12 +24,17 @@ namespace Squidex.Web.Pipeline { var request = context.Request; - if (!string.IsNullOrWhiteSpace(request.Headers[HeaderNames.Authorization]) && request.Query.TryGetValue("access_token", out var token)) + if (HasNoAuthHeader(request) && request.Query.TryGetValue("access_token", out var token)) { request.Headers[HeaderNames.Authorization] = token; } return next(context); } + + private static bool HasNoAuthHeader(HttpRequest request) + { + return string.IsNullOrWhiteSpace(request.Headers[HeaderNames.Authorization]); + } } } 
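Review bot: The query value is copied into the Authorization header verbatim on `request.Headers[HeaderNames.Authorization] = token;`, with no scheme prefix, whereas the `TokenRetrieval.FromQueryString()` retriever this commit removes from IdentityServerServices.cs handed the bearer handler a bare token directly; unless callers already send `access_token=Bearer%20<jwt>`, the bearer handlers behind the new policy scheme will not parse this header, so it should probably be `request.Headers[HeaderNames.Authorization] = $"Bearer {token}";` — confirm against the clients that use the query form. The middleware now also runs for every request in the pipeline instead of only inside the IdentityServer handler's token retrieval, and a token in a query string is recorded in proxy/access logs, browser history and Referer headers, so it should be restricted to the routes that genuinely need it (browser-navigated downloads) or at least to GET requests, with a comment such as `// Query-string tokens are meant for browser-navigated downloads only; they leak via logs and Referer, so keep this path-restricted.`. The inverted `HasNoAuthHeader` condition is the fix the commit title refers to and looks right.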
diff --git a/backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs b/backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs index ce9ae44a4..c563b20b9 100644 --- a/backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs +++ b/backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs @@ -44,9 +44,11 @@ namespace Squidex.Areas.OrleansDashboard.Middlewares } else { + var redirectUri = context.Request.PathBase + context.Request.Path; + await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties { - RedirectUri = context.Request.PathBase + context.Request.Path + RedirectUri = redirectUri }); } } diff --git a/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs b/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs index e75da07fa..ed186189b 100644 --- a/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs +++ b/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs @@ -5,14 +5,13 @@ // All rights reserved. Licensed under the MIT license. // ========================================================================== -using IdentityModel.AspNetCore.OAuth2Introspection; +using IdentityServer4; using IdentityServer4.AccessTokenValidation; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Builder; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; -using Squidex.Infrastructure; using Squidex.Web; namespace Squidex.Config.Authentication 
@@ -21,23 +20,21 @@ namespace Squidex.Config.Authentication { public static AuthenticationBuilder AddSquidexIdentityServerAuthentication(this AuthenticationBuilder authBuilder, MyIdentityOptions identityOptions, IConfiguration config) { - var apiScope = Constants.ApiScope; + var apiAuthorityUrl = identityOptions.AuthorityUrl; - var urlsOptions = config.GetSection("urls").Get(); + var useCustomAuthorityUrl = !string.IsNullOrWhiteSpace(apiAuthorityUrl); - if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl)) + if (!useCustomAuthorityUrl) { - string apiAuthorityUrl; + var urlsOptions = config.GetSection("urls").Get(); - if (!string.IsNullOrWhiteSpace(identityOptions.AuthorityUrl)) - { - apiAuthorityUrl = identityOptions.AuthorityUrl.BuildFullUrl(Constants.IdentityServerPrefix); - } - else - { - apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix); - } + apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix); + } + + var apiScope = Constants.ApiScope; + if (useCustomAuthorityUrl) + { authBuilder.AddIdentityServerAuthentication(options => { options.Authority = apiAuthorityUrl; 
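Review bot: The fallback `apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix);` has lost the `!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl)` guard the old code had, so a deployment that configures neither `identityOptions.AuthorityUrl` nor a base URL in the `urls` section now reaches this line; if `config.GetSection("urls").Get()` returns null for an absent section this is a NullReferenceException at startup, and otherwise the OpenID Connect handler further down is configured with a non-absolute authority. Prefer to fail fast with a readable message: `if (string.IsNullOrWhiteSpace(urlsOptions?.BaseUrl)) { throw new InvalidOperationException("Either an identity authority URL or a base URL must be configured."); }`. A custom `AuthorityUrl` is also no longer passed through `BuildFullUrl(Constants.IdentityServerPrefix)` but used as configured, which changes the meaning of existing configuration; if that is intended, say so where it is read: `// A custom authority is used exactly as configured; the identity-server prefix is not appended.`. The method continues past the end of this hunk.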
@@ -45,36 +42,41 @@ namespace Squidex.Config.Authentication options.ApiSecret = null; options.RequireHttpsMetadata = identityOptions.RequiresHttps; options.SupportedTokens = SupportedTokens.Jwt; - - var fromHeader = TokenRetrieval.FromAuthorizationHeader(); - var fromQuery = TokenRetrieval.FromQueryString(); - - options.TokenRetriever = request => - { - var result = fromHeader(request) ?? fromQuery(request); - - return result; - }; }); - - authBuilder.AddOpenIdConnect(options => + } + else + { + authBuilder.AddLocalApi(options => { - options.Authority = apiAuthorityUrl; - options.ClientId = Constants.InternalClientId; - options.ClientSecret = Constants.InternalClientSecret; - options.CallbackPath = "/signin-internal"; - options.RequireHttpsMetadata = identityOptions.RequiresHttps; - options.SaveTokens = true; - options.Scope.Add(Constants.PermissionsScope); - options.Scope.Add(Constants.ProfileScope); - options.Scope.Add(Constants.RoleScope); - options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; + options.ExpectedScope = apiScope; }); } - authBuilder.AddLocalApi(Constants.ApiSecurityScheme, options => + authBuilder.AddOpenIdConnect(options => { - options.ExpectedScope = Constants.ApiScope; + options.Authority = apiAuthorityUrl; + options.ClientId = Constants.InternalClientId; + options.ClientSecret = Constants.InternalClientSecret; + options.CallbackPath = "/signin-internal"; + options.RequireHttpsMetadata = identityOptions.RequiresHttps; + options.SaveTokens = true; + options.Scope.Add(Constants.PermissionsScope); + options.Scope.Add(Constants.ProfileScope); + options.Scope.Add(Constants.RoleScope); + options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; + }); + + authBuilder.AddPolicyScheme(Constants.ApiSecurityScheme, Constants.ApiSecurityScheme, options => + { + options.ForwardDefaultSelector = context => + { + if (useCustomAuthorityUrl) + { + return IdentityServerAuthenticationDefaults.AuthenticationScheme; + } + + 
return IdentityServerConstants.LocalApi.PolicyName; + }; }); return authBuilder;
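Review bot: `ForwardDefaultSelector` must return the name of an authentication scheme, but the selector returns `IdentityServerConstants.LocalApi.PolicyName`, while `AddLocalApi(options => ...)` registers its handler under `IdentityServerConstants.LocalApi.AuthenticationScheme`; this only works for as long as the two constants happen to hold the same string, so it should be `return IdentityServerConstants.LocalApi.AuthenticationScheme;`. Since the selector ignores `context` and only depends on the startup-time `useCustomAuthorityUrl`, the per-request lambda can be replaced by `options.ForwardDefault = useCustomAuthorityUrl ? IdentityServerAuthenticationDefaults.AuthenticationScheme : IdentityServerConstants.LocalApi.AuthenticationScheme;`, which makes the static choice obvious to the reader. The OpenID Connect registration moved into this hunk still passes `Constants.InternalClientSecret`, a compiled-in constant, as the confidential client's secret; that predates this commit, but a comment stating why a fixed secret is acceptable for the internal client (presumably because the client only talks to the co-hosted identity server) would stop the next reader from assuming it is an oversight.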