Changed from Maskinporten token to Altinn token (#304)

* Changed from Maskinporten token to Altinn token

* Remove Maskinporten Options

* Updated to use Altinn.Common.PEP for scope handling

Author: Ceredron

src/Altinn.Broker.API/Altinn.Broker.API.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Altinn.Common.PEP" Version="1.3.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.0" />
     <PackageReference Include="Hangfire.AspNetCore" Version="1.8.9" />
     <PackageReference Include="Hangfire.MemoryStorage" Version="1.8.0" />
@@ -24,6 +25,7 @@
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Azure.Messaging.EventGrid" Version="4.21.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.3.1" />
   </ItemGroup>
 
   <ItemGroup>

src/Altinn.Broker.API/Configuration/AuthorizationConstants.cs

@@ -0,0 +1,15 @@
+namespace Altinn.Broker.API.Configuration;
+
+public static class AuthorizationConstants
+{
+    public const string Sender = "Sender";
+    public const string Recipient = "Recipient";
+    public const string SenderOrRecipient = "SenderOrRecipient";
+    public const string Legacy = "Legacy";
+    public const string ResourceOwner = "ResourceOwner";
+
+    public const string SenderScope = "altinn:broker.write";
+    public const string RecipientScope = "altinn:broker.read";
+    public const string AdminScope = "altinn:broker.admin";
+    public const string LegacyScope = "altinn:broker.legacy";
+}

src/Altinn.Broker.API/Controllers/FileController.cs

@@ -1,3 +1,4 @@
+using Altinn.Broker.API.Configuration;
 using Altinn.Broker.Application;
 using Altinn.Broker.Application.ConfirmDownloadCommand;
 using Altinn.Broker.Application.DownloadFileQuery;
@@ -38,7 +39,7 @@ public FileController(ILogger<FileController> logger)
         /// </summary>
         /// <returns></returns>
         [HttpPost]
-        [Authorize(Policy = "Sender")]
+        [Authorize(Policy = AuthorizationConstants.Sender)]
         public async Task<ActionResult<Guid>> InitializeFile(FileInitalizeExt initializeExt, [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token, [FromServices] InitializeFileCommandHandler handler)
         {
             LogContextHelpers.EnrichLogsWithInitializeFile(initializeExt);
@@ -59,7 +60,7 @@ public async Task<ActionResult<Guid>> InitializeFile(FileInitalizeExt initialize
         [HttpPost]
         [Route("{fileId}/upload")]
         [Consumes("application/octet-stream")]
-        [Authorize(Policy = "Sender")]
+        [Authorize(Policy = AuthorizationConstants.Sender)]
         public async Task<ActionResult> UploadFileStreamed(
             Guid fileId,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,
@@ -88,7 +89,7 @@ [FromServices] UploadFileCommandHandler handler
         [HttpPost]
         [Route("upload")]
         [RequestFormLimits(MultipartBodyLengthLimit = long.MaxValue)]
-        [Authorize(Policy = "Sender")]
+        [Authorize(Policy = AuthorizationConstants.Sender)]
         public async Task<ActionResult> InitializeAndUpload(
             [FromForm] FileInitializeAndUploadExt form,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,
@@ -126,7 +127,7 @@ [FromServices] UploadFileCommandHandler uploadFileCommandHandler
         /// <returns></returns>
         [HttpGet]
         [Route("{fileId}")]
-        [Authorize(Policy = "SenderOrRecipient")]
+        [Authorize(Policy = AuthorizationConstants.SenderOrRecipient)]
         public async Task<ActionResult<FileOverviewExt>> GetFileOverview(
             Guid fileId,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,
@@ -151,7 +152,7 @@ public async Task<ActionResult<FileOverviewExt>> GetFileOverview(
         /// <returns></returns>
         [HttpGet]
         [Route("{fileId}/details")]
-        [Authorize(Policy = "SenderOrRecipient")]
+        [Authorize(Policy = AuthorizationConstants.SenderOrRecipient)]
         public async Task<ActionResult<FileStatusDetailsExt>> GetFileDetails(
             Guid fileId,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,
@@ -175,7 +176,7 @@ public async Task<ActionResult<FileStatusDetailsExt>> GetFileDetails(
         /// </summary>
         /// <returns></returns>
         [HttpGet]
-        [Authorize(Policy = "SenderOrRecipient")]
+        [Authorize(Policy = AuthorizationConstants.SenderOrRecipient)]
         public async Task<ActionResult<List<Guid>>> GetFiles(
             [FromQuery] string resourceId,
             [FromQuery] FileStatusExt? status,
@@ -208,7 +209,7 @@ public async Task<ActionResult<List<Guid>>> GetFiles(
         /// <returns></returns>
         [HttpGet]
         [Route("{fileId}/download")]
-        [Authorize(Policy = "Recipient")]
+        [Authorize(Policy = AuthorizationConstants.Recipient)]
         public async Task<ActionResult> DownloadFile(
             Guid fileId,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,
@@ -233,7 +234,7 @@ public async Task<ActionResult> DownloadFile(
         /// <returns></returns>
         [HttpPost]
         [Route("{fileId}/confirmdownload")]
-        [Authorize(Policy = "Recipient")]
+        [Authorize(Policy = AuthorizationConstants.Recipient)]
         public async Task<ActionResult> ConfirmDownload(
             Guid fileId,
             [ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token,

src/Altinn.Broker.API/Controllers/LegacyFileController.cs

@@ -1,3 +1,4 @@
+using Altinn.Broker.API.Configuration;
 using Altinn.Broker.Application;
 using Altinn.Broker.Application.ConfirmDownloadCommand;
 using Altinn.Broker.Application.DownloadFileQuery;
@@ -27,7 +28,7 @@ namespace Altinn.Broker.Controllers
     [ApiController]
     [Route("broker/api/legacy/v1/file")]
     [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
-    [Authorize(Policy = "Legacy")]
+    [Authorize(Policy = AuthorizationConstants.Legacy)]
     public class LegacyFileController : Controller
     {
         private readonly ILogger<LegacyFileController> _logger;

src/Altinn.Broker.API/Controllers/ResourceController.cs

@@ -1,10 +1,10 @@
 using System.Net;
 
+using Altinn.Broker.API.Configuration;
 using Altinn.Broker.Core.Domain;
 using Altinn.Broker.Core.Repositories;
 using Altinn.Broker.Middlewares;
 using Altinn.Broker.Models.Service;
-using Altinn.Broker.Persistence.Repositories;
 
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
@@ -15,6 +15,7 @@ namespace Altinn.Broker.Controllers;
 [ApiController]
 [Route("broker/api/v1/resource")]
 [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
+[Authorize(Policy = AuthorizationConstants.ResourceOwner)]
 public class ResourceController : Controller
 {
     private readonly IResourceRepository _resourceRepository;
@@ -29,7 +30,6 @@ public ResourceController(IResourceRepository resourceRepository, IResourceOwner
     }
 
     [HttpPost]
-    [Authorize(Policy = "ResourceOwner")]
     public async Task<ActionResult> RegisterResource([ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token, ResourceInitializeExt resourceInitializeExt)
     {
         var resourceOwner = await _resourceOwnerRepository.GetResourceOwner(token.Consumer);
@@ -54,7 +54,6 @@ public async Task<ActionResult> RegisterResource([ModelBinder(typeof(Maskinporte
 
     [HttpGet]
     [Route("{resourceId}")]
-    [Authorize(Policy = "ResourceOwner")]
     public async Task<ActionResult<ResourceOverviewExt>> GetResourceConfiguration(string resourceId)
     {
         var resource = await _resourceRepository.GetResource(resourceId);
@@ -72,7 +71,6 @@ public async Task<ActionResult<ResourceOverviewExt>> GetResourceConfiguration(st
     }
 
     [HttpGet]
-    [Authorize(Policy = "ResourceOwner")]
     public async Task<ActionResult<List<string>>> GetAllResources([ModelBinder(typeof(MaskinportenModelBinder))] CallerIdentity token)
     {
         var resources = await _resourceRepository.SearchResources(token.Consumer);

src/Altinn.Broker.API/Models/AltinnOptions.cs

@@ -0,0 +1,6 @@
+namespace Altinn.Broker.API.Models;
+
+public class AltinnOptions
+{
+    public string OpenIdWellKnown { get; set; }
+}

src/Altinn.Broker.API/Models/Maskinporten/MaskinportenOptions.cs

@@ -1,22 +1,23 @@
 using System.Text.Json.Serialization;
 
+using Altinn.Broker.API.Configuration;
+using Altinn.Broker.API.Models;
 using Altinn.Broker.Application;
-using Altinn.Broker.Helpers;
 using Altinn.Broker.Integrations;
 using Altinn.Broker.Integrations.Azure;
 using Altinn.Broker.Integrations.Hangfire;
 using Altinn.Broker.Middlewares;
-using Altinn.Broker.Models.Maskinporten;
 using Altinn.Broker.Persistence;
 using Altinn.Broker.Persistence.Options;
+using Altinn.Common.PEP.Authorization;
 
 using Hangfire;
 
 using Microsoft.ApplicationInsights.Extensibility;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
-using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 
 using Serilog;
@@ -97,7 +98,7 @@ static void ConfigureServices(IServiceCollection services, IConfiguration config
 
     services.Configure<DatabaseOptions>(config.GetSection(key: nameof(DatabaseOptions)));
     services.Configure<AzureResourceManagerOptions>(config.GetSection(key: nameof(AzureResourceManagerOptions)));
-    services.Configure<MaskinportenOptions>(config.GetSection(key: nameof(MaskinportenOptions)));
+    services.Configure<AltinnOptions>(config.GetSection(key: nameof(AltinnOptions)));
 
     services.AddHttpClient();
     services.AddProblemDetails();
@@ -106,47 +107,29 @@ static void ConfigureServices(IServiceCollection services, IConfiguration config
 
     services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
     {
-        var maskinportenOptions = new MaskinportenOptions();
-        config.GetSection(nameof(MaskinportenOptions)).Bind(maskinportenOptions);
+        var altinnOptions = new AltinnOptions();
+        config.GetSection(nameof(AltinnOptions)).Bind(altinnOptions);
         options.SaveToken = true;
-        options.MetadataAddress = $"{maskinportenOptions.Issuer}.well-known/oauth-authorization-server";
-        if (hostEnvironment.IsDevelopment())
+        options.MetadataAddress = altinnOptions.OpenIdWellKnown;
+        options.TokenValidationParameters = new TokenValidationParameters
         {
-            options.TokenValidationParameters = new TokenValidationParameters
-            {
-                ValidateIssuer = false,
-                ValidateAudience = false,
-                ValidateLifetime = false,
-                RequireExpirationTime = false,
-                RequireSignedTokens = false,
-                SignatureValidator = delegate (string token, TokenValidationParameters parameters)
-                {
-                    var jwt = new JsonWebToken(token);
-                    return jwt;
-                }
-            };
-        }
-        else
-        {
-            options.TokenValidationParameters = new TokenValidationParameters
-            {
-                ValidIssuer = maskinportenOptions.Issuer,
-                ValidateIssuer = true,
-                ValidateAudience = false,
-                ValidateLifetime = true,
-                RequireExpirationTime = true,
-                RequireSignedTokens = true
-            };
-        }
+            ValidateIssuerSigningKey = true,
+            ValidateIssuer = false,
+            ValidateAudience = false,
+            RequireExpirationTime = true,
+            ValidateLifetime = true,
+            ClockSkew = TimeSpan.Zero
+        };
     });
 
+    services.AddTransient<IAuthorizationHandler, ScopeAccessHandler>();
     services.AddAuthorization(options =>
     {
-        options.AddPolicy("ResourceOwner", policy => policy.RequireClaim("scope", ["altinn:broker.admin"]));
-        options.AddPolicy("Sender", policy => policy.RequireClaim("scope", ["altinn:broker.write", "altinn:broker.write altinn:broker.read"]));
-        options.AddPolicy("Recipient", policy => policy.RequireClaim("scope", ["altinn:broker.read", "altinn:broker.write altinn:broker.read"]));
-        options.AddPolicy("SenderOrRecipient", policy => policy.RequireClaim("scope", ["altinn:broker.read", "altinn:broker.write", "altinn:broker.write altinn:broker.read"]));
-        options.AddPolicy("Legacy", policy => policy.RequireClaim("scope", ["altinn:broker.legacy"]));
+        options.AddPolicy(AuthorizationConstants.Sender, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.SenderScope)));
+        options.AddPolicy(AuthorizationConstants.ResourceOwner, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.AdminScope)));
+        options.AddPolicy(AuthorizationConstants.Recipient, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.RecipientScope)));
+        options.AddPolicy(AuthorizationConstants.SenderOrRecipient, policy => policy.AddRequirements(new ScopeAccessRequirement([AuthorizationConstants.SenderScope, AuthorizationConstants.RecipientScope])));
+        options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)));
     });
 
     services.Configure<KestrelServerOptions>(options =>

src/Altinn.Broker.API/Program.cs

@@ -16,7 +16,7 @@
     "ClientSecret": "",
     "SubscriptionId": ""
   },
-  "MaskinportenOptions": {
-    "Issuer": "https://test.maskinporten.no/"
+  "AltinnOptions": {
+    "OpenIdWellKnown": "https://platform.at21.altinn.cloud/authentication/api/v1/openid/.well-known/openid-configuration"
   }
 }