
Eurofurence Identity Integration #43

Merged (13 commits, Jun 12, 2024)

Conversation

Rain336
Member

@Rain336 Rain336 commented May 6, 2024

I ended up using the IdentityModel.AspNetCore.OAuth2Introspection to implement the OAuth2 introspection based authentication. Not my favorite library, but it's the best that works for our use case. It even caches the introspection results, as long as the token is still valid.
Client id and endpoints can be configured in the Identity section of the appsettings.json.
It cannot query the user info endpoint though, so I added that feature manually and merge the claims from the user info endpoint into the ClaimsIdentity.
Currently I configured the authorization policy so that every endpoint just requires a valid token, if not configured otherwise. Endpoints require an Authorize attribute like always.
A few endpoints require certain roles and they don't really map to anything right now, so calling these endpoints is currently impossible.
Closes #36

@Rain336 Rain336 added the enhancement Improvements to existing features with relevant impact label May 6, 2024
@Rain336 Rain336 added this to the EF28 (2024) milestone May 6, 2024
@Rain336 Rain336 self-assigned this May 6, 2024
@Rain336 Rain336 linked an issue May 6, 2024 that may be closed by this pull request
@Metawolve Metawolve self-requested a review May 13, 2024 19:45
@Metawolve
Member

Looks good so far! I think it's fine to use an existing library if we can't get it working well easily with the default Microsoft libraries.

Just one thing - I think we should rework the currently existing AuthenticationHandler or remove it if it is not needed anymore. There is also a "WhoAmI" endpoint, which I think won't work with the new authentication yet (correct me if I'm wrong).
Could you maybe check if this can be reworked or removed?
Other than that, it looks good to me!

Rain336 added 5 commits May 15, 2024 23:32
…y-provider

# Conflicts:
#	src/Eurofurence.App.Server.Web/Startup.cs
#	src/Eurofurence.App.Server.Web/appsettings.sample.json
…y-provider

# Conflicts:
#	src/Eurofurence.App.Server.Web/Eurofurence.App.Server.Web.csproj
#	src/Eurofurence.App.Server.Web/Startup.cs
#	src/Eurofurence.App.Tools.CliToolBox/Commands/CreateTokenCommand.cs
#	src/Eurofurence.App.Tools.CliToolBox/Commands/RegSysCommand.cs
#	test/Eurofurence.App.Server.Services.Tests/Eurofurence.App.Server.Services.Tests.csproj
@Rain336
Member Author

Rain336 commented May 15, 2024

I removed the AuthenticationHandler and anything related to the old token generation system, this also includes the telegram bot and toolbox commands for creating a RegSys Pin and displaying Pin usage information.

Member

Maybe we could set the principal name using the property "NameClaimType" along with the RoleClaimType in the ConfigureOAuth2IntrospectionOptions class? I know that the TokenValidationOptions of the JwtBearerOptions from Microsoft support this at least. This way we can set the Name property of the ClaimsPrincipal, instead of using an extension method. If it is not supported by the authentication library, then maybe in a claims transformation?

Member Author

The NameClaimType property exists, but its default value is already name, so we don't need to change it.
I changed the code to use the Name property of the primary claims identity now.
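As an added example (not code from this PR or from the Eurofurence project), the following shows how the pieces discussed in the PR description and in the NameClaimType exchange fit together in an ASP.NET Core Startup: the introspection handler from IdentityModel.AspNetCore.OAuth2Introspection with caching, a manual userinfo fetch in OnTokenValidated that merges claims into the primary ClaimsIdentity, the fallback policy that makes every endpoint require a valid token unless marked otherwise, and a minimal WhoAmI endpoint reading User.Identity.Name (which resolves through NameClaimType, default "name"). The key names under the Identity configuration section, the "userinfo" HttpClient name, the MergeUserInfoAsync helper and the decision to fail the request when the userinfo call fails are all assumptions of this example, not the project's.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityModel.AspNetCore.OAuth2Introspection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Added example, not the project's Startup.cs. Key names under "Identity" are assumed.
public static class IdentityConfiguration
{
    public static void AddIntrospectionIdentity(this IServiceCollection services, IConfiguration configuration)
    {
        var identity = configuration.GetSection("Identity");
        var userInfoEndpoint = identity["UserInfoEndpoint"]; // assumed key name

        // EnableCaching below requires an IDistributedCache registration.
        services.AddDistributedMemoryCache();
        services.AddHttpClient("userinfo"); // assumed client name

        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
            .AddOAuth2Introspection(options =>
            {
                options.Authority = identity["Authority"];       // assumed key name
                options.ClientId = identity["ClientId"];         // assumed key name
                options.ClientSecret = identity["ClientSecret"]; // assumed key name

                // Both already default to these values; set explicitly so the mapping to
                // User.Identity.Name and [Authorize(Roles = "...")] is visible.
                options.NameClaimType = "name";
                options.RoleClaimType = "role";

                // Introspection results are cached while the token is valid. Caveat: a token
                // revoked at the identity provider may still be accepted from this cache
                // for up to CacheDuration, so keep the duration short.
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(10);

                options.Events = new OAuth2IntrospectionEvents
                {
                    OnTokenValidated = context => MergeUserInfoAsync(context, userInfoEndpoint)
                };
            });

        services.AddAuthorization(options =>
        {
            // Default for every endpoint: an authenticated user, unless marked [AllowAnonymous].
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }

    // Call the userinfo endpoint with the already-introspected token and copy any claim
    // the introspection response did not provide into the primary ClaimsIdentity.
    private static async Task MergeUserInfoAsync(TokenValidatedContext context, string userInfoEndpoint)
    {
        var identity = context.Principal?.Identity as ClaimsIdentity;
        if (identity == null) return;

        var factory = context.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>();
        using var request = new HttpRequestMessage(HttpMethod.Get, userInfoEndpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.SecurityToken);
        using var response = await factory.CreateClient("userinfo").SendAsync(request);

        if (!response.IsSuccessStatusCode)
        {
            // Assumed design choice: fail closed instead of authenticating with partial claims.
            context.Fail($"userinfo request failed with HTTP {(int)response.StatusCode}");
            return;
        }

        using var document = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        foreach (var property in document.RootElement.EnumerateObject())
        {
            if (identity.HasClaim(c => c.Type == property.Name)) continue; // introspection claims win

            if (property.Value.ValueKind == JsonValueKind.Array)
                foreach (var element in property.Value.EnumerateArray())
                    identity.AddClaim(new Claim(property.Name, ClaimValue(element)));
            else if (property.Value.ValueKind != JsonValueKind.Object && property.Value.ValueKind != JsonValueKind.Null)
                identity.AddClaim(new Claim(property.Name, ClaimValue(property.Value)));
        }
    }

    private static string ClaimValue(JsonElement element) =>
        element.ValueKind == JsonValueKind.String ? element.GetString() : element.GetRawText();
}

// Minimal WhoAmI endpoint: Name resolves through NameClaimType, roles through RoleClaimType.
[ApiController]
[Route("api/whoami")]
public class WhoAmIController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new
    {
        name = User.Identity?.Name,
        claims = User.Claims.Select(c => new { c.Type, c.Value })
    });
}
```

Because the fallback policy applies to every endpoint, a WhoAmI call without a bearer token yields 401 before the controller runs; with a token, the response lists the introspection claims plus whatever the userinfo merge added. Claims already returned by introspection are deliberately not overwritten by the userinfo response, so the identity provider's token-bound claims stay authoritative.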

Rain336 added 3 commits June 12, 2024 01:29
…y-provider

# Conflicts:
#	src/Eurofurence.App.Server.Web/Eurofurence.App.Server.Web.csproj
#	src/Eurofurence.App.Server.Web/Startup.cs
#	src/Eurofurence.App.Server.Web/appsettings.sample.json
#	test/Eurofurence.App.Server.Services.Tests/Eurofurence.App.Server.Services.Tests.csproj
@Metawolve Metawolve merged commit 6ccdac5 into main Jun 12, 2024
1 check passed
@Rain336 Rain336 deleted the feature/36-migrate-to-new-identity-provider branch June 12, 2024 23:01
Successfully merging this pull request may close these issues.

Migrate to new Identity Provider