maucaro · June 16, 2021 00:15 · maucaro · Jun 13, 2021
diff --git a/appsettings.json b/appsettings.json
 {
  "OidcOptions": {
    "TrustedAudiences": [ "[YOUR_GCP_PROJECT_ID]" ],
    "CertificatesUrl": "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]" 
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
 }
diff --git a/OIDCAuthenticationHandler.cs b/OIDCAuthenticationHandler.cs
 using System;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Google.Apis.Auth;
 using System.Linq;
 using System.Text;
 using Microsoft.AspNetCore.WebUtilities;
 using System.Text.Json;

 namespace OIDCAuthentication
 {
    public static class OIDCAuthenticationDefaults
    {
        public const string AuthenticationScheme = "OIDCAuthentication";
    }

    public static class AuthenticationBuilderExtensions
    {
        public static AuthenticationBuilder AddCustomAuth(this AuthenticationBuilder builder, Action<ValidateOIDCAuthenticationSchemeOptions> configureOptions)
        {
            return builder.AddScheme<ValidateOIDCAuthenticationSchemeOptions, ValidateOIDCAuthenticationHandler>
                (OIDCAuthenticationDefaults.AuthenticationScheme, configureOptions);
        }
    }
    public class ValidateOIDCAuthenticationSchemeOptions: AuthenticationSchemeOptions
    {
        public SignedTokenVerificationOptions TokenVerificationOptions { get; set; }
    }

    public class ValidateOIDCAuthenticationHandler: AuthenticationHandler<ValidateOIDCAuthenticationSchemeOptions>
    {
        public ValidateOIDCAuthenticationHandler(
            IOptionsMonitor<ValidateOIDCAuthenticationSchemeOptions> options,
            ILoggerFactory logger,
            UrlEncoder encoder,
            ISystemClock clock)
            : base(options, logger, encoder, clock) { }

        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
        {
            if (!Request.Headers.ContainsKey("Authorization"))
            {
                return AuthenticateResult.Fail("Authorization header missing");
            }
            var rawToken = ExtractRawToken(Request.Headers["Authorization"].ToString());
            if (string.IsNullOrWhiteSpace(rawToken))
            {
                return AuthenticateResult.Fail("Bearer token missing");
            }
            try
             {
                // Payload returned by JsonWebSignature.VerifySignedTokenAsync does not include the email claim
                // Will decode it using WebEncoders.Base64UrlDecode 
                // JsonWebSignature.Payload payload = await JsonWebSignature.VerifySignedTokenAsync(token, Options.TokenVerificationOptions);
                var generalValidationTask = JsonWebSignature.VerifySignedTokenAsync(rawToken, Options.TokenVerificationOptions);
                var payload = rawToken.Split('.').ElementAtOrDefault(1);    // A token has the form 'header.payload.signature'
                JsonDocument payloadJson = JsonDocument.Parse(Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(payload)));
                var sub = payloadJson.RootElement.GetString("sub");
                var email = payloadJson.RootElement.GetString("email");
                if (string.IsNullOrWhiteSpace(sub) || string.IsNullOrWhiteSpace(email))
                {
                    return AuthenticateResult.Fail("Error validating token: 'sub' and 'email' claims are required");
                }
                var claims = new[] {
                    new Claim(ClaimTypes.NameIdentifier, sub),
                    new Claim(ClaimTypes.Email, email)};
                var claimsIdentity = new ClaimsIdentity(claims, nameof(ValidateOIDCAuthenticationHandler));
                var ticket = new AuthenticationTicket(new ClaimsPrincipal(claimsIdentity), this.Scheme.Name);
                await generalValidationTask.ConfigureAwait(false);
                return AuthenticateResult.Success(ticket);
            }
            catch(Exception ex)
            {
                switch(ex)
                {
                    case FormatException:       // Payload decoding failed - malformed input (i.e. whitespace or padding characters)
                    case ArgumentNullException: // Payload decoding failed - rawToken likely not in 'header.payload.signature' format
                        return AuthenticateResult.Fail("Error validating token: payload decoding failed");
                    case JsonException:         // Payload failed to serialize to JSON
                        return AuthenticateResult.Fail("Error validating token: converting payload to JSON failed");
                    case InvalidJwtException:   // Token failed verification
                    default:
                        return AuthenticateResult.Fail($"Error validating token: ${ex.Message}");
                }
            }
        }

        private static string ExtractRawToken(string Header)
        {
            if (string.IsNullOrWhiteSpace(Header))
            {
                return string.Empty;
            }
            string[] splitHeader = Header.ToString().Split(' ');
            if (splitHeader.Length != 2)
            {
                return string.Empty;
            }
            var scheme = splitHeader[0];
            var token = splitHeader[1];
            if (string.IsNullOrWhiteSpace(token) || scheme.ToLowerInvariant() != "bearer")
            {
                return string.Empty;
            }
            return token;
        }
    }
 }
diff --git a/Startup.cs b/Startup.cs
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.OpenApi.Models;
 using Google.Apis.Auth;
 using OIDCAuthentication;

 namespace WebApiCustomAuthOIDC
 {
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = OIDCAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OIDCAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCustomAuth(options => {
                SignedTokenVerificationOptions tokenOptions = new SignedTokenVerificationOptions();
                Configuration.GetSection("OidcOptions").Bind(tokenOptions);
                options.TokenVerificationOptions = tokenOptions;
            });

            services.AddControllers();
            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new OpenApiInfo { Title = "WebApiCustomAuthOIDC", Version = "v1" });
            });


        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
            public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseSwagger();
                app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "WebApiCustomAuthOIDC v1"));
            }

            app.UseHttpsRedirection();

            app.UseRouting();

            app.UseAuthentication();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
 }
	{
	"OidcOptions": {
	"TrustedAudiences": [ "[YOUR_GCP_PROJECT_ID]" ],
	"CertificatesUrl": "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]"
	},
	"Logging": {
	"LogLevel": {
	"Default": "Information",
	"Microsoft": "Warning",
	"Microsoft.Hosting.Lifetime": "Information"
	}
	},
	"AllowedHosts": "*"
	}
	using System;
	using System.Security.Claims;
	using System.Text.Encodings.Web;
	using System.Threading.Tasks;
	using Microsoft.AspNetCore.Authentication;
	using Microsoft.Extensions.Logging;
	using Microsoft.Extensions.Options;
	using Google.Apis.Auth;
	using System.Linq;
	using System.Text;
	using Microsoft.AspNetCore.WebUtilities;
	using System.Text.Json;

	namespace OIDCAuthentication
	{
	public static class OIDCAuthenticationDefaults
	{
	public const string AuthenticationScheme = "OIDCAuthentication";
	}

	public static class AuthenticationBuilderExtensions
	{
	public static AuthenticationBuilder AddCustomAuth(this AuthenticationBuilder builder, Action<ValidateOIDCAuthenticationSchemeOptions> configureOptions)
	{
	return builder.AddScheme<ValidateOIDCAuthenticationSchemeOptions, ValidateOIDCAuthenticationHandler>
	(OIDCAuthenticationDefaults.AuthenticationScheme, configureOptions);
	}
	}
	public class ValidateOIDCAuthenticationSchemeOptions: AuthenticationSchemeOptions
	{
	public SignedTokenVerificationOptions TokenVerificationOptions { get; set; }
	}

	public class ValidateOIDCAuthenticationHandler: AuthenticationHandler<ValidateOIDCAuthenticationSchemeOptions>
	{
	public ValidateOIDCAuthenticationHandler(
	IOptionsMonitor<ValidateOIDCAuthenticationSchemeOptions> options,
	ILoggerFactory logger,
	UrlEncoder encoder,
	ISystemClock clock)
	: base(options, logger, encoder, clock) { }

	protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
	{
	if (!Request.Headers.ContainsKey("Authorization"))
	{
	return AuthenticateResult.Fail("Authorization header missing");
	}
	var rawToken = ExtractRawToken(Request.Headers["Authorization"].ToString());
	if (string.IsNullOrWhiteSpace(rawToken))
	{
	return AuthenticateResult.Fail("Bearer token missing");
	}
	try
	{
	// Payload returned by JsonWebSignature.VerifySignedTokenAsync does not include the email claim
	// Will decode it using WebEncoders.Base64UrlDecode
	// JsonWebSignature.Payload payload = await JsonWebSignature.VerifySignedTokenAsync(token, Options.TokenVerificationOptions);
	var generalValidationTask = JsonWebSignature.VerifySignedTokenAsync(rawToken, Options.TokenVerificationOptions);
	var payload = rawToken.Split('.').ElementAtOrDefault(1); // A token has the form 'header.payload.signature'
	JsonDocument payloadJson = JsonDocument.Parse(Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(payload)));
	var sub = payloadJson.RootElement.GetString("sub");
	var email = payloadJson.RootElement.GetString("email");
	if (string.IsNullOrWhiteSpace(sub) \|\| string.IsNullOrWhiteSpace(email))
	{
	return AuthenticateResult.Fail("Error validating token: 'sub' and 'email' claims are required");
	}
	var claims = new[] {
	new Claim(ClaimTypes.NameIdentifier, sub),
	new Claim(ClaimTypes.Email, email)};
	var claimsIdentity = new ClaimsIdentity(claims, nameof(ValidateOIDCAuthenticationHandler));
	var ticket = new AuthenticationTicket(new ClaimsPrincipal(claimsIdentity), this.Scheme.Name);
	await generalValidationTask.ConfigureAwait(false);
	return AuthenticateResult.Success(ticket);
	}
	catch(Exception ex)
	{
	switch(ex)
	{
	case FormatException: // Payload decoding failed - malformed input (i.e. whitespace or padding characters)
	case ArgumentNullException: // Payload decoding failed - rawToken likely not in 'header.payload.signature' format
	return AuthenticateResult.Fail("Error validating token: payload decoding failed");
	case JsonException: // Payload failed to serialize to JSON
	return AuthenticateResult.Fail("Error validating token: converting payload to JSON failed");
	case InvalidJwtException: // Token failed verification
	default:
	return AuthenticateResult.Fail($"Error validating token: ${ex.Message}");
	}
	}
	}

	private static string ExtractRawToken(string Header)
	{
	if (string.IsNullOrWhiteSpace(Header))
	{
	return string.Empty;
	}
	string[] splitHeader = Header.ToString().Split(' ');
	if (splitHeader.Length != 2)
	{
	return string.Empty;
	}
	var scheme = splitHeader[0];
	var token = splitHeader[1];
	if (string.IsNullOrWhiteSpace(token) \|\| scheme.ToLowerInvariant() != "bearer")
	{
	return string.Empty;
	}
	return token;
	}
	}
	}
	using Microsoft.AspNetCore.Builder;
	using Microsoft.AspNetCore.Hosting;
	using Microsoft.Extensions.Configuration;
	using Microsoft.Extensions.DependencyInjection;
	using Microsoft.Extensions.Hosting;
	using Microsoft.OpenApi.Models;
	using Google.Apis.Auth;
	using OIDCAuthentication;

	namespace WebApiCustomAuthOIDC
	{
	public class Startup
	{
	public Startup(IConfiguration configuration)
	{
	Configuration = configuration;
	}

	public IConfiguration Configuration { get; }

	// This method gets called by the runtime. Use this method to add services to the container.
	public void ConfigureServices(IServiceCollection services)
	{
	services.AddAuthentication(options =>
	{
	options.DefaultAuthenticateScheme = OIDCAuthenticationDefaults.AuthenticationScheme;
	options.DefaultChallengeScheme = OIDCAuthenticationDefaults.AuthenticationScheme;
	})
	.AddCustomAuth(options => {
	SignedTokenVerificationOptions tokenOptions = new SignedTokenVerificationOptions();
	Configuration.GetSection("OidcOptions").Bind(tokenOptions);
	options.TokenVerificationOptions = tokenOptions;
	});

	services.AddControllers();
	services.AddSwaggerGen(c =>
	{
	c.SwaggerDoc("v1", new OpenApiInfo { Title = "WebApiCustomAuthOIDC", Version = "v1" });
	});


	}

	// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
	public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
	{
	if (env.IsDevelopment())
	{
	app.UseDeveloperExceptionPage();
	app.UseSwagger();
	app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "WebApiCustomAuthOIDC v1"));
	}

	app.UseHttpsRedirection();

	app.UseRouting();

	app.UseAuthentication();

	app.UseAuthorization();

	app.UseEndpoints(endpoints =>
	{
	endpoints.MapControllers();
	});
	}
	}
	}