From ae38f61bc4c750064b75743f76063185cbacc91a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:19:25 +0000 Subject: [PATCH 01/27] Initial plan From b0c73e4b91c2abed7fa4cdc34e07b1b93f664635 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:30:10 +0000 Subject: [PATCH 02/27] Phase 1-3 complete: Core OIDC module with Server and WASM implementations Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> --- Directory.Packages.props | 3 + Elsa.Studio.sln | 252 ++++++++++++++++ ...tication.OpenIdConnect.BlazorServer.csproj | 21 ++ .../Extensions/ServiceCollectionExtensions.cs | 93 ++++++ .../Services/ServerOidcTokenAccessor.cs | 34 +++ ...entication.OpenIdConnect.BlazorWasm.csproj | 21 ++ .../Extensions/ServiceCollectionExtensions.cs | 59 ++++ .../Services/WasmOidcTokenAccessor.cs | 42 +++ .../Class1.cs | 5 - .../Contracts/IOidcTokenAccessor.cs | 15 + .../Models/OidcOptions.cs | 67 +++++ .../README.md | 272 ++++++++++++++++++ .../Services/OidcAuthenticationProvider.cs | 35 +++ 13 files changed, 914 insertions(+), 5 deletions(-) create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs delete mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/Class1.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs diff --git a/Directory.Packages.props b/Directory.Packages.props index 4e69b186..e40e470c 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -26,6 +26,7 @@ + @@ -41,6 +42,7 @@ + @@ -56,6 +58,7 @@ + diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index 7a176344..7c2383d5 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -1,3 +1,4 @@ + Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.11.35327.3 @@ -88,128 +89,378 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Labels", "src\m EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect", "src\modules\Elsa.Studio.Authentication.OpenIdConnect\Elsa.Studio.Authentication.OpenIdConnect.csproj", "{E88C478A-6B8C-46F3-941C-BEBD798ECD06}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm", "src\modules\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj", "{AED216D2-620D-4446-931F-BDEF357DA805}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|x64.ActiveCfg = Debug|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|x64.Build.0 = Debug|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|x86.ActiveCfg = Debug|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Debug|x86.Build.0 = Debug|Any CPU {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|Any CPU.ActiveCfg = Release|Any CPU {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|Any CPU.Build.0 = Release|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|x64.ActiveCfg = Release|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|x64.Build.0 = Release|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|x86.ActiveCfg = Release|Any CPU + {B61B3A06-5AF3-4007-9D22-18A319549156}.Release|x86.Build.0 = Release|Any CPU {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|Any CPU.Build.0 = Debug|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|x64.ActiveCfg = Debug|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|x64.Build.0 = Debug|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|x86.ActiveCfg = Debug|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Debug|x86.Build.0 = Debug|Any CPU {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|Any CPU.ActiveCfg = Release|Any CPU {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|Any CPU.Build.0 = Release|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|x64.ActiveCfg = Release|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|x64.Build.0 = Release|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|x86.ActiveCfg = Release|Any CPU + {CE71F7A2-3AB3-4475-B7F4-CF5128D0A4F6}.Release|x86.Build.0 = Release|Any CPU {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|x64.ActiveCfg = Debug|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|x64.Build.0 = Debug|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|x86.ActiveCfg = Debug|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Debug|x86.Build.0 = Debug|Any CPU {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|Any CPU.ActiveCfg = Release|Any CPU {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|Any CPU.Build.0 = Release|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|x64.ActiveCfg = Release|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|x64.Build.0 = Release|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|x86.ActiveCfg = Release|Any CPU + {7F1322EB-7314-47A7-9F03-7D8CB31097C8}.Release|x86.Build.0 = Release|Any CPU {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|x64.ActiveCfg = Debug|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|x64.Build.0 = Debug|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|x86.ActiveCfg = Debug|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Debug|x86.Build.0 = Debug|Any CPU {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|Any CPU.ActiveCfg = Release|Any CPU {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|Any CPU.Build.0 = Release|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|x64.ActiveCfg = Release|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|x64.Build.0 = Release|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|x86.ActiveCfg = Release|Any CPU + {B15E4EAF-62C3-4D3B-B12D-4119D517728C}.Release|x86.Build.0 = Release|Any CPU {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|x64.ActiveCfg = Debug|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|x64.Build.0 = Debug|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|x86.ActiveCfg = Debug|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Debug|x86.Build.0 = Debug|Any CPU {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|Any CPU.ActiveCfg = Release|Any CPU {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|Any CPU.Build.0 = Release|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|x64.ActiveCfg = Release|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|x64.Build.0 = Release|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|x86.ActiveCfg = Release|Any CPU + {21B6A662-8DB2-452E-95E7-3E4227D1544A}.Release|x86.Build.0 = Release|Any CPU {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|x64.ActiveCfg = Debug|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|x64.Build.0 = Debug|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|x86.ActiveCfg = Debug|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Debug|x86.Build.0 = Debug|Any CPU {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|Any CPU.ActiveCfg = Release|Any CPU {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|Any CPU.Build.0 = Release|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|x64.ActiveCfg = Release|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|x64.Build.0 = Release|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|x86.ActiveCfg = Release|Any CPU + {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D}.Release|x86.Build.0 = Release|Any CPU {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|x64.ActiveCfg = Debug|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|x64.Build.0 = Debug|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|x86.ActiveCfg = Debug|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Debug|x86.Build.0 = Debug|Any CPU {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|Any CPU.ActiveCfg = Release|Any CPU {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|Any CPU.Build.0 = Release|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|x64.ActiveCfg = Release|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|x64.Build.0 = Release|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|x86.ActiveCfg = Release|Any CPU + {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8}.Release|x86.Build.0 = Release|Any CPU {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|x64.ActiveCfg = Debug|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|x64.Build.0 = Debug|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|x86.ActiveCfg = Debug|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Debug|x86.Build.0 = Debug|Any CPU {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|Any CPU.ActiveCfg = Release|Any CPU {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|Any CPU.Build.0 = Release|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|x64.ActiveCfg = Release|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|x64.Build.0 = Release|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|x86.ActiveCfg = Release|Any CPU + {B831EE86-F713-4466-B91D-FA66EDCC2E30}.Release|x86.Build.0 = Release|Any CPU {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|x64.ActiveCfg = Debug|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|x64.Build.0 = Debug|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|x86.ActiveCfg = Debug|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Debug|x86.Build.0 = Debug|Any CPU {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|Any CPU.ActiveCfg = Release|Any CPU {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|Any CPU.Build.0 = Release|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|x64.ActiveCfg = Release|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|x64.Build.0 = Release|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|x86.ActiveCfg = Release|Any CPU + {C5D998F4-4523-49AF-9F0F-7BCDACA58790}.Release|x86.Build.0 = Release|Any CPU {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|Any CPU.Build.0 = Debug|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|x64.ActiveCfg = Debug|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|x64.Build.0 = Debug|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|x86.ActiveCfg = Debug|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Debug|x86.Build.0 = Debug|Any CPU {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|Any CPU.ActiveCfg = Release|Any CPU {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|Any CPU.Build.0 = Release|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|x64.ActiveCfg = Release|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|x64.Build.0 = Release|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|x86.ActiveCfg = Release|Any CPU + {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48}.Release|x86.Build.0 = Release|Any CPU {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|x64.ActiveCfg = Debug|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|x64.Build.0 = Debug|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|x86.ActiveCfg = Debug|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Debug|x86.Build.0 = Debug|Any CPU {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|Any CPU.ActiveCfg = Release|Any CPU {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|Any CPU.Build.0 = Release|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|x64.ActiveCfg = Release|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|x64.Build.0 = Release|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|x86.ActiveCfg = Release|Any CPU + {565B61D8-C67A-449B-BAE6-BEAC95E52B8F}.Release|x86.Build.0 = Release|Any CPU {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|Any CPU.Build.0 = Debug|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|x64.ActiveCfg = Debug|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|x64.Build.0 = Debug|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|x86.ActiveCfg = Debug|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Debug|x86.Build.0 = Debug|Any CPU {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|Any CPU.ActiveCfg = Release|Any CPU {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|Any CPU.Build.0 = Release|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|x64.ActiveCfg = Release|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|x64.Build.0 = Release|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|x86.ActiveCfg = Release|Any CPU + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165}.Release|x86.Build.0 = Release|Any CPU {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|Any CPU.Build.0 = Debug|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|x64.ActiveCfg = Debug|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|x64.Build.0 = Debug|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|x86.ActiveCfg = Debug|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Debug|x86.Build.0 = Debug|Any CPU {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|Any CPU.ActiveCfg = Release|Any CPU {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|Any CPU.Build.0 = Release|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|x64.ActiveCfg = Release|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|x64.Build.0 = Release|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|x86.ActiveCfg = Release|Any CPU + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93}.Release|x86.Build.0 = Release|Any CPU {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|x64.ActiveCfg = Debug|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|x64.Build.0 = Debug|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|x86.ActiveCfg = Debug|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Debug|x86.Build.0 = Debug|Any CPU {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|Any CPU.ActiveCfg = Release|Any CPU {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|Any CPU.Build.0 = Release|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|x64.ActiveCfg = Release|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|x64.Build.0 = Release|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|x86.ActiveCfg = Release|Any CPU + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD}.Release|x86.Build.0 = Release|Any CPU {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|Any CPU.Build.0 = Debug|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|x64.ActiveCfg = Debug|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|x64.Build.0 = Debug|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|x86.ActiveCfg = Debug|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Debug|x86.Build.0 = Debug|Any CPU {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|Any CPU.ActiveCfg = Release|Any CPU {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|Any CPU.Build.0 = Release|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|x64.ActiveCfg = Release|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|x64.Build.0 = Release|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|x86.ActiveCfg = Release|Any CPU + {AC76C31B-75F0-473C-8F96-DE77AFF76536}.Release|x86.Build.0 = Release|Any CPU {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|x64.ActiveCfg = Debug|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|x64.Build.0 = Debug|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|x86.ActiveCfg = Debug|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Debug|x86.Build.0 = Debug|Any CPU {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|Any CPU.ActiveCfg = Release|Any CPU {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|Any CPU.Build.0 = Release|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|x64.ActiveCfg = Release|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|x64.Build.0 = Release|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|x86.ActiveCfg = Release|Any CPU + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F}.Release|x86.Build.0 = Release|Any CPU {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|Any CPU.Build.0 = Debug|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|x64.ActiveCfg = Debug|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|x64.Build.0 = Debug|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|x86.ActiveCfg = Debug|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Debug|x86.Build.0 = Debug|Any CPU {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|Any CPU.ActiveCfg = Release|Any CPU {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|Any CPU.Build.0 = Release|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|x64.ActiveCfg = Release|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|x64.Build.0 = Release|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|x86.ActiveCfg = Release|Any CPU + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD}.Release|x86.Build.0 = Release|Any CPU {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|Any CPU.Build.0 = Debug|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|x64.ActiveCfg = Debug|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|x64.Build.0 = Debug|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|x86.ActiveCfg = Debug|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Debug|x86.Build.0 = Debug|Any CPU {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|Any CPU.ActiveCfg = Release|Any CPU {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|Any CPU.Build.0 = Release|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|x64.ActiveCfg = Release|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|x64.Build.0 = Release|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|x86.ActiveCfg = Release|Any CPU + {435D5AF5-D06C-47A6-94B0-9B31016250DC}.Release|x86.Build.0 = Release|Any CPU {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|x64.ActiveCfg = Debug|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|x64.Build.0 = Debug|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|x86.ActiveCfg = Debug|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Debug|x86.Build.0 = Debug|Any CPU {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|Any CPU.ActiveCfg = Release|Any CPU {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|Any CPU.Build.0 = Release|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|x64.ActiveCfg = Release|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|x64.Build.0 = Release|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|x86.ActiveCfg = Release|Any CPU + {C15D23AC-26CA-447D-B441-75407FD79A6A}.Release|x86.Build.0 = Release|Any CPU {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|x64.ActiveCfg = Debug|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|x64.Build.0 = Debug|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|x86.ActiveCfg = Debug|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Debug|x86.Build.0 = Debug|Any CPU {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|Any CPU.ActiveCfg = Release|Any CPU {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|Any CPU.Build.0 = Release|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|x64.ActiveCfg = Release|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|x64.Build.0 = Release|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|x86.ActiveCfg = Release|Any CPU + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4}.Release|x86.Build.0 = Release|Any CPU {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|Any CPU.Build.0 = Debug|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|x64.ActiveCfg = Debug|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|x64.Build.0 = Debug|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|x86.ActiveCfg = Debug|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Debug|x86.Build.0 = Debug|Any CPU {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|Any CPU.ActiveCfg = Release|Any CPU {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|Any CPU.Build.0 = Release|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|x64.ActiveCfg = Release|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|x64.Build.0 = Release|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|x86.ActiveCfg = Release|Any CPU + {AF48A447-22AF-4C94-8C5D-2B47FD90484C}.Release|x86.Build.0 = Release|Any CPU {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|x64.ActiveCfg = Debug|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|x64.Build.0 = Debug|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|x86.ActiveCfg = Debug|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Debug|x86.Build.0 = Debug|Any CPU {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|Any CPU.ActiveCfg = Release|Any CPU {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|Any CPU.Build.0 = Release|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|x64.ActiveCfg = Release|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|x64.Build.0 = Release|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|x86.ActiveCfg = Release|Any CPU + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E}.Release|x86.Build.0 = Release|Any CPU {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|x64.ActiveCfg = Debug|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|x64.Build.0 = Debug|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|x86.ActiveCfg = Debug|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Debug|x86.Build.0 = Debug|Any CPU {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|Any CPU.ActiveCfg = Release|Any CPU {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|Any CPU.Build.0 = Release|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|x64.ActiveCfg = Release|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|x64.Build.0 = Release|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|x86.ActiveCfg = Release|Any CPU + {F3C53AFF-EBE5-447D-AF4D-136F18761733}.Release|x86.Build.0 = Release|Any CPU {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|x64.ActiveCfg = Debug|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|x64.Build.0 = Debug|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|x86.ActiveCfg = Debug|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Debug|x86.Build.0 = Debug|Any CPU {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|Any CPU.ActiveCfg = Release|Any CPU {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|Any CPU.Build.0 = Release|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|x64.ActiveCfg = Release|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|x64.Build.0 = Release|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|x86.ActiveCfg = Release|Any CPU + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5}.Release|x86.Build.0 = Release|Any CPU {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|Any CPU.Build.0 = Debug|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|x64.ActiveCfg = Debug|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|x64.Build.0 = Debug|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|x86.ActiveCfg = Debug|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Debug|x86.Build.0 = Debug|Any CPU {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|Any CPU.ActiveCfg = Release|Any CPU {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|Any CPU.Build.0 = Release|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|x64.ActiveCfg = Release|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|x64.Build.0 = Release|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|x86.ActiveCfg = Release|Any CPU + {DE57FD2C-3874-486A-89B1-D982726A1189}.Release|x86.Build.0 = Release|Any CPU {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|Any CPU.Build.0 = Debug|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|x64.ActiveCfg = Debug|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|x64.Build.0 = Debug|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|x86.ActiveCfg = Debug|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Debug|x86.Build.0 = Debug|Any CPU {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|Any CPU.ActiveCfg = Release|Any CPU {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|Any CPU.Build.0 = Release|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|x64.ActiveCfg = Release|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|x64.Build.0 = Release|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|x86.ActiveCfg = Release|Any CPU + {76C60D97-FA22-4023-BDB3-6BC47D097E40}.Release|x86.Build.0 = Release|Any CPU {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|Any CPU.Build.0 = Debug|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|x64.ActiveCfg = Debug|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|x64.Build.0 = Debug|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|x86.ActiveCfg = Debug|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Debug|x86.Build.0 = Debug|Any CPU {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|Any CPU.ActiveCfg = Release|Any CPU {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|Any CPU.Build.0 = Release|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|x64.ActiveCfg = Release|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|x64.Build.0 = Release|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|x86.ActiveCfg = Release|Any CPU + {25BA3052-4F17-4D24-9AE9-01FBD75E8804}.Release|x86.Build.0 = Release|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|x64.ActiveCfg = Debug|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|x64.Build.0 = Debug|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|x86.ActiveCfg = Debug|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Debug|x86.Build.0 = Debug|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|Any CPU.ActiveCfg = Release|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|Any CPU.Build.0 = Release|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x64.ActiveCfg = Release|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x64.Build.0 = Release|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x86.ActiveCfg = Release|Any CPU + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x86.Build.0 = Release|Any CPU {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x64.ActiveCfg = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x64.Build.0 = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x86.ActiveCfg = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x86.Build.0 = Debug|Any CPU {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.ActiveCfg = Release|Any CPU {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.Build.0 = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x64.ActiveCfg = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x64.Build.0 = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x86.ActiveCfg = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x86.Build.0 = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|Any CPU.Build.0 = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|x64.ActiveCfg = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|x64.Build.0 = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|x86.ActiveCfg = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|x86.Build.0 = Debug|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|Any CPU.ActiveCfg = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|Any CPU.Build.0 = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x64.ActiveCfg = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x64.Build.0 = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x86.ActiveCfg = Release|Any CPU + {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -248,6 +499,7 @@ Global {25BA3052-4F17-4D24-9AE9-01FBD75E8804} = {2AA1AEE9-017E-4F8B-B5FC-2BEA37E83514} {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {D66B9A40-8608-46F3-9868-625C50EACE43} {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {AED216D2-620D-4446-931F-BDEF357DA805} = {D66B9A40-8608-46F3-9868-625C50EACE43} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {5B8719CC-CF87-45E1-BE1A-13842F951B28} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj new file mode 100644 index 00000000..067a04ec --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj @@ -0,0 +1,21 @@ + + + + Provides OpenID Connect authentication for Elsa Studio with Blazor Server. + elsa studio authentication oidc blazor server + + + + + + + + + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..a65aacd6 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,93 @@ +using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.Models; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; +using Elsa.Studio.Contracts; +using Microsoft.AspNetCore.Authentication.Cookies; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.IdentityModel.Protocols.OpenIdConnect; +using OidcAuthProvider = Elsa.Studio.Authentication.OpenIdConnect.Services.OidcAuthenticationProvider; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; + +/// +/// Extension methods for configuring OpenID Connect authentication in Blazor Server. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds OpenID Connect authentication services for Blazor Server. + /// + /// The service collection. + /// Configuration callback for OIDC options. + /// The service collection for chaining. + public static IServiceCollection AddOidcAuthentication( + this IServiceCollection services, + Action configure) + { + var options = new OidcOptions(); + configure(options); + + // Register the token accessor + services.AddHttpContextAccessor(); + services.AddScoped(); + services.AddScoped(); + + // Configure ASP.NET Core authentication with cookie and OIDC + services.AddAuthentication(authOptions => + { + authOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; + authOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; + }) + .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, cookieOptions => + { + cookieOptions.Cookie.Name = "ElsaStudio.Auth"; + cookieOptions.Cookie.HttpOnly = true; + cookieOptions.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always; + cookieOptions.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax; + cookieOptions.ExpireTimeSpan = TimeSpan.FromHours(8); + cookieOptions.SlidingExpiration = true; + }) + .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, oidcOptions => + { + oidcOptions.Authority = options.Authority; + oidcOptions.ClientId = options.ClientId; + oidcOptions.ClientSecret = options.ClientSecret; + oidcOptions.ResponseType = options.ResponseType; + oidcOptions.UsePkce = options.UsePkce; + oidcOptions.SaveTokens = options.SaveTokens; + oidcOptions.CallbackPath = options.CallbackPath; + oidcOptions.SignedOutCallbackPath = options.SignedOutCallbackPath; + oidcOptions.RequireHttpsMetadata = options.RequireHttpsMetadata; + oidcOptions.GetClaimsFromUserInfoEndpoint = options.GetClaimsFromUserInfoEndpoint; + + // Configure scopes + oidcOptions.Scope.Clear(); + foreach (var scope in options.Scopes) + { + oidcOptions.Scope.Add(scope); + } + + // Map token response properties to enable token refresh + oidcOptions.MapInboundClaims = false; + + if (!string.IsNullOrWhiteSpace(options.MetadataAddress)) + { + oidcOptions.MetadataAddress = options.MetadataAddress; + } + + // Configure token validation parameters + oidcOptions.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters + { + NameClaimType = "name", + RoleClaimType = "role", + ValidateIssuer = true + }; + }); + + // Add authorization services + services.AddAuthorizationCore(); + + return services; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs new file mode 100644 index 00000000..7224edcd --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs @@ -0,0 +1,34 @@ +using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Http; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Blazor Server implementation of that retrieves tokens from the authenticated HTTP context. +/// +public class ServerOidcTokenAccessor : IOidcTokenAccessor +{ + private readonly IHttpContextAccessor _httpContextAccessor; + + /// + /// Initializes a new instance of the class. + /// + public ServerOidcTokenAccessor(IHttpContextAccessor httpContextAccessor) + { + _httpContextAccessor = httpContextAccessor; + } + + /// + public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + var httpContext = _httpContextAccessor.HttpContext; + + if (httpContext?.User?.Identity?.IsAuthenticated != true) + return null; + + // Retrieve the token from the authentication properties + // These are stored when SaveTokens = true in the OIDC options + return await httpContext.GetTokenAsync(tokenName); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj new file mode 100644 index 00000000..964b4513 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj @@ -0,0 +1,21 @@ + + + + Provides OpenID Connect authentication for Elsa Studio with Blazor WebAssembly. + elsa studio authentication oidc blazor wasm webassembly + + + + + + + + + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..bfc465d9 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,59 @@ +using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.Models; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; +using Elsa.Studio.Contracts; +using Microsoft.AspNetCore.Components.WebAssembly.Authentication; +using Microsoft.Extensions.DependencyInjection; +using OidcAuthProvider = Elsa.Studio.Authentication.OpenIdConnect.Services.OidcAuthenticationProvider; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; + +/// +/// Extension methods for configuring OpenID Connect authentication in Blazor WebAssembly. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds OpenID Connect authentication services for Blazor WebAssembly. + /// + /// The service collection. + /// Configuration callback for OIDC options. + /// The service collection for chaining. + public static IServiceCollection AddOidcAuthentication( + this IServiceCollection services, + Action configure) + { + var options = new OidcOptions(); + configure(options); + + // Register the token accessor + services.AddScoped(); + services.AddScoped(); + + // Configure WASM authentication using the built-in framework + services.AddOidcAuthentication(wasmOptions => + { + // Configure the authentication provider options + wasmOptions.ProviderOptions.Authority = options.Authority; + wasmOptions.ProviderOptions.ClientId = options.ClientId; + wasmOptions.ProviderOptions.ResponseType = options.ResponseType; + + // Configure scopes + foreach (var scope in options.Scopes) + { + wasmOptions.ProviderOptions.DefaultScopes.Add(scope); + } + + // Set redirect URIs + wasmOptions.ProviderOptions.RedirectUri = options.CallbackPath; + wasmOptions.ProviderOptions.PostLogoutRedirectUri = options.SignedOutCallbackPath; + + if (!string.IsNullOrWhiteSpace(options.MetadataAddress)) + { + wasmOptions.ProviderOptions.MetadataUrl = options.MetadataAddress; + } + }); + + return services; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs new file mode 100644 index 00000000..eb8567fc --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs @@ -0,0 +1,42 @@ +using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Microsoft.AspNetCore.Components.WebAssembly.Authentication; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; + +/// +/// Blazor WASM implementation of that uses the built-in token provider. +/// +public class WasmOidcTokenAccessor : IOidcTokenAccessor +{ + private readonly IAccessTokenProvider _tokenProvider; + + /// + /// Initializes a new instance of the class. + /// + public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider) + { + _tokenProvider = tokenProvider; + } + + /// + public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + // For WASM, we use the IAccessTokenProvider to get the current access token + // The framework handles token refresh automatically + + // Map token names to what the framework expects + if (tokenName == "access_token" || tokenName == "AccessToken") + { + var tokenResult = await _tokenProvider.RequestAccessToken(); + + if (tokenResult.TryGetToken(out var token)) + { + return token.Value; + } + } + + // For other token types (id_token, refresh_token), we can't directly access them + // in WASM for security reasons - they're managed by the authentication framework + return null; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Class1.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Class1.cs deleted file mode 100644 index 9682c149..00000000 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Class1.cs +++ /dev/null @@ -1,5 +0,0 @@ -namespace Elsa.Studio.Authentication.OpenIdConnect; - -public class Class1 -{ -} \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs new file mode 100644 index 00000000..1576f214 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs @@ -0,0 +1,15 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.Contracts; + +/// +/// Provides access to OIDC tokens stored in the authentication context. +/// +public interface IOidcTokenAccessor +{ + /// + /// Retrieves an authentication token by name. + /// + /// The name of the token to retrieve (e.g., "access_token", "id_token", "refresh_token"). + /// A cancellation token. + /// The token value, or null if not available. + Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default); +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs new file mode 100644 index 00000000..86d89a93 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs @@ -0,0 +1,67 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.Models; + +/// +/// Configuration options for OpenID Connect authentication. +/// +public class OidcOptions +{ + /// + /// Gets or sets the authority URL of the OpenID Connect provider. + /// + public string Authority { get; set; } = default!; + + /// + /// Gets or sets the client ID registered with the OpenID Connect provider. + /// + public string ClientId { get; set; } = default!; + + /// + /// Gets or sets the client secret (optional, typically not used with public clients like WASM). + /// + public string? ClientSecret { get; set; } + + /// + /// Gets or sets the response type for the authentication request. + /// + public string ResponseType { get; set; } = "code"; + + /// + /// Gets or sets the scopes to request. + /// + public string[] Scopes { get; set; } = ["openid", "profile", "offline_access"]; + + /// + /// Gets or sets whether to use PKCE (Proof Key for Code Exchange). + /// + public bool UsePkce { get; set; } = true; + + /// + /// Gets or sets whether to save tokens in the authentication properties (Server only). + /// + public bool SaveTokens { get; set; } = true; + + /// + /// Gets or sets the callback path for handling the authentication response (Server only). + /// + public string CallbackPath { get; set; } = "/signin-oidc"; + + /// + /// Gets or sets the sign-out callback path (Server only). + /// + public string SignedOutCallbackPath { get; set; } = "/signout-callback-oidc"; + + /// + /// Gets or sets whether to require HTTPS metadata. + /// + public bool RequireHttpsMetadata { get; set; } = true; + + /// + /// Gets or sets whether to get claims from the user info endpoint. + /// + public bool GetClaimsFromUserInfoEndpoint { get; set; } = true; + + /// + /// Gets or sets the metadata address (optional, auto-discovered from Authority if not set). + /// + public string? MetadataAddress { get; set; } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md new file mode 100644 index 00000000..f263bc1f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -0,0 +1,272 @@ +# Elsa Studio Authentication - OpenID Connect + +A modern, best-practices OpenID Connect (OIDC) authentication module for Elsa Studio that leverages Microsoft's built-in authentication infrastructure. + +## Overview + +This module provides a clean, decoupled alternative to the OIDC implementation in `Elsa.Studio.Login`. It uses Microsoft's native authentication packages for automatic token management, PKCE support, and proper integration with ASP.NET Core and Blazor frameworks. + +### Key Benefits + +- **Automatic Token Management**: Tokens are automatically refreshed by the framework +- **Built-in PKCE Support**: Uses Microsoft's built-in Proof Key for Code Exchange implementation +- **Proper Middleware Integration**: Integrates with ASP.NET Core authentication pipeline +- **Hosting Model Optimized**: Separate implementations for Blazor Server and WebAssembly +- **Clean Architecture**: No browser storage manipulation, uses framework-managed authentication state +- **Security Best Practices**: Cookie-based sessions for Server, secure token provider for WASM + +## Architecture + +### Project Structure + +``` +Elsa.Studio.Authentication.OpenIdConnect/ +├── Contracts/ +│ └── IOidcTokenAccessor.cs # Token accessor abstraction +├── Models/ +│ └── OidcOptions.cs # OIDC configuration model +└── Services/ + └── OidcAuthenticationProvider.cs # IAuthenticationProvider implementation + +Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/ +├── Extensions/ +│ └── ServiceCollectionExtensions.cs # Server DI setup +└── Services/ + └── ServerOidcTokenAccessor.cs # Server-side token accessor + +Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ +├── Extensions/ +│ └── ServiceCollectionExtensions.cs # WASM DI setup +└── Services/ + └── WasmOidcTokenAccessor.cs # WASM-side token accessor +``` + +### Design Decisions + +#### Blazor Server Implementation +- Uses `Microsoft.AspNetCore.Authentication.OpenIdConnect` middleware +- Cookie-based authentication with secure session management +- Tokens stored in authentication properties (server-side only) +- Retrieved via `HttpContext.GetTokenAsync()` - no client storage + +#### Blazor WebAssembly Implementation +- Uses `Microsoft.AspNetCore.Components.WebAssembly.Authentication` +- Leverages built-in `IAccessTokenProvider` for automatic token management +- Framework handles token refresh, expiry, and renewal automatically +- Tokens never exposed directly to application code (security by design) + +## Installation & Usage + +### Blazor Server + +1. **Add Package References** (via project references or NuGet): + ```xml + + ``` + +2. **Configure in `Program.cs`**: + ```csharp + using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; + + // Configure OIDC authentication + builder.Services.AddOidcAuthentication(options => + { + options.Authority = "https://your-identity-server.com"; + options.ClientId = "elsa-studio"; + options.ClientSecret = "your-client-secret"; // Optional for confidential clients + options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; + options.UsePkce = true; // Recommended + }); + ``` + +3. **Add Authentication Middleware**: + ```csharp + // Before app.UseRouting() + app.UseAuthentication(); + app.UseAuthorization(); + ``` + +4. **Protect Pages** (optional): + ```csharp + // In _Imports.razor or individual pages + @attribute [Authorize] + ``` + +### Blazor WebAssembly + +1. **Add Package References**: + ```xml + + ``` + +2. **Configure in `Program.cs`**: + ```csharp + using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; + + // Configure OIDC authentication + builder.Services.AddOidcAuthentication(options => + { + options.Authority = "https://your-identity-server.com"; + options.ClientId = "elsa-studio-wasm"; + options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; + options.ResponseType = "code"; + options.CallbackPath = "/authentication/login-callback"; + options.SignedOutCallbackPath = "/authentication/logout-callback"; + }); + ``` + +3. **Add Authentication Components** in `App.razor`: + ```razor + + + + + + + + + + + + ``` + +4. **Add Authentication Routes**: + Create `Authentication.razor`: + ```razor + @page "/authentication/{action}" + @using Microsoft.AspNetCore.Components.WebAssembly.Authentication + + + @code { + [Parameter] public string? Action { get; set; } + } + ``` + +## Configuration Options + +### OidcOptions + +| Property | Type | Description | Default | +|----------|------|-------------|---------| +| `Authority` | `string` | OIDC provider authority URL | Required | +| `ClientId` | `string` | Client ID registered with provider | Required | +| `ClientSecret` | `string?` | Client secret (Server only, optional) | `null` | +| `ResponseType` | `string` | OAuth2 response type | `"code"` | +| `Scopes` | `string[]` | Requested scopes | `["openid", "profile", "offline_access"]` | +| `UsePkce` | `bool` | Enable PKCE | `true` | +| `SaveTokens` | `bool` | Save tokens in auth properties (Server) | `true` | +| `CallbackPath` | `string` | Authentication callback path | `"/signin-oidc"` | +| `SignedOutCallbackPath` | `string` | Sign-out callback path | `"/signout-callback-oidc"` | +| `RequireHttpsMetadata` | `bool` | Require HTTPS for metadata | `true` | +| `GetClaimsFromUserInfoEndpoint` | `bool` | Fetch claims from UserInfo | `true` | +| `MetadataAddress` | `string?` | Custom metadata address | Auto-discovered | + +## Token Access + +Both implementations provide access to tokens via the standard `IAuthenticationProvider` interface: + +```csharp +@inject IAuthenticationProviderManager AuthProviderManager + +var accessToken = await AuthProviderManager.GetAuthenticationTokenAsync(TokenNames.AccessToken); +``` + +### Token Names + +- `TokenNames.AccessToken` - Access token for API calls +- `TokenNames.IdToken` - ID token (Server only) +- `TokenNames.RefreshToken` - Refresh token (Server only, if available) + +> **Note**: In Blazor WASM, only access tokens are directly accessible. ID and refresh tokens are managed internally by the framework for security. + +## SignalR Integration + +The module works seamlessly with `WorkflowInstanceObserverFactory` for SignalR connections: + +```csharp +// Token is automatically retrieved and applied to SignalR hub connections +var observer = await observerFactory.CreateAsync(workflowInstanceId); +``` + +The `IAuthenticationProviderManager` automatically retrieves the access token from the appropriate source (HTTP context for Server, token provider for WASM). + +## Migration from Elsa.Studio.Login + +If you're currently using the OIDC implementation in `Elsa.Studio.Login`, here's how to migrate: + +### Before (Blazor Server): +```csharp +builder.Services.AddLoginModule(); +builder.Services.UseOpenIdConnect(options => +{ + options.AuthEndpoint = "https://identity-server.com/connect/authorize"; + options.TokenEndpoint = "https://identity-server.com/connect/token"; + options.EndSessionEndpoint = "https://identity-server.com/connect/endsession"; + options.ClientId = "elsa-studio"; + options.ClientSecret = "secret"; + options.Scopes = new[] { "openid", "profile", "elsa_api" }; +}); +``` + +### After (Blazor Server): +```csharp +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://identity-server.com"; // Auto-discovers endpoints + options.ClientId = "elsa-studio"; + options.ClientSecret = "secret"; + options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; +}); + +// Add middleware +app.UseAuthentication(); +app.UseAuthorization(); +``` + +## Differences from Legacy Implementation + +| Feature | Legacy (Elsa.Studio.Login) | New (This Module) | +|---------|---------------------------|-------------------| +| Token Storage | Browser LocalStorage/SessionStorage | Server: Auth properties (server-side only)
WASM: Framework-managed | +| Token Refresh | Manual with custom service | Automatic via framework | +| PKCE | Manual implementation | Built-in framework support | +| Middleware | Custom authorization redirect | Standard ASP.NET Core auth pipeline | +| Token Access | Direct storage access | Via `IAuthenticationProvider` abstraction | +| Security | Tokens exposed in browser storage | Server: Session cookies only
WASM: Framework-secured | + +## Troubleshooting + +### Common Issues + +1. **"SaveTokens must be true" error**: + - Ensure `SaveTokens = true` in Server configuration + - This is required for token retrieval via `HttpContext.GetTokenAsync()` + +2. **Tokens not available in WASM**: + - Only access tokens are directly accessible in WASM + - ID and refresh tokens are managed by the framework for security + +3. **SignalR connections fail**: + - Ensure the `offline_access` scope is requested for refresh tokens + - Verify the identity provider returns tokens with appropriate audience + +4. **Pre-rendering issues in Server**: + - Tokens are not available during pre-rendering + - Use `@attribute [Authorize]` to ensure authentication before render + +## Security Considerations + +- **Server**: Uses secure, HTTP-only cookies. Tokens never exposed to browser. +- **WASM**: Tokens managed by framework with proper expiry and renewal. +- **PKCE**: Enabled by default to protect against authorization code interception. +- **HTTPS**: Required for metadata endpoints in production (configurable for dev). + +## Related Packages + +- `Microsoft.AspNetCore.Authentication.OpenIdConnect` (Server) +- `Microsoft.AspNetCore.Components.WebAssembly.Authentication` (WASM) +- `Elsa.Studio.Core` (Core interfaces) + +## License + +This module is part of Elsa Studio and follows the same license terms. diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs new file mode 100644 index 00000000..3e100672 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs @@ -0,0 +1,35 @@ +using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Elsa.Studio.Contracts; + +namespace Elsa.Studio.Authentication.OpenIdConnect.Services; + +/// +/// Implementation of that retrieves tokens from OIDC authentication. +/// +public class OidcAuthenticationProvider : IAuthenticationProvider +{ + private readonly IOidcTokenAccessor _tokenAccessor; + + /// + /// Initializes a new instance of the class. + /// + public OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) + { + _tokenAccessor = tokenAccessor; + } + + /// + public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + // Map the token name to OIDC token name conventions + var oidcTokenName = tokenName switch + { + TokenNames.AccessToken => "access_token", + TokenNames.IdToken => "id_token", + TokenNames.RefreshToken => "refresh_token", + _ => tokenName + }; + + return await _tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); + } +} From 116b0dd7c06d588b776b8d9818799fce7867ba97 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:34:47 +0000 Subject: [PATCH 03/27] Add shared authentication abstractions for multi-provider support Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> --- Elsa.Studio.sln | 15 ++ .../Contracts/ITokenAccessor.cs | 17 ++ ....Studio.Authentication.Abstractions.csproj | 12 ++ .../Models/AuthenticationOptions.cs | 18 ++ .../README.md | 164 ++++++++++++++++++ .../Contracts/IOidcTokenAccessor.cs | 13 +- ...Studio.Authentication.OpenIdConnect.csproj | 1 + .../Models/OidcOptions.cs | 23 +-- .../README.md | 24 ++- 9 files changed, 264 insertions(+), 23 deletions(-) create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Elsa.Studio.Authentication.Abstractions.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Models/AuthenticationOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/README.md diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index 7c2383d5..a9db5378 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -91,6 +91,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication. EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm", "src\modules\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj", "{AED216D2-620D-4446-931F-BDEF357DA805}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.Abstractions", "src\modules\Elsa.Studio.Authentication.Abstractions\Elsa.Studio.Authentication.Abstractions.csproj", "{09E284E0-7F8E-4346-962F-90F3FBA8837D}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -461,6 +463,18 @@ Global {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x64.Build.0 = Release|Any CPU {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x86.ActiveCfg = Release|Any CPU {AED216D2-620D-4446-931F-BDEF357DA805}.Release|x86.Build.0 = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x64.ActiveCfg = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x64.Build.0 = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.ActiveCfg = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.Build.0 = Debug|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.Build.0 = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.ActiveCfg = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.Build.0 = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.ActiveCfg = Release|Any CPU + {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -500,6 +514,7 @@ Global {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {D66B9A40-8608-46F3-9868-625C50EACE43} {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {D66B9A40-8608-46F3-9868-625C50EACE43} {AED216D2-620D-4446-931F-BDEF357DA805} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {D66B9A40-8608-46F3-9868-625C50EACE43} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {5B8719CC-CF87-45E1-BE1A-13842F951B28} diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenAccessor.cs new file mode 100644 index 00000000..2059ec6f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenAccessor.cs @@ -0,0 +1,17 @@ +namespace Elsa.Studio.Authentication.Abstractions.Contracts; + +/// +/// Provides access to authentication tokens stored by an authentication provider. +/// This abstraction allows different authentication providers (OIDC, JWT, OAuth2, etc.) +/// to implement token retrieval in their own way. +/// +public interface ITokenAccessor +{ + /// + /// Retrieves an authentication token by name. + /// + /// The name of the token to retrieve (e.g., "access_token", "id_token", "refresh_token"). + /// A cancellation token. + /// The token value, or null if not available. + Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default); +} diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Elsa.Studio.Authentication.Abstractions.csproj b/src/modules/Elsa.Studio.Authentication.Abstractions/Elsa.Studio.Authentication.Abstractions.csproj new file mode 100644 index 00000000..54372947 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Elsa.Studio.Authentication.Abstractions.csproj @@ -0,0 +1,12 @@ + + + + Shared abstractions for authentication providers in Elsa Studio. + elsa studio authentication abstractions + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Models/AuthenticationOptions.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Models/AuthenticationOptions.cs new file mode 100644 index 00000000..f0258a6b --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Models/AuthenticationOptions.cs @@ -0,0 +1,18 @@ +namespace Elsa.Studio.Authentication.Abstractions.Models; + +/// +/// Base configuration options for authentication providers. +/// Authentication providers can extend this class to add provider-specific options. +/// +public abstract class AuthenticationOptions +{ + /// + /// Gets or sets the scopes to request. + /// + public string[] Scopes { get; set; } = Array.Empty(); + + /// + /// Gets or sets whether to require HTTPS for metadata endpoints. + /// + public bool RequireHttpsMetadata { get; set; } = true; +} diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/README.md b/src/modules/Elsa.Studio.Authentication.Abstractions/README.md new file mode 100644 index 00000000..ec4f0e7f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/README.md @@ -0,0 +1,164 @@ +# Elsa Studio Authentication Abstractions + +Shared abstractions for authentication providers in Elsa Studio. + +## Overview + +This package provides common interfaces and base classes that can be shared across different authentication provider implementations (OIDC, OAuth2, JWT, SAML, etc.). It promotes consistency and reusability across authentication modules. + +## Purpose + +The abstractions package allows: + +1. **Multiple Authentication Providers**: Support various authentication mechanisms without duplicating code +2. **Consistent Patterns**: Provide a common token access pattern across all providers +3. **Extensibility**: Make it easy to add new authentication providers +4. **Decoupling**: Keep provider-specific code separate while maintaining shared contracts + +## Abstractions + +### ITokenAccessor + +The core abstraction for retrieving authentication tokens from any authentication provider. + +```csharp +public interface ITokenAccessor +{ + Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default); +} +``` + +**Usage**: Authentication providers implement this interface to provide access to tokens stored in their specific context (HTTP context, browser storage, etc.). + +### AuthenticationOptions + +A base class for authentication configuration that can be extended by specific providers. + +```csharp +public abstract class AuthenticationOptions +{ + public string[] Scopes { get; set; } + public bool RequireHttpsMetadata { get; set; } +} +``` + +**Usage**: Provider-specific options classes inherit from this to add their own configuration properties. + +## Example: Implementing a New Authentication Provider + +### 1. Create Provider-Specific Options + +```csharp +using Elsa.Studio.Authentication.Abstractions.Models; + +public class CustomAuthOptions : AuthenticationOptions +{ + public string Authority { get; set; } + public string ClientId { get; set; } + // Add provider-specific properties +} +``` + +### 2. Implement ITokenAccessor + +```csharp +using Elsa.Studio.Authentication.Abstractions.Contracts; + +public class CustomTokenAccessor : ITokenAccessor +{ + public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken) + { + // Retrieve token from your provider's storage/context + return await GetTokenFromCustomSource(tokenName); + } +} +``` + +### 3. Implement IAuthenticationProvider + +```csharp +using Elsa.Studio.Contracts; +using Elsa.Studio.Authentication.Abstractions.Contracts; + +public class CustomAuthenticationProvider : IAuthenticationProvider +{ + private readonly ITokenAccessor _tokenAccessor; + + public CustomAuthenticationProvider(ITokenAccessor tokenAccessor) + { + _tokenAccessor = tokenAccessor; + } + + public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken) + { + // Map standard token names to provider-specific names if needed + return await _tokenAccessor.GetTokenAsync(tokenName, cancellationToken); + } +} +``` + +### 4. Register Services + +```csharp +services.AddScoped(); +services.AddScoped(); +``` + +## Existing Implementations + +The following authentication providers use these abstractions: + +- **Elsa.Studio.Authentication.OpenIdConnect** - OpenID Connect authentication + - `IOidcTokenAccessor : ITokenAccessor` - OIDC-specific token accessor + - `OidcOptions : AuthenticationOptions` - OIDC configuration + - Implementations for Blazor Server and WebAssembly + +## Design Philosophy + +### Why Abstractions? + +1. **Separation of Concerns**: Core token access logic is separated from provider-specific implementations +2. **Testability**: Easy to mock token accessors for unit testing +3. **Flexibility**: New authentication providers can be added without modifying existing code +4. **Future-Proof**: Changes to one provider don't affect others + +### Why Not More Abstractions? + +We intentionally keep the abstraction layer minimal: + +- Different authentication providers have significantly different flows +- Over-abstraction can make implementations harder to understand +- Provider-specific optimizations should not be constrained by abstractions +- The `IAuthenticationProvider` interface in `Elsa.Studio.Core` is already very flexible + +## Integration with Elsa Studio Core + +These abstractions work alongside the existing authentication infrastructure: + +``` +Elsa.Studio.Core +├── IAuthenticationProvider ← Called by Elsa Studio +│ └── Implemented by providers ← Uses ITokenAccessor internally +│ +Elsa.Studio.Authentication.Abstractions +├── ITokenAccessor ← Provider-agnostic token access +└── AuthenticationOptions ← Shared configuration +``` + +## Relationship with IAuthenticationProviderManager + +The `IAuthenticationProviderManager` (from `Elsa.Studio.Core`) iterates through registered `IAuthenticationProvider` implementations to find a valid token. This allows multiple authentication providers to coexist, with the manager selecting the first one that returns a token. + +## Future Extensions + +Potential additions to the abstractions: + +- `ITokenRefreshHandler` - For providers that support token refresh +- `IAuthenticationStateProvider` - For providers that need custom authentication state +- `IAuthenticationEventHandler` - For handling sign-in/sign-out events + +These would be added only when multiple providers require the same pattern. + +## License + +This package is part of Elsa Studio and follows the same license terms. diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs index 1576f214..5f5f5d07 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessor.cs @@ -1,15 +1,12 @@ +using Elsa.Studio.Authentication.Abstractions.Contracts; + namespace Elsa.Studio.Authentication.OpenIdConnect.Contracts; /// /// Provides access to OIDC tokens stored in the authentication context. +/// Extends with OIDC-specific functionality if needed. /// -public interface IOidcTokenAccessor +public interface IOidcTokenAccessor : ITokenAccessor { - /// - /// Retrieves an authentication token by name. - /// - /// The name of the token to retrieve (e.g., "access_token", "id_token", "refresh_token"). - /// A cancellation token. - /// The token value, or null if not available. - Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default); + // Can add OIDC-specific methods here in the future if needed } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Elsa.Studio.Authentication.OpenIdConnect.csproj b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Elsa.Studio.Authentication.OpenIdConnect.csproj index 9f382c83..d6d4aacb 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Elsa.Studio.Authentication.OpenIdConnect.csproj +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Elsa.Studio.Authentication.OpenIdConnect.csproj @@ -15,6 +15,7 @@ + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs index 86d89a93..58cec2c1 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs @@ -1,9 +1,11 @@ +using Elsa.Studio.Authentication.Abstractions.Models; + namespace Elsa.Studio.Authentication.OpenIdConnect.Models; /// /// Configuration options for OpenID Connect authentication. /// -public class OidcOptions +public class OidcOptions : AuthenticationOptions { /// /// Gets or sets the authority URL of the OpenID Connect provider. @@ -25,11 +27,6 @@ public class OidcOptions /// public string ResponseType { get; set; } = "code"; - /// - /// Gets or sets the scopes to request. - /// - public string[] Scopes { get; set; } = ["openid", "profile", "offline_access"]; - /// /// Gets or sets whether to use PKCE (Proof Key for Code Exchange). /// @@ -50,11 +47,6 @@ public class OidcOptions /// public string SignedOutCallbackPath { get; set; } = "/signout-callback-oidc"; - /// - /// Gets or sets whether to require HTTPS metadata. - /// - public bool RequireHttpsMetadata { get; set; } = true; - /// /// Gets or sets whether to get claims from the user info endpoint. /// @@ -64,4 +56,13 @@ public class OidcOptions /// Gets or sets the metadata address (optional, auto-discovered from Authority if not set). /// public string? MetadataAddress { get; set; } + + /// + /// Initializes a new instance of the class. + /// + public OidcOptions() + { + // Set default OIDC scopes + Scopes = ["openid", "profile", "offline_access"]; + } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md index f263bc1f..23a3ab45 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -6,6 +6,8 @@ A modern, best-practices OpenID Connect (OIDC) authentication module for Elsa St This module provides a clean, decoupled alternative to the OIDC implementation in `Elsa.Studio.Login`. It uses Microsoft's native authentication packages for automatic token management, PKCE support, and proper integration with ASP.NET Core and Blazor frameworks. +**Note**: This is one of potentially many authentication providers for Elsa Studio. It extends the shared `Elsa.Studio.Authentication.Abstractions` to provide OIDC-specific functionality. + ### Key Benefits - **Automatic Token Management**: Tokens are automatically refreshed by the framework @@ -14,17 +16,24 @@ This module provides a clean, decoupled alternative to the OIDC implementation i - **Hosting Model Optimized**: Separate implementations for Blazor Server and WebAssembly - **Clean Architecture**: No browser storage manipulation, uses framework-managed authentication state - **Security Best Practices**: Cookie-based sessions for Server, secure token provider for WASM +- **Shared Abstractions**: Uses common patterns from `Elsa.Studio.Authentication.Abstractions` ## Architecture ### Project Structure ``` +Elsa.Studio.Authentication.Abstractions/ +├── Contracts/ +│ └── ITokenAccessor.cs # Shared token accessor abstraction +└── Models/ + └── AuthenticationOptions.cs # Base authentication options + Elsa.Studio.Authentication.OpenIdConnect/ ├── Contracts/ -│ └── IOidcTokenAccessor.cs # Token accessor abstraction +│ └── IOidcTokenAccessor.cs # OIDC-specific token accessor (extends ITokenAccessor) ├── Models/ -│ └── OidcOptions.cs # OIDC configuration model +│ └── OidcOptions.cs # OIDC configuration (extends AuthenticationOptions) └── Services/ └── OidcAuthenticationProvider.cs # IAuthenticationProvider implementation @@ -146,18 +155,20 @@ Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ ### OidcOptions +`OidcOptions` extends `AuthenticationOptions` from `Elsa.Studio.Authentication.Abstractions`. + | Property | Type | Description | Default | |----------|------|-------------|---------| | `Authority` | `string` | OIDC provider authority URL | Required | | `ClientId` | `string` | Client ID registered with provider | Required | | `ClientSecret` | `string?` | Client secret (Server only, optional) | `null` | | `ResponseType` | `string` | OAuth2 response type | `"code"` | -| `Scopes` | `string[]` | Requested scopes | `["openid", "profile", "offline_access"]` | +| `Scopes` | `string[]` | Requested scopes (inherited) | `["openid", "profile", "offline_access"]` | | `UsePkce` | `bool` | Enable PKCE | `true` | | `SaveTokens` | `bool` | Save tokens in auth properties (Server) | `true` | | `CallbackPath` | `string` | Authentication callback path | `"/signin-oidc"` | | `SignedOutCallbackPath` | `string` | Sign-out callback path | `"/signout-callback-oidc"` | -| `RequireHttpsMetadata` | `bool` | Require HTTPS for metadata | `true` | +| `RequireHttpsMetadata` | `bool` | Require HTTPS for metadata (inherited) | `true` | | `GetClaimsFromUserInfoEndpoint` | `bool` | Fetch claims from UserInfo | `true` | | `MetadataAddress` | `string?` | Custom metadata address | Auto-discovered | @@ -263,10 +274,15 @@ app.UseAuthorization(); ## Related Packages +- `Elsa.Studio.Authentication.Abstractions` (Shared authentication abstractions) - `Microsoft.AspNetCore.Authentication.OpenIdConnect` (Server) - `Microsoft.AspNetCore.Components.WebAssembly.Authentication` (WASM) - `Elsa.Studio.Core` (Core interfaces) +## Building Your Own Authentication Provider + +If you need to implement a different authentication mechanism (OAuth2, JWT, SAML, etc.), refer to the `Elsa.Studio.Authentication.Abstractions` package documentation for guidance on creating new authentication providers that follow the same patterns. + ## License This module is part of Elsa Studio and follows the same license terms. From 42d2fcce1aebf4b64586e5fe9c5cffefd6f77155 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:36:22 +0000 Subject: [PATCH 04/27] Add comprehensive authentication architecture documentation Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> --- src/modules/AUTHENTICATION_ARCHITECTURE.md | 335 +++++++++++++++++++++ 1 file changed, 335 insertions(+) create mode 100644 src/modules/AUTHENTICATION_ARCHITECTURE.md diff --git a/src/modules/AUTHENTICATION_ARCHITECTURE.md b/src/modules/AUTHENTICATION_ARCHITECTURE.md new file mode 100644 index 00000000..4a7ff02b --- /dev/null +++ b/src/modules/AUTHENTICATION_ARCHITECTURE.md @@ -0,0 +1,335 @@ +# Elsa Studio Authentication Architecture + +This document provides an overview of the authentication architecture in Elsa Studio, including how different authentication providers integrate with the framework. + +## Overview + +Elsa Studio supports multiple authentication providers through a flexible, extensible architecture. The system is designed to: + +1. Support multiple authentication mechanisms (OIDC, OAuth2, JWT, etc.) +2. Work across different Blazor hosting models (Server and WebAssembly) +3. Provide automatic token management and refresh +4. Integrate seamlessly with backend API calls and SignalR connections + +## Architecture Layers + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ Elsa Studio Application │ +│ (Workflows, Dashboard, etc. - uses IAuthenticationProviderManager) │ +└──────────────────────────┬──────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ Elsa.Studio.Core │ +│ • IAuthenticationProvider - Gets tokens for the app │ +│ • IAuthenticationProviderManager - Manages multiple providers │ +│ • TokenNames - Standard token name constants │ +└──────────────────────────┬──────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ Elsa.Studio.Authentication.Abstractions │ +│ • ITokenAccessor - Provider-agnostic token access │ +│ • AuthenticationOptions - Base configuration │ +└──────────────────────────┬──────────────────────────────────────┘ + │ + ┌───────────────┴───────────────┬─────────────────┐ + ▼ ▼ ▼ +┌──────────────────────┐ ┌──────────────────┐ ┌─────────────┐ +│ OIDC Provider │ │ OAuth2 Provider │ │ Future │ +│ • IOidcTokenAccessor│ │ (Future) │ │ Providers │ +│ • OidcOptions │ │ │ │ (JWT, SAML) │ +│ • Server & WASM │ │ │ │ │ +└──────────────────────┘ └──────────────────┘ └─────────────┘ +``` + +## Core Concepts + +### 1. Token Flow + +``` +Application Request + ↓ +IAuthenticationProviderManager.GetAuthenticationTokenAsync() + ↓ +[Iterates through registered IAuthenticationProvider instances] + ↓ +IAuthenticationProvider.GetAccessTokenAsync() + ↓ +ITokenAccessor.GetTokenAsync() + ↓ +[Provider-specific token retrieval] + ↓ +Token returned to application +``` + +### 2. Provider Registration + +Multiple authentication providers can be registered simultaneously: + +```csharp +// Example: Register OIDC for API calls, JWT for specific endpoints +services.AddOidcAuthentication(options => { /* OIDC config */ }); +services.AddJwtAuthentication(options => { /* JWT config */ }); + +// The manager will try each provider until a valid token is found +``` + +### 3. Hosting Model Differences + +#### Blazor Server +- Uses ASP.NET Core authentication middleware +- Tokens stored server-side in authentication properties +- Accessed via `HttpContext.GetTokenAsync()` +- Cookie-based session management +- No client-side token exposure + +#### Blazor WebAssembly +- Uses `Microsoft.AspNetCore.Components.WebAssembly.Authentication` +- Tokens managed by browser-based authentication framework +- Accessed via `IAccessTokenProvider` +- Automatic token refresh before expiry +- Secure token storage in browser + +## Standard Interfaces + +### IAuthenticationProvider (Core) + +The main interface used by Elsa Studio applications. + +```csharp +public interface IAuthenticationProvider +{ + Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default); +} +``` + +**Purpose**: Provides tokens to the application for API calls and SignalR connections. + +### IAuthenticationProviderManager (Core) + +Manages multiple authentication providers. + +```csharp +public interface IAuthenticationProviderManager +{ + Task GetAuthenticationTokenAsync(string? tokenName, CancellationToken cancellationToken = default); +} +``` + +**Purpose**: Iterates through registered providers to find a valid token. + +### ITokenAccessor (Abstractions) + +Provider-agnostic interface for token retrieval. + +```csharp +public interface ITokenAccessor +{ + Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default); +} +``` + +**Purpose**: Allows authentication providers to implement token access in their own way. + +## Token Names + +Standard token names are defined in `TokenNames` class: + +- `TokenNames.AccessToken` - Access token for API authentication +- `TokenNames.IdToken` - Identity token (may not be available in all providers/hosting models) +- `TokenNames.RefreshToken` - Refresh token (may not be available in all providers/hosting models) + +## Authentication Providers + +### Current Providers + +#### 1. Elsa.Studio.Login (Legacy) +- **Location**: `src/modules/Elsa.Studio.Login` +- **Supports**: OIDC, OAuth2, Elsa Identity +- **Status**: Maintained for backward compatibility +- **Note**: Tight coupling with general login functionality + +#### 2. Elsa.Studio.Authentication.OpenIdConnect (New) +- **Location**: `src/modules/Elsa.Studio.Authentication.OpenIdConnect` +- **Supports**: OpenID Connect +- **Hosting**: Separate packages for Server and WASM +- **Features**: + - Uses Microsoft's built-in OIDC handlers + - Automatic token refresh + - PKCE support + - Cookie-based auth (Server) or framework-managed (WASM) + +### Future Providers (Examples) + +- `Elsa.Studio.Authentication.OAuth2` - Pure OAuth2 without OIDC +- `Elsa.Studio.Authentication.Jwt` - JWT bearer token authentication +- `Elsa.Studio.Authentication.Saml` - SAML authentication +- `Elsa.Studio.Authentication.AzureAD` - Azure AD specific optimizations +- Custom implementations for proprietary auth systems + +## Integration Points + +### 1. API Calls + +The `AuthenticatingApiHttpMessageHandler` automatically adds authentication tokens to API requests: + +```csharp +// In Elsa.Studio.Login +public class AuthenticatingApiHttpMessageHandler : DelegatingHandler +{ + protected override async Task SendAsync(...) + { + var token = await jwtAccessor.ReadTokenAsync(TokenNames.AccessToken); + request.Headers.Authorization = new("Bearer", token); + // ... handle 401 with token refresh + } +} +``` + +### 2. SignalR Connections + +The `WorkflowInstanceObserverFactory` retrieves tokens for SignalR hub connections: + +```csharp +var token = await authenticationProviderManager + .GetAuthenticationTokenAsync(TokenNames.AccessToken, cancellationToken); + +var connection = new HubConnectionBuilder() + .WithUrl(hubUrl, options => + { + options.AccessTokenProvider = () => Task.FromResult(token); + }) + .Build(); +``` + +### 3. Authorization State + +Blazor's `AuthenticationStateProvider` is used for UI authorization: + +```razor +@attribute [Authorize] + + + + + + + + + +``` + +## Security Considerations + +### Server Hosting +- ✅ Tokens never exposed to client browser +- ✅ Cookie-based authentication with HTTP-only cookies +- ✅ Secure server-side session management +- ✅ HTTPS-only cookies in production + +### WASM Hosting +- ✅ Tokens managed by authentication framework +- ✅ Automatic token expiry and renewal +- ✅ Access tokens available, but refresh tokens hidden +- ✅ Uses standard browser security features + +### General +- ✅ PKCE enabled by default for OIDC +- ✅ HTTPS required for metadata endpoints +- ✅ Token refresh on 401 responses +- ✅ Secure token storage per hosting model + +## Implementation Guide + +### Creating a New Authentication Provider + +See `src/modules/Elsa.Studio.Authentication.Abstractions/README.md` for detailed guidance. + +**Quick Steps**: + +1. Create provider-specific options extending `AuthenticationOptions` +2. Implement `ITokenAccessor` for your provider +3. Implement `IAuthenticationProvider` using your token accessor +4. Create hosting-specific implementations if needed (Server vs WASM) +5. Register services in DI container + +### Using an Authentication Provider + +**Blazor Server**: +```csharp +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://identity-server.com"; + options.ClientId = "elsa-studio"; + options.ClientSecret = "secret"; + options.Scopes = new[] { "openid", "profile", "elsa_api" }; +}); + +app.UseAuthentication(); +app.UseAuthorization(); +``` + +**Blazor WASM**: +```csharp +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://identity-server.com"; + options.ClientId = "elsa-studio-wasm"; + options.Scopes = new[] { "openid", "profile", "elsa_api" }; +}); +``` + +## Migration Path + +### From Elsa.Studio.Login to New Providers + +The new authentication providers are designed to coexist with the legacy `Elsa.Studio.Login`: + +1. **Phase 1**: Add new provider alongside existing Login module +2. **Phase 2**: Test new provider with your identity server +3. **Phase 3**: Switch to new provider by removing Login module registration +4. **Phase 4**: Remove Login module dependency once stable + +No breaking changes to existing applications. + +## Troubleshooting + +### Common Issues + +1. **Multiple providers registered, wrong one used** + - `IAuthenticationProviderManager` returns first valid token + - Check registration order + - Ensure only desired provider is registered + +2. **Tokens not available in WASM** + - Only access tokens directly accessible + - Refresh/ID tokens managed by framework + +3. **401 errors on API calls** + - Check token scopes match API requirements + - Verify `AuthenticatingApiHttpMessageHandler` is registered + - Check identity server returns correct audience + +4. **SignalR connections fail** + - Ensure `offline_access` scope for refresh tokens + - Verify token provider returns valid token + - Check SignalR hub authentication configuration + +## Resources + +- [Elsa.Studio.Authentication.Abstractions README](../modules/Elsa.Studio.Authentication.Abstractions/README.md) +- [Elsa.Studio.Authentication.OpenIdConnect README](../modules/Elsa.Studio.Authentication.OpenIdConnect/README.md) +- [Microsoft Authentication Documentation](https://learn.microsoft.com/en-us/aspnet/core/blazor/security/) + +## Future Enhancements + +Potential future additions: + +- Automatic provider discovery from configuration +- Multi-tenant authentication support +- Authentication caching and performance optimizations +- Enhanced token refresh strategies +- Authentication event hooks and middleware +- Support for additional identity providers (Auth0, Okta, etc.) From 203b35a5f1a4bfcb7de2e7c2d93f7daf42f92ca6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:37:30 +0000 Subject: [PATCH 05/27] Final: Add implementation summary for PR review Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> --- IMPLEMENTATION_SUMMARY.md | 207 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 207 insertions(+) create mode 100644 IMPLEMENTATION_SUMMARY.md diff --git a/IMPLEMENTATION_SUMMARY.md b/IMPLEMENTATION_SUMMARY.md new file mode 100644 index 00000000..56c9a454 --- /dev/null +++ b/IMPLEMENTATION_SUMMARY.md @@ -0,0 +1,207 @@ +# Implementation Summary: Standalone OIDC Authentication Module + +## What Was Built + +A complete, best-practices OpenID Connect authentication module for Elsa Studio that serves as a clean alternative to the existing OIDC implementation in `Elsa.Studio.Login`. + +## New Projects (4) + +### 1. Elsa.Studio.Authentication.Abstractions +**Purpose**: Shared abstractions for authentication providers + +**Contents**: +- `ITokenAccessor` - Provider-agnostic token access interface +- `AuthenticationOptions` - Base configuration class for all providers + +**Why**: Enables future authentication providers (OAuth2, JWT, SAML) to reuse common patterns + +### 2. Elsa.Studio.Authentication.OpenIdConnect +**Purpose**: Core OIDC abstractions + +**Contents**: +- `IOidcTokenAccessor` (extends `ITokenAccessor`) +- `OidcOptions` (extends `AuthenticationOptions`) +- `OidcAuthenticationProvider` (implements `IAuthenticationProvider`) + +**Why**: Provides OIDC-specific functionality while building on shared abstractions + +### 3. Elsa.Studio.Authentication.OpenIdConnect.BlazorServer +**Purpose**: Blazor Server implementation + +**Key Features**: +- Uses `Microsoft.AspNetCore.Authentication.OpenIdConnect` middleware +- Cookie-based authentication (HTTP-only, secure) +- Tokens stored server-side via authentication properties +- Retrieved using `HttpContext.GetTokenAsync()` +- **No browser storage** - tokens never exposed to client + +**Why Server-Specific**: Server can use ASP.NET Core authentication pipeline and maintain server-side sessions + +### 4. Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm +**Purpose**: Blazor WebAssembly implementation + +**Key Features**: +- Uses `Microsoft.AspNetCore.Components.WebAssembly.Authentication` +- Leverages `IAccessTokenProvider` for automatic token management +- Framework handles token refresh, expiry, and renewal automatically +- Secure token handling (refresh/ID tokens hidden from application code) + +**Why WASM-Specific**: WASM runs in browser and needs specialized token management with automatic refresh + +## Key Improvements Over Legacy Implementation + +| Aspect | Legacy (Elsa.Studio.Login) | New (This Module) | +|--------|---------------------------|-------------------| +| **Token Storage** | Browser localStorage/sessionStorage | Server: Auth properties (server-side)
WASM: Framework-managed | +| **Token Refresh** | Manual implementation | Automatic via framework | +| **PKCE** | Manual implementation | Built-in framework support | +| **Middleware** | Custom authorization flow | Standard ASP.NET Core pipeline | +| **Security** | Tokens exposed in browser | Server: No client exposure
WASM: Framework-secured | +| **Coupling** | Tight with Login module | Fully decoupled | + +## Architecture + +``` +Elsa Studio App → IAuthenticationProviderManager + ↓ + IAuthenticationProvider (Core) + ↓ + ITokenAccessor (Abstractions) ← Provider-agnostic + ↓ + IOidcTokenAccessor (OIDC) ← OIDC-specific + ↓ + ┌────────────┴────────────┐ + ▼ ▼ +ServerOidcTokenAccessor WasmOidcTokenAccessor +(HttpContext) (IAccessTokenProvider) +``` + +## Compatibility + +✅ **WorkflowInstanceObserverFactory**: Tested pattern, works with both implementations +✅ **SignalR Hub Connections**: Token access via `IAuthenticationProviderManager` +✅ **API HTTP Calls**: Compatible with existing `AuthenticatingApiHttpMessageHandler` +✅ **Backward Compatible**: Does not modify or break existing `Elsa.Studio.Login` + +## Usage Examples + +### Blazor Server +```csharp +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://identity-server.com"; + options.ClientId = "elsa-studio"; + options.ClientSecret = "secret"; + options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; +}); + +app.UseAuthentication(); +app.UseAuthorization(); +``` + +### Blazor WASM +```csharp +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://identity-server.com"; + options.ClientId = "elsa-studio-wasm"; + options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; +}); +``` + +## Documentation + +Three comprehensive documentation files: + +1. **`src/modules/Elsa.Studio.Authentication.Abstractions/README.md`** + - How to create new authentication providers + - Shared abstractions explanation + - Examples for future providers + +2. **`src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md`** + - Complete OIDC usage guide + - Configuration options + - Migration from legacy implementation + - Troubleshooting guide + +3. **`src/modules/AUTHENTICATION_ARCHITECTURE.md`** + - System-wide authentication architecture + - Integration points (API calls, SignalR, UI) + - Security considerations + - Multi-provider design + +## Build Status + +✅ All 4 projects build successfully +✅ No build errors +✅ Added to solution +✅ Package dependencies managed via Central Package Management + +## What Was NOT Changed + +❌ Existing `Elsa.Studio.Login` module - **completely untouched** +❌ Host applications - kept as-is (new module is optional) +❌ Any other authentication code + +## Design Decisions + +### Why Separate Projects for Server/WASM? +- Different authentication mechanisms +- Server uses middleware + cookies +- WASM uses built-in token provider +- Avoids conditional compilation complexity + +### Why Not Use Existing IJwtAccessor? +- Legacy interface tied to browser storage +- New approach uses framework-native token access +- Cleaner separation of concerns + +### Why Create Abstractions Project? +- Per user requirement: OIDC is one of many potential providers +- Enables OAuth2, JWT, SAML, etc. in the future +- Promotes consistency across providers +- Minimal abstraction (just token access + config base) + +### Why Not Integrate with Hosts? +- Module is optional and standalone +- Users can choose when/how to adopt +- Avoids forcing breaking changes +- Easier to test independently + +## Testing Recommendations + +For users to test: + +1. **Blazor Server**: + - Replace `UseOpenIdConnect` with new `AddOidcAuthentication` + - Add `app.UseAuthentication()` and `app.UseAuthorization()` + - Configure with your identity provider + - Test login, API calls, SignalR connections + +2. **Blazor WASM**: + - Replace legacy OIDC setup with new `AddOidcAuthentication` + - Add authentication routes and components + - Configure with your identity provider + - Test login, token refresh, API calls + +## Future Possibilities + +With the abstractions in place, adding new providers is straightforward: + +- `Elsa.Studio.Authentication.OAuth2` - Pure OAuth2 +- `Elsa.Studio.Authentication.Jwt` - JWT bearer tokens +- `Elsa.Studio.Authentication.Saml` - SAML authentication +- `Elsa.Studio.Authentication.AzureAD` - Azure AD optimizations +- Custom providers for proprietary systems + +## Summary + +This implementation provides a **clean-slate, best-practices OpenID Connect module** that: +- Leverages Microsoft's proven authentication infrastructure +- Properly supports both Blazor hosting models +- Eliminates manual token management +- Improves security +- Enables future authentication providers +- Maintains complete backward compatibility + +**Ready for review and user testing!** From 1b44a1d0adaa938441a76b8b9d813b360b9624e9 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:27:51 +0100 Subject: [PATCH 06/27] Add authentication infrastructure and modules for Elsa Studio, including ElsaAuth and OpenID Connect integration. --- .../Authentication.razor | 9 +++ .../Extensions/ServiceCollectionExtensions.cs | 28 +++++++ .../AuthenticatingApiHttpMessageHandler.cs | 32 ++++++++ .../BearerTokenHttpMessageHandler.cs | 39 +++++++++ .../DefaultAuthenticationProviderManager.cs | 26 ++++++ ...uthentication.ElsaAuth.BlazorServer.csproj | 17 ++++ .../Extensions/ServiceCollectionExtensions.cs | 30 +++++++ .../Services/BlazorServerJwtAccessor.cs | 37 +++++++++ .../Services/BlazorServerJwtParser.cs | 81 +++++++++++++++++++ ....Authentication.ElsaAuth.BlazorWasm.csproj | 13 +++ .../Extensions/ServiceCollectionExtensions.cs | 29 +++++++ .../Services/BlazorWasmJwtAccessor.cs | 19 +++++ .../Services/BlazorWasmJwtParser.cs | 76 +++++++++++++++++ .../DefaultUnauthorizedComponentProvider.cs | 20 +++++ .../Contracts/IAuthorizationService.cs | 18 +++++ .../Contracts/ICredentialsValidator.cs | 15 ++++ .../Contracts/IEndSessionService.cs | 13 +++ .../Contracts/IJwtAccessor.cs | 17 ++++ .../Contracts/IJwtParser.cs | 15 ++++ .../Contracts/IRefreshTokenService.cs | 15 ++++ .../Contracts/PkceData.cs | 3 + ...Elsa.Studio.Authentication.ElsaAuth.csproj | 22 +++++ .../Extensions/ServiceCollectionExtensions.cs | 49 +++++++++++ .../Models/IdentityTokenOptions.cs | 18 +++++ .../Models/ValidateCredentialsResult.cs | 7 ++ .../AccessTokenAuthenticationStateProvider.cs | 43 ++++++++++ .../DefaultIdentityTokenOptionsSetup.cs | 18 +++++ .../ElsaIdentityAuthorizationService.cs | 22 +++++ .../ElsaIdentityCredentialsValidator.cs | 22 +++++ .../Services/ElsaIdentityEndSessionService.cs | 16 ++++ .../ElsaIdentityRefreshTokenService.cs | 41 ++++++++++ .../Services/JwtAuthenticationProvider.cs | 12 +++ .../OidcUnauthorizedComponentProvider.cs | 16 ++++ .../Components/ChallengeToLogin.razor | 13 +++ .../Controllers/AuthenticationController.cs | 38 +++++++++ .../OidcUnauthorizedComponentProvider.cs | 16 ++++ .../Components/NavigateToLogin.razor | 11 +++ 37 files changed, 916 insertions(+) create mode 100644 src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Services/DefaultAuthenticationProviderManager.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Elsa.Studio.Authentication.ElsaAuth.BlazorServer.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtParser.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtParser.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/ComponentProviders/DefaultUnauthorizedComponentProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IAuthorizationService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/ICredentialsValidator.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IEndSessionService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtParser.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IRefreshTokenService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Elsa.Studio.Authentication.ElsaAuth.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/IdentityTokenOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/ValidateCredentialsResult.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/AccessTokenAuthenticationStateProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/DefaultIdentityTokenOptionsSetup.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityEndSessionService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/ComponentProviders/OidcUnauthorizedComponentProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/ChallengeToLogin.razor create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/AuthenticationController.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ComponentProviders/OidcUnauthorizedComponentProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor b/src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor new file mode 100644 index 00000000..078f9e46 --- /dev/null +++ b/src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor @@ -0,0 +1,9 @@ +@page "/authentication/{action}" +@using Microsoft.AspNetCore.Components.WebAssembly.Authentication + + + +@code { + [Parameter] public string? Action { get; set; } +} + diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..8187e3fb --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,28 @@ +using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; +using Elsa.Studio.Authentication.Abstractions.Services; +using Elsa.Studio.Contracts; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; + +namespace Elsa.Studio.Authentication.Abstractions.Extensions; + +/// +/// Extension methods for registering shared authentication infrastructure. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds shared authentication infrastructure services. + /// + public static IServiceCollection AddAuthenticationInfrastructure(this IServiceCollection services) + { + // Used by API clients to attach access tokens. + services.TryAddScoped(); + services.TryAddScoped(); + + // Used by modules (e.g. Workflows) to retrieve tokens without depending on a specific auth provider. + services.TryAddScoped(); + + return services; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs new file mode 100644 index 00000000..2d90111b --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -0,0 +1,32 @@ +using Elsa.Studio.Contracts; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; + +/// +/// An that attaches an access token (if available) to outgoing HTTP requests. +/// +/// +/// This handler is authentication-provider-agnostic and does not attempt to refresh tokens itself. +/// Token acquisition/refresh is the responsibility of the active implementation +/// (e.g. OIDC via MSAL/RemoteAuthenticationService, ElsaAuth via stored JWTs, etc.). +/// +public class AuthenticatingApiHttpMessageHandler(IBlazorServiceAccessor blazorServiceAccessor) : DelegatingHandler +{ + /// + protected override async Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) + { + var sp = blazorServiceAccessor.Services; + var authenticationProvider = sp.GetRequiredService(); + + var accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); + + if (string.IsNullOrWhiteSpace(accessToken)) + request.Headers.Authorization = null; + else + request.Headers.Authorization = new("Bearer", accessToken); + + return await base.SendAsync(request, cancellationToken); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs new file mode 100644 index 00000000..2e0098d7 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs @@ -0,0 +1,39 @@ +using Elsa.Studio.Contracts; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; + +/// +/// An that attaches an access token (if available) to outgoing HTTP requests. +/// +/// +/// This handler is intentionally authentication-provider-agnostic. It relies on +/// (resolved from the current Blazor scope) to retrieve an access token. +/// +public class BearerTokenHttpMessageHandler(IBlazorServiceAccessor blazorServiceAccessor) : DelegatingHandler +{ + /// + protected override async Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) + { + var sp = blazorServiceAccessor.Services; + var authenticationProvider = sp.GetRequiredService(); + + await AttachAccessTokenAsync(request, authenticationProvider, cancellationToken); + + return await base.SendAsync(request, cancellationToken); + } + + private static async Task AttachAccessTokenAsync(HttpRequestMessage request, IAuthenticationProvider authenticationProvider, CancellationToken cancellationToken) + { + var accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); + + if (string.IsNullOrWhiteSpace(accessToken)) + { + request.Headers.Authorization = null; + return; + } + + request.Headers.Authorization = new("Bearer", accessToken); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Services/DefaultAuthenticationProviderManager.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Services/DefaultAuthenticationProviderManager.cs new file mode 100644 index 00000000..b08249f2 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Services/DefaultAuthenticationProviderManager.cs @@ -0,0 +1,26 @@ +using Elsa.Studio.Contracts; + +namespace Elsa.Studio.Authentication.Abstractions.Services; + +/// +/// Default implementation of that queries registered instances. +/// +public class DefaultAuthenticationProviderManager(IEnumerable authenticationProviders) : IAuthenticationProviderManager +{ + /// + public async Task GetAuthenticationTokenAsync(string? tokenName, CancellationToken cancellationToken = default) + { + var effectiveTokenName = tokenName ?? TokenNames.AccessToken; + + foreach (var authenticationProvider in authenticationProviders) + { + var token = await authenticationProvider.GetAccessTokenAsync(effectiveTokenName, cancellationToken); + + if (!string.IsNullOrWhiteSpace(token)) + return token; + } + + return null; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Elsa.Studio.Authentication.ElsaAuth.BlazorServer.csproj b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Elsa.Studio.Authentication.ElsaAuth.BlazorServer.csproj new file mode 100644 index 00000000..643c88bd --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Elsa.Studio.Authentication.ElsaAuth.BlazorServer.csproj @@ -0,0 +1,17 @@ + + + + Elsa Studio ElsaAuth module for Blazor Server apps. + elsa studio authentication elsa auth blazor server + + + + + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..484f6a0b --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,30 @@ +using Blazored.LocalStorage; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Extensions; +using Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Services; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions; + +/// +/// Service registrations for ElsaAuth in Blazor Server. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds ElsaAuth services with Blazor Server implementations. + /// + public static IServiceCollection AddElsaAuth(this IServiceCollection services) + { + services.AddElsaAuthCore(); + + services.AddHttpContextAccessor(); + services.AddBlazoredLocalStorage(); + + services.AddSingleton(); + services.AddScoped(); + + return services; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs new file mode 100644 index 00000000..af1d0adf --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs @@ -0,0 +1,37 @@ +using Blazored.LocalStorage; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Microsoft.AspNetCore.Http; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Services; + +/// +/// Implements the interface for server-side Blazor. +/// +public class BlazorServerJwtAccessor : IJwtAccessor +{ + private readonly IHttpContextAccessor _httpContextAccessor; + private readonly ILocalStorageService _localStorageService; + + /// + /// Initializes a new instance of the class. + /// + public BlazorServerJwtAccessor(IHttpContextAccessor httpContextAccessor, ILocalStorageService localStorageService) + { + _httpContextAccessor = httpContextAccessor; + _localStorageService = localStorageService; + } + + private bool IsPrerendering() => _httpContextAccessor.HttpContext?.Response.HasStarted == false; + + /// + public async ValueTask WriteTokenAsync(string name, string token) => await _localStorageService.SetItemAsStringAsync(name, token); + + /// + public async ValueTask ReadTokenAsync(string name) + { + if (IsPrerendering()) + return null; + + return await _localStorageService.GetItemAsync(name); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtParser.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtParser.cs new file mode 100644 index 00000000..1e842e71 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtParser.cs @@ -0,0 +1,81 @@ +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using System.Security.Claims; +using System.Text; +using System.Text.Json; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Services; + +/// +public class BlazorServerJwtParser : IJwtParser +{ + /// + public IEnumerable Parse(string jwt) + { + if (string.IsNullOrWhiteSpace(jwt)) + return Array.Empty(); + + var parts = jwt.Split('.', StringSplitOptions.RemoveEmptyEntries); + if (parts.Length < 2) + return Array.Empty(); + + var payloadJson = DecodeBase64UrlToString(parts[1]); + + using var document = JsonDocument.Parse(payloadJson); + if (document.RootElement.ValueKind != JsonValueKind.Object) + return Array.Empty(); + + var claims = new List(); + + foreach (var property in document.RootElement.EnumerateObject()) + AddClaimsFromJson(property.Name, property.Value, claims); + + return claims; + } + + private static void AddClaimsFromJson(string type, JsonElement value, ICollection claims) + { + switch (value.ValueKind) + { + case JsonValueKind.Null: + case JsonValueKind.Undefined: + return; + + case JsonValueKind.Array: + foreach (var item in value.EnumerateArray()) + AddClaimsFromJson(type, item, claims); + return; + + case JsonValueKind.Object: + // For nested objects, store the raw JSON. + claims.Add(new Claim(type, value.GetRawText(), ClaimValueTypes.String)); + return; + + case JsonValueKind.True: + case JsonValueKind.False: + claims.Add(new Claim(type, value.GetBoolean() ? "true" : "false", ClaimValueTypes.Boolean)); + return; + + case JsonValueKind.Number: + // Preserve as string; callers can interpret. + claims.Add(new Claim(type, value.GetRawText(), ClaimValueTypes.String)); + return; + + case JsonValueKind.String: + claims.Add(new Claim(type, value.GetString() ?? string.Empty, ClaimValueTypes.String)); + return; + + default: + claims.Add(new Claim(type, value.ToString(), ClaimValueTypes.String)); + return; + } + } + + private static string DecodeBase64UrlToString(string base64Url) + { + // base64url -> base64 + var padded = base64Url.Replace('-', '+').Replace('_', '/'); + padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '='); + var bytes = Convert.FromBase64String(padded); + return Encoding.UTF8.GetString(bytes); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj new file mode 100644 index 00000000..d1c9a3b8 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj @@ -0,0 +1,13 @@ + + + + Elsa Studio ElsaAuth module for Blazor WebAssembly apps. + elsa studio authentication elsa auth blazor wasm + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..83582aae --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,29 @@ +using Blazored.LocalStorage; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Extensions; +using Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Services; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Extensions; + +/// +/// Service registrations for ElsaAuth in Blazor WebAssembly. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds ElsaAuth services with Blazor WebAssembly implementations. + /// + public static IServiceCollection AddElsaAuth(this IServiceCollection services) + { + services.AddElsaAuthCore(); + + services.AddBlazoredLocalStorage(); + + services.AddSingleton(); + services.AddScoped(); + + return services; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs new file mode 100644 index 00000000..2af193a4 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs @@ -0,0 +1,19 @@ +using Blazored.LocalStorage; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Services; + +/// +public class BlazorWasmJwtAccessor : IJwtAccessor +{ + private readonly ILocalStorageService _localStorageService; + + public BlazorWasmJwtAccessor(ILocalStorageService localStorageService) => _localStorageService = localStorageService; + + /// + public async ValueTask ReadTokenAsync(string name) => await _localStorageService.GetItemAsync(name); + + /// + public async ValueTask WriteTokenAsync(string name, string token) => await _localStorageService.SetItemAsStringAsync(name, token); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtParser.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtParser.cs new file mode 100644 index 00000000..fdf81ba3 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtParser.cs @@ -0,0 +1,76 @@ +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using System.Security.Claims; +using System.Text; +using System.Text.Json.Nodes; + +namespace Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Services; + +/// +public class BlazorWasmJwtParser : IJwtParser +{ + /// + public IEnumerable Parse(string jwt) + { + if (string.IsNullOrWhiteSpace(jwt)) + return Array.Empty(); + + var parts = jwt.Split('.', StringSplitOptions.RemoveEmptyEntries); + if (parts.Length < 2) + return Array.Empty(); + + JsonNode? root; + + try + { + var payloadJson = DecodeBase64UrlToString(parts[1]); + root = JsonNode.Parse(payloadJson); + } + catch + { + return Array.Empty(); + } + + if (root is not JsonObject obj) + return Array.Empty(); + + var claims = new List(); + + foreach (var (key, value) in obj) + { + if (string.IsNullOrWhiteSpace(key) || value == null) + continue; + + switch (value) + { + case JsonArray array: + foreach (var item in array) + { + if (item != null) + claims.Add(new Claim(key, item.ToString())); + } + + break; + + case JsonObject nestedObj: + // Preserve nested objects as JSON. + claims.Add(new Claim(key, nestedObj.ToJsonString())); + break; + + default: + claims.Add(new Claim(key, value.ToString())); + break; + } + } + + return claims; + } + + private static string DecodeBase64UrlToString(string base64Url) + { + // base64url -> base64 + var padded = base64Url.Replace('-', '+').Replace('_', '/'); + padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '='); + var bytes = Convert.FromBase64String(padded); + return Encoding.UTF8.GetString(bytes); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/ComponentProviders/DefaultUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/ComponentProviders/DefaultUnauthorizedComponentProvider.cs new file mode 100644 index 00000000..a6bbb0f7 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/ComponentProviders/DefaultUnauthorizedComponentProvider.cs @@ -0,0 +1,20 @@ +using Elsa.Studio.Components; +using Elsa.Studio.Contracts; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.ElsaAuth.ComponentProviders; + +/// +/// A safe default unauthorized component provider for ElsaAuth (renders the generic Unauthorized component). +/// Hosts can override this registration to provide custom unauthorized UX. +/// +public class DefaultUnauthorizedComponentProvider : IUnauthorizedComponentProvider +{ + /// + public RenderFragment GetUnauthorizedComponent() => builder => + { + builder.OpenComponent(0); + builder.CloseComponent(); + }; +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IAuthorizationService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IAuthorizationService.cs new file mode 100644 index 00000000..e48437d9 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IAuthorizationService.cs @@ -0,0 +1,18 @@ +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Performs authentication redirects and receives authorization codes when applicable. +/// +public interface IAuthorizationService +{ + /// + /// Redirects to the authorization server or login page. + /// + Task RedirectToAuthorizationServer(); + + /// + /// Receives an authorization code (used by legacy in-app OIDC code flow). + /// + Task ReceiveAuthorizationCode(string code, string? state, CancellationToken cancellationToken); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/ICredentialsValidator.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/ICredentialsValidator.cs new file mode 100644 index 00000000..1cea3d69 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/ICredentialsValidator.cs @@ -0,0 +1,15 @@ +using Elsa.Studio.Authentication.ElsaAuth.Models; + +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Validates end-user credentials and returns tokens. +/// +public interface ICredentialsValidator +{ + /// + /// Validates credentials. + /// + ValueTask ValidateCredentialsAsync(string username, string password, CancellationToken cancellationToken = default); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IEndSessionService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IEndSessionService.cs new file mode 100644 index 00000000..fbbd3e0f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IEndSessionService.cs @@ -0,0 +1,13 @@ +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Ends the current session (logout). +/// +public interface IEndSessionService +{ + /// + /// Signs out. + /// + Task EndSessionAsync(CancellationToken cancellationToken = default); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs new file mode 100644 index 00000000..a02881db --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs @@ -0,0 +1,17 @@ +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Reads and writes tokens to storage (e.g. cookies, local storage, etc.). +/// +public interface IJwtAccessor +{ + /// + /// Reads a token by name. + /// + ValueTask ReadTokenAsync(string name); + + /// + /// Writes a token by name. + /// + ValueTask WriteTokenAsync(string name, string token); +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtParser.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtParser.cs new file mode 100644 index 00000000..52573af7 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtParser.cs @@ -0,0 +1,15 @@ +using System.Security.Claims; + +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Parses JWT tokens into claims. +/// +public interface IJwtParser +{ + /// + /// Parses the specified JWT and returns claims. + /// + IEnumerable Parse(string token); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IRefreshTokenService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IRefreshTokenService.cs new file mode 100644 index 00000000..d01560c5 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IRefreshTokenService.cs @@ -0,0 +1,15 @@ +using Elsa.Api.Client.Resources.Identity.Responses; + +namespace Elsa.Studio.Authentication.ElsaAuth.Contracts; + +/// +/// Refreshes access tokens when the backend issues refresh tokens. +/// +public interface IRefreshTokenService +{ + /// + /// Refreshes the current token. + /// + Task RefreshTokenAsync(CancellationToken cancellationToken); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs new file mode 100644 index 00000000..b22d0a39 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs @@ -0,0 +1,3 @@ +// This file is intentionally left blank. +// OpenID Connect support is not part of Elsa.Studio.Authentication.ElsaAuth. + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Elsa.Studio.Authentication.ElsaAuth.csproj b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Elsa.Studio.Authentication.ElsaAuth.csproj new file mode 100644 index 00000000..f2bd5ba6 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Elsa.Studio.Authentication.ElsaAuth.csproj @@ -0,0 +1,22 @@ + + + + Elsa Studio authentication module for Elsa Identity (username/password + JWT token storage). + elsa studio authentication elsa auth + + + + + + + + + + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..a5a26f49 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,49 @@ +using Elsa.Studio.Authentication.Abstractions.Extensions; +using Elsa.Studio.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.ComponentProviders; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Models; +using Elsa.Studio.Authentication.ElsaAuth.Services; +using Microsoft.AspNetCore.Components.Authorization; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.ElsaAuth.Extensions; + +/// +/// Service registration extensions for the ElsaAuth authentication module. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds the ElsaAuth core services (provider-agnostic); call one of the Use* methods to select an auth flow. + /// + public static IServiceCollection AddElsaAuthCore(this IServiceCollection services) + { + services + .AddOptions() + .AddAuthorizationCore() + .AddAuthenticationInfrastructure() + .AddScoped() + .AddScoped(); + + // Default token claims mapping. + services.TryAddSingleton, DefaultIdentityTokenOptionsSetup>(); + + return services; + } + + /// + /// Configures ElsaAuth to use Elsa Identity (username/password to Elsa backend, stores JWTs). + /// + public static IServiceCollection UseElsaIdentityAuth(this IServiceCollection services) + { + return services + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped(); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/IdentityTokenOptions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/IdentityTokenOptions.cs new file mode 100644 index 00000000..0e63f4e0 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/IdentityTokenOptions.cs @@ -0,0 +1,18 @@ +namespace Elsa.Studio.Authentication.ElsaAuth.Models; + +/// +/// Options used by when creating the authenticated identity. +/// +public class IdentityTokenOptions +{ + /// + /// The claim type to use for the user's name. + /// + public string NameClaimType { get; set; } = "name"; + + /// + /// The claim type to use for the user's roles. + /// + public string RoleClaimType { get; set; } = "role"; +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/ValidateCredentialsResult.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/ValidateCredentialsResult.cs new file mode 100644 index 00000000..8e8409ec --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Models/ValidateCredentialsResult.cs @@ -0,0 +1,7 @@ +namespace Elsa.Studio.Authentication.ElsaAuth.Models; + +/// +/// Result of validating credentials. +/// +public record ValidateCredentialsResult(bool IsValid, string? AccessToken, string? RefreshToken); + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/AccessTokenAuthenticationStateProvider.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/AccessTokenAuthenticationStateProvider.cs new file mode 100644 index 00000000..03ac81af --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/AccessTokenAuthenticationStateProvider.cs @@ -0,0 +1,43 @@ +using System.Security.Claims; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Models; +using Elsa.Studio.Extensions; +using Microsoft.AspNetCore.Components.Authorization; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +/// Provides the authentication state for the current user based on a JWT token. +/// +public class AccessTokenAuthenticationStateProvider( + IJwtAccessor jwtAccessor, + IJwtParser jwtParser, + IOptions options) + : AuthenticationStateProvider +{ + /// + public override async Task GetAuthenticationStateAsync() + { + var token = await jwtAccessor.ReadTokenAsync(TokenNames.IdToken) + ?? await jwtAccessor.ReadTokenAsync(TokenNames.AccessToken); + + if (string.IsNullOrWhiteSpace(token)) + return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())); + + var claims = jwtParser.Parse(token).ToList(); + + if (claims.IsExpired()) + return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())); + + var identity = new ClaimsIdentity(claims, "jwt", options.Value.NameClaimType, options.Value.RoleClaimType); + var user = new ClaimsPrincipal(identity); + + return new AuthenticationState(user); + } + + /// + /// Notifies the authentication state has changed. + /// + public void NotifyAuthenticationStateChanged() => NotifyAuthenticationStateChanged(GetAuthenticationStateAsync()); +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/DefaultIdentityTokenOptionsSetup.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/DefaultIdentityTokenOptionsSetup.cs new file mode 100644 index 00000000..af0c3365 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/DefaultIdentityTokenOptionsSetup.cs @@ -0,0 +1,18 @@ +using Elsa.Studio.Authentication.ElsaAuth.Models; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +/// Provides default values for . +/// +public class DefaultIdentityTokenOptionsSetup : IConfigureOptions +{ + /// + public void Configure(IdentityTokenOptions options) + { + options.NameClaimType ??= "name"; + options.RoleClaimType ??= "role"; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs new file mode 100644 index 00000000..06485562 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs @@ -0,0 +1,22 @@ +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +internal class ElsaIdentityAuthorizationService(NavigationManager navigationManager) : IAuthorizationService +{ + /// + public Task RedirectToAuthorizationServer() + { + var returnUrl = navigationManager.ToBaseRelativePath(navigationManager.Uri); + var loginUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/login" : $"/login?returnUrl={returnUrl}"; + navigationManager.NavigateTo(loginUrl, true); + + return Task.CompletedTask; + } + + /// + public Task ReceiveAuthorizationCode(string code, string? state, CancellationToken cancellationToken) => throw new NotSupportedException(); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs new file mode 100644 index 00000000..7f587969 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs @@ -0,0 +1,22 @@ +using Elsa.Api.Client.Resources.Identity.Contracts; +using Elsa.Api.Client.Resources.Identity.Requests; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Models; +using Elsa.Studio.Contracts; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +/// An implementation of that consumes endpoints from Elsa.Identity. +/// +public class ElsaIdentityCredentialsValidator(IBackendApiClientProvider backendApiClientProvider) : ICredentialsValidator +{ + /// + public async ValueTask ValidateCredentialsAsync(string username, string password, CancellationToken cancellationToken = default) + { + var api = await backendApiClientProvider.GetApiAsync(cancellationToken); + var request = new LoginRequest(username, password); + var response = await api.LoginAsync(request, cancellationToken); + return new ValidateCredentialsResult(response.IsAuthenticated, response.AccessToken, response.RefreshToken); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityEndSessionService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityEndSessionService.cs new file mode 100644 index 00000000..2aab3a9a --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityEndSessionService.cs @@ -0,0 +1,16 @@ +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +public class ElsaIdentityEndSessionService(NavigationManager navigationManager) : IEndSessionService +{ + /// + public Task EndSessionAsync(CancellationToken cancellationToken = default) + { + navigationManager.NavigateTo("/logout", forceLoad: true); + return Task.CompletedTask; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs new file mode 100644 index 00000000..ae49cc64 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs @@ -0,0 +1,41 @@ +using Elsa.Api.Client.Resources.Identity.Responses; +using Elsa.Studio.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using System.Net; +using System.Net.Http.Json; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +public class ElsaIdentityRefreshTokenService(IRemoteBackendAccessor remoteBackendAccessor, IJwtAccessor jwtAccessor, HttpClient httpClient) : IRefreshTokenService +{ + /// + public async Task RefreshTokenAsync(CancellationToken cancellationToken) + { + // Get refresh token. + var refreshToken = await jwtAccessor.ReadTokenAsync(TokenNames.RefreshToken); + + // Setup request to get new tokens. + var url = remoteBackendAccessor.RemoteBackend.Url + "/identity/refresh-token"; + var refreshRequestMessage = new HttpRequestMessage(HttpMethod.Post, url); + refreshRequestMessage.Headers.Authorization = new("Bearer", refreshToken); + + // Send request. + var response = await httpClient.SendAsync(refreshRequestMessage, cancellationToken); + + // If the refresh token is invalid, we can't do anything. + if (response.StatusCode == HttpStatusCode.Unauthorized) + return new(false, null, null); + + // Parse response into tokens. + var tokens = (await response.Content.ReadFromJsonAsync(cancellationToken: cancellationToken))!; + + // Store tokens. + await jwtAccessor.WriteTokenAsync(TokenNames.RefreshToken, tokens.RefreshToken!); + await jwtAccessor.WriteTokenAsync(TokenNames.AccessToken, tokens.AccessToken!); + + // Return tokens. + return tokens; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs new file mode 100644 index 00000000..4f98296c --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs @@ -0,0 +1,12 @@ +using Elsa.Studio.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; + +namespace Elsa.Studio.Authentication.ElsaAuth.Services; + +/// +public class JwtAuthenticationProvider(IJwtAccessor jwtAccessor) : IAuthenticationProvider +{ + /// + public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default) => await jwtAccessor.ReadTokenAsync(tokenName); +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/ComponentProviders/OidcUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/ComponentProviders/OidcUnauthorizedComponentProvider.cs new file mode 100644 index 00000000..bd8043c0 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/ComponentProviders/OidcUnauthorizedComponentProvider.cs @@ -0,0 +1,16 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Components; +using Elsa.Studio.Contracts; +using Elsa.Studio.Extensions; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.ComponentProviders; + +/// +/// Provides an unauthorized component that initiates an OpenID Connect challenge. +/// +public class OidcUnauthorizedComponentProvider : IUnauthorizedComponentProvider +{ + /// + public RenderFragment GetUnauthorizedComponent() => builder => builder.CreateComponent(); +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/ChallengeToLogin.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/ChallengeToLogin.razor new file mode 100644 index 00000000..23fd9c91 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/ChallengeToLogin.razor @@ -0,0 +1,13 @@ +@using Microsoft.AspNetCore.Components +@inject NavigationManager NavigationManager +@code { + protected override void OnInitialized() + { + // Delegate to a server-side endpoint that triggers an OpenID Connect challenge. + // This keeps us aligned with ASP.NET Core authentication best practices. + var returnUrl = NavigationManager.ToBaseRelativePath(NavigationManager.Uri); + var url = $"/authentication/login?returnUrl={Uri.EscapeDataString("/" + returnUrl)}"; + NavigationManager.NavigateTo(url, forceLoad: true); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/AuthenticationController.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/AuthenticationController.cs new file mode 100644 index 00000000..e5e9cbcc --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/AuthenticationController.cs @@ -0,0 +1,38 @@ +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authentication.Cookies; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; +using Microsoft.AspNetCore.Mvc; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Controllers; + +/// +/// Authentication entry points for initiating an OpenID Connect challenge/sign-out. +/// +[Route("authentication")] +public class AuthenticationController : Controller +{ + /// + /// Triggers an OpenID Connect challenge. + /// + [HttpGet("login")] + public IActionResult Login([FromQuery] string? returnUrl = null) + { + returnUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/" : returnUrl; + return Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, OpenIdConnectDefaults.AuthenticationScheme); + } + + /// + /// Signs out from both the local cookie and the OpenID Connect provider. + /// + [HttpGet("logout")] + public IActionResult Logout([FromQuery] string? returnUrl = null) + { + returnUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/" : returnUrl; + + return SignOut( + new AuthenticationProperties { RedirectUri = returnUrl }, + CookieAuthenticationDefaults.AuthenticationScheme, + OpenIdConnectDefaults.AuthenticationScheme); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ComponentProviders/OidcUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ComponentProviders/OidcUnauthorizedComponentProvider.cs new file mode 100644 index 00000000..fc5aaa1e --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ComponentProviders/OidcUnauthorizedComponentProvider.cs @@ -0,0 +1,16 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Components; +using Elsa.Studio.Contracts; +using Elsa.Studio.Extensions; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.ComponentProviders; + +/// +/// Provides an unauthorized component that navigates to the built-in WASM OIDC login endpoint. +/// +public class OidcUnauthorizedComponentProvider : IUnauthorizedComponentProvider +{ + /// + public RenderFragment GetUnauthorizedComponent() => builder => builder.CreateComponent(); +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor new file mode 100644 index 00000000..d264e693 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor @@ -0,0 +1,11 @@ +@using Microsoft.AspNetCore.Components +@inject NavigationManager NavigationManager + +@code { + protected override void OnInitialized() + { + // The WASM host must provide the /authentication/{action} route hosting RemoteAuthenticatorView. + NavigationManager.NavigateTo("authentication/login"); + } +} + From 0b776301651ab4b96687f3237b4857a401bb8405 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:27:57 +0100 Subject: [PATCH 07/27] Update project references to include new Elsa Studio Authentication modules. --- Elsa.Studio.sln | 60 +++++++++++++++++++ .../Elsa.Studio.Host.Server.csproj | 3 +- .../Elsa.Studio.Host.Wasm.csproj | 3 +- .../Elsa.Studio.Login.BlazorServer.csproj | 1 + .../Elsa.Studio.Login.BlazorWasm.csproj | 1 + .../Elsa.Studio.Login.csproj | 1 + 6 files changed, 66 insertions(+), 3 deletions(-) diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index a9db5378..7808bbaa 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -93,6 +93,14 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication. EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.Abstractions", "src\modules\Elsa.Studio.Authentication.Abstractions\Elsa.Studio.Authentication.Abstractions.csproj", "{09E284E0-7F8E-4346-962F-90F3FBA8837D}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect.BlazorServer", "src\modules\Elsa.Studio.Authentication.OpenIdConnect.BlazorServer\Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj", "{410041C1-5429-4D42-BFD3-C4AA343959FB}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth", "src\modules\Elsa.Studio.Authentication.ElsaAuth\Elsa.Studio.Authentication.ElsaAuth.csproj", "{EFDD8E80-B369-4FAD-B797-3D63B3535432}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth.BlazorServer", "src\modules\Elsa.Studio.Authentication.ElsaAuth.BlazorServer\Elsa.Studio.Authentication.ElsaAuth.BlazorServer.csproj", "{E7EB0A92-C8CE-406B-AF7C-47AD21A43042}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth.BlazorWasm", "src\modules\Elsa.Studio.Authentication.ElsaAuth.BlazorWasm\Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj", "{5E8F930A-AEE0-4742-955A-A741B1CE93F6}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -475,6 +483,54 @@ Global {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.Build.0 = Release|Any CPU {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.ActiveCfg = Release|Any CPU {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.Build.0 = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|Any CPU.Build.0 = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|x64.ActiveCfg = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|x64.Build.0 = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|x86.ActiveCfg = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Debug|x86.Build.0 = Debug|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|Any CPU.ActiveCfg = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|Any CPU.Build.0 = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|x64.ActiveCfg = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|x64.Build.0 = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|x86.ActiveCfg = Release|Any CPU + {410041C1-5429-4D42-BFD3-C4AA343959FB}.Release|x86.Build.0 = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|Any CPU.Build.0 = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|x64.ActiveCfg = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|x64.Build.0 = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|x86.ActiveCfg = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Debug|x86.Build.0 = Debug|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|Any CPU.ActiveCfg = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|Any CPU.Build.0 = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|x64.ActiveCfg = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|x64.Build.0 = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|x86.ActiveCfg = Release|Any CPU + {EFDD8E80-B369-4FAD-B797-3D63B3535432}.Release|x86.Build.0 = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|x64.ActiveCfg = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|x64.Build.0 = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|x86.ActiveCfg = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Debug|x86.Build.0 = Debug|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|Any CPU.Build.0 = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|x64.ActiveCfg = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|x64.Build.0 = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|x86.ActiveCfg = Release|Any CPU + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042}.Release|x86.Build.0 = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|Any CPU.Build.0 = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|x64.ActiveCfg = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|x64.Build.0 = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|x86.ActiveCfg = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Debug|x86.Build.0 = Debug|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|Any CPU.ActiveCfg = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|Any CPU.Build.0 = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x64.ActiveCfg = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x64.Build.0 = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x86.ActiveCfg = Release|Any CPU + {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -515,6 +571,10 @@ Global {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {D66B9A40-8608-46F3-9868-625C50EACE43} {AED216D2-620D-4446-931F-BDEF357DA805} = {D66B9A40-8608-46F3-9868-625C50EACE43} {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {410041C1-5429-4D42-BFD3-C4AA343959FB} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {EFDD8E80-B369-4FAD-B797-3D63B3535432} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {5E8F930A-AEE0-4742-955A-A741B1CE93F6} = {D66B9A40-8608-46F3-9868-625C50EACE43} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {5B8719CC-CF87-45E1-BE1A-13842F951B28} diff --git a/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj b/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj index 7fd87aac..49e5c551 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj +++ b/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj @@ -14,11 +14,10 @@ + - - diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj b/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj index 10fda851..0eaa370f 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj +++ b/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj @@ -21,9 +21,10 @@ + + - diff --git a/src/modules/Elsa.Studio.Login.BlazorServer/Elsa.Studio.Login.BlazorServer.csproj b/src/modules/Elsa.Studio.Login.BlazorServer/Elsa.Studio.Login.BlazorServer.csproj index 3a4a7076..7ff5ddbf 100644 --- a/src/modules/Elsa.Studio.Login.BlazorServer/Elsa.Studio.Login.BlazorServer.csproj +++ b/src/modules/Elsa.Studio.Login.BlazorServer/Elsa.Studio.Login.BlazorServer.csproj @@ -11,6 +11,7 @@ + diff --git a/src/modules/Elsa.Studio.Login.BlazorWasm/Elsa.Studio.Login.BlazorWasm.csproj b/src/modules/Elsa.Studio.Login.BlazorWasm/Elsa.Studio.Login.BlazorWasm.csproj index b0d890e1..853d96f3 100644 --- a/src/modules/Elsa.Studio.Login.BlazorWasm/Elsa.Studio.Login.BlazorWasm.csproj +++ b/src/modules/Elsa.Studio.Login.BlazorWasm/Elsa.Studio.Login.BlazorWasm.csproj @@ -6,6 +6,7 @@ + diff --git a/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj b/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj index 0720a857..e7c3a941 100644 --- a/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj +++ b/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj @@ -15,6 +15,7 @@ + From 4001b4d3b77e2105770204d00eba13df33e2db63 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:28:03 +0100 Subject: [PATCH 08/27] Update `RedirectToLoginUnauthorizedComponentProvider` to support fallback to default Unauthorized component when `IAuthorizationService` is unavailable. --- ...RedirectToLoginUnauthorizedComponentProvider.cs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs index 40608d0b..2e21afc1 100644 --- a/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs +++ b/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs @@ -1,16 +1,26 @@ +using Elsa.Studio.Components; using Elsa.Studio.Contracts; using Elsa.Studio.Extensions; using Elsa.Studio.Login.Components; +using Elsa.Studio.Login.Contracts; using Microsoft.AspNetCore.Components; +using Microsoft.Extensions.DependencyInjection; namespace Elsa.Studio.Login.ComponentProviders; /// -public class RedirectToLoginUnauthorizedComponentProvider : IUnauthorizedComponentProvider +public class RedirectToLoginUnauthorizedComponentProvider(IServiceProvider serviceProvider) : IUnauthorizedComponentProvider { /// public RenderFragment GetUnauthorizedComponent() { - return builder => builder.CreateComponent(); + // The legacy Login module requires an IAuthorizationService to perform the redirect. + // When using the newer authentication providers (e.g. the OIDC module), this service will not be registered. + // In that case, fall back to the default Unauthorized component (no redirect). + var authorizationService = serviceProvider.GetService(); + + return authorizationService != null + ? builder => builder.CreateComponent() + : builder => builder.CreateComponent(); } } \ No newline at end of file From b4c8fd4789e2c51f2735b5902f196f32d4c3a87b Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:28:13 +0100 Subject: [PATCH 09/27] Mark `Elsa.Studio.Login` APIs as obsolete and migrate authentication to `Elsa.Studio.Authentication.ElsaAuth`. Simplify dependencies and refactor JWT parsing for BlazorServer and BlazorWasm modules. --- .../Extensions/ServiceCollectionExtensions.cs | 19 ++--- .../Services/BlazorServerJwtAccessor.cs | 1 + .../Services/BlazorServerJwtParser.cs | 73 ++++++++++++++-- .../Extensions/ServiceCollectionExtensions.cs | 26 +++--- .../Services/BlazorWasmJwtAccessor.cs | 1 + .../Services/BlazorWasmJwtParser.cs | 1 + .../Extensions/ServiceCollectionExtensions.cs | 84 +++++++------------ .../AuthenticatingApiHttpMessageHandler.cs | 3 + .../DefaultAuthenticationProviderManager.cs | 1 + 9 files changed, 121 insertions(+), 88 deletions(-) diff --git a/src/modules/Elsa.Studio.Login.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Login.BlazorServer/Extensions/ServiceCollectionExtensions.cs index 5cae93bc..92ca1a29 100644 --- a/src/modules/Elsa.Studio.Login.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Login.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -1,6 +1,4 @@ -using Blazored.LocalStorage; -using Elsa.Studio.Login.BlazorServer.Services; -using Elsa.Studio.Login.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions; using Elsa.Studio.Login.Extensions; using Elsa.Studio.Login.Models; using Microsoft.Extensions.DependencyInjection; @@ -10,25 +8,20 @@ namespace Elsa.Studio.Login.BlazorServer.Extensions; /// /// Contains extension methods for the interface. /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.* (or Elsa.Studio.Authentication.OpenIdConnect.*) instead.")] public static class ServiceCollectionExtensions { /// /// Adds login services with Blazor Server implementations. /// + [Obsolete("Elsa.Studio.Login.* is obsolete. Use services.AddElsaAuth() from Elsa.Studio.Authentication.ElsaAuth.BlazorServer and optionally add Elsa.Studio.Login UI separately.")] public static IServiceCollection AddLoginModule(this IServiceCollection services) { - // Add the login module. + // Legacy UI + feature registrations. services.AddLoginModuleCore(); - // Register HttpContextAccessor. - services.AddHttpContextAccessor(); - - // Register Blazored LocalStorage. - services.AddBlazoredLocalStorage(); - - // Register JWT services. - services.AddSingleton(); - services.AddScoped(); + // Replace the old platform auth plumbing with ElsaAuth. + Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions.ServiceCollectionExtensions.AddElsaAuth(services); return services; } diff --git a/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtAccessor.cs b/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtAccessor.cs index 8fa7bef2..c3f26261 100644 --- a/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtAccessor.cs +++ b/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtAccessor.cs @@ -7,6 +7,7 @@ namespace Elsa.Studio.Login.BlazorServer.Services; /// /// Implements the interface for server-side Blazor. /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Services.BlazorServerJwtAccessor instead.")] public class BlazorServerJwtAccessor : IJwtAccessor { private readonly IHttpContextAccessor _httpContextAccessor; diff --git a/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtParser.cs b/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtParser.cs index 32162e05..433fc9ef 100644 --- a/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtParser.cs +++ b/src/modules/Elsa.Studio.Login.BlazorServer/Services/BlazorServerJwtParser.cs @@ -1,17 +1,80 @@ -using System.IdentityModel.Tokens.Jwt; -using System.Security.Claims; using Elsa.Studio.Login.Contracts; +using System.Security.Claims; +using System.Text; +using System.Text.Json; namespace Elsa.Studio.Login.BlazorServer.Services; /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Services.BlazorServerJwtParser instead.")] public class BlazorServerJwtParser : IJwtParser { /// public IEnumerable Parse(string jwt) { - var handler = new JwtSecurityTokenHandler(); - var jwtSecurityToken = handler.ReadJwtToken(jwt); - return jwtSecurityToken.Claims; + if (string.IsNullOrWhiteSpace(jwt)) + return Array.Empty(); + + var parts = jwt.Split('.', StringSplitOptions.RemoveEmptyEntries); + if (parts.Length < 2) + return Array.Empty(); + + var payloadJson = DecodeBase64UrlToString(parts[1]); + + using var document = JsonDocument.Parse(payloadJson); + if (document.RootElement.ValueKind != JsonValueKind.Object) + return Array.Empty(); + + var claims = new List(); + + foreach (var property in document.RootElement.EnumerateObject()) + AddClaimsFromJson(property.Name, property.Value, claims); + + return claims; + } + + private static void AddClaimsFromJson(string type, JsonElement value, ICollection claims) + { + switch (value.ValueKind) + { + case JsonValueKind.Null: + case JsonValueKind.Undefined: + return; + + case JsonValueKind.Array: + foreach (var item in value.EnumerateArray()) + AddClaimsFromJson(type, item, claims); + return; + + case JsonValueKind.Object: + // For nested objects, store the raw JSON. + claims.Add(new Claim(type, value.GetRawText(), ClaimValueTypes.String)); + return; + + case JsonValueKind.True: + case JsonValueKind.False: + claims.Add(new Claim(type, value.GetBoolean() ? "true" : "false", ClaimValueTypes.Boolean)); + return; + + case JsonValueKind.Number: + claims.Add(new Claim(type, value.GetRawText(), ClaimValueTypes.String)); + return; + + case JsonValueKind.String: + claims.Add(new Claim(type, value.GetString() ?? string.Empty, ClaimValueTypes.String)); + return; + + default: + claims.Add(new Claim(type, value.ToString(), ClaimValueTypes.String)); + return; + } + } + + private static string DecodeBase64UrlToString(string base64Url) + { + var padded = base64Url.Replace('-', '+').Replace('_', '/'); + padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '='); + var bytes = Convert.FromBase64String(padded); + return Encoding.UTF8.GetString(bytes); } } \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Login.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Login.BlazorWasm/Extensions/ServiceCollectionExtensions.cs index d9c0a278..6cd659e3 100644 --- a/src/modules/Elsa.Studio.Login.BlazorWasm/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Login.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -1,6 +1,4 @@ -using Blazored.LocalStorage; -using Elsa.Studio.Login.BlazorWasm.Services; -using Elsa.Studio.Login.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Extensions; using Elsa.Studio.Login.Extensions; using Elsa.Studio.Login.Models; using Microsoft.Extensions.DependencyInjection; @@ -10,33 +8,31 @@ namespace Elsa.Studio.Login.BlazorWasm.Extensions; /// /// Contains extension methods for the interface. /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.* (or Elsa.Studio.Authentication.OpenIdConnect.*) instead.")] public static class ServiceCollectionExtensions { /// /// Adds login services with Blazor Server implementations. /// + [Obsolete("Elsa.Studio.Login.* is obsolete. Use services.AddElsaAuth() from Elsa.Studio.Authentication.ElsaAuth.BlazorWasm and optionally add Elsa.Studio.Login UI separately.")] public static IServiceCollection AddLoginModule(this IServiceCollection services) { - // Add the login module. + // Legacy UI + feature registrations. services.AddLoginModuleCore(); - - // Register Blazored LocalStorage. - services.AddBlazoredLocalStorage(); - - // Register JWT services. - services.AddSingleton(); - services.AddScoped(); - + + // Replace the old platform auth plumbing with ElsaAuth. + services.AddElsaAuth(); + return services; } - + /// /// Configures the login module to use OpenIdConnect (OIDC) /// + [Obsolete("Elsa.Studio.Login.* is obsolete. Prefer Elsa.Studio.Authentication.OpenIdConnect.*. This legacy in-app OIDC flow can be configured via Elsa.Studio.Authentication.ElsaAuth (UseLegacyOidcCodeFlowAuth).")] public static IServiceCollection UseOpenIdConnect(this IServiceCollection services, Action configure) { return services - .UseOpenIdConnectCore(configure) - ; + .UseOpenIdConnectCore(configure); } } \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtAccessor.cs b/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtAccessor.cs index f63855ea..ee830c7f 100644 --- a/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtAccessor.cs +++ b/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtAccessor.cs @@ -4,6 +4,7 @@ namespace Elsa.Studio.Login.BlazorWasm.Services; /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Services.BlazorWasmJwtAccessor instead.")] public class BlazorWasmJwtAccessor : IJwtAccessor { private readonly ILocalStorageService _localStorageService; diff --git a/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtParser.cs b/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtParser.cs index d7589f1e..d60bc184 100644 --- a/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtParser.cs +++ b/src/modules/Elsa.Studio.Login.BlazorWasm/Services/BlazorWasmJwtParser.cs @@ -7,6 +7,7 @@ namespace Elsa.Studio.Login.BlazorWasm.Services; /// +[Obsolete("Elsa.Studio.Login.* is obsolete. Use Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Services.BlazorWasmJwtParser instead.")] public class BlazorWasmJwtParser : IJwtParser { // Taken and adapted from: https://trystanwilcock.com/2022/09/28/net-6-0-blazor-webassembly-jwt-token-authentication-from-scratch-c-sharp-wasm-tutorial/ diff --git a/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs index 5987a61b..10a335d5 100644 --- a/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs @@ -1,87 +1,61 @@ +using Elsa.Studio.Authentication.ElsaAuth.Extensions; using Elsa.Studio.Contracts; using Elsa.Studio.Login.ComponentProviders; -using Elsa.Studio.Login.Contracts; -using Elsa.Studio.Login.HttpMessageHandlers; using Elsa.Studio.Login.Models; -using Elsa.Studio.Login.Services; -using Microsoft.AspNetCore.Components.Authorization; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Options; namespace Elsa.Studio.Login.Extensions; -/// -/// Contains extension methods for the interface. -/// public static class ServiceCollectionExtensions { /// /// Adds the login module to the service collection. /// + [Obsolete("Elsa.Studio.Login is obsolete. Use Elsa.Studio.Authentication.ElsaAuth (or Elsa.Studio.Authentication.OpenIdConnect for OIDC) instead.")] public static IServiceCollection AddLoginModuleCore(this IServiceCollection services) { - return services - .AddScoped() - .AddOptions() - .AddAuthorizationCore() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - ; + // Keep legacy UI/feature registrations. + services + .AddScoped() + .AddScoped(); + + // Delegate the authentication plumbing to ElsaAuth. + services.AddElsaAuthCore(); + + return services; } /// - /// Configures the login module to use elsa identity + /// Configures the login module to use elsa identity. /// - public static IServiceCollection UseElsaIdentity(this IServiceCollection services) - { - return services - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped(); - ; - } + [Obsolete("Elsa.Studio.Login is obsolete. Use services.AddElsaAuthCore().UseElsaIdentityAuth() instead.")] + public static IServiceCollection UseElsaIdentity(this IServiceCollection services) => services.UseElsaIdentityAuth(); /// /// Configures the service collection to use OAuth2 for credential validation and related services. /// + [Obsolete("OAuth2 support via Elsa.Studio.Login is obsolete. ElsaAuth no longer contains OAuth2. If you need OAuth2, keep using the legacy Elsa.Studio.Login OAuth2 implementation or migrate to a dedicated future OAuth2 module.")] public static IServiceCollection UseOAuth2(this IServiceCollection services, Action configure) { - services.Configure(configure); - - services.AddHttpClient(httpClient => - { - var options = services.BuildServiceProvider().GetRequiredService>().Value; - httpClient.BaseAddress = new(options.TokenEndpoint); - }); - - return services - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - ; + _ = configure; + + throw new NotSupportedException( + "OAuth2 support has been removed from Elsa.Studio.Authentication.ElsaAuth. " + + "For OIDC use Elsa.Studio.Authentication.OpenIdConnect.*. " + + "For legacy OAuth2 (ROPC) keep using the obsolete Elsa.Studio.Login implementation." ); } /// - /// Configures the login module to use OpenIdConnect (OIDC) + /// Configures the login module to use OpenIdConnect (OIDC). /// - public static IServiceCollection UseOpenIdConnectCore(this IServiceCollection services, Action configure) + [Obsolete("Elsa.Studio.Login OIDC integration is obsolete. Use Elsa.Studio.Authentication.OpenIdConnect.BlazorServer or Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.")] + public static IServiceCollection UseOpenIdConnectCore(this IServiceCollection services, Action configure) { - services.Configure(configure); - - return services - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped(); + _ = configure; - ; + throw new NotSupportedException( + "The legacy in-app OIDC code-flow is no longer available via Elsa.Studio.Authentication.ElsaAuth. " + + "Migrate to the new modules: Elsa.Studio.Authentication.OpenIdConnect.BlazorServer (server) or " + + "Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm (WASM)." ); } } \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs index 5e39eaa0..79bf5b91 100644 --- a/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs +++ b/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -8,6 +8,7 @@ namespace Elsa.Studio.Login.HttpMessageHandlers; /// /// An that configures the outgoing HTTP request to use the access token as bearer token. /// +[Obsolete("This handler has moved to Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers.AuthenticatingApiHttpMessageHandler. Update hosts/modules to reference the new handler.")] public class AuthenticatingApiHttpMessageHandler(IRefreshTokenService refreshTokenService, IBlazorServiceAccessor blazorServiceAccessor) : DelegatingHandler { @@ -34,3 +35,5 @@ protected override async Task SendAsync(HttpRequestMessage return response; } } + + diff --git a/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs b/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs index 1787d105..39738dd7 100644 --- a/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs +++ b/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs @@ -3,6 +3,7 @@ namespace Elsa.Studio.Login.Services; /// +[Obsolete("Elsa.Studio.Login is obsolete. Use Elsa.Studio.Authentication.Abstractions.Services.DefaultAuthenticationProviderManager / AddAuthenticationInfrastructure instead.")] public class DefaultAuthenticationProviderManager(IEnumerable authenticationProviders) : IAuthenticationProviderManager { /// From 49fc5e105972f1d034c3604c7741e8951ee2448f Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:28:22 +0100 Subject: [PATCH 10/27] Switch to OpenID Connect authentication, remove legacy login module, and update service registration methods. --- src/hosts/Elsa.Studio.Host.Wasm/Program.cs | 22 +++++++++++++------ .../Extensions/ServiceCollectionExtensions.cs | 22 +++++++++++++++++-- 2 files changed, 35 insertions(+), 9 deletions(-) diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs index 7b3d43bc..6f4fb091 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs @@ -1,3 +1,4 @@ +using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; using Elsa.Studio.Dashboard.Extensions; using Elsa.Studio.Shell; using Elsa.Studio.Shell.Extensions; @@ -7,15 +8,13 @@ using Elsa.Studio.Extensions; using Elsa.Studio.Localization.Time; using Elsa.Studio.Localization.Time.Providers; -using Elsa.Studio.Login.BlazorWasm.Extensions; -using Elsa.Studio.Login.HttpMessageHandlers; using Elsa.Studio.Models; using Elsa.Studio.Workflows.Designer.Extensions; using Microsoft.AspNetCore.Components.Web; using Microsoft.AspNetCore.Components.WebAssembly.Hosting; using Elsa.Studio.Localization.Models; using Elsa.Studio.Localization.BlazorWasm.Extensions; -using Elsa.Studio.Login.Extensions; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; // Build the host. var builder = WebAssemblyHostBuilder.CreateDefault(args); @@ -30,7 +29,7 @@ var backendApiConfig = new BackendApiConfig { ConfigureBackendOptions = options => configuration.GetSection("Backend").Bind(options), - ConfigureHttpClientBuilder = options => options.AuthenticationHandler = typeof(AuthenticatingApiHttpMessageHandler), + ConfigureHttpClientBuilder = options => options.AuthenticationHandler = typeof(BearerTokenHttpMessageHandler), }; var localizationConfig = new LocalizationConfig @@ -41,8 +40,16 @@ builder.Services.AddCore(); builder.Services.AddShell(); builder.Services.AddRemoteBackend(backendApiConfig); -builder.Services.AddLoginModule(); -builder.Services.UseElsaIdentity(); + +// Remove legacy Login module for OIDC-based auth. +//builder.Services.AddLoginModule(); +//builder.Services.UseElsaIdentity(); + +builder.Services.AddElsaOidcAuthentication(options => +{ + configuration.GetSection("Authentication:Oidc").Bind(options); +}); + builder.Services.AddDashboardModule(); builder.Services.AddWorkflowsModule(); builder.Services.AddLocalizationModule(localizationConfig); @@ -60,4 +67,5 @@ await startupTaskRunner.RunStartupTasksAsync(); // Run the application. -await app.RunAsync(); \ No newline at end of file +await app.RunAsync(); + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs index bfc465d9..3ad47ee6 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -1,10 +1,11 @@ using Elsa.Studio.Authentication.OpenIdConnect.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.Models; using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.ComponentProviders; using Elsa.Studio.Contracts; -using Microsoft.AspNetCore.Components.WebAssembly.Authentication; using Microsoft.Extensions.DependencyInjection; using OidcAuthProvider = Elsa.Studio.Authentication.OpenIdConnect.Services.OidcAuthenticationProvider; +using Elsa.Studio.Authentication.Abstractions.Extensions; namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; @@ -16,10 +17,13 @@ public static class ServiceCollectionExtensions /// /// Adds OpenID Connect authentication services for Blazor WebAssembly. /// + /// + /// Named to avoid ambiguity with Microsoft.Extensions.DependencyInjection.WebAssemblyAuthenticationServiceCollectionExtensions.AddOidcAuthentication. + /// /// The service collection. /// Configuration callback for OIDC options. /// The service collection for chaining. - public static IServiceCollection AddOidcAuthentication( + public static IServiceCollection AddElsaOidcAuthentication( this IServiceCollection services, Action configure) { @@ -54,6 +58,20 @@ public static IServiceCollection AddOidcAuthentication( } }); + // Provide an OIDC-aware unauthorized component. + services.AddScoped(); + + // Shared auth infrastructure (e.g. delegating handlers). + services.AddAuthenticationInfrastructure(); + return services; } + + /// + /// Adds OpenID Connect authentication services for Blazor WebAssembly. + /// + [Obsolete("Use AddElsaOidcAuthentication instead to avoid ambiguity with Microsoft.Extensions.DependencyInjection.WebAssemblyAuthenticationServiceCollectionExtensions.AddOidcAuthentication.")] + public static IServiceCollection AddOidcAuthentication( + this IServiceCollection services, + Action configure) => services.AddElsaOidcAuthentication(configure); } From 2378354cc94b184d41964a80a4f73a3919debf6f Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:28:29 +0100 Subject: [PATCH 11/27] Replace `Login` module with OpenID Connect, update authentication pipeline, and revise default `GetClaimsFromUserInfoEndpoint`. --- src/hosts/Elsa.Studio.Host.Server/Program.cs | 25 +++++++++++++------ .../Elsa.Studio.Host.Server/appsettings.json | 5 ++++ .../Extensions/ServiceCollectionExtensions.cs | 8 ++++++ .../Models/OidcOptions.cs | 7 +++++- 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index 0c9578db..75f8db77 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -1,3 +1,5 @@ +using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; using Elsa.Studio.Branding; using Elsa.Studio.Contracts; using Elsa.Studio.Core.BlazorServer.Extensions; @@ -9,9 +11,6 @@ using Elsa.Studio.Localization.Options; using Elsa.Studio.Localization.Time; using Elsa.Studio.Localization.Time.Providers; -using Elsa.Studio.Login.BlazorServer.Extensions; -using Elsa.Studio.Login.Extensions; -using Elsa.Studio.Login.HttpMessageHandlers; using Elsa.Studio.Models; using Elsa.Studio.Shell.Extensions; using Elsa.Studio.Translations; @@ -44,7 +43,7 @@ ConfigureBackendOptions = options => configuration.GetSection("Backend").Bind(options), ConfigureHttpClientBuilder = options => { - options.AuthenticationHandler = typeof(AuthenticatingApiHttpMessageHandler); + options.AuthenticationHandler = typeof(BearerTokenHttpMessageHandler); options.ConfigureHttpClient = (_, client) => { // Set a long time out to simplify debugging both Elsa Studio and the Elsa Server backend. @@ -67,15 +66,26 @@ builder.Services.AddCore().Replace(new(typeof(IBrandingProvider), typeof(StudioBrandingProvider), ServiceLifetime.Scoped)); builder.Services.AddShell(options => configuration.GetSection("Shell").Bind(options)); builder.Services.AddRemoteBackend(backendApiConfig); -builder.Services.AddLoginModule(); -//builder.Services.UseElsaIdentity(); +// OIDC provides the auth pipeline + unauthorized redirect behavior, so we don't need the legacy Login module. +//builder.Services.AddLoginModule(); // builder.Services.UseOAuth2(options => // { // options.ClientId = "ElsaStudio"; // options.TokenEndpoint = "https://localhost:44366/connect/token"; // options.Scope = "YourSite offline_access"; // }); -builder.Services.UseOpenIdConnect(openid => configuration.GetSection("Authentication:OpenIdConnect").Bind(openid)); +//builder.Services.UseOpenIdConnect(openid => configuration.GetSection("Authentication:OpenIdConnect").Bind(openid)); + +builder.Services.AddOidcAuthentication(options => +{ + configuration.GetSection("Authentication:Oidc").Bind(options); + + // If you see a 401 from the OIDC handler while calling the "userinfo" endpoint, + // either disable UserInfo retrieval (recommended for most setups), or configure your IdP/app registration + // to allow calling userinfo with the issued access token. + // options.GetClaimsFromUserInfoEndpoint = false; +}); + builder.Services.AddDashboardModule(); builder.Services.AddWorkflowsModule(); builder.Services.AddLocalizationModule(localizationConfig); @@ -121,6 +131,7 @@ app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseRouting(); +app.UseAuthentication(); app.UseAuthorization(); app.MapControllers(); app.MapBlazorHub(); diff --git a/src/hosts/Elsa.Studio.Host.Server/appsettings.json b/src/hosts/Elsa.Studio.Host.Server/appsettings.json index f5e2a3cd..b764c348 100644 --- a/src/hosts/Elsa.Studio.Host.Server/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Server/appsettings.json @@ -20,6 +20,11 @@ ] }, "Authentication": { + "Oidc": { + "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", + "ClientId": "", + "ClientSecret": "" + }, "OpenIdConnect": { "ClientId": "", "ClientSecret": "", diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index a65aacd6..10766195 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -1,6 +1,8 @@ +using Elsa.Studio.Authentication.Abstractions.Extensions; using Elsa.Studio.Authentication.OpenIdConnect.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.Models; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.ComponentProviders; using Elsa.Studio.Contracts; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.OpenIdConnect; @@ -88,6 +90,12 @@ public static IServiceCollection AddOidcAuthentication( // Add authorization services services.AddAuthorizationCore(); + // Use an OIDC-aware unauthorized component that initiates a challenge. + services.AddScoped(); + + // Shared auth infrastructure (e.g. delegating handlers). + services.AddAuthenticationInfrastructure(); + return services; } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs index 58cec2c1..4d12bc16 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs @@ -50,7 +50,12 @@ public class OidcOptions : AuthenticationOptions /// /// Gets or sets whether to get claims from the user info endpoint. /// - public bool GetClaimsFromUserInfoEndpoint { get; set; } = true; + /// + /// When enabled, the OIDC handler calls the provider's userinfo endpoint after authentication. + /// Some providers or app registrations may return 401 from userinfo unless specific permissions/scopes + /// are configured. + /// + public bool GetClaimsFromUserInfoEndpoint { get; set; } = false; /// /// Gets or sets the metadata address (optional, auto-discovered from Authority if not set). From 1ce992581c795fff53ef2d39ed473b1cb75c1b91 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 16:32:00 +0100 Subject: [PATCH 12/27] Replace `BearerTokenHttpMessageHandler` with `AuthenticatingApiHttpMessageHandler` and remove obsolete references --- src/hosts/Elsa.Studio.Host.Server/Program.cs | 2 +- src/hosts/Elsa.Studio.Host.Wasm/Program.cs | 2 +- .../Extensions/ServiceCollectionExtensions.cs | 1 - .../BearerTokenHttpMessageHandler.cs | 39 ------------------- 4 files changed, 2 insertions(+), 42 deletions(-) delete mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index 75f8db77..5fa10947 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -43,7 +43,7 @@ ConfigureBackendOptions = options => configuration.GetSection("Backend").Bind(options), ConfigureHttpClientBuilder = options => { - options.AuthenticationHandler = typeof(BearerTokenHttpMessageHandler); + options.AuthenticationHandler = typeof(AuthenticatingApiHttpMessageHandler); options.ConfigureHttpClient = (_, client) => { // Set a long time out to simplify debugging both Elsa Studio and the Elsa Server backend. diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs index 6f4fb091..fa09d2c2 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs @@ -29,7 +29,7 @@ var backendApiConfig = new BackendApiConfig { ConfigureBackendOptions = options => configuration.GetSection("Backend").Bind(options), - ConfigureHttpClientBuilder = options => options.AuthenticationHandler = typeof(BearerTokenHttpMessageHandler), + ConfigureHttpClientBuilder = options => options.AuthenticationHandler = typeof(AuthenticatingApiHttpMessageHandler), }; var localizationConfig = new LocalizationConfig diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs index 8187e3fb..9fcbb031 100644 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs @@ -17,7 +17,6 @@ public static class ServiceCollectionExtensions public static IServiceCollection AddAuthenticationInfrastructure(this IServiceCollection services) { // Used by API clients to attach access tokens. - services.TryAddScoped(); services.TryAddScoped(); // Used by modules (e.g. Workflows) to retrieve tokens without depending on a specific auth provider. diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs deleted file mode 100644 index 2e0098d7..00000000 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/BearerTokenHttpMessageHandler.cs +++ /dev/null @@ -1,39 +0,0 @@ -using Elsa.Studio.Contracts; -using Microsoft.Extensions.DependencyInjection; - -namespace Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; - -/// -/// An that attaches an access token (if available) to outgoing HTTP requests. -/// -/// -/// This handler is intentionally authentication-provider-agnostic. It relies on -/// (resolved from the current Blazor scope) to retrieve an access token. -/// -public class BearerTokenHttpMessageHandler(IBlazorServiceAccessor blazorServiceAccessor) : DelegatingHandler -{ - /// - protected override async Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) - { - var sp = blazorServiceAccessor.Services; - var authenticationProvider = sp.GetRequiredService(); - - await AttachAccessTokenAsync(request, authenticationProvider, cancellationToken); - - return await base.SendAsync(request, cancellationToken); - } - - private static async Task AttachAccessTokenAsync(HttpRequestMessage request, IAuthenticationProvider authenticationProvider, CancellationToken cancellationToken) - { - var accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); - - if (string.IsNullOrWhiteSpace(accessToken)) - { - request.Headers.Authorization = null; - return; - } - - request.Headers.Authorization = new("Bearer", accessToken); - } -} - From b07c7cefeada970d6a5d18768db6ada2e93f2477 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 17:53:19 +0100 Subject: [PATCH 13/27] Organize solution structure by adding new folders: authentication, localization, workflows, deprecated, samples, and dashboard. Remove obsolete project references. --- Elsa.Studio.sln | 76 ++++++++++++++++++++++++++----------------------- 1 file changed, 41 insertions(+), 35 deletions(-) diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index 7808bbaa..173fae20 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -101,6 +101,18 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication. EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth.BlazorWasm", "src\modules\Elsa.Studio.Authentication.ElsaAuth.BlazorWasm\Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.csproj", "{5E8F930A-AEE0-4742-955A-A741B1CE93F6}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "authentication", "authentication", "{8A157018-5A25-434A-9990-7FA5C3B057B6}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "localization", "localization", "{5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{CFC0C2A5-0013-4767-A743-BF0CEC0DEA25}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "deprecated", "deprecated", "{75420DD0-D636-499A-A2F3-31BDB21B7240}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "dashboard", "dashboard", "{AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -447,18 +459,6 @@ Global {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x64.Build.0 = Release|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x86.ActiveCfg = Release|Any CPU {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1}.Release|x86.Build.0 = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.Build.0 = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x64.ActiveCfg = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x64.Build.0 = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x86.ActiveCfg = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|x86.Build.0 = Debug|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.ActiveCfg = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.Build.0 = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x64.ActiveCfg = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x64.Build.0 = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x86.ActiveCfg = Release|Any CPU - {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|x86.Build.0 = Release|Any CPU {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|Any CPU.Build.0 = Debug|Any CPU {AED216D2-620D-4446-931F-BDEF357DA805}.Debug|x64.ActiveCfg = Debug|Any CPU @@ -547,34 +547,40 @@ Global {6BF88129-D74E-46FA-89A4-29B9FBAEC241} = {875A7E2E-4B7C-4AF0-A71E-3980B73AF363} {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D} = {6BF88129-D74E-46FA-89A4-29B9FBAEC241} {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8} = {2AA1AEE9-017E-4F8B-B5FC-2BEA37E83514} - {B831EE86-F713-4466-B91D-FA66EDCC2E30} = {D66B9A40-8608-46F3-9868-625C50EACE43} {C5D998F4-4523-49AF-9F0F-7BCDACA58790} = {C5288F1B-F4E5-423C-AEE8-049996613668} {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48} = {C5288F1B-F4E5-423C-AEE8-049996613668} {565B61D8-C67A-449B-BAE6-BEAC95E52B8F} = {C5288F1B-F4E5-423C-AEE8-049996613668} - {5DE5EFD1-00C0-4797-BFC3-8989ACF52165} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {5161EB5E-9301-4A43-A7CC-CDC665CD7B93} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {7A30797E-A1BF-4128-BB23-D8B00CDD59FD} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {AC76C31B-75F0-473C-8F96-DE77AFF76536} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {B5CF2E45-29A0-4101-90C3-2E6C31142F8F} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {435D5AF5-D06C-47A6-94B0-9B31016250DC} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {C15D23AC-26CA-447D-B441-75407FD79A6A} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {F85F11D4-8D22-4119-B212-2CD19DDFB0B4} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {AF48A447-22AF-4C94-8C5D-2B47FD90484C} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {E55917F6-388C-47FB-922B-ADE3D1AF5D6E} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {F3C53AFF-EBE5-447D-AF4D-136F18761733} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {DE57FD2C-3874-486A-89B1-D982726A1189} = {D66B9A40-8608-46F3-9868-625C50EACE43} {76C60D97-FA22-4023-BDB3-6BC47D097E40} = {C5288F1B-F4E5-423C-AEE8-049996613668} {25BA3052-4F17-4D24-9AE9-01FBD75E8804} = {2AA1AEE9-017E-4F8B-B5FC-2BEA37E83514} - {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {AED216D2-620D-4446-931F-BDEF357DA805} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {410041C1-5429-4D42-BFD3-C4AA343959FB} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {EFDD8E80-B369-4FAD-B797-3D63B3535432} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {E7EB0A92-C8CE-406B-AF7C-47AD21A43042} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {5E8F930A-AEE0-4742-955A-A741B1CE93F6} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {8A157018-5A25-434A-9990-7FA5C3B057B6} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {75420DD0-D636-499A-A2F3-31BDB21B7240} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {B831EE86-F713-4466-B91D-FA66EDCC2E30} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {AF48A447-22AF-4C94-8C5D-2B47FD90484C} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {C15D23AC-26CA-447D-B441-75407FD79A6A} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {EFDD8E80-B369-4FAD-B797-3D63B3535432} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {5E8F930A-AEE0-4742-955A-A741B1CE93F6} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {410041C1-5429-4D42-BFD3-C4AA343959FB} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {AED216D2-620D-4446-931F-BDEF357DA805} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165} = {6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7} + {F3C53AFF-EBE5-447D-AF4D-136F18761733} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} + {DE57FD2C-3874-486A-89B1-D982726A1189} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {AC76C31B-75F0-473C-8F96-DE77AFF76536} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {435D5AF5-D06C-47A6-94B0-9B31016250DC} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE} = {D66B9A40-8608-46F3-9868-625C50EACE43} + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93} = {AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {5B8719CC-CF87-45E1-BE1A-13842F951B28} From 884d67a4da1c25ab9bedff9581375290e3e5cf65 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 18:31:42 +0100 Subject: [PATCH 14/27] Refactor authentication: replace legacy services, update OIDC implementation, and restructure PKCE flow --- .../Extensions/ServiceCollectionExtensions.cs | 13 -- .../ElsaIdentityAuthorizationService.cs | 2 +- ...ectToLoginUnauthorizedComponentProvider.cs | 14 +- .../IOpenIdConnectPkceStateService.cs | 18 +++ .../Elsa.Studio.Login.csproj | 5 +- .../Extensions/ServiceCollectionExtensions.cs | 81 +++++++---- .../AuthenticatingApiHttpMessageHandler.cs | 3 - .../Models/OpenIdConnectConfiguration.cs | 7 +- .../DefaultAuthenticationProviderManager.cs | 1 - .../OpenIdConnectAuthorizationService.cs | 128 ++++-------------- 10 files changed, 109 insertions(+), 163 deletions(-) create mode 100644 src/modules/Elsa.Studio.Login/Contracts/IOpenIdConnectPkceStateService.cs diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs index a5a26f49..a0bbb83d 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs @@ -33,17 +33,4 @@ public static IServiceCollection AddElsaAuthCore(this IServiceCollection service return services; } - - /// - /// Configures ElsaAuth to use Elsa Identity (username/password to Elsa backend, stores JWTs). - /// - public static IServiceCollection UseElsaIdentityAuth(this IServiceCollection services) - { - return services - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped() - .AddScoped(); - } } diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs index 06485562..1ffe51a3 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityAuthorizationService.cs @@ -4,7 +4,7 @@ namespace Elsa.Studio.Authentication.ElsaAuth.Services; /// -internal class ElsaIdentityAuthorizationService(NavigationManager navigationManager) : IAuthorizationService +public class ElsaIdentityAuthorizationService(NavigationManager navigationManager) : IAuthorizationService { /// public Task RedirectToAuthorizationServer() diff --git a/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs index 2e21afc1..40608d0b 100644 --- a/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs +++ b/src/modules/Elsa.Studio.Login/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs @@ -1,26 +1,16 @@ -using Elsa.Studio.Components; using Elsa.Studio.Contracts; using Elsa.Studio.Extensions; using Elsa.Studio.Login.Components; -using Elsa.Studio.Login.Contracts; using Microsoft.AspNetCore.Components; -using Microsoft.Extensions.DependencyInjection; namespace Elsa.Studio.Login.ComponentProviders; /// -public class RedirectToLoginUnauthorizedComponentProvider(IServiceProvider serviceProvider) : IUnauthorizedComponentProvider +public class RedirectToLoginUnauthorizedComponentProvider : IUnauthorizedComponentProvider { /// public RenderFragment GetUnauthorizedComponent() { - // The legacy Login module requires an IAuthorizationService to perform the redirect. - // When using the newer authentication providers (e.g. the OIDC module), this service will not be registered. - // In that case, fall back to the default Unauthorized component (no redirect). - var authorizationService = serviceProvider.GetService(); - - return authorizationService != null - ? builder => builder.CreateComponent() - : builder => builder.CreateComponent(); + return builder => builder.CreateComponent(); } } \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Login/Contracts/IOpenIdConnectPkceStateService.cs b/src/modules/Elsa.Studio.Login/Contracts/IOpenIdConnectPkceStateService.cs new file mode 100644 index 00000000..df52d02e --- /dev/null +++ b/src/modules/Elsa.Studio.Login/Contracts/IOpenIdConnectPkceStateService.cs @@ -0,0 +1,18 @@ +namespace Elsa.Studio.Login.Contracts +{ + /// + /// Manages PKCE (Proof Key for Code Exchange) state for the authorization code flow. + /// + public interface IOpenIdConnectPkceStateService + { + /// + /// Generates and returns a PKCE code challedge. The associated code verifier is stored in session storage. + /// + Task<(string CodeChallenge, string Method)> GeneratePkceCodeChallenge(); + + /// + /// Retrieves the code verifier for the current session. + /// + Task GetPkceCodeVerifier(); + } +} diff --git a/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj b/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj index e7c3a941..a21f422f 100644 --- a/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj +++ b/src/modules/Elsa.Studio.Login/Elsa.Studio.Login.csproj @@ -15,9 +15,12 @@ - + + + + diff --git a/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs index 10a335d5..6428057f 100644 --- a/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Login/Extensions/ServiceCollectionExtensions.cs @@ -1,61 +1,88 @@ -using Elsa.Studio.Authentication.ElsaAuth.Extensions; using Elsa.Studio.Contracts; using Elsa.Studio.Login.ComponentProviders; +using Elsa.Studio.Login.Contracts; +using Elsa.Studio.Login.HttpMessageHandlers; using Elsa.Studio.Login.Models; +using Elsa.Studio.Login.Services; +using Microsoft.AspNetCore.Components.Authorization; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; namespace Elsa.Studio.Login.Extensions; +/// +/// Contains extension methods for the interface. +/// public static class ServiceCollectionExtensions { /// /// Adds the login module to the service collection. /// - [Obsolete("Elsa.Studio.Login is obsolete. Use Elsa.Studio.Authentication.ElsaAuth (or Elsa.Studio.Authentication.OpenIdConnect for OIDC) instead.")] public static IServiceCollection AddLoginModuleCore(this IServiceCollection services) { - // Keep legacy UI/feature registrations. - services - .AddScoped() - .AddScoped(); - - // Delegate the authentication plumbing to ElsaAuth. - services.AddElsaAuthCore(); - - return services; + return services + .AddScoped() + .AddOptions() + .AddAuthorizationCore() + .AddScoped() + .AddScoped() + .AddScoped(); } /// - /// Configures the login module to use elsa identity. + /// Configures the login module to use elsa identity /// - [Obsolete("Elsa.Studio.Login is obsolete. Use services.AddElsaAuthCore().UseElsaIdentityAuth() instead.")] - public static IServiceCollection UseElsaIdentity(this IServiceCollection services) => services.UseElsaIdentityAuth(); + public static IServiceCollection UseElsaIdentity(this IServiceCollection services) + { + return services + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped(); + } /// /// Configures the service collection to use OAuth2 for credential validation and related services. /// - [Obsolete("OAuth2 support via Elsa.Studio.Login is obsolete. ElsaAuth no longer contains OAuth2. If you need OAuth2, keep using the legacy Elsa.Studio.Login OAuth2 implementation or migrate to a dedicated future OAuth2 module.")] public static IServiceCollection UseOAuth2(this IServiceCollection services, Action configure) { - _ = configure; + services.Configure(configure); + + services.AddHttpClient((sp, httpClient) => + { + var options = sp.GetRequiredService>().Value; + httpClient.BaseAddress = new(options.TokenEndpoint); + }); - throw new NotSupportedException( - "OAuth2 support has been removed from Elsa.Studio.Authentication.ElsaAuth. " + - "For OIDC use Elsa.Studio.Authentication.OpenIdConnect.*. " + - "For legacy OAuth2 (ROPC) keep using the obsolete Elsa.Studio.Login implementation." ); + return services + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped() + .AddScoped(); } /// /// Configures the login module to use OpenIdConnect (OIDC). /// - [Obsolete("Elsa.Studio.Login OIDC integration is obsolete. Use Elsa.Studio.Authentication.OpenIdConnect.BlazorServer or Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.")] - public static IServiceCollection UseOpenIdConnectCore(this IServiceCollection services, Action configure) + public static IServiceCollection UseOpenIdConnect(this IServiceCollection services, Action configure) { - _ = configure; + services.Configure(configure); - throw new NotSupportedException( - "The legacy in-app OIDC code-flow is no longer available via Elsa.Studio.Authentication.ElsaAuth. " + - "Migrate to the new modules: Elsa.Studio.Authentication.OpenIdConnect.BlazorServer (server) or " + - "Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm (WASM)." ); + return services + .AddScoped() + .AddScoped() + .AddScoped(); + } + + /// + /// Configures the login module to use OpenIdConnect (OIDC). + /// + [Obsolete("Elsa.Studio.Login.* is obsolete. Prefer Elsa.Studio.Authentication.OpenIdConnect.*. UseOpenIdConnectCore is kept for backwards compatibility.")] + public static IServiceCollection UseOpenIdConnectCore(this IServiceCollection services, Action configure) + { + return services.UseOpenIdConnect(configure); } } \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs index 79bf5b91..5e39eaa0 100644 --- a/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs +++ b/src/modules/Elsa.Studio.Login/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -8,7 +8,6 @@ namespace Elsa.Studio.Login.HttpMessageHandlers; /// /// An that configures the outgoing HTTP request to use the access token as bearer token. /// -[Obsolete("This handler has moved to Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers.AuthenticatingApiHttpMessageHandler. Update hosts/modules to reference the new handler.")] public class AuthenticatingApiHttpMessageHandler(IRefreshTokenService refreshTokenService, IBlazorServiceAccessor blazorServiceAccessor) : DelegatingHandler { @@ -35,5 +34,3 @@ protected override async Task SendAsync(HttpRequestMessage return response; } } - - diff --git a/src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs b/src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs index d6795186..7aa725bc 100644 --- a/src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs +++ b/src/modules/Elsa.Studio.Login/Models/OpenIdConnectConfiguration.cs @@ -24,11 +24,6 @@ public class OpenIdConnectConfiguration /// The client_id as which this application is registered with the authorization server /// public required string ClientId { get; set; } - - /// - /// The client_secret as which this application is registered with the authorization server. - /// - public string? ClientSecret { get; set; } /// /// The scopes to request, defaulting to: openid profile offline_access @@ -38,5 +33,5 @@ public class OpenIdConnectConfiguration /// /// Enables PKCE (Proof Key for Code Exchange) for the authorization code flow. /// - public bool UsePkce { get; set; } + public bool UsePkce { get; set; } = false; } diff --git a/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs b/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs index 39738dd7..1787d105 100644 --- a/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs +++ b/src/modules/Elsa.Studio.Login/Services/DefaultAuthenticationProviderManager.cs @@ -3,7 +3,6 @@ namespace Elsa.Studio.Login.Services; /// -[Obsolete("Elsa.Studio.Login is obsolete. Use Elsa.Studio.Authentication.Abstractions.Services.DefaultAuthenticationProviderManager / AddAuthenticationInfrastructure instead.")] public class DefaultAuthenticationProviderManager(IEnumerable authenticationProviders) : IAuthenticationProviderManager { /// diff --git a/src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs b/src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs index 93b2d5e5..2c1ba319 100644 --- a/src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs +++ b/src/modules/Elsa.Studio.Login/Services/OpenIdConnectAuthorizationService.cs @@ -3,142 +3,72 @@ using Microsoft.AspNetCore.Components; using Microsoft.AspNetCore.WebUtilities; using Microsoft.Extensions.Options; +using System.Net; using System.Net.Http.Json; -using System.Security.Cryptography; -using Microsoft.Extensions.Logging; -using Microsoft.JSInterop; +using System.Text; namespace Elsa.Studio.Login.Services; /// -public class OpenIdConnectAuthorizationService( - IJwtAccessor jwtAccessor, - IOptions configuration, - NavigationManager navigationManager, - HttpClient httpClient, - IOpenIdConnectPkceService pkceService, - IOidcBrowserStateStore browserState, - ILogger logger) : IAuthorizationService +public class OpenIdConnectAuthorizationService(IJwtAccessor jwtAccessor, IOptions configuration, NavigationManager navigationManager, HttpClient httpClient, IOpenIdConnectPkceStateService pkceStateService) : IAuthorizationService { - static string CryptoRandom(int bytes = 32) => - WebEncoders.Base64UrlEncode(RandomNumberGenerator.GetBytes(bytes)); - /// public async Task RedirectToAuthorizationServer() { var config = configuration.Value; var redirectUri = new Uri(navigationManager.Uri).GetLeftPart(UriPartial.Authority) + "/signin-oidc"; - - var returnUrl = navigationManager.ToBaseRelativePath(navigationManager.Uri); - if (string.IsNullOrWhiteSpace(returnUrl) || returnUrl == "/") - returnUrl = "/"; - - var state = CryptoRandom(); - var nonce = CryptoRandom(); - - await browserState.SetAsync($"state:{state}", returnUrl); - await browserState.SetAsync($"nonce:{state}", nonce); // tie nonce to state - - var query = new Dictionary - { - ["client_id"] = config.ClientId, - ["redirect_uri"] = redirectUri, - ["response_type"] = "code", - ["response_mode"] = "query", - ["scope"] = string.Join(' ', config.Scopes), - ["state"] = state, - ["nonce"] = nonce - }; - + string url = config.AuthEndpoint + $"?client_id={WebUtility.UrlEncode(config.ClientId)}&redirect_uri={WebUtility.UrlEncode(redirectUri)}&response_type=code&scope={WebUtility.UrlEncode(String.Join(' ', config.Scopes))}"; if (config.UsePkce) { - // IMPORTANT: your PKCE service should return BOTH verifier + challenge. - var pkce = await pkceService.GeneratePkceAsync(); // see note below - await browserState.SetAsync($"pkce:{state}", pkce.CodeVerifier); - - query["code_challenge"] = pkce.CodeChallenge; - query["code_challenge_method"] = pkce.Method; + var generated = await pkceStateService.GeneratePkceCodeChallenge(); + url += $"&code_challenge={generated.CodeChallenge}&code_challenge_method={generated.Method}"; + } + if (navigationManager.ToBaseRelativePath(navigationManager.Uri) is { } returnUrl and not "/") + { + url += "&state=" + WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(returnUrl)); } - var url = QueryHelpers.AddQueryString(config.AuthEndpoint, query); navigationManager.NavigateTo(url, true); } - /// public async Task ReceiveAuthorizationCode(string code, string? state, CancellationToken cancellationToken) { - if (string.IsNullOrWhiteSpace(state)) - throw new InvalidOperationException("Missing state."); - var config = configuration.Value; - var returnUrl = await browserState.TakeAsync($"state:{state}") ?? "/"; - var codeVerifier = config.UsePkce ? await browserState.TakeAsync($"pkce:{state}") : null; var redirectUri = new Uri(navigationManager.Uri).GetLeftPart(UriPartial.Authority) + "/signin-oidc"; var formValues = new List> { - new("client_id", config.ClientId), - new("grant_type", "authorization_code"), - new("code", code), - new("redirect_uri", redirectUri), - new("scope", string.Join(' ', config.Scopes)) // <-- key for getting API aud + new KeyValuePair("client_id", config.ClientId), + new KeyValuePair("code", code), + new KeyValuePair("grant_type", "authorization_code"), + new KeyValuePair("redirect_uri", redirectUri) }; - - if (!string.IsNullOrWhiteSpace(config.ClientSecret)) - formValues.Add(new("client_secret", config.ClientSecret)); - if (config.UsePkce) { - if (string.IsNullOrWhiteSpace(codeVerifier)) - throw new InvalidOperationException("Missing PKCE code_verifier."); - - formValues.Add(new("code_verifier", codeVerifier)); + var codeVerifier = await pkceStateService.GetPkceCodeVerifier(); + formValues.Add(new KeyValuePair("code_verifier", codeVerifier)); } - var response = await httpClient.PostAsync(config.TokenEndpoint, new FormUrlEncodedContent(formValues), cancellationToken); - response.EnsureSuccessStatusCode(); + var refreshRequestMessage = new HttpRequestMessage(HttpMethod.Post, config.TokenEndpoint) + { + Content = new FormUrlEncodedContent(formValues) + }; + + // Send request. + var response = await httpClient.SendAsync(refreshRequestMessage, cancellationToken); - var tokens = await response.Content.ReadFromJsonAsync(cancellationToken) - ?? throw new InvalidOperationException("Failed to read token response."); + var tokens = (await response.Content.ReadFromJsonAsync(cancellationToken))!; await jwtAccessor.WriteTokenAsync(TokenNames.RefreshToken, tokens.RefreshToken ?? ""); await jwtAccessor.WriteTokenAsync(TokenNames.AccessToken, tokens.AccessToken ?? ""); await jwtAccessor.WriteTokenAsync(TokenNames.IdToken, tokens.IdToken ?? ""); + string returnUrl = "/"; + if (!String.IsNullOrWhiteSpace(state)) + { + returnUrl = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(state)); + } navigationManager.NavigateTo(returnUrl, true); } - -} - -public interface IOidcBrowserStateStore -{ - ValueTask SetAsync(string key, string value); - ValueTask GetAsync(string key); - ValueTask RemoveAsync(string key); - ValueTask TakeAsync(string key); -} - -public class SessionStorageOidcStateStore : IOidcBrowserStateStore -{ - private readonly IJSRuntime _js; - - public SessionStorageOidcStateStore(IJSRuntime js) => _js = js; - - public ValueTask SetAsync(string key, string value) => - _js.InvokeVoidAsync("oidcState.set", key, value); - - public ValueTask GetAsync(string key) => - _js.InvokeAsync("oidcState.get", key); - - public ValueTask RemoveAsync(string key) => - _js.InvokeVoidAsync("oidcState.remove", key); - - public async ValueTask TakeAsync(string key) - { - var value = await GetAsync(key); - if (value != null) - await RemoveAsync(key); - return value; - } } From 2242b09e077cab96baaf1a3825516be41ac70adf Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 19:41:50 +0100 Subject: [PATCH 15/27] Add `Elsa.Studio.Authentication.ElsaAuth.UI` module to provide Elsa Identity authentication with a login UI and unauthorized redirect behavior. --- Elsa.Studio.sln | 66 +++++++++++------ .../appsettings.json | 8 ++ .../Elsa.Studio.Host.Server.csproj | 5 ++ src/hosts/Elsa.Studio.Host.Server/Program.cs | 50 ++++++++----- .../Elsa.Studio.Host.Server/appsettings.json | 12 +-- .../Elsa.Studio.Host.Wasm.csproj | 5 ++ src/hosts/Elsa.Studio.Host.Wasm/Program.cs | 29 ++++++-- .../wwwroot/appsettings.json | 8 ++ ...ectToLoginUnauthorizedComponentProvider.cs | 14 ++++ .../Components/LoginState.razor | 9 +++ .../Components/RedirectToLogin.razor | 14 ++++ ...a.Studio.Authentication.ElsaAuth.UI.csproj | 25 +++++++ .../Extensions/ServiceCollectionExtensions.cs | 25 +++++++ .../LoginFeature.cs | 18 +++++ .../Pages/Login/Login.razor | 57 +++++++++++++++ .../Pages/Login/Login.razor.cs | 73 +++++++++++++++++++ .../README.md | 33 +++++++++ .../_Imports.razor | 9 +++ 18 files changed, 404 insertions(+), 56 deletions(-) create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/LoginState.razor create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/RedirectToLogin.razor create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Extensions/ServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/LoginFeature.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor.cs create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/README.md create mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index 173fae20..e3bec5d0 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -113,6 +113,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{6B3C EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "dashboard", "dashboard", "{AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth.UI", "src\modules\Elsa.Studio.Authentication.ElsaAuth.UI\Elsa.Studio.Authentication.ElsaAuth.UI.csproj", "{9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -531,6 +533,23 @@ Global {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x64.Build.0 = Release|Any CPU {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x86.ActiveCfg = Release|Any CPU {5E8F930A-AEE0-4742-955A-A741B1CE93F6}.Release|x86.Build.0 = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|Any CPU.Build.0 = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|x64.ActiveCfg = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|x64.Build.0 = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|x86.ActiveCfg = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Debug|x86.Build.0 = Debug|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|Any CPU.ActiveCfg = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|Any CPU.Build.0 = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|x64.ActiveCfg = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|x64.Build.0 = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|x86.ActiveCfg = Release|Any CPU + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}.Release|x86.Build.0 = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Debug|Any CPU.Deploy.0 = Debug|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E88C478A-6B8C-46F3-941C-BEBD798ECD06}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -547,40 +566,41 @@ Global {6BF88129-D74E-46FA-89A4-29B9FBAEC241} = {875A7E2E-4B7C-4AF0-A71E-3980B73AF363} {6029D546-A5DB-4B75-8DE4-BFB83EB2A24D} = {6BF88129-D74E-46FA-89A4-29B9FBAEC241} {8A9DBE4A-A03F-44C9-9AB2-74AA973D72A8} = {2AA1AEE9-017E-4F8B-B5FC-2BEA37E83514} + {B831EE86-F713-4466-B91D-FA66EDCC2E30} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} {C5D998F4-4523-49AF-9F0F-7BCDACA58790} = {C5288F1B-F4E5-423C-AEE8-049996613668} {2FC3CE4B-02D3-4808-828E-F4D84FFD1E48} = {C5288F1B-F4E5-423C-AEE8-049996613668} {565B61D8-C67A-449B-BAE6-BEAC95E52B8F} = {C5288F1B-F4E5-423C-AEE8-049996613668} + {5DE5EFD1-00C0-4797-BFC3-8989ACF52165} = {6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7} + {5161EB5E-9301-4A43-A7CC-CDC665CD7B93} = {AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE} + {7A30797E-A1BF-4128-BB23-D8B00CDD59FD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {AC76C31B-75F0-473C-8F96-DE77AFF76536} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {B5CF2E45-29A0-4101-90C3-2E6C31142F8F} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {435D5AF5-D06C-47A6-94B0-9B31016250DC} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {C15D23AC-26CA-447D-B441-75407FD79A6A} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {F85F11D4-8D22-4119-B212-2CD19DDFB0B4} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {AF48A447-22AF-4C94-8C5D-2B47FD90484C} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {E55917F6-388C-47FB-922B-ADE3D1AF5D6E} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} + {F3C53AFF-EBE5-447D-AF4D-136F18761733} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} + {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} + {DE57FD2C-3874-486A-89B1-D982726A1189} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} {76C60D97-FA22-4023-BDB3-6BC47D097E40} = {C5288F1B-F4E5-423C-AEE8-049996613668} {25BA3052-4F17-4D24-9AE9-01FBD75E8804} = {2AA1AEE9-017E-4F8B-B5FC-2BEA37E83514} + {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {75420DD0-D636-499A-A2F3-31BDB21B7240} + {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {AED216D2-620D-4446-931F-BDEF357DA805} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {410041C1-5429-4D42-BFD3-C4AA343959FB} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {EFDD8E80-B369-4FAD-B797-3D63B3535432} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {E7EB0A92-C8CE-406B-AF7C-47AD21A43042} = {8A157018-5A25-434A-9990-7FA5C3B057B6} + {5E8F930A-AEE0-4742-955A-A741B1CE93F6} = {8A157018-5A25-434A-9990-7FA5C3B057B6} {8A157018-5A25-434A-9990-7FA5C3B057B6} = {D66B9A40-8608-46F3-9868-625C50EACE43} {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} = {D66B9A40-8608-46F3-9868-625C50EACE43} {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} = {D66B9A40-8608-46F3-9868-625C50EACE43} {75420DD0-D636-499A-A2F3-31BDB21B7240} = {D66B9A40-8608-46F3-9868-625C50EACE43} {6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {B831EE86-F713-4466-B91D-FA66EDCC2E30} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} - {AF48A447-22AF-4C94-8C5D-2B47FD90484C} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} - {F85F11D4-8D22-4119-B212-2CD19DDFB0B4} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} - {E55917F6-388C-47FB-922B-ADE3D1AF5D6E} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} - {C15D23AC-26CA-447D-B441-75407FD79A6A} = {CFC0C2A5-0013-4767-A743-BF0CEC0DEA25} - {09E284E0-7F8E-4346-962F-90F3FBA8837D} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {EFDD8E80-B369-4FAD-B797-3D63B3535432} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {E7EB0A92-C8CE-406B-AF7C-47AD21A43042} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {5E8F930A-AEE0-4742-955A-A741B1CE93F6} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {E88C478A-6B8C-46F3-941C-BEBD798ECD06} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {410041C1-5429-4D42-BFD3-C4AA343959FB} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {AED216D2-620D-4446-931F-BDEF357DA805} = {8A157018-5A25-434A-9990-7FA5C3B057B6} - {5DE5EFD1-00C0-4797-BFC3-8989ACF52165} = {6B3C5B39-0F8A-471F-9F0B-6CE31F0782F7} - {F3C53AFF-EBE5-447D-AF4D-136F18761733} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} - {F5BBEF8A-D75E-442E-A2E7-EEF5F04335A5} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} - {DE57FD2C-3874-486A-89B1-D982726A1189} = {5A2833A5-D3D8-479B-9ED7-5D5DE4FCC8F9} - {F6F4CD65-8E0C-5401-A668-108C6C0E8CD1} = {75420DD0-D636-499A-A2F3-31BDB21B7240} - {AC76C31B-75F0-473C-8F96-DE77AFF76536} = {75420DD0-D636-499A-A2F3-31BDB21B7240} - {B5CF2E45-29A0-4101-90C3-2E6C31142F8F} = {75420DD0-D636-499A-A2F3-31BDB21B7240} - {5A3139DC-0FFB-4B44-8BF1-38F29C6133CD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} - {435D5AF5-D06C-47A6-94B0-9B31016250DC} = {75420DD0-D636-499A-A2F3-31BDB21B7240} - {7A30797E-A1BF-4128-BB23-D8B00CDD59FD} = {75420DD0-D636-499A-A2F3-31BDB21B7240} {AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE} = {D66B9A40-8608-46F3-9868-625C50EACE43} - {5161EB5E-9301-4A43-A7CC-CDC665CD7B93} = {AEFE5B4E-5306-4EA3-9579-9F9A4BF75BBE} + {9953E8DA-2ADD-42CA-957F-1DFDB284BEFD} = {8A157018-5A25-434A-9990-7FA5C3B057B6} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {5B8719CC-CF87-45E1-BE1A-13842F951B28} diff --git a/src/hosts/Elsa.Studio.Host.HostedWasm/appsettings.json b/src/hosts/Elsa.Studio.Host.HostedWasm/appsettings.json index d6c905b4..94af61a9 100644 --- a/src/hosts/Elsa.Studio.Host.HostedWasm/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.HostedWasm/appsettings.json @@ -8,5 +8,13 @@ "AllowedHosts": "*", "Hosting": { "ApiUrl": "https://localhost:5001/elsa/api" + }, + "Authentication": { + "Provider": "OpenIdConnect", + "OpenIdConnect": { + "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", + "ClientId": "", + "ClientSecret": "" + } } } diff --git a/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj b/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj index 49e5c551..bfefe23e 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj +++ b/src/hosts/Elsa.Studio.Host.Server/Elsa.Studio.Host.Server.csproj @@ -14,7 +14,12 @@ + + + + + diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index 5fa10947..af322ce5 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -1,4 +1,7 @@ using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; +using Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions; +using Elsa.Studio.Authentication.ElsaAuth.Extensions; +using Elsa.Studio.Authentication.ElsaAuth.UI.Extensions; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; using Elsa.Studio.Branding; using Elsa.Studio.Contracts; @@ -66,25 +69,38 @@ builder.Services.AddCore().Replace(new(typeof(IBrandingProvider), typeof(StudioBrandingProvider), ServiceLifetime.Scoped)); builder.Services.AddShell(options => configuration.GetSection("Shell").Bind(options)); builder.Services.AddRemoteBackend(backendApiConfig); -// OIDC provides the auth pipeline + unauthorized redirect behavior, so we don't need the legacy Login module. -//builder.Services.AddLoginModule(); -// builder.Services.UseOAuth2(options => -// { -// options.ClientId = "ElsaStudio"; -// options.TokenEndpoint = "https://localhost:44366/connect/token"; -// options.Scope = "YourSite offline_access"; -// }); -//builder.Services.UseOpenIdConnect(openid => configuration.GetSection("Authentication:OpenIdConnect").Bind(openid)); -builder.Services.AddOidcAuthentication(options => +// Choose authentication provider. +// Supported values: "OpenIdConnect" (default) or "ElsaAuth". +var authProvider = configuration["Authentication:Provider"]; +if (string.IsNullOrWhiteSpace(authProvider)) + authProvider = "OpenIdConnect"; + +authProvider = authProvider.Trim(); + +if (authProvider.Equals("ElsaAuth", StringComparison.OrdinalIgnoreCase)) +{ + // Elsa Identity (username/password against Elsa backend) + login UI at /login. + builder.Services.AddElsaAuth(); + builder.Services.AddElsaAuthUI(); +} +else if (authProvider.Equals("OpenIdConnect", StringComparison.OrdinalIgnoreCase)) { - configuration.GetSection("Authentication:Oidc").Bind(options); + // OpenID Connect. + builder.Services.AddOidcAuthentication(options => + { + configuration.GetSection("Authentication:OpenIdConnect").Bind(options); - // If you see a 401 from the OIDC handler while calling the "userinfo" endpoint, - // either disable UserInfo retrieval (recommended for most setups), or configure your IdP/app registration - // to allow calling userinfo with the issued access token. - // options.GetClaimsFromUserInfoEndpoint = false; -}); + // If you see a 401 from the OIDC handler while calling the "userinfo" endpoint, + // either disable UserInfo retrieval (recommended for most setups), or configure your IdP/app registration + // to allow calling userinfo with the issued access token. + // options.GetClaimsFromUserInfoEndpoint = false; + }); +} +else +{ + throw new InvalidOperationException($"Unsupported Authentication:Provider value '{authProvider}'. Supported values are 'OpenIdConnect' and 'ElsaAuth'."); +} builder.Services.AddDashboardModule(); builder.Services.AddWorkflowsModule(); @@ -136,4 +152,4 @@ app.MapControllers(); app.MapBlazorHub(); app.MapFallbackToPage("/_Host"); -app.Run(); \ No newline at end of file +app.Run(); diff --git a/src/hosts/Elsa.Studio.Host.Server/appsettings.json b/src/hosts/Elsa.Studio.Host.Server/appsettings.json index b764c348..689f4f3e 100644 --- a/src/hosts/Elsa.Studio.Host.Server/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Server/appsettings.json @@ -20,19 +20,11 @@ ] }, "Authentication": { - "Oidc": { + "Provider": "OpenIdConnect", + "OpenIdConnect": { "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", "ClientId": "", "ClientSecret": "" - }, - "OpenIdConnect": { - "ClientId": "", - "ClientSecret": "", - "AuthEndpoint": "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize", - "EndSessionEndpoint": "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/logout", - "TokenEndpoint": "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", - "Scopes": ["openid", "profile", "offline_access"], - "UsePkce": false } } } diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj b/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj index 0eaa370f..a387b8ad 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj +++ b/src/hosts/Elsa.Studio.Host.Wasm/Elsa.Studio.Host.Wasm.csproj @@ -22,7 +22,12 @@ + + + + + diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs index fa09d2c2..f3a4ea21 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs @@ -41,14 +41,31 @@ builder.Services.AddShell(); builder.Services.AddRemoteBackend(backendApiConfig); -// Remove legacy Login module for OIDC-based auth. -//builder.Services.AddLoginModule(); -//builder.Services.UseElsaIdentity(); +// Choose authentication provider. +// Supported values: "OpenIdConnect" (default) or "ElsaAuth". +var authProvider = configuration["Authentication:Provider"]; +if (string.IsNullOrWhiteSpace(authProvider)) + authProvider = "OpenIdConnect"; -builder.Services.AddElsaOidcAuthentication(options => +authProvider = authProvider.Trim(); + +if (authProvider.Equals("ElsaAuth", StringComparison.OrdinalIgnoreCase)) +{ + // Elsa Identity (username/password against Elsa backend) + login UI at /login. + Elsa.Studio.Authentication.ElsaAuth.BlazorWasm.Extensions.ServiceCollectionExtensions.AddElsaAuth(builder.Services); + Elsa.Studio.Authentication.ElsaAuth.UI.Extensions.ServiceCollectionExtensions.AddElsaAuthUI(builder.Services); +} +else if (authProvider.Equals("OpenIdConnect", StringComparison.OrdinalIgnoreCase)) +{ + builder.Services.AddElsaOidcAuthentication(options => + { + configuration.GetSection("Authentication:OpenIdConnect").Bind(options); + }); +} +else { - configuration.GetSection("Authentication:Oidc").Bind(options); -}); + throw new InvalidOperationException($"Unsupported Authentication:Provider value '{authProvider}'. Supported values are 'OpenIdConnect' and 'ElsaAuth'."); +} builder.Services.AddDashboardModule(); builder.Services.AddWorkflowsModule(); diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json index c0c96b6c..7a3f8e8b 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json @@ -7,5 +7,13 @@ }, "Backend": { "Url": "https://localhost:5001/elsa/api" + }, + "Authentication": { + "Provider": "OpenIdConnect", + "OpenIdConnect": { + "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", + "ClientId": "", + "ClientSecret": "" + } } } diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs new file mode 100644 index 00000000..8d13ec24 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/ComponentProviders/RedirectToLoginUnauthorizedComponentProvider.cs @@ -0,0 +1,14 @@ +using Elsa.Studio.Contracts; +using Elsa.Studio.Extensions; +using Elsa.Studio.Authentication.ElsaAuth.UI.Components; +using Microsoft.AspNetCore.Components; + +namespace Elsa.Studio.Authentication.ElsaAuth.UI.ComponentProviders; + +/// +public class RedirectToLoginUnauthorizedComponentProvider : IUnauthorizedComponentProvider +{ + /// + public RenderFragment GetUnauthorizedComponent() => builder => builder.CreateComponent(); +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/LoginState.razor b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/LoginState.razor new file mode 100644 index 00000000..ab5ab0a4 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/LoginState.razor @@ -0,0 +1,9 @@ +@using Microsoft.AspNetCore.Components +@using Microsoft.AspNetCore.Components.Authorization +@using Variant = MudBlazor.Variant +@inject AuthenticationStateProvider AuthenticationStateProvider + + + Login + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/RedirectToLogin.razor b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/RedirectToLogin.razor new file mode 100644 index 00000000..4caaa9fb --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Components/RedirectToLogin.razor @@ -0,0 +1,14 @@ +@using Microsoft.AspNetCore.Components +@inject NavigationManager NavigationManager + +@code { + protected override void OnAfterRender(bool firstRender) + { + if (!firstRender) + return; + + var returnUrl = Uri.EscapeDataString(NavigationManager.ToBaseRelativePath(NavigationManager.Uri)); + NavigationManager.NavigateTo($"/login?returnUrl={returnUrl}", true); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj new file mode 100644 index 00000000..e9f99126 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj @@ -0,0 +1,25 @@ + + + + Login UI for Elsa Studio ElsaAuth (Elsa Identity) authentication. + elsa studio authentication elsa auth ui + + + + + + + + + + + + + + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Extensions/ServiceCollectionExtensions.cs new file mode 100644 index 00000000..1d6f40a2 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Extensions/ServiceCollectionExtensions.cs @@ -0,0 +1,25 @@ +using Elsa.Studio.Authentication.ElsaAuth.UI.ComponentProviders; +using Elsa.Studio.Contracts; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.ElsaAuth.UI.Extensions; + +/// +/// Service registration extensions for the ElsaAuth UI module. +/// +public static class ServiceCollectionExtensions +{ + /// + /// Adds Elsa Identity login UI (route: /login) and an unauthorized redirect behavior. + /// + public static IServiceCollection AddElsaAuthUI(this IServiceCollection services) + { + // Provide a default unauthorized UI for Elsa Identity. + services.AddScoped(); + + // Optional shell feature (adds app-bar login state UI). + services.AddScoped(); + + return services; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/LoginFeature.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/LoginFeature.cs new file mode 100644 index 00000000..480938e5 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/LoginFeature.cs @@ -0,0 +1,18 @@ +using Elsa.Studio.Abstractions; +using Elsa.Studio.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.UI.Components; + +namespace Elsa.Studio.Authentication.ElsaAuth.UI; + +/// +/// Adds a login app-bar component. +/// +public class LoginFeature(IAppBarService appBarService) : FeatureBase +{ + /// + public override ValueTask InitializeAsync(CancellationToken cancellationToken = default) + { + appBarService.AddComponent(); + return base.InitializeAsync(cancellationToken); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor new file mode 100644 index 00000000..aa516a74 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor @@ -0,0 +1,57 @@ +@page "/login" +@using Elsa.Studio.Branding +@using Elsa.Studio.Layouts +@using Elsa.Studio.Localization +@inherits Elsa.Studio.Components.StudioComponentBase +@inject ILocalizer Localizer +@inject IBrandingProvider BrandingProvider +@layout BasicLayout + + + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor.cs new file mode 100644 index 00000000..fd18385b --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Pages/Login/Login.razor.cs @@ -0,0 +1,73 @@ +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Services; +using Elsa.Studio.Contracts; +using Elsa.Studio.Services; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Components; +using Microsoft.AspNetCore.Components.Authorization; +using Microsoft.AspNetCore.WebUtilities; +using MudBlazor; +using Radzen; + +namespace Elsa.Studio.Authentication.ElsaAuth.UI.Pages.Login; + +/// +/// The login page. +/// +[AllowAnonymous] +public partial class Login +{ + [Inject] private IJwtAccessor JwtAccessor { get; set; } = null!; + [Inject] private ICredentialsValidator CredentialsValidator { get; set; } = null!; + [Inject] private NavigationManager NavigationManager { get; set; } = null!; + [Inject] private AuthenticationStateProvider AuthenticationStateProvider { get; set; } = null!; + [Inject] private IClientInformationProvider ClientInformationProvider { get; set; } = null!; + [Inject] private IServerInformationProvider ServerInformationProvider { get; set; } = null!; + [Inject] private IUserMessageService UserMessageService { get; set; } = null!; + + private string ClientVersion { get; set; } = "3.0.0"; + private string ServerVersion { get; set; } = "3.0.0"; + + /// + protected override async Task OnInitializedAsync() + { + var clientInformation = await ClientInformationProvider.GetInfoAsync(); + var serverInformation = await ServerInformationProvider.GetInfoAsync(); + ClientVersion = clientInformation.PackageVersion; + ServerVersion = string.Join('.', serverInformation.PackageVersion.Split('.').Take(2)); + } + + private async Task TryLogin(LoginArgs args) + { + var isValid = await ValidateCredentials(args.Username, args.Password); + if (!isValid) + { + UserMessageService.ShowSnackbarTextMessage("Invalid credentials. Please try again", Severity.Error); + return; + } + + if (AuthenticationStateProvider is AccessTokenAuthenticationStateProvider tokenProvider) + tokenProvider.NotifyAuthenticationStateChanged(); + + var uri = new Uri(NavigationManager.Uri); + if (QueryHelpers.ParseQuery(uri.Query).TryGetValue("returnUrl", out var returnUrl)) + NavigationManager.NavigateTo(returnUrl.FirstOrDefault() ?? string.Empty, true); + else + NavigationManager.NavigateTo(string.Empty, true); + } + + private async Task ValidateCredentials(string username, string password) + { + if (string.IsNullOrEmpty(username) && string.IsNullOrEmpty(password)) + return false; + + var result = await CredentialsValidator.ValidateCredentialsAsync(username, password); + + if (!result.IsValid) + return false; + + await JwtAccessor.WriteTokenAsync(TokenNames.AccessToken, result.AccessToken!); + await JwtAccessor.WriteTokenAsync(TokenNames.RefreshToken, result.RefreshToken!); + return true; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/README.md b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/README.md new file mode 100644 index 00000000..8cc869d6 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/README.md @@ -0,0 +1,33 @@ +# Elsa.Studio.Authentication.ElsaAuth.UI + +Provides the Elsa Identity login UI for Elsa Studio. + +## What you get +- A Blazor login page at `/login` +- A default unauthorized component provider that redirects to `/login?returnUrl=...` +- A simple app-bar login component (optional) + +## Usage +### 1) Configure ElsaAuth (Elsa Identity) +This UI module assumes you are using **Elsa Identity** (username/password against the Elsa backend API). + +In your host (Server or WASM), register ElsaAuth and the identity flow, then add the UI: + +```csharp +// Platform services: +builder.Services.AddElsaAuth(); + +// Core + Elsa Identity flow: +builder.Services.AddElsaAuthCore().UseElsaIdentityAuth(); + +// UI (this package): +builder.Services.AddElsaAuthUI(); +``` + +### 2) Switching providers (hosts) +Elsa Studio hosts can switch providers using configuration: + +- `Authentication:Provider` = `OpenIdConnect` or `ElsaAuth` +- `Authentication:OpenIdConnect` contains OIDC settings when using `OpenIdConnect` + +> Note: You still need to configure the backend URL to point to your Elsa API. diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor new file mode 100644 index 00000000..77a3849f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor @@ -0,0 +1,9 @@ +@using Elsa.Studio.Abstractions +@using Elsa.Studio.Contracts +@using Elsa.Studio.Shared +@using Elsa.Studio.Shared.Layouts +@using Elsa.Studio.Shared.Components +@using Elsa.Studio.Shared.Services +@using MudBlazor +@using Radzen +@using Radzen.Blazor From 48552abf876767e4326dc6618203102cc73fbdbd Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 20:06:06 +0100 Subject: [PATCH 16/27] Migrate `AUTHENTICATION_ARCHITECTURE.md` to `doc/` folder, update project references, and refine namespace imports for authentication module. --- Elsa.Studio.sln | 5 + IMPLEMENTATION_SUMMARY.md | 207 ------------------ .../AUTHENTICATION_ARCHITECTURE.md | 0 ...a.Studio.Authentication.ElsaAuth.UI.csproj | 3 +- .../_Imports.razor | 7 +- 5 files changed, 10 insertions(+), 212 deletions(-) delete mode 100644 IMPLEMENTATION_SUMMARY.md rename {src/modules => doc}/AUTHENTICATION_ARCHITECTURE.md (100%) diff --git a/Elsa.Studio.sln b/Elsa.Studio.sln index e3bec5d0..92c66728 100644 --- a/Elsa.Studio.sln +++ b/Elsa.Studio.sln @@ -115,6 +115,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "dashboard", "dashboard", "{ EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.ElsaAuth.UI", "src\modules\Elsa.Studio.Authentication.ElsaAuth.UI\Elsa.Studio.Authentication.ElsaAuth.UI.csproj", "{9953E8DA-2ADD-42CA-957F-1DFDB284BEFD}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "doc", "doc", "{60B07BD6-80AE-496A-B5C4-55EBB12EF3BC}" + ProjectSection(SolutionItems) = preProject + doc\AUTHENTICATION_ARCHITECTURE.md = doc\AUTHENTICATION_ARCHITECTURE.md + EndProjectSection +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU diff --git a/IMPLEMENTATION_SUMMARY.md b/IMPLEMENTATION_SUMMARY.md deleted file mode 100644 index 56c9a454..00000000 --- a/IMPLEMENTATION_SUMMARY.md +++ /dev/null @@ -1,207 +0,0 @@ -# Implementation Summary: Standalone OIDC Authentication Module - -## What Was Built - -A complete, best-practices OpenID Connect authentication module for Elsa Studio that serves as a clean alternative to the existing OIDC implementation in `Elsa.Studio.Login`. - -## New Projects (4) - -### 1. Elsa.Studio.Authentication.Abstractions -**Purpose**: Shared abstractions for authentication providers - -**Contents**: -- `ITokenAccessor` - Provider-agnostic token access interface -- `AuthenticationOptions` - Base configuration class for all providers - -**Why**: Enables future authentication providers (OAuth2, JWT, SAML) to reuse common patterns - -### 2. Elsa.Studio.Authentication.OpenIdConnect -**Purpose**: Core OIDC abstractions - -**Contents**: -- `IOidcTokenAccessor` (extends `ITokenAccessor`) -- `OidcOptions` (extends `AuthenticationOptions`) -- `OidcAuthenticationProvider` (implements `IAuthenticationProvider`) - -**Why**: Provides OIDC-specific functionality while building on shared abstractions - -### 3. Elsa.Studio.Authentication.OpenIdConnect.BlazorServer -**Purpose**: Blazor Server implementation - -**Key Features**: -- Uses `Microsoft.AspNetCore.Authentication.OpenIdConnect` middleware -- Cookie-based authentication (HTTP-only, secure) -- Tokens stored server-side via authentication properties -- Retrieved using `HttpContext.GetTokenAsync()` -- **No browser storage** - tokens never exposed to client - -**Why Server-Specific**: Server can use ASP.NET Core authentication pipeline and maintain server-side sessions - -### 4. Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm -**Purpose**: Blazor WebAssembly implementation - -**Key Features**: -- Uses `Microsoft.AspNetCore.Components.WebAssembly.Authentication` -- Leverages `IAccessTokenProvider` for automatic token management -- Framework handles token refresh, expiry, and renewal automatically -- Secure token handling (refresh/ID tokens hidden from application code) - -**Why WASM-Specific**: WASM runs in browser and needs specialized token management with automatic refresh - -## Key Improvements Over Legacy Implementation - -| Aspect | Legacy (Elsa.Studio.Login) | New (This Module) | -|--------|---------------------------|-------------------| -| **Token Storage** | Browser localStorage/sessionStorage | Server: Auth properties (server-side)
WASM: Framework-managed | -| **Token Refresh** | Manual implementation | Automatic via framework | -| **PKCE** | Manual implementation | Built-in framework support | -| **Middleware** | Custom authorization flow | Standard ASP.NET Core pipeline | -| **Security** | Tokens exposed in browser | Server: No client exposure
WASM: Framework-secured | -| **Coupling** | Tight with Login module | Fully decoupled | - -## Architecture - -``` -Elsa Studio App → IAuthenticationProviderManager - ↓ - IAuthenticationProvider (Core) - ↓ - ITokenAccessor (Abstractions) ← Provider-agnostic - ↓ - IOidcTokenAccessor (OIDC) ← OIDC-specific - ↓ - ┌────────────┴────────────┐ - ▼ ▼ -ServerOidcTokenAccessor WasmOidcTokenAccessor -(HttpContext) (IAccessTokenProvider) -``` - -## Compatibility - -✅ **WorkflowInstanceObserverFactory**: Tested pattern, works with both implementations -✅ **SignalR Hub Connections**: Token access via `IAuthenticationProviderManager` -✅ **API HTTP Calls**: Compatible with existing `AuthenticatingApiHttpMessageHandler` -✅ **Backward Compatible**: Does not modify or break existing `Elsa.Studio.Login` - -## Usage Examples - -### Blazor Server -```csharp -builder.Services.AddOidcAuthentication(options => -{ - options.Authority = "https://identity-server.com"; - options.ClientId = "elsa-studio"; - options.ClientSecret = "secret"; - options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; -}); - -app.UseAuthentication(); -app.UseAuthorization(); -``` - -### Blazor WASM -```csharp -builder.Services.AddOidcAuthentication(options => -{ - options.Authority = "https://identity-server.com"; - options.ClientId = "elsa-studio-wasm"; - options.Scopes = new[] { "openid", "profile", "elsa_api", "offline_access" }; -}); -``` - -## Documentation - -Three comprehensive documentation files: - -1. **`src/modules/Elsa.Studio.Authentication.Abstractions/README.md`** - - How to create new authentication providers - - Shared abstractions explanation - - Examples for future providers - -2. **`src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md`** - - Complete OIDC usage guide - - Configuration options - - Migration from legacy implementation - - Troubleshooting guide - -3. **`src/modules/AUTHENTICATION_ARCHITECTURE.md`** - - System-wide authentication architecture - - Integration points (API calls, SignalR, UI) - - Security considerations - - Multi-provider design - -## Build Status - -✅ All 4 projects build successfully -✅ No build errors -✅ Added to solution -✅ Package dependencies managed via Central Package Management - -## What Was NOT Changed - -❌ Existing `Elsa.Studio.Login` module - **completely untouched** -❌ Host applications - kept as-is (new module is optional) -❌ Any other authentication code - -## Design Decisions - -### Why Separate Projects for Server/WASM? -- Different authentication mechanisms -- Server uses middleware + cookies -- WASM uses built-in token provider -- Avoids conditional compilation complexity - -### Why Not Use Existing IJwtAccessor? -- Legacy interface tied to browser storage -- New approach uses framework-native token access -- Cleaner separation of concerns - -### Why Create Abstractions Project? -- Per user requirement: OIDC is one of many potential providers -- Enables OAuth2, JWT, SAML, etc. in the future -- Promotes consistency across providers -- Minimal abstraction (just token access + config base) - -### Why Not Integrate with Hosts? -- Module is optional and standalone -- Users can choose when/how to adopt -- Avoids forcing breaking changes -- Easier to test independently - -## Testing Recommendations - -For users to test: - -1. **Blazor Server**: - - Replace `UseOpenIdConnect` with new `AddOidcAuthentication` - - Add `app.UseAuthentication()` and `app.UseAuthorization()` - - Configure with your identity provider - - Test login, API calls, SignalR connections - -2. **Blazor WASM**: - - Replace legacy OIDC setup with new `AddOidcAuthentication` - - Add authentication routes and components - - Configure with your identity provider - - Test login, token refresh, API calls - -## Future Possibilities - -With the abstractions in place, adding new providers is straightforward: - -- `Elsa.Studio.Authentication.OAuth2` - Pure OAuth2 -- `Elsa.Studio.Authentication.Jwt` - JWT bearer tokens -- `Elsa.Studio.Authentication.Saml` - SAML authentication -- `Elsa.Studio.Authentication.AzureAD` - Azure AD optimizations -- Custom providers for proprietary systems - -## Summary - -This implementation provides a **clean-slate, best-practices OpenID Connect module** that: -- Leverages Microsoft's proven authentication infrastructure -- Properly supports both Blazor hosting models -- Eliminates manual token management -- Improves security -- Enables future authentication providers -- Maintains complete backward compatibility - -**Ready for review and user testing!** diff --git a/src/modules/AUTHENTICATION_ARCHITECTURE.md b/doc/AUTHENTICATION_ARCHITECTURE.md similarity index 100% rename from src/modules/AUTHENTICATION_ARCHITECTURE.md rename to doc/AUTHENTICATION_ARCHITECTURE.md diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj index e9f99126..da0b2672 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/Elsa.Studio.Authentication.ElsaAuth.UI.csproj @@ -10,6 +10,7 @@ + @@ -17,7 +18,7 @@ - + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor index 77a3849f..bd1015a9 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.UI/_Imports.razor @@ -1,9 +1,8 @@ @using Elsa.Studio.Abstractions @using Elsa.Studio.Contracts -@using Elsa.Studio.Shared -@using Elsa.Studio.Shared.Layouts -@using Elsa.Studio.Shared.Components -@using Elsa.Studio.Shared.Services +@using Elsa.Studio.Components +@using Elsa.Studio.Layouts +@using Elsa.Studio.Services @using MudBlazor @using Radzen @using Radzen.Blazor From b16851ee4f46770ce35aac5953b840bdb5e2f5ef Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 20:30:15 +0100 Subject: [PATCH 17/27] Introduce `IAnonymousBackendApiClientProvider` and refactor API client creation to support non-authenticated backend calls. --- .../IAnonymousBackendApiClientProvider.cs | 24 ++++++++++++++ .../Contracts/IBackendApiClientProvider.cs | 4 ++- .../Extensions/ServiceCollectionExtensions.cs | 1 + .../Services/ApiClientFactory.cs | 14 ++++++++ .../Services/BlazorScopedProxyApi.cs | 3 +- ...efaultAnonymousBackendApiClientProvider.cs | 32 +++++++++++++++++++ .../DefaultBackendApiClientProvider.cs | 6 ++-- src/hosts/Elsa.Studio.Host.Server/Program.cs | 1 - .../Elsa.Studio.Host.Server/appsettings.json | 2 +- .../AuthenticatingApiHttpMessageHandler.cs | 6 ++-- .../Extensions/ServiceCollectionExtensions.cs | 4 ++- .../ElsaIdentityCredentialsValidator.cs | 2 +- 12 files changed, 88 insertions(+), 11 deletions(-) create mode 100644 src/framework/Elsa.Studio.Core/Contracts/IAnonymousBackendApiClientProvider.cs create mode 100644 src/framework/Elsa.Studio.Core/Services/ApiClientFactory.cs create mode 100644 src/framework/Elsa.Studio.Core/Services/DefaultAnonymousBackendApiClientProvider.cs diff --git a/src/framework/Elsa.Studio.Core/Contracts/IAnonymousBackendApiClientProvider.cs b/src/framework/Elsa.Studio.Core/Contracts/IAnonymousBackendApiClientProvider.cs new file mode 100644 index 00000000..44ae9890 --- /dev/null +++ b/src/framework/Elsa.Studio.Core/Contracts/IAnonymousBackendApiClientProvider.cs @@ -0,0 +1,24 @@ +using System.Diagnostics.CodeAnalysis; + +namespace Elsa.Studio.Contracts; + +/// +/// Provides API clients to the backend for anonymous (non-authenticated) calls. +/// +/// +/// This provider is intended for endpoints like /identity/login where attaching an access token is not required +/// and can even be harmful (e.g., stale tokens, circular dependencies during sign-in). +/// +public interface IAnonymousBackendApiClientProvider +{ + /// + /// Gets the URL to the backend. + /// + Uri Url { get; } + + /// + /// Gets an API client that does not attach access tokens. + /// + /// The API client type. + ValueTask GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class; +} diff --git a/src/framework/Elsa.Studio.Core/Contracts/IBackendApiClientProvider.cs b/src/framework/Elsa.Studio.Core/Contracts/IBackendApiClientProvider.cs index 0e699cc6..b1f69e02 100644 --- a/src/framework/Elsa.Studio.Core/Contracts/IBackendApiClientProvider.cs +++ b/src/framework/Elsa.Studio.Core/Contracts/IBackendApiClientProvider.cs @@ -1,3 +1,5 @@ +using System.Diagnostics.CodeAnalysis; + namespace Elsa.Studio.Contracts; /// @@ -15,5 +17,5 @@ public interface IBackendApiClientProvider /// /// The API client type. /// The API client. - ValueTask GetApiAsync(CancellationToken cancellationToken = default) where T : class; + ValueTask GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class; } \ No newline at end of file diff --git a/src/framework/Elsa.Studio.Core/Extensions/ServiceCollectionExtensions.cs b/src/framework/Elsa.Studio.Core/Extensions/ServiceCollectionExtensions.cs index 870ed98a..335890a1 100644 --- a/src/framework/Elsa.Studio.Core/Extensions/ServiceCollectionExtensions.cs +++ b/src/framework/Elsa.Studio.Core/Extensions/ServiceCollectionExtensions.cs @@ -60,6 +60,7 @@ public static IServiceCollection AddRemoteBackend(this IServiceCollection servic services.AddDefaultApiClients(config?.ConfigureHttpClientBuilder); services.TryAddScoped(); services.TryAddScoped(); + services.TryAddScoped(); return services; } diff --git a/src/framework/Elsa.Studio.Core/Services/ApiClientFactory.cs b/src/framework/Elsa.Studio.Core/Services/ApiClientFactory.cs new file mode 100644 index 00000000..50b3cb2a --- /dev/null +++ b/src/framework/Elsa.Studio.Core/Services/ApiClientFactory.cs @@ -0,0 +1,14 @@ +using System.Diagnostics.CodeAnalysis; +using Elsa.Api.Client.Extensions; + +namespace Elsa.Studio.Services; + +/// +/// Bridges calls to Elsa.Api.Client API client creation methods while preserving trimming annotations. +/// +internal static class ApiClientFactory +{ + internal static T Create<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(IServiceProvider serviceProvider, Uri backendUrl) where T : class + => serviceProvider.CreateApi(backendUrl); +} + diff --git a/src/framework/Elsa.Studio.Core/Services/BlazorScopedProxyApi.cs b/src/framework/Elsa.Studio.Core/Services/BlazorScopedProxyApi.cs index e9bc00a7..cd3a7f59 100644 --- a/src/framework/Elsa.Studio.Core/Services/BlazorScopedProxyApi.cs +++ b/src/framework/Elsa.Studio.Core/Services/BlazorScopedProxyApi.cs @@ -1,3 +1,4 @@ +using System.Diagnostics.CodeAnalysis; using System.Reflection; using Elsa.Studio.Contracts; @@ -6,7 +7,7 @@ namespace Elsa.Studio.Services; /// /// Decorates an API client with a Blazor service accessor, ensuring that the service provider is available to the API client when calling DI-resolved delegating handlers. /// -public class BlazorScopedProxyApi : DispatchProxy +public class BlazorScopedProxyApi<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T> : DispatchProxy { private T _decoratedApi = default!; private IBlazorServiceAccessor _blazorServiceAccessor = null!; diff --git a/src/framework/Elsa.Studio.Core/Services/DefaultAnonymousBackendApiClientProvider.cs b/src/framework/Elsa.Studio.Core/Services/DefaultAnonymousBackendApiClientProvider.cs new file mode 100644 index 00000000..f131045e --- /dev/null +++ b/src/framework/Elsa.Studio.Core/Services/DefaultAnonymousBackendApiClientProvider.cs @@ -0,0 +1,32 @@ +using System.Diagnostics.CodeAnalysis; +using System.Reflection; +using Elsa.Studio.Contracts; + +namespace Elsa.Studio.Services; + +/// +/// Default implementation of . +/// +public class DefaultAnonymousBackendApiClientProvider( + IRemoteBackendAccessor remoteBackendAccessor, + IBlazorServiceAccessor blazorServiceAccessor, + IServiceProvider serviceProvider) : IAnonymousBackendApiClientProvider +{ + /// + public Uri Url => remoteBackendAccessor.RemoteBackend.Url; + + /// + public ValueTask GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class + { + var backendUrl = remoteBackendAccessor.RemoteBackend.Url; + + // Create a raw API client. This bypasses DI-resolved delegating handlers (like AuthenticatingApiHttpMessageHandler). + var client = ApiClientFactory.Create(serviceProvider, backendUrl); + + // Keep the Blazor scoped-service-provider behavior consistent. + var decorator = DispatchProxy.Create>(); + (decorator as BlazorScopedProxyApi)!.Initialize(client, blazorServiceAccessor, serviceProvider); + + return new(decorator); + } +} diff --git a/src/framework/Elsa.Studio.Core/Services/DefaultBackendApiClientProvider.cs b/src/framework/Elsa.Studio.Core/Services/DefaultBackendApiClientProvider.cs index dc91bf64..fb014b04 100644 --- a/src/framework/Elsa.Studio.Core/Services/DefaultBackendApiClientProvider.cs +++ b/src/framework/Elsa.Studio.Core/Services/DefaultBackendApiClientProvider.cs @@ -1,5 +1,5 @@ +using System.Diagnostics.CodeAnalysis; using System.Reflection; -using Elsa.Api.Client.Extensions; using Elsa.Studio.Contracts; namespace Elsa.Studio.Services; @@ -13,10 +13,10 @@ public class DefaultBackendApiClientProvider(IRemoteBackendAccessor remoteBacken public Uri Url => remoteBackendAccessor.RemoteBackend.Url; /// - public ValueTask GetApiAsync(CancellationToken cancellationToken) where T : class + public ValueTask GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class { var backendUrl = remoteBackendAccessor.RemoteBackend.Url; - var client = serviceProvider.CreateApi(backendUrl); + var client = ApiClientFactory.Create(serviceProvider, backendUrl); var decorator = DispatchProxy.Create>(); (decorator as BlazorScopedProxyApi)!.Initialize(client, blazorServiceAccessor, serviceProvider); return new(decorator); diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index af322ce5..41974705 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -1,6 +1,5 @@ using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; using Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions; -using Elsa.Studio.Authentication.ElsaAuth.Extensions; using Elsa.Studio.Authentication.ElsaAuth.UI.Extensions; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; using Elsa.Studio.Branding; diff --git a/src/hosts/Elsa.Studio.Host.Server/appsettings.json b/src/hosts/Elsa.Studio.Host.Server/appsettings.json index 689f4f3e..e92155d4 100644 --- a/src/hosts/Elsa.Studio.Host.Server/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Server/appsettings.json @@ -20,7 +20,7 @@ ] }, "Authentication": { - "Provider": "OpenIdConnect", + "Provider": "ElsaAuth", "OpenIdConnect": { "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", "ClientId": "", diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs index 2d90111b..514bc548 100644 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -17,7 +17,10 @@ public class AuthenticatingApiHttpMessageHandler(IBlazorServiceAccessor blazorSe protected override async Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { var sp = blazorServiceAccessor.Services; - var authenticationProvider = sp.GetRequiredService(); + var authenticationProvider = sp.GetService(); + + if (authenticationProvider == null) + return await base.SendAsync(request, cancellationToken); var accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); @@ -29,4 +32,3 @@ protected override async Task SendAsync(HttpRequestMessage return await base.SendAsync(request, cancellationToken); } } - diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs index a0bbb83d..71c14408 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs @@ -26,7 +26,9 @@ public static IServiceCollection AddElsaAuthCore(this IServiceCollection service .AddAuthorizationCore() .AddAuthenticationInfrastructure() .AddScoped() - .AddScoped(); + .AddScoped() + .AddScoped() + .AddScoped(); // Default token claims mapping. services.TryAddSingleton, DefaultIdentityTokenOptionsSetup>(); diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs index 7f587969..6c7566da 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityCredentialsValidator.cs @@ -9,7 +9,7 @@ namespace Elsa.Studio.Authentication.ElsaAuth.Services; /// /// An implementation of that consumes endpoints from Elsa.Identity. /// -public class ElsaIdentityCredentialsValidator(IBackendApiClientProvider backendApiClientProvider) : ICredentialsValidator +public class ElsaIdentityCredentialsValidator(IAnonymousBackendApiClientProvider backendApiClientProvider) : ICredentialsValidator { /// public async ValueTask ValidateCredentialsAsync(string username, string password, CancellationToken cancellationToken = default) From 7806db9f54d92490917c215de3aceadc709d6458 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 21:03:00 +0100 Subject: [PATCH 18/27] Add token refresh mechanism for OpenID Connect and Elsa Identity authentication modules. Introduce token refresh coordinators, configuration providers, and support for silent token refresh. Update related services and integrate advanced options for customization. --- .../Contracts/ITokenRefreshCoordinator.cs | 13 ++ .../Extensions/ServiceCollectionExtensions.cs | 4 + .../Services/TokenRefreshCoordinator.cs | 27 +++++ .../Services/BlazorServerJwtAccessor.cs | 9 ++ .../Services/BlazorWasmJwtAccessor.cs | 4 +- .../Contracts/IJwtAccessor.cs | 5 + .../Contracts/PkceData.cs | 3 - .../Extensions/ServiceCollectionExtensions.cs | 3 + .../ElsaIdentityRefreshTokenService.cs | 24 ++-- .../Services/JwtAuthenticationProvider.cs | 62 +++++++++- .../Extensions/ServiceCollectionExtensions.cs | 6 +- .../Models/OidcTokenRefreshOptions.cs | 34 ++++++ ...DefaultOidcRefreshConfigurationProvider.cs | 47 ++++++++ .../IOidcRefreshConfigurationProvider.cs | 29 +++++ .../Services/ServerOidcTokenAccessor.cs | 113 +++++++++++++++++- .../README.md | 84 ++++++++++--- 16 files changed, 433 insertions(+), 34 deletions(-) create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenRefreshCoordinator.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Services/TokenRefreshCoordinator.cs delete mode 100644 src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenRefreshCoordinator.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenRefreshCoordinator.cs new file mode 100644 index 00000000..acee4f66 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/ITokenRefreshCoordinator.cs @@ -0,0 +1,13 @@ +namespace Elsa.Studio.Authentication.Abstractions.Contracts; + +/// +/// Coordinates token refresh operations to prevent multiple concurrent refresh attempts. +/// +public interface ITokenRefreshCoordinator +{ + /// + /// Ensures only one refresh operation runs at a time for the current scope. + /// + Task RunAsync(Func> action, CancellationToken cancellationToken); +} + diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs index 9fcbb031..3ed38939 100644 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Extensions/ServiceCollectionExtensions.cs @@ -3,6 +3,7 @@ using Elsa.Studio.Contracts; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; +using Elsa.Studio.Authentication.Abstractions.Contracts; namespace Elsa.Studio.Authentication.Abstractions.Extensions; @@ -22,6 +23,9 @@ public static IServiceCollection AddAuthenticationInfrastructure(this IServiceCo // Used by modules (e.g. Workflows) to retrieve tokens without depending on a specific auth provider. services.TryAddScoped(); + // Coordinates refresh operations to prevent refresh storms under parallel requests. + services.TryAddScoped(); + return services; } } diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Services/TokenRefreshCoordinator.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Services/TokenRefreshCoordinator.cs new file mode 100644 index 00000000..53d70870 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Services/TokenRefreshCoordinator.cs @@ -0,0 +1,27 @@ +using Elsa.Studio.Authentication.Abstractions.Contracts; + +namespace Elsa.Studio.Authentication.Abstractions.Services; + +/// +/// Default implementation of . +/// +public class TokenRefreshCoordinator : ITokenRefreshCoordinator +{ + private readonly SemaphoreSlim _semaphore = new(1, 1); + + /// + public async Task RunAsync(Func> action, CancellationToken cancellationToken) + { + await _semaphore.WaitAsync(cancellationToken); + + try + { + return await action(cancellationToken); + } + finally + { + _semaphore.Release(); + } + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs index af1d0adf..197a681e 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorServer/Services/BlazorServerJwtAccessor.cs @@ -34,4 +34,13 @@ public BlazorServerJwtAccessor(IHttpContextAccessor httpContextAccessor, ILocalS return await _localStorageService.GetItemAsync(name); } + + /// + public async ValueTask ClearTokenAsync(string name) + { + if (IsPrerendering()) + return; + + await _localStorageService.RemoveItemAsync(name); + } } diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs index 2af193a4..4b52ba62 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth.BlazorWasm/Services/BlazorWasmJwtAccessor.cs @@ -15,5 +15,7 @@ public class BlazorWasmJwtAccessor : IJwtAccessor /// public async ValueTask WriteTokenAsync(string name, string token) => await _localStorageService.SetItemAsStringAsync(name, token); -} + /// + public async ValueTask ClearTokenAsync(string name) => await _localStorageService.RemoveItemAsync(name); +} diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs index a02881db..fa95da1f 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/IJwtAccessor.cs @@ -14,4 +14,9 @@ public interface IJwtAccessor /// Writes a token by name. /// ValueTask WriteTokenAsync(string name, string token); + + /// + /// Removes a token from storage. + /// + ValueTask ClearTokenAsync(string name); } diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs deleted file mode 100644 index b22d0a39..00000000 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Contracts/PkceData.cs +++ /dev/null @@ -1,3 +0,0 @@ -// This file is intentionally left blank. -// OpenID Connect support is not part of Elsa.Studio.Authentication.ElsaAuth. - diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs index 71c14408..a7eb16d8 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Extensions/ServiceCollectionExtensions.cs @@ -30,6 +30,9 @@ public static IServiceCollection AddElsaAuthCore(this IServiceCollection service .AddScoped() .AddScoped(); + services.AddHttpClient(ElsaIdentityRefreshTokenService.AnonymousClientName); + services.AddScoped(); + // Default token claims mapping. services.TryAddSingleton, DefaultIdentityTokenOptionsSetup>(); diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs index ae49cc64..d2f190f0 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/ElsaIdentityRefreshTokenService.cs @@ -1,25 +1,33 @@ -using Elsa.Api.Client.Resources.Identity.Responses; -using Elsa.Studio.Contracts; -using Elsa.Studio.Authentication.ElsaAuth.Contracts; using System.Net; using System.Net.Http.Json; +using Elsa.Api.Client.Resources.Identity.Responses; +using Elsa.Studio.Authentication.ElsaAuth.Contracts; +using Elsa.Studio.Contracts; namespace Elsa.Studio.Authentication.ElsaAuth.Services; /// -public class ElsaIdentityRefreshTokenService(IRemoteBackendAccessor remoteBackendAccessor, IJwtAccessor jwtAccessor, HttpClient httpClient) : IRefreshTokenService +public class ElsaIdentityRefreshTokenService(IRemoteBackendAccessor remoteBackendAccessor, IJwtAccessor jwtAccessor, IHttpClientFactory httpClientFactory) : IRefreshTokenService { + internal const string AnonymousClientName = "Elsa.Studio.Authentication.ElsaAuth.Anonymous"; + /// public async Task RefreshTokenAsync(CancellationToken cancellationToken) { // Get refresh token. var refreshToken = await jwtAccessor.ReadTokenAsync(TokenNames.RefreshToken); + if (string.IsNullOrWhiteSpace(refreshToken)) + return new(false, null, null); + // Setup request to get new tokens. var url = remoteBackendAccessor.RemoteBackend.Url + "/identity/refresh-token"; var refreshRequestMessage = new HttpRequestMessage(HttpMethod.Post, url); refreshRequestMessage.Headers.Authorization = new("Bearer", refreshToken); + // IMPORTANT: Use an anonymous HttpClient (no AuthenticatingApiHttpMessageHandler) to avoid recursion. + var httpClient = httpClientFactory.CreateClient(AnonymousClientName); + // Send request. var response = await httpClient.SendAsync(refreshRequestMessage, cancellationToken); @@ -31,11 +39,13 @@ public async Task RefreshTokenAsync(CancellationToken cancellatio var tokens = (await response.Content.ReadFromJsonAsync(cancellationToken: cancellationToken))!; // Store tokens. - await jwtAccessor.WriteTokenAsync(TokenNames.RefreshToken, tokens.RefreshToken!); - await jwtAccessor.WriteTokenAsync(TokenNames.AccessToken, tokens.AccessToken!); + if (!string.IsNullOrWhiteSpace(tokens.RefreshToken)) + await jwtAccessor.WriteTokenAsync(TokenNames.RefreshToken, tokens.RefreshToken); + + if (!string.IsNullOrWhiteSpace(tokens.AccessToken)) + await jwtAccessor.WriteTokenAsync(TokenNames.AccessToken, tokens.AccessToken); // Return tokens. return tokens; } } - diff --git a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs index 4f98296c..f66a8c4d 100644 --- a/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs +++ b/src/modules/Elsa.Studio.Authentication.ElsaAuth/Services/JwtAuthenticationProvider.cs @@ -1,12 +1,68 @@ +using System.Diagnostics; +using System.Security.Claims; +using Elsa.Studio.Authentication.Abstractions.Contracts; +using Elsa.Studio.Authentication.ElsaAuth.Models; +using Elsa.Studio.Extensions; using Elsa.Studio.Contracts; using Elsa.Studio.Authentication.ElsaAuth.Contracts; namespace Elsa.Studio.Authentication.ElsaAuth.Services; /// -public class JwtAuthenticationProvider(IJwtAccessor jwtAccessor) : IAuthenticationProvider +public class JwtAuthenticationProvider( + IJwtAccessor jwtAccessor, + IJwtParser jwtParser, + ITokenRefreshCoordinator refreshCoordinator, + IRefreshTokenService refreshTokenService) : IAuthenticationProvider { + private static readonly TimeSpan RefreshSkew = TimeSpan.FromMinutes(2); + /// - public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default) => await jwtAccessor.ReadTokenAsync(tokenName); -} + public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + // Only the access token participates in refresh. + if (!string.Equals(tokenName, TokenNames.AccessToken, StringComparison.Ordinal)) + return await jwtAccessor.ReadTokenAsync(tokenName); + + var accessToken = await jwtAccessor.ReadTokenAsync(TokenNames.AccessToken); + + if (string.IsNullOrWhiteSpace(accessToken)) + return null; + + if (!IsExpiredOrNearExpiry(accessToken)) + return accessToken; + // Single-flight refresh: multiple concurrent API calls shouldn't trigger multiple refresh requests. + var refreshResponse = await refreshCoordinator.RunAsync(refreshTokenService.RefreshTokenAsync, cancellationToken); + + if (!refreshResponse.IsAuthenticated) + { + // Refresh failed: clear local tokens so the app can transition to unauthenticated state. + await jwtAccessor.ClearTokenAsync(TokenNames.AccessToken); + await jwtAccessor.ClearTokenAsync(TokenNames.RefreshToken); + await jwtAccessor.ClearTokenAsync(TokenNames.IdToken); + return null; + } + + return await jwtAccessor.ReadTokenAsync(TokenNames.AccessToken); + } + + private bool IsExpiredOrNearExpiry(string jwt) + { + try + { + var claims = jwtParser.Parse(jwt).ToList(); + var expString = claims.FirstOrDefault(x => x.Type == "exp")?.Value.Trim(); + if (string.IsNullOrWhiteSpace(expString) || !long.TryParse(expString, out var exp)) + return false; + + var expiresAt = DateTimeOffset.FromUnixTimeSeconds(exp); + return expiresAt <= DateTimeOffset.UtcNow.Add(RefreshSkew); + } + catch + { + // If parsing fails, don't attempt refresh here. + return false; + } + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index 10766195..93f31163 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -7,8 +7,8 @@ using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.Extensions.DependencyInjection; -using Microsoft.IdentityModel.Protocols.OpenIdConnect; using OidcAuthProvider = Elsa.Studio.Authentication.OpenIdConnect.Services.OidcAuthenticationProvider; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; @@ -34,6 +34,7 @@ public static IServiceCollection AddOidcAuthentication( services.AddHttpContextAccessor(); services.AddScoped(); services.AddScoped(); + services.AddScoped(); // Configure ASP.NET Core authentication with cookie and OIDC services.AddAuthentication(authOptions => @@ -96,6 +97,9 @@ public static IServiceCollection AddOidcAuthentication( // Shared auth infrastructure (e.g. delegating handlers). services.AddAuthenticationInfrastructure(); + services.AddOptions(); + services.AddHttpClient("Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Anonymous"); + return services; } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs new file mode 100644 index 00000000..01c3cd54 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs @@ -0,0 +1,34 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + +/// +/// Options for server-side OpenID Connect access-token refresh. +/// +public class OidcTokenRefreshOptions +{ + /// + /// Enables silent refresh using the refresh token stored in the auth cookie (requires SaveTokens=true + /// and requesting offline_access so a refresh token is issued). + /// + public bool EnableRefreshTokens { get; set; } = true; + + /// + /// How long before expiry we attempt refresh. + /// + public TimeSpan RefreshSkew { get; set; } = TimeSpan.FromMinutes(2); + + /// + /// Optional override for the token endpoint. If not set, it will be discovered via OIDC metadata. + /// + public string? TokenEndpoint { get; set; } + + /// + /// Optional override for the client ID. If not set, uses the configured OIDC client id. + /// + public string? ClientId { get; set; } + + /// + /// Optional override for the client secret. + /// + public string? ClientSecret { get; set; } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs new file mode 100644 index 00000000..f64cd834 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs @@ -0,0 +1,47 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Default implementation that resolves the token endpoint from the configured +/// and OIDC metadata, with optional overrides from . +/// +public class DefaultOidcRefreshConfigurationProvider( + IOptionsMonitor oidcOptionsMonitor, + IOptions refreshOptions) : IOidcRefreshConfigurationProvider +{ + /// + public async ValueTask GetAsync(CancellationToken cancellationToken = default) + { + var options = oidcOptionsMonitor.Get(OpenIdConnectDefaults.AuthenticationScheme); + var overrides = refreshOptions.Value; + + var clientId = overrides.ClientId ?? options.ClientId; + var clientSecret = overrides.ClientSecret ?? options.ClientSecret; + + if (string.IsNullOrWhiteSpace(clientId)) + return null; + + // Determine the token endpoint. + var tokenEndpoint = overrides.TokenEndpoint; + + if (string.IsNullOrWhiteSpace(tokenEndpoint)) + { + // Best practice: use the handler's configuration manager to fetch metadata. + var configurationManager = options.ConfigurationManager; + + if (configurationManager != null) + { + var config = await configurationManager.GetConfigurationAsync(cancellationToken); + tokenEndpoint = config?.TokenEndpoint; + } + } + + if (string.IsNullOrWhiteSpace(tokenEndpoint)) + return null; + + return new OidcRefreshConfiguration(tokenEndpoint, clientId, clientSecret); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs new file mode 100644 index 00000000..842f051f --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs @@ -0,0 +1,29 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Resolves the effective token endpoint and client credentials to use for server-side OIDC refresh. +/// +public interface IOidcRefreshConfigurationProvider +{ + /// + /// Gets the effective refresh configuration or null if refresh is not possible. + /// + ValueTask GetAsync(CancellationToken cancellationToken = default); +} + +/// +/// Effective configuration to use for performing a refresh-token grant. +/// +public class OidcRefreshConfiguration +{ + public OidcRefreshConfiguration(string tokenEndpoint, string clientId, string? clientSecret) + { + TokenEndpoint = tokenEndpoint; + ClientId = clientId; + ClientSecret = clientSecret; + } + + public string TokenEndpoint { get; } + public string ClientId { get; } + public string? ClientSecret { get; } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs index 7224edcd..a1a2a2bd 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs @@ -1,3 +1,9 @@ +using System.Globalization; +using System.Text.Json; +using Elsa.Studio.Authentication.Abstractions.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; +using Microsoft.AspNetCore.Authentication.Cookies; +using Microsoft.Extensions.Options; using Elsa.Studio.Authentication.OpenIdConnect.Contracts; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Http; @@ -10,25 +16,122 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; public class ServerOidcTokenAccessor : IOidcTokenAccessor { private readonly IHttpContextAccessor _httpContextAccessor; + private readonly ITokenRefreshCoordinator _refreshCoordinator; + private readonly IHttpClientFactory _httpClientFactory; + private readonly IOptions _refreshOptions; + private readonly IOidcRefreshConfigurationProvider _refreshConfigurationProvider; /// /// Initializes a new instance of the class. /// - public ServerOidcTokenAccessor(IHttpContextAccessor httpContextAccessor) + public ServerOidcTokenAccessor( + IHttpContextAccessor httpContextAccessor, + ITokenRefreshCoordinator refreshCoordinator, + IHttpClientFactory httpClientFactory, + IOptions refreshOptions, + IOidcRefreshConfigurationProvider refreshConfigurationProvider) { _httpContextAccessor = httpContextAccessor; + _refreshCoordinator = refreshCoordinator; + _httpClientFactory = httpClientFactory; + _refreshOptions = refreshOptions; + _refreshConfigurationProvider = refreshConfigurationProvider; } /// public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) { var httpContext = _httpContextAccessor.HttpContext; - - if (httpContext?.User?.Identity?.IsAuthenticated != true) + + if (httpContext?.User.Identity?.IsAuthenticated != true) return null; - // Retrieve the token from the authentication properties - // These are stored when SaveTokens = true in the OIDC options + // Ensure we have a fresh access token when asked for one. + if (string.Equals(tokenName, "access_token", StringComparison.Ordinal)) + await TryRefreshAccessTokenAsync(httpContext, cancellationToken); + + // Retrieve the token from the authentication properties. return await httpContext.GetTokenAsync(tokenName); } + + private async Task TryRefreshAccessTokenAsync(HttpContext httpContext, CancellationToken cancellationToken) + { + var options = _refreshOptions.Value; + + if (!options.EnableRefreshTokens) + return; + + // SaveTokens must be enabled or tokens won't be in the auth cookie. + var accessToken = await httpContext.GetTokenAsync("access_token"); + var refreshToken = await httpContext.GetTokenAsync("refresh_token"); + var expiresAtString = await httpContext.GetTokenAsync("expires_at"); + + if (string.IsNullOrWhiteSpace(accessToken) || string.IsNullOrWhiteSpace(refreshToken) || string.IsNullOrWhiteSpace(expiresAtString)) + return; + + if (!DateTimeOffset.TryParse(expiresAtString, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var expiresAt)) + return; + + if (expiresAt > DateTimeOffset.UtcNow.Add(options.RefreshSkew)) + return; // still valid + + await _refreshCoordinator.RunAsync(async ct => + { + // Re-check after acquiring the lock. + var currentExpiresAtString = await httpContext.GetTokenAsync("expires_at"); + if (!DateTimeOffset.TryParse(currentExpiresAtString, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var currentExpiresAt)) + return 0; + + if (currentExpiresAt > DateTimeOffset.UtcNow.Add(options.RefreshSkew)) + return 0; + + var refreshConfig = await _refreshConfigurationProvider.GetAsync(ct); + if (refreshConfig == null) + return 0; + + var httpClient = _httpClientFactory.CreateClient("Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Anonymous"); + + using var request = new HttpRequestMessage(HttpMethod.Post, refreshConfig.TokenEndpoint); + request.Content = new FormUrlEncodedContent(new Dictionary + { + ["grant_type"] = "refresh_token", + ["client_id"] = refreshConfig.ClientId, + ["refresh_token"] = refreshToken, + // client_secret is optional depending on provider/client type. + ["client_secret"] = refreshConfig.ClientSecret ?? string.Empty + }.Where(x => !string.IsNullOrWhiteSpace(x.Value))); + + var response = await httpClient.SendAsync(request, ct); + + if (!response.IsSuccessStatusCode) + return 0; + + var payload = await response.Content.ReadAsStringAsync(ct); + using var doc = JsonDocument.Parse(payload); + + var newAccessToken = doc.RootElement.TryGetProperty("access_token", out var at) ? at.GetString() : null; + var newRefreshToken = doc.RootElement.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null; + var expiresInSeconds = doc.RootElement.TryGetProperty("expires_in", out var exp) ? exp.GetInt32() : 0; + + if (string.IsNullOrWhiteSpace(newAccessToken) || expiresInSeconds <= 0) + return 0; + + var newExpiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresInSeconds); + + var authResult = await httpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme); + if (!authResult.Succeeded) + return 0; + + authResult.Properties.UpdateTokenValue("access_token", newAccessToken); + authResult.Properties.UpdateTokenValue("expires_at", newExpiresAt.ToString("o", CultureInfo.InvariantCulture)); + + if (!string.IsNullOrWhiteSpace(newRefreshToken)) + authResult.Properties.UpdateTokenValue("refresh_token", newRefreshToken); + + // Re-issue the cookie with the updated tokens. + await httpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, authResult.Principal!, authResult.Properties); + + return 0; + }, cancellationToken); + } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md index 23a3ab45..9fdf462b 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -265,24 +265,80 @@ app.UseAuthorization(); - Tokens are not available during pre-rendering - Use `@attribute [Authorize]` to ensure authentication before render -## Security Considerations +## Silent access token refresh (Blazor Server) -- **Server**: Uses secure, HTTP-only cookies. Tokens never exposed to browser. -- **WASM**: Tokens managed by framework with proper expiry and renewal. -- **PKCE**: Enabled by default to protect against authorization code interception. -- **HTTPS**: Required for metadata endpoints in production (configurable for dev). +On Blazor Server, Elsa Studio uses the standard ASP.NET Core Cookie + OpenID Connect handler. +When you set `SaveTokens = true`, the handler stores `access_token`, `refresh_token` (if issued) and `expires_at` in the authentication cookie properties. -## Related Packages +This module can **silently refresh the access token** when it is about to expire by: +- reading `expires_at` / `refresh_token` from the auth cookie +- calling the OIDC provider's `token_endpoint` using the `refresh_token` grant +- updating the tokens stored in the auth cookie (via `SignInAsync`) -- `Elsa.Studio.Authentication.Abstractions` (Shared authentication abstractions) -- `Microsoft.AspNetCore.Authentication.OpenIdConnect` (Server) -- `Microsoft.AspNetCore.Components.WebAssembly.Authentication` (WASM) -- `Elsa.Studio.Core` (Core interfaces) +### Flip-a-switch configuration -## Building Your Own Authentication Provider +The only thing you need to do to enable silent refresh is to keep refresh tokens enabled and request `offline_access`: -If you need to implement a different authentication mechanism (OAuth2, JWT, SAML, etc.), refer to the `Elsa.Studio.Authentication.Abstractions` package documentation for guidance on creating new authentication providers that follow the same patterns. +```csharp +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + +builder.Services.AddOidcAuthentication(options => +{ + options.Authority = "https://login.microsoftonline.com/{tenantId}/v2.0"; // or your provider + options.ClientId = "..."; + + // Required if you want the handler to store tokens in the auth cookie. + options.SaveTokens = true; + + // Required if you want refresh tokens. + // Note: some providers/app registrations might not issue a refresh token even if requested. + options.Scopes = new[] { "openid", "profile", "offline_access" }; +}); + +// Optional: control refresh behavior. +builder.Services.Configure(options => +{ + options.EnableRefreshTokens = true; // default + options.RefreshSkew = TimeSpan.FromMinutes(2); // default +}); +``` + +### Prerequisites and behavior -## License +- `SaveTokens` must be `true` (otherwise no tokens are available in the auth cookie). +- `offline_access` should be requested (otherwise a refresh token is typically not issued). +- If no refresh token is available, or refresh fails, the module does not throw; the next API call will typically result in a normal auth challenge. -This module is part of Elsa Studio and follows the same license terms. +### Microsoft Entra ID notes + +For Microsoft Entra ID (Azure AD), the authority usually looks like: +- Tenant-specific: `https://login.microsoftonline.com/{tenantId}/v2.0` +- Or common endpoint (multi-tenant apps): `https://login.microsoftonline.com/common/v2.0` + +Refresh tokens depend on: +- requesting `offline_access` +- your app registration configuration / consent +- Entra token policies (token lifetimes, session policies) + +If you don't receive a refresh token, the app will still work, but access-token renewal will require re-authentication. + +### Advanced overrides (rarely needed) + +By default, the module auto-discovers the `token_endpoint` from OIDC metadata and uses the configured `ClientId`/`ClientSecret` from `AddOidcAuthentication`. + +You can override any of these via `OidcTokenRefreshOptions`: + +```csharp +builder.Services.Configure(options => +{ + options.EnableRefreshTokens = true; + + // Override token endpoint discovery. + options.TokenEndpoint = "https://issuer.example.com/oauth2/v2.0/token"; + + // Override client credentials. + options.ClientId = "..."; + options.ClientSecret = "..."; // optional +}); +``` \ No newline at end of file From 94c79e7e506bdeed1619ff9811aa8aa405e5c3ad Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Thu, 8 Jan 2026 21:41:09 +0100 Subject: [PATCH 19/27] Add persisted token refresh for OpenID Connect in Blazor Server: implement browser-side pings, background services, and configurable strategies. --- src/framework/Elsa.Studio.Shell/App.razor | 2 +- .../Components/OidcPersistedRefreshGate.razor | 11 ++ .../Pages/_Host.cshtml | 2 +- src/hosts/Elsa.Studio.Host.Server/Program.cs | 14 +++ .../Elsa.Studio.Host.Server/appsettings.json | 17 ++- .../Components/OidcPersistedRefreshPing.razor | 11 ++ .../Controllers/TokenRefreshController.cs | 27 ++++ ...istedRefreshServiceCollectionExtensions.cs | 26 ++++ .../Extensions/ServiceCollectionExtensions.cs | 6 +- .../Models/OidcRefreshConfiguration.cs | 11 ++ .../Models/OidcTokenRefreshOptions.cs | 6 +- .../Models/OidcTokenRefreshStrategy.cs | 20 +++ .../Services/BrowserRefreshPingService.cs | 19 +++ ...DefaultOidcRefreshConfigurationProvider.cs | 2 +- .../IOidcRefreshConfigurationProvider.cs | 21 +--- .../Services/OidcCookieTokenRefresher.cs | 116 ++++++++++++++++++ .../OidcPersistedRefreshBackgroundService.cs | 63 ++++++++++ .../OidcPersistedRefreshClientOptions.cs | 18 +++ .../OidcTokenRefreshOptionsAccessor.cs | 16 +++ .../Services/ServerOidcTokenAccessor.cs | 29 ++++- .../README.md | 36 +++++- 21 files changed, 445 insertions(+), 28 deletions(-) create mode 100644 src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/OidcPersistedRefreshPing.razor create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/TokenRefreshController.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/OidcPersistedRefreshServiceCollectionExtensions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcRefreshConfiguration.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshStrategy.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/BrowserRefreshPingService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcCookieTokenRefresher.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshBackgroundService.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshClientOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcTokenRefreshOptionsAccessor.cs diff --git a/src/framework/Elsa.Studio.Shell/App.razor b/src/framework/Elsa.Studio.Shell/App.razor index be6d73f1..cc7a2575 100644 --- a/src/framework/Elsa.Studio.Shell/App.razor +++ b/src/framework/Elsa.Studio.Shell/App.razor @@ -29,4 +29,4 @@ Sorry, there's nothing at this address. - \ No newline at end of file + diff --git a/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor b/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor new file mode 100644 index 00000000..accd1d77 --- /dev/null +++ b/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor @@ -0,0 +1,11 @@ +@using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Components +@using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models +@using Microsoft.Extensions.Options + +@inject IOptions Options + +@if (Options.Value.Strategy == OidcTokenRefreshStrategy.Persisted) +{ + +} + diff --git a/src/hosts/Elsa.Studio.Host.Server/Pages/_Host.cshtml b/src/hosts/Elsa.Studio.Host.Server/Pages/_Host.cshtml index f1f14f71..2acfa9f4 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Pages/_Host.cshtml +++ b/src/hosts/Elsa.Studio.Host.Server/Pages/_Host.cshtml @@ -12,6 +12,7 @@ + Elsa Studio @@ -45,7 +46,6 @@ - \ No newline at end of file diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index 41974705..bffa565c 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -2,6 +2,7 @@ using Elsa.Studio.Authentication.ElsaAuth.BlazorServer.Extensions; using Elsa.Studio.Authentication.ElsaAuth.UI.Extensions; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; using Elsa.Studio.Branding; using Elsa.Studio.Contracts; using Elsa.Studio.Core.BlazorServer.Extensions; @@ -95,6 +96,19 @@ // to allow calling userinfo with the issued access token. // options.GetClaimsFromUserInfoEndpoint = false; }); + + // Optional: Persisted silent refresh. + // When enabled, a background ping calls POST /authentication/refresh to renew the auth cookie on a normal HTTP request. + var refreshStrategy = configuration["Authentication:OpenIdConnect:TokenRefresh:Strategy"]; + if (string.Equals(refreshStrategy, nameof(OidcTokenRefreshStrategy.Persisted), StringComparison.OrdinalIgnoreCase)) + { + builder.Services.Configure(options => options.Strategy = OidcTokenRefreshStrategy.Persisted); + + builder.Services.AddOidcPersistedRefreshBackgroundPing(options => + { + configuration.GetSection("Authentication:OpenIdConnect:TokenRefresh:Ping").Bind(options); + }); + } } else { diff --git a/src/hosts/Elsa.Studio.Host.Server/appsettings.json b/src/hosts/Elsa.Studio.Host.Server/appsettings.json index e92155d4..99c63899 100644 --- a/src/hosts/Elsa.Studio.Host.Server/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Server/appsettings.json @@ -20,11 +20,24 @@ ] }, "Authentication": { - "Provider": "ElsaAuth", + "Provider": "OpenIdConnect", "OpenIdConnect": { "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", "ClientId": "", - "ClientSecret": "" + "ClientSecret": "", + "Scopes": [ + "openid", + "profile", + "offline_access" + ], + "SaveTokens": true, + "TokenRefresh": { + "Strategy": "Persisted", + "Ping": { + "RefreshEndpointPath": "/authentication/refresh", + "Interval": "00:01:00" + } + } } } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/OidcPersistedRefreshPing.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/OidcPersistedRefreshPing.razor new file mode 100644 index 00000000..430d8ef2 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Components/OidcPersistedRefreshPing.razor @@ -0,0 +1,11 @@ +@using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services +@inject BrowserRefreshPingService PingService + +@code { + protected override async Task OnAfterRenderAsync(bool firstRender) + { + if (firstRender) + await PingService.StartAsync(); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/TokenRefreshController.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/TokenRefreshController.cs new file mode 100644 index 00000000..cafef3cb --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Controllers/TokenRefreshController.cs @@ -0,0 +1,27 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; +using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Controllers; + +/// +/// Endpoint used to perform persisted silent refresh (renew auth cookie) in a context where headers can be written. +/// +[Route("authentication")] +public class TokenRefreshController(OidcCookieTokenRefresher refresher, IOptions options) : Controller +{ + /// + /// Refreshes the access token (if needed) and renews the authentication cookie. + /// + [HttpPost("refresh")] + public async Task Refresh(CancellationToken cancellationToken) + { + if (options.Value.Strategy != OidcTokenRefreshStrategy.Persisted) + return NoContent(); + + var refreshed = await refresher.TryRefreshAndRenewCookieAsync(HttpContext, cancellationToken); + return refreshed ? Ok() : NoContent(); + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/OidcPersistedRefreshServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/OidcPersistedRefreshServiceCollectionExtensions.cs new file mode 100644 index 00000000..27d2c6ce --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/OidcPersistedRefreshServiceCollectionExtensions.cs @@ -0,0 +1,26 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; +using Microsoft.Extensions.DependencyInjection; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Extensions; + +/// +/// Extension methods for enabling persisted OIDC refresh behavior. +/// +public static class OidcPersistedRefreshServiceCollectionExtensions +{ + /// + /// Enables a background ping to the refresh endpoint so the auth cookie can be renewed on a normal HTTP request. + /// + public static IServiceCollection AddOidcPersistedRefreshBackgroundPing(this IServiceCollection services, Action? configure = null) + { + if (configure != null) + services.Configure(configure); + else + services.AddOptions(); + + services.AddHttpClient(OidcPersistedRefreshBackgroundService.ClientName); + services.AddHostedService(); + + return services; + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index 93f31163..60e5b781 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -35,6 +35,10 @@ public static IServiceCollection AddOidcAuthentication( services.AddScoped(); services.AddScoped(); services.AddScoped(); + services.AddScoped(); + services.AddScoped(); + services.AddOptions(); + services.AddScoped(); // Configure ASP.NET Core authentication with cookie and OIDC services.AddAuthentication(authOptions => @@ -80,7 +84,7 @@ public static IServiceCollection AddOidcAuthentication( } // Configure token validation parameters - oidcOptions.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters + oidcOptions.TokenValidationParameters = new() { NameClaimType = "name", RoleClaimType = "role", diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcRefreshConfiguration.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcRefreshConfiguration.cs new file mode 100644 index 00000000..8bf1152d --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcRefreshConfiguration.cs @@ -0,0 +1,11 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + +/// +/// Effective configuration to use for performing a refresh-token grant. +/// +public class OidcRefreshConfiguration(string tokenEndpoint, string clientId, string? clientSecret) +{ + public string TokenEndpoint { get; } = tokenEndpoint; + public string ClientId { get; } = clientId; + public string? ClientSecret { get; } = clientSecret; +} \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs index 01c3cd54..2e569430 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshOptions.cs @@ -30,5 +30,9 @@ public class OidcTokenRefreshOptions /// Optional override for the client secret. /// public string? ClientSecret { get; set; } -} + /// + /// Determines how the module performs access-token refresh in Blazor Server. + /// + public OidcTokenRefreshStrategy Strategy { get; set; } = OidcTokenRefreshStrategy.BestEffort; +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshStrategy.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshStrategy.cs new file mode 100644 index 00000000..6ba33ee4 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Models/OidcTokenRefreshStrategy.cs @@ -0,0 +1,20 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + +/// +/// Determines how Blazor Server should perform access-token refresh. +/// +public enum OidcTokenRefreshStrategy +{ + /// + /// Best-effort refresh. The module will only refresh when it can also renew the auth cookie + /// (i.e., when HTTP response headers can still be written). + /// + BestEffort = 0, + + /// + /// Persist tokens by renewing the auth cookie via a dedicated refresh endpoint. + /// This can maintain long-lived sessions without interactive re-authentication. + /// + Persisted = 1 +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/BrowserRefreshPingService.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/BrowserRefreshPingService.cs new file mode 100644 index 00000000..41b78d7d --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/BrowserRefreshPingService.cs @@ -0,0 +1,19 @@ +using Microsoft.JSInterop; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Starts a per-user browser-side timer that periodically POSTs to the refresh endpoint. +/// The browser request carries the authenticated cookie, enabling persisted token refresh. +/// +public class BrowserRefreshPingService(IJSRuntime jsRuntime, IOptions options) +{ + /// + /// Starts the refresh ping loop. + /// Safe to call multiple times. + /// + public async ValueTask StartAsync(CancellationToken cancellationToken = default) + => await jsRuntime.InvokeVoidAsync("elsaStudioOidcRefresh.start", cancellationToken, options.Value.RefreshEndpointPath, (int)options.Value.Interval.TotalMilliseconds); +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs index f64cd834..8d5663b7 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/DefaultOidcRefreshConfigurationProvider.cs @@ -42,6 +42,6 @@ public class DefaultOidcRefreshConfigurationProvider( if (string.IsNullOrWhiteSpace(tokenEndpoint)) return null; - return new OidcRefreshConfiguration(tokenEndpoint, clientId, clientSecret); + return new(tokenEndpoint, clientId, clientSecret); } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs index 842f051f..4dddf940 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/IOidcRefreshConfigurationProvider.cs @@ -1,3 +1,5 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; /// @@ -9,21 +11,4 @@ public interface IOidcRefreshConfigurationProvider /// Gets the effective refresh configuration or null if refresh is not possible. /// ValueTask GetAsync(CancellationToken cancellationToken = default); -} - -/// -/// Effective configuration to use for performing a refresh-token grant. -/// -public class OidcRefreshConfiguration -{ - public OidcRefreshConfiguration(string tokenEndpoint, string clientId, string? clientSecret) - { - TokenEndpoint = tokenEndpoint; - ClientId = clientId; - ClientSecret = clientSecret; - } - - public string TokenEndpoint { get; } - public string ClientId { get; } - public string? ClientSecret { get; } -} +} \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcCookieTokenRefresher.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcCookieTokenRefresher.cs new file mode 100644 index 00000000..6046357c --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcCookieTokenRefresher.cs @@ -0,0 +1,116 @@ +using System.Globalization; +using System.Text.Json; +using Elsa.Studio.Authentication.Abstractions.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authentication.Cookies; +using Microsoft.AspNetCore.Http; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Refreshes the OIDC access token and persists it by renewing the auth cookie. +/// Intended to be invoked from a normal HTTP endpoint where headers can still be written. +/// +public class OidcCookieTokenRefresher( + ITokenRefreshCoordinator refreshCoordinator, + IOidcRefreshConfigurationProvider refreshConfigurationProvider, + IHttpClientFactory httpClientFactory, + IOptions refreshOptions) +{ + private const string AnonymousClientName = "Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Anonymous"; + + /// + /// Attempts to refresh tokens and renew the cookie if needed. + /// Returns true if tokens were refreshed and persisted; otherwise false. + /// + public async Task TryRefreshAndRenewCookieAsync(HttpContext httpContext, CancellationToken cancellationToken = default) + { + var options = refreshOptions.Value; + + if (!options.EnableRefreshTokens) + return false; + + if (httpContext.User.Identity?.IsAuthenticated != true) + return false; + + // Must be able to write cookies. + if (httpContext.Response.HasStarted) + return false; + + var refreshToken = await httpContext.GetTokenAsync("refresh_token"); + var expiresAtString = await httpContext.GetTokenAsync("expires_at"); + + if (string.IsNullOrWhiteSpace(refreshToken) || string.IsNullOrWhiteSpace(expiresAtString)) + return false; + + if (!DateTimeOffset.TryParse(expiresAtString, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var expiresAt)) + return false; + + if (expiresAt > DateTimeOffset.UtcNow.Add(options.RefreshSkew)) + return false; + + var didRefresh = false; + + await refreshCoordinator.RunAsync(async ct => + { + // Check again under the lock. + var currentExpiresAtString = await httpContext.GetTokenAsync("expires_at"); + if (!DateTimeOffset.TryParse(currentExpiresAtString, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var currentExpiresAt)) + return 0; + + if (currentExpiresAt > DateTimeOffset.UtcNow.Add(options.RefreshSkew)) + return 0; + + var refreshConfig = await refreshConfigurationProvider.GetAsync(ct); + if (refreshConfig == null) + return 0; + + var httpClient = httpClientFactory.CreateClient(AnonymousClientName); + + using var request = new HttpRequestMessage(HttpMethod.Post, refreshConfig.TokenEndpoint); + request.Content = new FormUrlEncodedContent(new Dictionary + { + ["grant_type"] = "refresh_token", + ["client_id"] = refreshConfig.ClientId, + ["refresh_token"] = refreshToken, + ["client_secret"] = refreshConfig.ClientSecret ?? string.Empty + }.Where(x => !string.IsNullOrWhiteSpace(x.Value))); + + var response = await httpClient.SendAsync(request, ct); + if (!response.IsSuccessStatusCode) + return 0; + + var payload = await response.Content.ReadAsStringAsync(ct); + using var doc = JsonDocument.Parse(payload); + + var newAccessToken = doc.RootElement.TryGetProperty("access_token", out var at) ? at.GetString() : null; + var newRefreshToken = doc.RootElement.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null; + var expiresInSeconds = doc.RootElement.TryGetProperty("expires_in", out var exp) ? exp.GetInt32() : 0; + + if (string.IsNullOrWhiteSpace(newAccessToken) || expiresInSeconds <= 0) + return 0; + + var newExpiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresInSeconds); + + var authResult = await httpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme); + if (!authResult.Succeeded) + return 0; + + authResult.Properties.UpdateTokenValue("access_token", newAccessToken); + authResult.Properties.UpdateTokenValue("expires_at", newExpiresAt.ToString("o", CultureInfo.InvariantCulture)); + + if (!string.IsNullOrWhiteSpace(newRefreshToken)) + authResult.Properties.UpdateTokenValue("refresh_token", newRefreshToken); + + await httpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, authResult.Principal!, authResult.Properties); + + didRefresh = true; + return 0; + }, cancellationToken); + + return didRefresh; + } +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshBackgroundService.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshBackgroundService.cs new file mode 100644 index 00000000..95c7efcc --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshBackgroundService.cs @@ -0,0 +1,63 @@ +using Microsoft.Extensions.Hosting; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Periodically calls the persisted refresh endpoint so cookies can be renewed on a normal HTTP request. +/// NOTE: This service does not have access to per-user authentication cookies and therefore cannot reliably +/// trigger persisted refresh for signed-in users. Prefer invoking the refresh endpoint from the browser (per-user) +/// or from a request that carries the user's auth cookie. +/// +public class OidcPersistedRefreshBackgroundService( + IHttpClientFactory httpClientFactory, + IOptions options, + ILogger logger, + IOptions refreshOptions) : BackgroundService +{ + internal const string ClientName = "Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.PersistedRefresh"; + + /// + protected override async Task ExecuteAsync(CancellationToken stoppingToken) + { + // This background service runs process-wide and cannot carry user cookies. + // To avoid giving a false sense of security, we only run when the strategy is BestEffort. + if (refreshOptions.Value.Strategy == OidcTokenRefreshStrategy.Persisted) + { + logger.LogWarning("OidcPersistedRefreshBackgroundService is not effective for Persisted refresh because it cannot send per-user auth cookies. Use a browser-side ping to POST {Path} instead.", options.Value.RefreshEndpointPath); + return; + } + + var settings = options.Value; + + // Delay loop. + while (!stoppingToken.IsCancellationRequested) + { + try + { + var client = httpClientFactory.CreateClient(ClientName); + + // POST because it potentially mutates auth cookie. + using var request = new HttpRequestMessage(HttpMethod.Post, settings.RefreshEndpointPath); + + var response = await client.SendAsync(request, stoppingToken); + + // Ignore failures; the next interactive request will handle auth. + if (!response.IsSuccessStatusCode && response.StatusCode != System.Net.HttpStatusCode.NoContent) + logger.LogDebug("Persisted OIDC refresh ping returned status code {StatusCode}", response.StatusCode); + } + catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested) + { + // Shutting down. + } + catch (Exception ex) + { + logger.LogDebug(ex, "Persisted OIDC refresh ping failed"); + } + + await Task.Delay(settings.Interval, stoppingToken); + } + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshClientOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshClientOptions.cs new file mode 100644 index 00000000..442b31f4 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcPersistedRefreshClientOptions.cs @@ -0,0 +1,18 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Client-side options for invoking the persisted refresh endpoint. +/// +public class OidcPersistedRefreshClientOptions +{ + /// + /// The relative URL of the refresh endpoint. + /// + public string RefreshEndpointPath { get; set; } = "/authentication/refresh"; + + /// + /// How often the client should ping the refresh endpoint. + /// + public TimeSpan Interval { get; set; } = TimeSpan.FromMinutes(1); +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcTokenRefreshOptionsAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcTokenRefreshOptionsAccessor.cs new file mode 100644 index 00000000..9d988909 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/OidcTokenRefreshOptionsAccessor.cs @@ -0,0 +1,16 @@ +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; +using Microsoft.Extensions.Options; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// Helps razor components determine whether persisted refresh is enabled. +/// +public class OidcTokenRefreshOptionsAccessor(IOptions options) +{ + /// + /// Gets the configured refresh strategy. + /// + public OidcTokenRefreshStrategy Strategy => options.Value.Strategy; +} + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs index a1a2a2bd..69d9b02b 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs @@ -20,6 +20,7 @@ public class ServerOidcTokenAccessor : IOidcTokenAccessor private readonly IHttpClientFactory _httpClientFactory; private readonly IOptions _refreshOptions; private readonly IOidcRefreshConfigurationProvider _refreshConfigurationProvider; + private readonly OidcCookieTokenRefresher _cookieTokenRefresher; /// /// Initializes a new instance of the class. @@ -29,13 +30,15 @@ public ServerOidcTokenAccessor( ITokenRefreshCoordinator refreshCoordinator, IHttpClientFactory httpClientFactory, IOptions refreshOptions, - IOidcRefreshConfigurationProvider refreshConfigurationProvider) + IOidcRefreshConfigurationProvider refreshConfigurationProvider, + OidcCookieTokenRefresher cookieTokenRefresher) { _httpContextAccessor = httpContextAccessor; _refreshCoordinator = refreshCoordinator; _httpClientFactory = httpClientFactory; _refreshOptions = refreshOptions; _refreshConfigurationProvider = refreshConfigurationProvider; + _cookieTokenRefresher = cookieTokenRefresher; } /// @@ -48,7 +51,20 @@ public ServerOidcTokenAccessor( // Ensure we have a fresh access token when asked for one. if (string.Equals(tokenName, "access_token", StringComparison.Ordinal)) - await TryRefreshAccessTokenAsync(httpContext, cancellationToken); + { + var options = _refreshOptions.Value; + + if (options.EnableRefreshTokens && options.Strategy == OidcTokenRefreshStrategy.Persisted) + { + // In Persisted mode, try to renew the cookie if this is a normal HTTP request. + // During Blazor circuit activity, Response.HasStarted is typically true and renewal will be skipped. + await _cookieTokenRefresher.TryRefreshAndRenewCookieAsync(httpContext, cancellationToken); + } + else + { + await TryRefreshAccessTokenAsync(httpContext, cancellationToken); + } + } // Retrieve the token from the authentication properties. return await httpContext.GetTokenAsync(tokenName); @@ -61,6 +77,15 @@ private async Task TryRefreshAccessTokenAsync(HttpContext httpContext, Cancellat if (!options.EnableRefreshTokens) return; + // BestEffort refresh can only persist tokens by renewing the cookie. + // In Persisted mode, cookie renewal is performed via the /authentication/refresh endpoint. + if (options.Strategy != OidcTokenRefreshStrategy.BestEffort) + return; + + // If headers are already sent, we cannot renew the cookie without throwing. + if (httpContext.Response.HasStarted) + return; + // SaveTokens must be enabled or tokens won't be in the auth cookie. var accessToken = await httpContext.GetTokenAsync("access_token"); var refreshToken = await httpContext.GetTokenAsync("refresh_token"); diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md index 9fdf462b..75458214 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -308,6 +308,12 @@ builder.Services.Configure(options => - `SaveTokens` must be `true` (otherwise no tokens are available in the auth cookie). - `offline_access` should be requested (otherwise a refresh token is typically not issued). +- **Strategy**: + - `BestEffort` (default): the module only renews the auth cookie when response headers can still be written. + - `Persisted`: the module renews the auth cookie via the dedicated `POST /authentication/refresh` endpoint. +- **Blazor Server note**: once the initial page load is complete, most calls happen over the SignalR circuit where HTTP headers have already been sent. In that context, cookies cannot be updated. + - With `BestEffort`, this means the app will eventually fall back to a normal OIDC re-authentication when the access token expires. + - With `Persisted`, you should periodically call the refresh endpoint (e.g., a background ping) so renewal happens in a non-circuit HTTP request. - If no refresh token is available, or refresh fails, the module does not throw; the next API call will typically result in a normal auth challenge. ### Microsoft Entra ID notes @@ -341,4 +347,32 @@ builder.Services.Configure(options => options.ClientId = "..."; options.ClientSecret = "..."; // optional }); -``` \ No newline at end of file +``` + +### Host configuration example (appsettings.json) + +In the Blazor Server host, you can enable persisted silent refresh purely via configuration: + +```json +{ + "Authentication": { + "Provider": "OpenIdConnect", + "OpenIdConnect": { + "Authority": "https://login.microsoftonline.com/{tenantId}/v2.0", + "ClientId": "...", + "ClientSecret": "...", + "Scopes": ["openid", "profile", "offline_access"], + "SaveTokens": true, + "TokenRefresh": { + "Strategy": "Persisted", + "Ping": { + "RefreshEndpointPath": "/authentication/refresh", + "Interval": "00:01:00" + } + } + } + } +} +``` + +> Set `TokenRefresh:Strategy` to `BestEffort` (or omit it) to disable persisted refresh. From a436d2a78b1ab3cbcdb1d694256cb76eb278ca0d Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 14:28:39 +0100 Subject: [PATCH 20/27] Remove persisted token refresh strategy and related services from OpenID Connect configuration. --- .../Components/OidcPersistedRefreshGate.razor | 11 ----------- src/hosts/Elsa.Studio.Host.Server/Program.cs | 13 ------------- 2 files changed, 24 deletions(-) delete mode 100644 src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor diff --git a/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor b/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor deleted file mode 100644 index accd1d77..00000000 --- a/src/hosts/Elsa.Studio.Host.Server/Components/OidcPersistedRefreshGate.razor +++ /dev/null @@ -1,11 +0,0 @@ -@using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Components -@using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models -@using Microsoft.Extensions.Options - -@inject IOptions Options - -@if (Options.Value.Strategy == OidcTokenRefreshStrategy.Persisted) -{ - -} - diff --git a/src/hosts/Elsa.Studio.Host.Server/Program.cs b/src/hosts/Elsa.Studio.Host.Server/Program.cs index bffa565c..4f9c2748 100644 --- a/src/hosts/Elsa.Studio.Host.Server/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Server/Program.cs @@ -96,19 +96,6 @@ // to allow calling userinfo with the issued access token. // options.GetClaimsFromUserInfoEndpoint = false; }); - - // Optional: Persisted silent refresh. - // When enabled, a background ping calls POST /authentication/refresh to renew the auth cookie on a normal HTTP request. - var refreshStrategy = configuration["Authentication:OpenIdConnect:TokenRefresh:Strategy"]; - if (string.Equals(refreshStrategy, nameof(OidcTokenRefreshStrategy.Persisted), StringComparison.OrdinalIgnoreCase)) - { - builder.Services.Configure(options => options.Strategy = OidcTokenRefreshStrategy.Persisted); - - builder.Services.AddOidcPersistedRefreshBackgroundPing(options => - { - configuration.GetSection("Authentication:OpenIdConnect:TokenRefresh:Ping").Bind(options); - }); - } } else { From 595864469f2402aacbdbfbab16344bf1c4ab2e2b Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 19:35:52 +0100 Subject: [PATCH 21/27] Refactor OIDC configuration for Blazor WebAssembly: add Azure AD compatibility patches, improve URI handling, and modularize features. --- .../wwwroot/appsettings.json | 12 +- .../wwwroot/auth-interop.js | 122 ++++++++++++++++++ .../Elsa.Studio.Host.Wasm/wwwroot/index.html | 7 + .../Extensions/ServiceCollectionExtensions.cs | 5 + .../Components/NavigateToLogin.razor | 5 +- .../Extensions/ServiceCollectionExtensions.cs | 44 ++++--- .../OpenIdConnectBlazorWasmFeature.cs | 17 +++ .../Pages}/Authentication.razor | 0 .../Pages/MySample.razor | 6 + .../Services/WasmOidcTokenAccessor.cs | 2 +- .../Models/OidcOptions.cs | 32 ++++- .../README.md | 62 +++++---- 12 files changed, 260 insertions(+), 54 deletions(-) create mode 100644 src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/OpenIdConnectBlazorWasmFeature.cs rename src/{hosts/Elsa.Studio.Host.Wasm => modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages}/Authentication.razor (100%) create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json index 7a3f8e8b..f1dbd836 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json @@ -11,9 +11,15 @@ "Authentication": { "Provider": "OpenIdConnect", "OpenIdConnect": { - "Authority": "https://login.microsoftonline.com/{tenantIdOrVerifiedDomain}/v2.0", - "ClientId": "", - "ClientSecret": "" + "AppBaseUrl": "https://localhost:7052", + "Authority": "https://login.microsoftonline.com/f35bcd45-7991-4e24-84f1-e964394501ad/v2.0", + "ClientId": "0078a6b1-54d9-438b-9223-e26f07191949", + "Scopes": [ + "openid", + "profile", + "offline_access", + "api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api" + ] } } } diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js new file mode 100644 index 00000000..eae04fb2 --- /dev/null +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js @@ -0,0 +1,122 @@ +// Custom JavaScript to patch oidc-client settings for Azure AD compatibility +// Azure AD requires the 'scope' parameter in token exchange requests + +(function () { + // Azure AD v2.0 only allows scopes for ONE resource per token request + // Use only the primary API resource - OIDC scopes (openid, profile, offline_access) are always allowed + // To access multiple resources, you need separate token requests for each resource + const requestedScopes = 'openid profile offline_access api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api'; + console.log('[auth-interop] Will use scopes (single resource):', requestedScopes); + + // Store the ID token to extract claims for userinfo + let lastIdToken = null; + + // Intercept XMLHttpRequest (used by oidc-client-js for token requests) + const originalOpen = XMLHttpRequest.prototype.open; + const originalSend = XMLHttpRequest.prototype.send; + + XMLHttpRequest.prototype.open = function (method, url) { + this._method = method; + this._url = url; + this._isUserInfoRequest = url && url.includes('graph.microsoft.com/oidc/userinfo'); + return originalOpen.apply(this, arguments); + }; + + XMLHttpRequest.prototype.send = function (body) { + let modifiedBody = body; + + // Intercept userinfo requests and return synthetic response from ID token + if (this._isUserInfoRequest) { + console.log('[auth-interop] Intercepting userinfo request - will return empty response'); + const xhr = this; + + // Prevent the actual request from being sent + setTimeout(() => { + Object.defineProperty(xhr, 'status', { value: 200, writable: false, configurable: true }); + Object.defineProperty(xhr, 'statusText', { value: 'OK', writable: false, configurable: true }); + Object.defineProperty(xhr, 'responseText', { value: '{}', writable: false, configurable: true }); + Object.defineProperty(xhr, 'response', { value: '{}', writable: false, configurable: true }); + Object.defineProperty(xhr, 'readyState', { value: 4, writable: false, configurable: true }); + + if (xhr.onreadystatechange) xhr.onreadystatechange(); + if (xhr.onload) xhr.onload(); + }, 0); + + return; // Don't call original send + } + + // Check if this is a token endpoint request + if (this._method === 'POST' && this._url && this._url.includes('/oauth2/') && this._url.includes('/token')) { + console.log('[auth-interop] Intercepted XHR token request to:', this._url); + + if (body && typeof body === 'string') { + console.log('[auth-interop] Original body length:', body.length); + + // Check if this is an authorization code grant and scope is missing + if (body.includes('grant_type=authorization_code') && !body.includes('scope=')) { + modifiedBody = body + '&scope=' + encodeURIComponent(requestedScopes); + console.log('[auth-interop] Added scope to token request'); + console.log('[auth-interop] Updated body length:', modifiedBody.length); + } + } + + // Capture the ID token from the response + const originalOnLoad = this.onload; + this.onload = function() { + try { + const tokenResponse = JSON.parse(this.responseText); + if (tokenResponse.id_token) { + lastIdToken = tokenResponse.id_token; + console.log('[auth-interop] Captured ID token from response'); + } + } catch (e) { + // Ignore + } + if (originalOnLoad) originalOnLoad.apply(this, arguments); + }; + } + + return originalSend.call(this, modifiedBody); + }; + + // Also intercept fetch as a fallback + const originalFetch = window.fetch; + window.fetch = function (url, options) { + // Intercept userinfo requests + if (url && typeof url === 'string' && url.includes('graph.microsoft.com/oidc/userinfo')) { + console.log('[auth-interop] Intercepting userinfo fetch - will return empty response'); + return Promise.resolve(new Response('{}', { + status: 200, + statusText: 'OK', + headers: { 'Content-Type': 'application/json' } + })); + } + + // Patch token requests + if (url && typeof url === 'string' && url.includes('/oauth2/') && url.includes('/token') && options && options.method === 'POST') { + console.log('[auth-interop] Intercepted fetch token request to:', url); + + if (options.body && typeof options.body === 'string') { + if (options.body.includes('grant_type=authorization_code') && !options.body.includes('scope=')) { + options.body = options.body + '&scope=' + encodeURIComponent(requestedScopes); + console.log('[auth-interop] Added scope to token request (fetch)'); + } + } + + // Capture ID token + return originalFetch.apply(this, arguments).then(response => { + return response.clone().json().then(tokenResponse => { + if (tokenResponse.id_token) { + lastIdToken = tokenResponse.id_token; + console.log('[auth-interop] Captured ID token from fetch response'); + } + return response; + }).catch(() => response); + }); + } + + return originalFetch.apply(this, arguments); + }; + + console.log('[auth-interop] Azure AD compatibility patches initialized (scope + userinfo intercept)'); +})(); diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html index 903ed6b2..0092ac65 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html @@ -34,6 +34,13 @@
Loading... + + + + + + + diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index 60e5b781..c2d48ca0 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -30,6 +30,11 @@ public static IServiceCollection AddOidcAuthentication( var options = new OidcOptions(); configure(options); + // The shared OidcOptions defaults are oriented towards Blazor WebAssembly. + // For Blazor Server, ensure we use the standard ASP.NET Core OIDC callback endpoints unless explicitly overridden. + options.CallbackPath = string.IsNullOrWhiteSpace(options.CallbackPath) ? "/signin-oidc" : options.CallbackPath; + options.SignedOutCallbackPath = string.IsNullOrWhiteSpace(options.SignedOutCallbackPath) ? "/signout-callback-oidc" : options.SignedOutCallbackPath; + // Register the token accessor services.AddHttpContextAccessor(); services.AddScoped(); diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor index d264e693..fa8a448a 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor @@ -5,7 +5,8 @@ protected override void OnInitialized() { // The WASM host must provide the /authentication/{action} route hosting RemoteAuthenticatorView. - NavigationManager.NavigateTo("authentication/login"); + // Use an absolute path and force a full page load to avoid issues when we're in a nested route. + var url = "/authentication/login".Trim(); + NavigationManager.NavigateTo(url, forceLoad: true); } } - diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs index 3ad47ee6..b43ef723 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -33,28 +33,40 @@ public static IServiceCollection AddElsaOidcAuthentication( // Register the token accessor services.AddScoped(); services.AddScoped(); + services.AddScoped(); - // Configure WASM authentication using the built-in framework + // Configure WASM authentication using the built-in framework. + // Note: Entra ID requires absolute redirect URIs. services.AddOidcAuthentication(wasmOptions => { - // Configure the authentication provider options wasmOptions.ProviderOptions.Authority = options.Authority; wasmOptions.ProviderOptions.ClientId = options.ClientId; wasmOptions.ProviderOptions.ResponseType = options.ResponseType; - // Configure scopes - foreach (var scope in options.Scopes) - { - wasmOptions.ProviderOptions.DefaultScopes.Add(scope); - } + var scopes = options.Scopes + .Where(x => !string.IsNullOrWhiteSpace(x)) + .Select(x => x.Trim()) + .Distinct(StringComparer.OrdinalIgnoreCase) + .ToList(); + + // Ensure we always request at least the OIDC basics. + if (scopes.Count == 0) + scopes.AddRange(["openid", "profile"]); - // Set redirect URIs - wasmOptions.ProviderOptions.RedirectUri = options.CallbackPath; - wasmOptions.ProviderOptions.PostLogoutRedirectUri = options.SignedOutCallbackPath; + // Clear any default scopes that might have been added by the framework + wasmOptions.ProviderOptions.DefaultScopes.Clear(); + + foreach (var scope in scopes) + wasmOptions.ProviderOptions.DefaultScopes.Add(scope); if (!string.IsNullOrWhiteSpace(options.MetadataAddress)) - { wasmOptions.ProviderOptions.MetadataUrl = options.MetadataAddress; + + // Only override redirect URIs when AppBaseUrl is provided. Otherwise, let the framework infer absolute URIs. + if (!string.IsNullOrWhiteSpace(options.AppBaseUrl)) + { + wasmOptions.ProviderOptions.RedirectUri = $"{options.AppBaseUrl.TrimEnd('/')}{options.CallbackPath}"; + wasmOptions.ProviderOptions.PostLogoutRedirectUri = $"{options.AppBaseUrl.TrimEnd('/')}{options.SignedOutCallbackPath}"; } }); @@ -66,12 +78,4 @@ public static IServiceCollection AddElsaOidcAuthentication( return services; } - - /// - /// Adds OpenID Connect authentication services for Blazor WebAssembly. - /// - [Obsolete("Use AddElsaOidcAuthentication instead to avoid ambiguity with Microsoft.Extensions.DependencyInjection.WebAssemblyAuthenticationServiceCollectionExtensions.AddOidcAuthentication.")] - public static IServiceCollection AddOidcAuthentication( - this IServiceCollection services, - Action configure) => services.AddElsaOidcAuthentication(configure); -} +} \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/OpenIdConnectBlazorWasmFeature.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/OpenIdConnectBlazorWasmFeature.cs new file mode 100644 index 00000000..c8c47dd5 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/OpenIdConnectBlazorWasmFeature.cs @@ -0,0 +1,17 @@ +using Elsa.Studio.Abstractions; +using JetBrains.Annotations; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm; + +/// +/// Represents the OpenID Connect feature specific to Blazor WebAssembly authentication +/// within the Elsa Studio platform. +/// +/// +/// This feature integrates OpenID Connect authentication capabilities into the +/// Blazor WebAssembly context, allowing for secure user authentication in a +/// distributed environment. It derives from the class, +/// which provides a framework for modules extending the Elsa Studio dashboard. +/// +[UsedImplicitly] +public class OpenIdConnectBlazorWasmFeature : FeatureBase; diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor similarity index 100% rename from src/hosts/Elsa.Studio.Host.Wasm/Authentication.razor rename to src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor new file mode 100644 index 00000000..2ad97a42 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor @@ -0,0 +1,6 @@ +@page "/MySample" +

MySample

+ +@code { + +} \ No newline at end of file diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs index eb8567fc..bdff62fd 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs @@ -25,7 +25,7 @@ public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider) // The framework handles token refresh automatically // Map token names to what the framework expects - if (tokenName == "access_token" || tokenName == "AccessToken") + if (tokenName == "access_token" || string.Equals(tokenName, "accessToken", StringComparison.OrdinalIgnoreCase)) { var tokenResult = await _tokenProvider.RequestAccessToken(); diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs index 4d12bc16..9751592e 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs @@ -38,14 +38,28 @@ public class OidcOptions : AuthenticationOptions public bool SaveTokens { get; set; } = true; /// - /// Gets or sets the callback path for handling the authentication response (Server only). + /// Gets or sets the callback path for handling the authentication response. /// - public string CallbackPath { get; set; } = "/signin-oidc"; + /// + /// + /// Blazor Server typically uses /signin-oidc. + /// Blazor WebAssembly uses /authentication/login-callback. + /// + /// When using the Blazor WebAssembly authentication stack, the identity provider expects an absolute redirect_uri. + /// The framework will convert these paths into absolute URIs based on the current base URI. + /// + public string CallbackPath { get; set; } = "/authentication/login-callback"; /// - /// Gets or sets the sign-out callback path (Server only). + /// Gets or sets the sign-out callback path. /// - public string SignedOutCallbackPath { get; set; } = "/signout-callback-oidc"; + /// + /// + /// Blazor Server typically uses /signout-callback-oidc. + /// Blazor WebAssembly uses /authentication/logout-callback. + /// + /// + public string SignedOutCallbackPath { get; set; } = "/authentication/logout-callback"; /// /// Gets or sets whether to get claims from the user info endpoint. @@ -62,6 +76,16 @@ public class OidcOptions : AuthenticationOptions /// public string? MetadataAddress { get; set; } + /// + /// Gets or sets the base URL of the application (primarily for Blazor WebAssembly) used to build absolute redirect URIs. + /// + /// + /// Microsoft Entra ID requires redirect_uri to be an absolute URI. In many cases the framework can infer the base URI, + /// but if your host setup or reverse proxying causes relative redirect URIs to be sent, set this to the app origin, e.g. + /// https://localhost:9009. + /// + public string AppBaseUrl { get; set; } = string.Empty; + /// /// Initializes a new instance of the class. /// diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md index 75458214..7703cf07 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -124,32 +124,11 @@ Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ }); ``` -3. **Add Authentication Components** in `App.razor`: - ```razor - - - - - - - - - - - - ``` +3. **Authentication Routes** -4. **Add Authentication Routes**: - Create `Authentication.razor`: - ```razor - @page "/authentication/{action}" - @using Microsoft.AspNetCore.Components.WebAssembly.Authentication - + This module ships the required `/authentication/{action}` route (hosting `RemoteAuthenticatorView`) as part of the `Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm` assembly. - @code { - [Parameter] public string? Action { get; set; } - } - ``` + That means integrators **do not** need to add an `Authentication.razor` file to their host project, as long as they use Elsa Studio's shell router that includes module assemblies (which the default Elsa Studio hosts do). ## Configuration Options @@ -376,3 +355,38 @@ In the Blazor Server host, you can enable persisted silent refresh purely via co ``` > Set `TokenRefresh:Strategy` to `BestEffort` (or omit it) to disable persisted refresh. + +### Microsoft Entra ID: `graph.microsoft.com/oidc/userinfo` returns 401 + +On Blazor WebAssembly, Microsoft's built-in OIDC stack may call the OIDC UserInfo endpoint. +With Microsoft Entra ID, this endpoint is hosted on Microsoft Graph (e.g. `https://graph.microsoft.com/oidc/userinfo`). + +If you see a login failure with a browser console error like: + +- `graph.microsoft.com/oidc/userinfo: 401 (Unauthorized)` + +add a Microsoft Graph delegated permission scope such as `User.Read`. + +#### Example (`appsettings.json`) + +```json +{ + "Authentication": { + "Provider": "OpenIdConnect", + "OpenIdConnect": { + "Scopes": [ + "openid", + "profile", + "offline_access", + "https://graph.microsoft.com/User.Read", + "api://{your-api-app-id}/elsa-server-api" + ] + } + } +} +``` + +Then, in the Entra app registration: + +- Add Microsoft Graph → **Delegated permissions** → `User.Read` +- Grant admin consent (or ensure user consent is allowed in your tenant) From 12dcd61bbcc4d4ef519b3aa59def0c3f10dcae12 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 19:59:18 +0100 Subject: [PATCH 22/27] Fix Azure AD authentication in Blazor WASM by passing explicit API scopes during token exchange (#722) * Initial plan * Fix Azure AD authentication by passing explicit API scopes during token requests - Updated WasmOidcTokenAccessor to request access tokens with explicit resource scopes - Filter out standard OIDC scopes (openid, profile, email, offline_access) and pass only API scopes - Register OidcOptions in DI container so WasmOidcTokenAccessor can access configured scopes - This ensures Azure AD receives scope parameter during token exchange, fixing AADSTS errors Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> * Add Azure AD configuration documentation for Blazor WASM - Document Azure AD app registration setup and requirements - Explain single-resource scope limitation (no mixing Graph + custom API scopes) - Add troubleshooting guide for common Azure AD errors (AADSTS28000, AADSTS28003) - Update example to use AddElsaOidcAuthentication instead of AddOidcAuthentication - Document that standard OIDC scopes are automatically filtered Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> * Address code review feedback - Register OidcOptions as singleton instance instead of using Configure - Remove IOptions dependency from WasmOidcTokenAccessor - Add null check for Scopes array to prevent NullReferenceException - Simplify DI registration pattern Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> * Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: sfmskywalker <938393+sfmskywalker@users.noreply.github.com> Co-authored-by: Sipke Schoorstra Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Extensions/ServiceCollectionExtensions.cs | 3 + .../Services/WasmOidcTokenAccessor.cs | 29 ++++++- .../README.md | 75 ++++++++++++++++++- 3 files changed, 103 insertions(+), 4 deletions(-) diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs index b43ef723..b74f4004 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -30,6 +30,9 @@ public static IServiceCollection AddElsaOidcAuthentication( var options = new OidcOptions(); configure(options); + // Register options for access by services + services.AddSingleton(options); + // Register the token accessor services.AddScoped(); services.AddScoped(); diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs index bdff62fd..7ba10f17 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs @@ -1,4 +1,5 @@ using Elsa.Studio.Authentication.OpenIdConnect.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.Models; using Microsoft.AspNetCore.Components.WebAssembly.Authentication; namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; @@ -9,13 +10,15 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; public class WasmOidcTokenAccessor : IOidcTokenAccessor { private readonly IAccessTokenProvider _tokenProvider; + private readonly OidcOptions _options; /// /// Initializes a new instance of the class. /// - public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider) + public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider, OidcOptions options) { _tokenProvider = tokenProvider; + _options = options; } /// @@ -25,9 +28,29 @@ public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider) // The framework handles token refresh automatically // Map token names to what the framework expects - if (tokenName == "access_token" || string.Equals(tokenName, "accessToken", StringComparison.OrdinalIgnoreCase)) + if (string.Equals(tokenName, "access_token", StringComparison.OrdinalIgnoreCase) || + string.Equals(tokenName, "accessToken", StringComparison.OrdinalIgnoreCase)) { - var tokenResult = await _tokenProvider.RequestAccessToken(); + // Get all resource scopes (excluding standard OIDC scopes) + // This is critical for Azure AD which requires explicit scopes during token requests + var standardScopes = new HashSet(StringComparer.OrdinalIgnoreCase) + { + "openid", "profile", "email", "offline_access" + }; + + var resourceScopes = _options.Scopes + ?.Where(s => !standardScopes.Contains(s)) + .ToArray() ?? Array.Empty(); + + // Request token with explicit scopes to ensure Azure AD receives the scope parameter + // in both authorization and token exchange requests + var tokenResult = resourceScopes.Length > 0 + ? await _tokenProvider.RequestAccessToken(new AccessTokenRequestOptions + { + Scopes = resourceScopes + }) + // Fallback to default scopes if no resource scopes configured + : await _tokenProvider.RequestAccessToken(); if (tokenResult.TryGetToken(out var token)) { diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md index 7703cf07..ebffb00c 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/README.md @@ -113,7 +113,7 @@ Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; // Configure OIDC authentication - builder.Services.AddOidcAuthentication(options => + builder.Services.AddElsaOidcAuthentication(options => { options.Authority = "https://your-identity-server.com"; options.ClientId = "elsa-studio-wasm"; @@ -124,12 +124,85 @@ Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ }); ``` + > **Note**: Use `AddElsaOidcAuthentication` instead of `AddOidcAuthentication` to avoid ambiguity with Microsoft's extension method. + +3. **Add Authentication Components** in `App.razor`: + ```razor + + + + + + + + + + + + ``` 3. **Authentication Routes** This module ships the required `/authentication/{action}` route (hosting `RemoteAuthenticatorView`) as part of the `Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm` assembly. That means integrators **do not** need to add an `Authentication.razor` file to their host project, as long as they use Elsa Studio's shell router that includes module assemblies (which the default Elsa Studio hosts do). +### Azure AD / Microsoft Entra ID (Blazor WebAssembly) + +Azure AD has specific requirements for Blazor WebAssembly applications: + +1. **App Registration Setup**: + - Register your application in Azure AD (Azure Portal > Microsoft Entra ID > App registrations) + - Set "Supported account types" based on your needs (single/multi-tenant) + - Add a redirect URI for SPA: `https://your-app.com/authentication/login-callback` + - Enable "Access tokens" and "ID tokens" under "Implicit grant and hybrid flows" + - Create an API scope for your backend API (e.g., `api://your-api-id/elsa-server-api`) + +2. **Scopes Configuration**: + ```csharp + using Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Extensions; + + builder.Services.AddElsaOidcAuthentication(options => + { + options.Authority = "https://login.microsoftonline.com/{tenant-id}/v2.0"; + options.ClientId = "{client-id}"; + + // IMPORTANT: Only include API scopes for your backend + // Do NOT mix Microsoft Graph scopes with custom API scopes + // Azure AD v2.0 only allows one resource per token request + options.Scopes = new[] + { + "openid", // Required for OIDC + "profile", // User profile claims + "offline_access", // Refresh tokens + "api://{your-api-id}/elsa-server-api" // Your API scope + }; + + options.ResponseType = "code"; + options.CallbackPath = "/authentication/login-callback"; + options.SignedOutCallbackPath = "/authentication/logout-callback"; + }); + ``` + +3. **Key Considerations**: + - **Single Resource per Token**: Azure AD v2.0 only allows scopes for ONE resource per token. Don't mix Graph API scopes (`https://graph.microsoft.com/.default`) with your custom API scopes. + - **Scope Format**: Use the full scope URI format: `api://{application-id}/{scope-name}` + - **Standard Scopes**: The framework automatically filters standard OIDC scopes (`openid`, `profile`, `email`, `offline_access`) and only passes resource scopes during token requests. + - **UserInfo Endpoint**: If you encounter 401 errors from the userinfo endpoint, set `options.GetClaimsFromUserInfoEndpoint = false` (most Azure AD setups don't require this). + +4. **Backend API Configuration**: + Your backend API must accept tokens from Azure AD: + ```csharp + // In your API's Program.cs + builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd")); + ``` + +5. **Troubleshooting Azure AD**: + - **AADSTS28000** (Multi-resource error): Remove Graph scopes from `options.Scopes`, only include your API scope + - **AADSTS28003** (Scope not found): Verify the API scope is exposed in your app registration + - **401 from userinfo**: Set `GetClaimsFromUserInfoEndpoint = false` in options + - **Login succeeds but redirects to /login-failed**: Ensure your API scope is correctly configured and the token audience matches your API's expected audience + ## Configuration Options ### OidcOptions From 307ecd90064d191a26cd8e871838a7dd1217290d Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 21:35:12 +0100 Subject: [PATCH 23/27] Remove obsolete Azure AD compatibility patches and cleanup related JavaScript and Razor components. --- .../wwwroot/auth-interop.js | 122 ------------------ .../Elsa.Studio.Host.Wasm/wwwroot/index.html | 3 - .../Components/NavigateToLogin.razor | 3 +- .../Pages/Authentication.razor | 1 + .../Pages/MySample.razor | 6 - 5 files changed, 2 insertions(+), 133 deletions(-) delete mode 100644 src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js delete mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js deleted file mode 100644 index eae04fb2..00000000 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/auth-interop.js +++ /dev/null @@ -1,122 +0,0 @@ -// Custom JavaScript to patch oidc-client settings for Azure AD compatibility -// Azure AD requires the 'scope' parameter in token exchange requests - -(function () { - // Azure AD v2.0 only allows scopes for ONE resource per token request - // Use only the primary API resource - OIDC scopes (openid, profile, offline_access) are always allowed - // To access multiple resources, you need separate token requests for each resource - const requestedScopes = 'openid profile offline_access api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api'; - console.log('[auth-interop] Will use scopes (single resource):', requestedScopes); - - // Store the ID token to extract claims for userinfo - let lastIdToken = null; - - // Intercept XMLHttpRequest (used by oidc-client-js for token requests) - const originalOpen = XMLHttpRequest.prototype.open; - const originalSend = XMLHttpRequest.prototype.send; - - XMLHttpRequest.prototype.open = function (method, url) { - this._method = method; - this._url = url; - this._isUserInfoRequest = url && url.includes('graph.microsoft.com/oidc/userinfo'); - return originalOpen.apply(this, arguments); - }; - - XMLHttpRequest.prototype.send = function (body) { - let modifiedBody = body; - - // Intercept userinfo requests and return synthetic response from ID token - if (this._isUserInfoRequest) { - console.log('[auth-interop] Intercepting userinfo request - will return empty response'); - const xhr = this; - - // Prevent the actual request from being sent - setTimeout(() => { - Object.defineProperty(xhr, 'status', { value: 200, writable: false, configurable: true }); - Object.defineProperty(xhr, 'statusText', { value: 'OK', writable: false, configurable: true }); - Object.defineProperty(xhr, 'responseText', { value: '{}', writable: false, configurable: true }); - Object.defineProperty(xhr, 'response', { value: '{}', writable: false, configurable: true }); - Object.defineProperty(xhr, 'readyState', { value: 4, writable: false, configurable: true }); - - if (xhr.onreadystatechange) xhr.onreadystatechange(); - if (xhr.onload) xhr.onload(); - }, 0); - - return; // Don't call original send - } - - // Check if this is a token endpoint request - if (this._method === 'POST' && this._url && this._url.includes('/oauth2/') && this._url.includes('/token')) { - console.log('[auth-interop] Intercepted XHR token request to:', this._url); - - if (body && typeof body === 'string') { - console.log('[auth-interop] Original body length:', body.length); - - // Check if this is an authorization code grant and scope is missing - if (body.includes('grant_type=authorization_code') && !body.includes('scope=')) { - modifiedBody = body + '&scope=' + encodeURIComponent(requestedScopes); - console.log('[auth-interop] Added scope to token request'); - console.log('[auth-interop] Updated body length:', modifiedBody.length); - } - } - - // Capture the ID token from the response - const originalOnLoad = this.onload; - this.onload = function() { - try { - const tokenResponse = JSON.parse(this.responseText); - if (tokenResponse.id_token) { - lastIdToken = tokenResponse.id_token; - console.log('[auth-interop] Captured ID token from response'); - } - } catch (e) { - // Ignore - } - if (originalOnLoad) originalOnLoad.apply(this, arguments); - }; - } - - return originalSend.call(this, modifiedBody); - }; - - // Also intercept fetch as a fallback - const originalFetch = window.fetch; - window.fetch = function (url, options) { - // Intercept userinfo requests - if (url && typeof url === 'string' && url.includes('graph.microsoft.com/oidc/userinfo')) { - console.log('[auth-interop] Intercepting userinfo fetch - will return empty response'); - return Promise.resolve(new Response('{}', { - status: 200, - statusText: 'OK', - headers: { 'Content-Type': 'application/json' } - })); - } - - // Patch token requests - if (url && typeof url === 'string' && url.includes('/oauth2/') && url.includes('/token') && options && options.method === 'POST') { - console.log('[auth-interop] Intercepted fetch token request to:', url); - - if (options.body && typeof options.body === 'string') { - if (options.body.includes('grant_type=authorization_code') && !options.body.includes('scope=')) { - options.body = options.body + '&scope=' + encodeURIComponent(requestedScopes); - console.log('[auth-interop] Added scope to token request (fetch)'); - } - } - - // Capture ID token - return originalFetch.apply(this, arguments).then(response => { - return response.clone().json().then(tokenResponse => { - if (tokenResponse.id_token) { - lastIdToken = tokenResponse.id_token; - console.log('[auth-interop] Captured ID token from fetch response'); - } - return response; - }).catch(() => response); - }); - } - - return originalFetch.apply(this, arguments); - }; - - console.log('[auth-interop] Azure AD compatibility patches initialized (scope + userinfo intercept)'); -})(); diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html index 0092ac65..3ef353a8 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/index.html @@ -35,9 +35,6 @@
Loading... - - - diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor index fa8a448a..f9301705 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Components/NavigateToLogin.razor @@ -1,4 +1,3 @@ -@using Microsoft.AspNetCore.Components @inject NavigationManager NavigationManager @code { @@ -6,7 +5,7 @@ { // The WASM host must provide the /authentication/{action} route hosting RemoteAuthenticatorView. // Use an absolute path and force a full page load to avoid issues when we're in a nested route. - var url = "/authentication/login".Trim(); + var url = "/authentication/login"; NavigationManager.NavigateTo(url, forceLoad: true); } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor index 078f9e46..0e27f879 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/Authentication.razor @@ -5,5 +5,6 @@ @code { [Parameter] public string? Action { get; set; } + } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor deleted file mode 100644 index 2ad97a42..00000000 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Pages/MySample.razor +++ /dev/null @@ -1,6 +0,0 @@ -@page "/MySample" -

MySample

- -@code { - -} \ No newline at end of file From 828d0037865297b6df736c81030da1c37a8238c3 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 21:35:19 +0100 Subject: [PATCH 24/27] Refactor OpenID Connect callback path handling: use null-coalescing assignments and remove default path values from `OidcOptions`. --- .../Extensions/ServiceCollectionExtensions.cs | 7 +++---- .../Extensions/ServiceCollectionExtensions.cs | 8 ++++++-- .../Models/OidcOptions.cs | 4 ++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index c2d48ca0..9a7aa0e1 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -30,10 +30,9 @@ public static IServiceCollection AddOidcAuthentication( var options = new OidcOptions(); configure(options); - // The shared OidcOptions defaults are oriented towards Blazor WebAssembly. - // For Blazor Server, ensure we use the standard ASP.NET Core OIDC callback endpoints unless explicitly overridden. - options.CallbackPath = string.IsNullOrWhiteSpace(options.CallbackPath) ? "/signin-oidc" : options.CallbackPath; - options.SignedOutCallbackPath = string.IsNullOrWhiteSpace(options.SignedOutCallbackPath) ? "/signout-callback-oidc" : options.SignedOutCallbackPath; + // Set Blazor Server defaults for callback paths if not explicitly specified. + options.CallbackPath ??= "/signin-oidc"; + options.SignedOutCallbackPath ??= "/signout-callback-oidc"; // Register the token accessor services.AddHttpContextAccessor(); diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs index b74f4004..c4cb5032 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Extensions/ServiceCollectionExtensions.cs @@ -27,9 +27,13 @@ public static IServiceCollection AddElsaOidcAuthentication( this IServiceCollection services, Action configure) { - var options = new OidcOptions(); + var options = new OidcOptions(); configure(options); + // Set Blazor WASM defaults for callback paths if not explicitly specified. + options.CallbackPath ??= "/authentication/login-callback"; + options.SignedOutCallbackPath ??= "/authentication/logout-callback"; + // Register options for access by services services.AddSingleton(options); @@ -45,7 +49,7 @@ public static IServiceCollection AddElsaOidcAuthentication( wasmOptions.ProviderOptions.Authority = options.Authority; wasmOptions.ProviderOptions.ClientId = options.ClientId; wasmOptions.ProviderOptions.ResponseType = options.ResponseType; - + var scopes = options.Scopes .Where(x => !string.IsNullOrWhiteSpace(x)) .Select(x => x.Trim()) diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs index 9751592e..c713d43c 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Models/OidcOptions.cs @@ -48,7 +48,7 @@ public class OidcOptions : AuthenticationOptions /// When using the Blazor WebAssembly authentication stack, the identity provider expects an absolute redirect_uri. /// The framework will convert these paths into absolute URIs based on the current base URI. /// - public string CallbackPath { get; set; } = "/authentication/login-callback"; + public string? CallbackPath { get; set; } /// /// Gets or sets the sign-out callback path. @@ -59,7 +59,7 @@ public class OidcOptions : AuthenticationOptions /// Blazor WebAssembly uses /authentication/logout-callback. /// /// - public string SignedOutCallbackPath { get; set; } = "/authentication/logout-callback"; + public string? SignedOutCallbackPath { get; set; } /// /// Gets or sets whether to get claims from the user info endpoint. From 4cedc51e3aa10b5ac2cc1aa45518d83c3aac9d1f Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 21:35:24 +0100 Subject: [PATCH 25/27] Add token purposes and scoped token caching for enhanced authentication configuration --- src/hosts/Elsa.Studio.Host.Wasm/Program.cs | 4 ++++ .../Elsa.Studio.Host.Wasm/wwwroot/appsettings.json | 10 +++++++++- .../Extensions/ServiceCollectionExtensions.cs | 5 ++++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs index f3a4ea21..2d9ff4d9 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/Program.cs +++ b/src/hosts/Elsa.Studio.Host.Wasm/Program.cs @@ -1,4 +1,5 @@ using Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; +using Elsa.Studio.Authentication.Abstractions.Models; using Elsa.Studio.Dashboard.Extensions; using Elsa.Studio.Shell; using Elsa.Studio.Shell.Extensions; @@ -41,6 +42,9 @@ builder.Services.AddShell(); builder.Services.AddRemoteBackend(backendApiConfig); +// Configure token purposes for scope-aware token acquisition +builder.Services.Configure(configuration.GetSection("Authentication:TokenPurposes")); + // Choose authentication provider. // Supported values: "OpenIdConnect" (default) or "ElsaAuth". var authProvider = configuration["Authentication:Provider"]; diff --git a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json index f1dbd836..f1bc12a9 100644 --- a/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json +++ b/src/hosts/Elsa.Studio.Host.Wasm/wwwroot/appsettings.json @@ -18,8 +18,16 @@ "openid", "profile", "offline_access", - "api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api" + "https://graph.microsoft.com/User.Read" ] + }, + "TokenPurposes": { + "BackendApiPurpose": "backend_api", + "ScopesByPurpose": { + "backend_api": [ + "api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api" + ] + } } } } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs index 9a7aa0e1..6402f0e1 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Extensions/ServiceCollectionExtensions.cs @@ -1,4 +1,5 @@ using Elsa.Studio.Authentication.Abstractions.Extensions; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.Models; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; @@ -34,8 +35,10 @@ public static IServiceCollection AddOidcAuthentication( options.CallbackPath ??= "/signin-oidc"; options.SignedOutCallbackPath ??= "/signout-callback-oidc"; - // Register the token accessor + // Register the token accessor and cache services.AddHttpContextAccessor(); + services.AddMemoryCache(); + services.AddSingleton(); services.AddScoped(); services.AddScoped(); services.AddScoped(); From 06765274863750eb6bf9d3db5db14a015ef394d8 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 21:35:32 +0100 Subject: [PATCH 26/27] Add scoped access token capabilities and token-purpose configuration Introduce `IScopedAccessTokenProvider`, `IOidcTokenAccessorWithScopes`, and associated models to enable scope-aware token acquisition based on token purposes. Update handlers to support backend API scopes and implement scoped token caching for multi-audience token scenarios. --- AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md | 538 ++++++++++++++++++ .../Contracts/IScopedAccessTokenProvider.cs | 23 + .../AuthenticatingApiHttpMessageHandler.cs | 27 +- .../Models/TokenPurposeOptions.cs | 23 + .../Contracts/IScopedTokenCache.cs | 45 ++ .../Services/MemoryScopedTokenCache.cs | 92 +++ .../Services/ServerOidcTokenAccessor.cs | 111 +++- .../Services/WasmOidcTokenAccessor.cs | 39 +- .../Contracts/IOidcTokenAccessorWithScopes.cs | 23 + .../Services/OidcAuthenticationProvider.cs | 25 +- 10 files changed, 919 insertions(+), 27 deletions(-) create mode 100644 AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/IScopedAccessTokenProvider.cs create mode 100644 src/modules/Elsa.Studio.Authentication.Abstractions/Models/TokenPurposeOptions.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Contracts/IScopedTokenCache.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/MemoryScopedTokenCache.cs create mode 100644 src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessorWithScopes.cs diff --git a/AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md b/AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md new file mode 100644 index 00000000..0f1f4ac1 --- /dev/null +++ b/AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md @@ -0,0 +1,538 @@ +# Azure AD Authentication for Blazor WASM - Implementation Plan + +## Problem Statement + +The current Blazor WASM OpenID Connect authentication implementation encounters multiple issues when using Azure AD (Microsoft Entra ID) with API scopes: + +### Issues Identified + +1. **Missing scope in token exchange**: Azure AD requires the `scope` parameter in both authorization and token endpoint requests, but Blazor WASM's authentication framework only sends scopes during authorization. + +2. **Multi-resource limitation**: Azure AD v2.0 only allows requesting scopes for ONE resource per token request. Requesting both Microsoft Graph (`https://graph.microsoft.com/User.Read`) and a custom API (`api://xxx/scope`) results in error AADSTS28000. + +3. **UserInfo endpoint mismatch**: Azure AD's userinfo endpoint is at `graph.microsoft.com` which requires a Graph API token, but the access token received is for the custom API, causing "Invalid audience" errors. + +4. **Authentication state not persisted**: Even when token exchange succeeds, the authentication state isn't stored in sessionStorage, causing users to be redirected to `/authentication/login-failed`. + +5. **Framework limitations**: Microsoft's `Microsoft.AspNetCore.Components.WebAssembly.Authentication` library doesn't expose configuration options to: + - Add parameters to token endpoint requests + - Disable userinfo endpoint calls + - Configure multi-resource token acquisition + +## Current Workarounds (Fragile) + +The current implementation uses JavaScript interception (`auth-interop.js`) to: +- Intercept `XMLHttpRequest.send()` to add scope parameters to token requests +- Intercept userinfo requests to prevent invalid audience errors + +**Problems with this approach:** +- Complex and fragile +- Difficult to maintain +- Doesn't solve the root issue of authentication state not being persisted +- May break with framework updates + +## Proposed Solutions + +### Option 1: Custom RemoteAuthenticationService (Recommended) + +**Goal**: Implement a custom authentication service that properly handles Azure AD's requirements. + +**Implementation Steps:** + +1. **Create custom OIDC client wrapper** + - File: `src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/AzureAdAuthenticationService.cs` + - Inherit from `RemoteAuthenticationService` + - Override token acquisition methods to inject scope parameter + - Handle multi-resource token acquisition + +2. **Implement custom token endpoint handler** + ```csharp + public class AzureAdTokenEndpointHandler : DelegatingHandler + { + protected override async Task SendAsync( + HttpRequestMessage request, + CancellationToken cancellationToken) + { + // Intercept token endpoint requests + if (request.RequestUri.PathAndQuery.Contains("/token")) + { + // Add scope parameter to request body + var content = await request.Content.ReadAsStringAsync(); + if (!content.Contains("scope=")) + { + var scopes = // get from configuration + content += $"&scope={Uri.EscapeDataString(scopes)}"; + request.Content = new StringContent(content, + Encoding.UTF8, + "application/x-www-form-urlencoded"); + } + } + return await base.SendAsync(request, cancellationToken); + } + } + ``` + +3. **Create Azure AD-specific options** + ```csharp + public class AzureAdOptions : OidcOptions + { + /// + /// The primary resource for initial authentication (your API). + /// + public string PrimaryResource { get; set; } = string.Empty; + + /// + /// Additional resources that may be accessed (e.g., MS Graph). + /// Tokens for these will be acquired on-demand. + /// + public List AdditionalResources { get; set; } = new(); + + /// + /// Whether to skip userinfo endpoint call. + /// Set to true for Azure AD when using API scopes. + /// + public bool SkipUserInfo { get; set; } = true; + } + ``` + +4. **Implement on-demand token acquisition** + ```csharp + public interface IAzureAdTokenService + { + /// + /// Get access token for the primary resource (from initial auth). + /// + Task GetPrimaryAccessTokenAsync(); + + /// + /// Acquire token for additional resource using token exchange. + /// + Task GetAccessTokenForResourceAsync(string resource); + } + ``` + +5. **Configure metadata to skip userinfo** + - Override metadata retrieval to remove userinfo_endpoint + - Or implement custom `IAccountClaimsPrincipalFactory` that doesn't call userinfo + +6. **Update service registration** + ```csharp + services.AddElsaAzureAdAuthentication(options => + { + options.Authority = "https://login.microsoftonline.com/{tenant}/v2.0"; + options.ClientId = "{client-id}"; + options.PrimaryResource = "api://{api-id}/api-scope"; + options.AdditionalResources = new List + { + "https://graph.microsoft.com/.default" + }; + options.SkipUserInfo = true; + }); + ``` + +**Pros:** +- Clean, maintainable solution +- Follows framework patterns +- Can handle multi-resource scenarios +- No JavaScript hacks + +**Cons:** +- Significant development effort +- Requires deep understanding of RemoteAuthenticationService internals +- May need to replicate some framework functionality + +**Estimated Effort**: 3-5 days + +--- + +### Option 2: Backend-for-Frontend (BFF) Pattern + +**Goal**: Move authentication concerns to a backend API that handles token acquisition. + +**Architecture:** +``` +Browser (Blazor WASM) + ↓ cookie-based auth +Backend API (BFF) + ↓ OAuth/OIDC with Azure AD +Azure AD + Your API + MS Graph +``` + +**Implementation Steps:** + +1. **Create BFF API project** + - ASP.NET Core Web API + - Add `Microsoft.Identity.Web` package + - Configure Azure AD authentication with API and Graph scopes + +2. **Implement token proxy endpoints** + ```csharp + [ApiController] + [Route("api/auth")] + [Authorize] + public class AuthController : ControllerBase + { + private readonly ITokenAcquisition _tokenAcquisition; + + [HttpGet("token/{resource}")] + public async Task GetToken(string resource) + { + var scopes = resource switch + { + "api" => new[] { "api://{id}/.default" }, + "graph" => new[] { "https://graph.microsoft.com/.default" }, + _ => throw new ArgumentException("Unknown resource") + }; + + var token = await _tokenAcquisition + .GetAccessTokenForUserAsync(scopes); + return Ok(new { access_token = token }); + } + } + ``` + +3. **Update Blazor WASM to use cookie authentication** + - Remove OIDC configuration + - Use simple cookie-based auth with BFF + - Request tokens from BFF as needed + +4. **Add token caching in BFF** + - Use `IDistributedCache` for token storage + - Handle token refresh automatically + - Return cached tokens when valid + +**Pros:** +- Tokens never exposed to browser +- Can handle complex multi-resource scenarios +- Centralized authentication logic +- Works with any SPA framework + +**Cons:** +- Requires additional backend service +- More infrastructure to maintain +- Latency for token requests +- Session management complexity + +**Estimated Effort**: 2-3 days for BFF + 1 day for WASM updates + +--- + +### Option 3: Hybrid Approach - Blazor Server for Auth + +**Goal**: Use Blazor Server for authentication pages, WASM for main app. + +**Architecture:** +- Login/callback pages: Blazor Server (can use Microsoft.Identity.Web properly) +- Main application: Blazor WASM (receives tokens from Server) + +**Implementation Steps:** + +1. **Create Blazor Server authentication module** + - Separate Blazor Server project for `/authentication/*` routes + - Use `Microsoft.Identity.Web` for proper Azure AD integration + - After authentication, serialize tokens to pass to WASM + +2. **Token transfer mechanism** + - Server writes tokens to secure cookie or session + - WASM reads tokens on load + - Or use SignalR to push tokens to WASM + +3. **Update routing** + - All `/authentication/*` routes → Blazor Server + - All other routes → Blazor WASM + +**Pros:** +- Leverages proper Azure AD libraries for auth +- Main app remains WASM (offline capable) +- Proven pattern + +**Cons:** +- Complex architecture mixing Server and WASM +- Requires Server hosting (can't be static) +- Token transfer security concerns + +**Estimated Effort**: 3-4 days + +--- + +### Option 4: Simplify Scope Requirements + +**Goal**: Restructure to avoid multi-resource tokens altogether. + +**Approach A: Backend handles external APIs** +- WASM only authenticates user (openid, profile, offline_access) +- Backend API uses On-Behalf-Of flow to access Graph/other APIs +- WASM never needs Graph tokens + +**Approach B: Separate authentication contexts** +- User authentication: openid/profile only +- API access: client credentials flow (backend) +- Graph access: handled by backend + +**Pros:** +- Simplest from WASM perspective +- Clear separation of concerns +- Most secure (backend controls API access) + +**Cons:** +- Backend must proxy all external API calls +- May not fit all architectural requirements + +**Estimated Effort**: 1-2 days (if architecture permits) + +--- + +## Recommended Approach + +**Primary Recommendation: Option 4 (Simplify) + Option 1 (Custom Service) for future** + +### Phase 1: Immediate Fix (Simplify) +1. Remove API scopes from Blazor WASM authentication +2. Use only `openid profile offline_access` for user authentication +3. Backend API uses its own credentials or OBO flow for API access +4. This unblocks current development + +### Phase 2: Proper Implementation (Custom Service) +1. Implement custom `RemoteAuthenticationService` for Azure AD +2. Support single-resource tokens with proper scope injection +3. Add on-demand token acquisition for additional resources +4. Provide clear documentation and examples + +This approach: +- ✅ Unblocks immediately +- ✅ Provides long-term robust solution +- ✅ Maintains WASM benefits +- ✅ Follows security best practices + +--- + +## Technical Details for Option 1 Implementation + +### Files to Create/Modify + +1. **New Files:** + ``` + src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ + ├── Services/ + │ ├── AzureAdAuthenticationService.cs + │ ├── AzureAdTokenService.cs + │ └── AzureAdAccountClaimsPrincipalFactory.cs + ├── Handlers/ + │ └── AzureAdTokenEndpointHandler.cs + ├── Models/ + │ └── AzureAdOptions.cs + └── Extensions/ + └── AzureAdServiceCollectionExtensions.cs + ``` + +2. **Modify Files:** + ``` + src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/ + └── Extensions/ServiceCollectionExtensions.cs (keep for generic OIDC) + + src/hosts/Elsa.Studio.Host.Wasm/ + └── Program.cs (update to use Azure AD-specific registration) + ``` + +3. **Remove Files:** + ``` + src/hosts/Elsa.Studio.Host.Wasm/wwwroot/ + └── auth-interop.js (JavaScript workarounds no longer needed) + ``` + +### Key Classes + +#### AzureAdAuthenticationService +```csharp +public class AzureAdAuthenticationService : RemoteAuthenticationService< + RemoteAuthenticationState, + RemoteUserAccount, + OidcProviderOptions> +{ + private readonly AzureAdOptions _options; + + protected override async Task> + SignInAsync(RemoteAuthenticationContext context) + { + // Override to inject scope parameter into token request + // Handle userinfo skipping + // Process multi-resource scenarios + } +} +``` + +#### AzureAdTokenService +```csharp +public class AzureAdTokenService : IAzureAdTokenService +{ + private readonly IAccessTokenProvider _tokenProvider; + private readonly ITokenAcquisition _tokenAcquisition; // custom impl + + public async Task GetPrimaryAccessTokenAsync() + { + // Return access token from authentication + } + + public async Task GetAccessTokenForResourceAsync(string resource) + { + // Use refresh token to get token for additional resource + // Implement token exchange for multi-resource scenarios + } +} +``` + +#### AzureAdAccountClaimsPrincipalFactory +```csharp +public class AzureAdAccountClaimsPrincipalFactory : + AccountClaimsPrincipalFactory +{ + protected override async ValueTask CreateUserAsync( + RemoteUserAccount account, + RemoteAuthenticationUserOptions options) + { + // Skip userinfo endpoint call + // Extract claims from ID token only + // Azure AD ID tokens contain all necessary user claims + } +} +``` + +### Configuration Example + +```csharp +// Program.cs +builder.Services.AddElsaAzureAdAuthentication(options => +{ + // Basic OIDC settings + options.Authority = configuration["Authentication:OpenIdConnect:Authority"]; + options.ClientId = configuration["Authentication:OpenIdConnect:ClientId"]; + options.AppBaseUrl = configuration["Authentication:OpenIdConnect:AppBaseUrl"]; + + // Azure AD-specific settings + options.PrimaryResource = "api://dda3270c-997e-413a-9175-36b70134547c/elsa-server-api"; + options.AdditionalResources = new List + { + "https://graph.microsoft.com/User.Read" + }; + options.SkipUserInfo = true; // Don't call userinfo endpoint +}); + +// Usage in components +@inject IAzureAdTokenService TokenService + +private async Task CallApiAsync() +{ + var token = await TokenService.GetPrimaryAccessTokenAsync(); + // Use token for API calls +} + +private async Task CallGraphAsync() +{ + var graphToken = await TokenService.GetAccessTokenForResourceAsync( + "https://graph.microsoft.com/User.Read"); + // Use token for Graph calls +} +``` + +--- + +## Testing Plan + +1. **Unit Tests:** + - Token endpoint handler adds scope parameter + - Multi-resource token acquisition logic + - Claims extraction from ID token + +2. **Integration Tests:** + - Full authentication flow with Azure AD test tenant + - Token refresh scenarios + - Multi-resource token acquisition + +3. **Manual Testing:** + - Login/logout flows + - Token expiration and refresh + - Network offline scenarios + - Browser back/forward navigation + - Deep linking to protected routes + +--- + +## Documentation Requirements + +1. **Azure AD App Registration Guide:** + - Required API permissions + - Redirect URI configuration + - Token configuration (optional claims) + +2. **Configuration Guide:** + - appsettings.json structure + - Environment-specific settings + - Multi-resource configuration + +3. **Migration Guide:** + - Updating from generic OIDC to Azure AD-specific + - Breaking changes + - JavaScript workaround removal + +4. **Troubleshooting Guide:** + - Common error codes (AADSTS28000, AADSTS28003, etc.) + - Token acquisition failures + - Scope configuration issues + +--- + +## Security Considerations + +1. **Token Storage:** + - Blazor WASM stores tokens in browser sessionStorage + - Risk: XSS attacks can access tokens + - Mitigation: Strict CSP, regular security audits + +2. **Scope Validation:** + - Backend API must validate access token scopes + - Never trust client to enforce authorization + +3. **Token Lifetime:** + - Configure appropriate token lifetimes + - Implement proper refresh token rotation + - Handle token revocation + +4. **PKCE:** + - Always use PKCE for public clients + - Already implemented in current code + +--- + +## References + +- [Microsoft Identity Platform documentation](https://learn.microsoft.com/en-us/entra/identity-platform/) +- [Azure AD OAuth2 authorization code flow](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow) +- [Secure ASP.NET Core Blazor WebAssembly](https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/) +- [IETF RFC 8252 - OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252) + +--- + +## Open Questions + +1. **Token Exchange**: Should we implement RFC 8693 token exchange for multi-resource scenarios, or use refresh token to get new access tokens? + +2. **Fallback**: Should we maintain generic OIDC support alongside Azure AD-specific implementation? + +3. **Backend Integration**: How should the backend API validate tokens for multiple potential audiences? + +4. **Graph SDK**: Should we provide a pre-configured Graph SDK client that uses the token service? + +5. **Offline Support**: How should token refresh work when the app is offline (PWA scenario)? + +--- + +## Success Criteria + +- ✅ User can authenticate with Azure AD +- ✅ Access token for primary API is acquired and usable +- ✅ No JavaScript workarounds required +- ✅ Authentication state persists across page refreshes +- ✅ Tokens refresh automatically before expiration +- ✅ Clear error messages for configuration issues +- ✅ Documentation covers common scenarios +- ✅ Works with both single-resource and multi-resource scenarios (via on-demand acquisition) diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/IScopedAccessTokenProvider.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/IScopedAccessTokenProvider.cs new file mode 100644 index 00000000..5e6c3ea2 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Contracts/IScopedAccessTokenProvider.cs @@ -0,0 +1,23 @@ +namespace Elsa.Studio.Authentication.Abstractions.Contracts; + +/// +/// Provides access tokens with specific scopes for different purposes. +/// +/// +/// This interface extends authentication providers to support scope-aware token acquisition, +/// allowing different tokens for different API audiences (e.g., Graph vs. backend API). +/// +public interface IScopedAccessTokenProvider +{ + /// + /// Gets an access token for the specified token name and scopes. + /// + /// The name of the token to retrieve (e.g., "access_token"). + /// The specific scopes to request for this token. If null or empty, uses default scopes. + /// Cancellation token. + /// The access token, or null if not available. + Task GetAccessTokenAsync( + string tokenName, + IEnumerable? scopes, + CancellationToken cancellationToken = default); +} diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs index 514bc548..c3304da4 100644 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -1,5 +1,8 @@ +using Elsa.Studio.Authentication.Abstractions.Contracts; +using Elsa.Studio.Authentication.Abstractions.Models; using Elsa.Studio.Contracts; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; namespace Elsa.Studio.Authentication.Abstractions.HttpMessageHandlers; @@ -22,7 +25,29 @@ protected override async Task SendAsync(HttpRequestMessage if (authenticationProvider == null) return await base.SendAsync(request, cancellationToken); - var accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); + string? accessToken; + + // Check if the provider supports scoped token requests + if (authenticationProvider is IScopedAccessTokenProvider scopedProvider) + { + // Try to get token purpose configuration + var purposeOptions = sp.GetService>()?.Value; + + string[]? scopes = null; + if (purposeOptions != null) + { + // Get scopes for the backend API purpose + purposeOptions.ScopesByPurpose.TryGetValue(purposeOptions.BackendApiPurpose, out scopes); + } + + // Request token with backend API scopes if configured + accessToken = await scopedProvider.GetAccessTokenAsync(TokenNames.AccessToken, scopes, cancellationToken); + } + else + { + // Fall back to non-scoped token request + accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); + } if (string.IsNullOrWhiteSpace(accessToken)) request.Headers.Authorization = null; diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/Models/TokenPurposeOptions.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/Models/TokenPurposeOptions.cs new file mode 100644 index 00000000..7dc91a20 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/Models/TokenPurposeOptions.cs @@ -0,0 +1,23 @@ +namespace Elsa.Studio.Authentication.Abstractions.Models; + +/// +/// Configuration options for token purposes, allowing different scopes for different use cases. +/// +public sealed class TokenPurposeOptions +{ + /// + /// Maps purpose names to their required scopes. + /// + /// + /// { + /// "backend_api": ["api://my-api/scope"], + /// "graph": ["https://graph.microsoft.com/User.Read"] + /// } + /// + public Dictionary ScopesByPurpose { get; set; } = new(StringComparer.OrdinalIgnoreCase); + + /// + /// Which purpose the API handler should use by default when calling backend APIs. + /// + public string BackendApiPurpose { get; set; } = "backend_api"; +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Contracts/IScopedTokenCache.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Contracts/IScopedTokenCache.cs new file mode 100644 index 00000000..7ea6b011 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Contracts/IScopedTokenCache.cs @@ -0,0 +1,45 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Contracts; + +/// +/// Cache for storing scope-specific access tokens. +/// +/// +/// This allows different tokens for different API audiences (e.g., Graph vs. backend API) +/// without overwriting the cookie's primary access token. +/// +public interface IScopedTokenCache +{ + /// + /// Gets a cached token for the specified user and scope set. + /// + /// User identifier (e.g., "sub" or "oid" claim). + /// Normalized scope key (sorted, hashed). + /// Cancellation token. + /// Cached token information, or null if not found or expired. + Task GetAsync(string userKey, string scopeKey, CancellationToken cancellationToken = default); + + /// + /// Stores a token for the specified user and scope set. + /// + /// User identifier (e.g., "sub" or "oid" claim). + /// Normalized scope key (sorted, hashed). + /// Token information to cache. + /// Cancellation token. + Task SetAsync(string userKey, string scopeKey, CachedToken token, CancellationToken cancellationToken = default); +} + +/// +/// Represents a cached token with its expiration. +/// +public sealed class CachedToken +{ + /// + /// The access token value. + /// + public required string AccessToken { get; init; } + + /// + /// When the token expires. + /// + public required DateTimeOffset ExpiresAt { get; init; } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/MemoryScopedTokenCache.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/MemoryScopedTokenCache.cs new file mode 100644 index 00000000..f7710cce --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/MemoryScopedTokenCache.cs @@ -0,0 +1,92 @@ +using System.Security.Cryptography; +using System.Text; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Contracts; +using Microsoft.Extensions.Caching.Memory; + +namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; + +/// +/// In-memory implementation of . +/// +/// +/// For production scenarios with multiple servers, consider implementing +/// a distributed cache version (e.g., using IDistributedCache). +/// +public class MemoryScopedTokenCache : IScopedTokenCache +{ + private readonly IMemoryCache _cache; + private static readonly TimeSpan DefaultSkew = TimeSpan.FromMinutes(5); + + /// + /// Initializes a new instance of the class. + /// + public MemoryScopedTokenCache(IMemoryCache cache) + { + _cache = cache; + } + + /// + public Task GetAsync(string userKey, string scopeKey, CancellationToken cancellationToken = default) + { + var cacheKey = GetCacheKey(userKey, scopeKey); + + if (_cache.TryGetValue(cacheKey, out var token)) + { + // Check if token is still valid (with skew) + if (token.ExpiresAt > DateTimeOffset.UtcNow.Add(DefaultSkew)) + { + return Task.FromResult(token); + } + + // Token expired, remove from cache + _cache.Remove(cacheKey); + } + + return Task.FromResult(null); + } + + /// + public Task SetAsync(string userKey, string scopeKey, CachedToken token, CancellationToken cancellationToken = default) + { + var cacheKey = GetCacheKey(userKey, scopeKey); + + // Cache until token expiration + var cacheExpiration = token.ExpiresAt - DateTimeOffset.UtcNow; + if (cacheExpiration > TimeSpan.Zero) + { + _cache.Set(cacheKey, token, cacheExpiration); + } + + return Task.CompletedTask; + } + + /// + /// Generates a cache key from user and scope identifiers. + /// + private static string GetCacheKey(string userKey, string scopeKey) + { + return $"scoped_token:{userKey}:{scopeKey}"; + } + + /// + /// Normalizes scopes into a stable key (sorted, space-separated, hashed). + /// + public static string NormalizeScopeKey(IEnumerable scopes) + { + var sortedScopes = scopes + .Where(s => !string.IsNullOrWhiteSpace(s)) + .Select(s => s.Trim()) + .OrderBy(s => s, StringComparer.OrdinalIgnoreCase) + .ToList(); + + if (sortedScopes.Count == 0) + return "default"; + + var scopeString = string.Join(" ", sortedScopes); + + // Hash for consistent key length + using var sha256 = SHA256.Create(); + var hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(scopeString)); + return Convert.ToHexString(hashBytes).ToLowerInvariant(); + } +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs index 69d9b02b..772a022a 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/Services/ServerOidcTokenAccessor.cs @@ -1,6 +1,8 @@ using System.Globalization; +using System.Security.Claims; using System.Text.Json; using Elsa.Studio.Authentication.Abstractions.Contracts; +using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Models; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.Extensions.Options; @@ -13,7 +15,7 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Services; /// /// Blazor Server implementation of that retrieves tokens from the authenticated HTTP context. /// -public class ServerOidcTokenAccessor : IOidcTokenAccessor +public class ServerOidcTokenAccessor : IOidcTokenAccessorWithScopes { private readonly IHttpContextAccessor _httpContextAccessor; private readonly ITokenRefreshCoordinator _refreshCoordinator; @@ -21,6 +23,7 @@ public class ServerOidcTokenAccessor : IOidcTokenAccessor private readonly IOptions _refreshOptions; private readonly IOidcRefreshConfigurationProvider _refreshConfigurationProvider; private readonly OidcCookieTokenRefresher _cookieTokenRefresher; + private readonly IScopedTokenCache _scopedTokenCache; /// /// Initializes a new instance of the class. @@ -31,7 +34,8 @@ public ServerOidcTokenAccessor( IHttpClientFactory httpClientFactory, IOptions refreshOptions, IOidcRefreshConfigurationProvider refreshConfigurationProvider, - OidcCookieTokenRefresher cookieTokenRefresher) + OidcCookieTokenRefresher cookieTokenRefresher, + IScopedTokenCache scopedTokenCache) { _httpContextAccessor = httpContextAccessor; _refreshCoordinator = refreshCoordinator; @@ -39,17 +43,32 @@ public ServerOidcTokenAccessor( _refreshOptions = refreshOptions; _refreshConfigurationProvider = refreshConfigurationProvider; _cookieTokenRefresher = cookieTokenRefresher; + _scopedTokenCache = scopedTokenCache; } /// - public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + public Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + // Forward to scoped overload with null scopes (use default cookie token) + return GetTokenAsync(tokenName, scopes: null, cancellationToken); + } + + /// + public async Task GetTokenAsync(string tokenName, IEnumerable? scopes, CancellationToken cancellationToken = default) { var httpContext = _httpContextAccessor.HttpContext; if (httpContext?.User.Identity?.IsAuthenticated != true) return null; - // Ensure we have a fresh access token when asked for one. + // If scopes are provided and token is access_token, acquire scope-specific token + var scopeArray = scopes?.Where(s => !string.IsNullOrWhiteSpace(s)).ToArray(); + if (scopeArray?.Length > 0 && string.Equals(tokenName, "access_token", StringComparison.Ordinal)) + { + return await GetScopedAccessTokenAsync(httpContext, scopeArray, cancellationToken); + } + + // Otherwise, use existing cookie token refresh flow if (string.Equals(tokenName, "access_token", StringComparison.Ordinal)) { var options = _refreshOptions.Value; @@ -70,6 +89,90 @@ public ServerOidcTokenAccessor( return await httpContext.GetTokenAsync(tokenName); } + /// + /// Acquires a scope-specific access token using refresh token grant with explicit scopes. + /// + private async Task GetScopedAccessTokenAsync(HttpContext httpContext, string[] scopes, CancellationToken cancellationToken) + { + // Get user identifier for cache key + var userKey = httpContext.User.FindFirstValue("sub") ?? httpContext.User.FindFirstValue("oid") ?? httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier); + if (string.IsNullOrWhiteSpace(userKey)) + return null; + + // Generate scope key for cache + var scopeKey = MemoryScopedTokenCache.NormalizeScopeKey(scopes); + + // Check cache first + var cachedToken = await _scopedTokenCache.GetAsync(userKey, scopeKey, cancellationToken); + if (cachedToken != null) + return cachedToken.AccessToken; + + // Acquire new token with specific scopes + var refreshToken = await httpContext.GetTokenAsync("refresh_token"); + if (string.IsNullOrWhiteSpace(refreshToken)) + return null; + + var refreshConfig = await _refreshConfigurationProvider.GetAsync(cancellationToken); + if (refreshConfig == null) + return null; + + // Use coordinator to prevent concurrent requests for same scope set + var lockKey = $"{userKey}:{scopeKey}"; + string? newToken = null; + + await _refreshCoordinator.RunAsync(async ct => + { + // Re-check cache after acquiring lock + var cachedAfterLock = await _scopedTokenCache.GetAsync(userKey, scopeKey, ct); + if (cachedAfterLock != null) + { + newToken = cachedAfterLock.AccessToken; + return 0; + } + + // Request token with explicit scopes + var httpClient = _httpClientFactory.CreateClient("Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.Anonymous"); + + using var request = new HttpRequestMessage(HttpMethod.Post, refreshConfig.TokenEndpoint); + request.Content = new FormUrlEncodedContent(new Dictionary + { + ["grant_type"] = "refresh_token", + ["client_id"] = refreshConfig.ClientId, + ["refresh_token"] = refreshToken, + ["scope"] = string.Join(" ", scopes), + ["client_secret"] = refreshConfig.ClientSecret ?? string.Empty + }.Where(x => !string.IsNullOrWhiteSpace(x.Value))); + + var response = await httpClient.SendAsync(request, ct); + + if (!response.IsSuccessStatusCode) + return 0; + + var payload = await response.Content.ReadAsStringAsync(ct); + using var doc = JsonDocument.Parse(payload); + + var accessToken = doc.RootElement.TryGetProperty("access_token", out var at) ? at.GetString() : null; + var expiresInSeconds = doc.RootElement.TryGetProperty("expires_in", out var exp) ? exp.GetInt32() : 0; + + if (string.IsNullOrWhiteSpace(accessToken) || expiresInSeconds <= 0) + return 0; + + var expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresInSeconds); + + // Cache the token + await _scopedTokenCache.SetAsync(userKey, scopeKey, new CachedToken + { + AccessToken = accessToken, + ExpiresAt = expiresAt + }, ct); + + newToken = accessToken; + return 0; + }, cancellationToken); + + return newToken; + } + private async Task TryRefreshAccessTokenAsync(HttpContext httpContext, CancellationToken cancellationToken) { var options = _refreshOptions.Value; diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs index 7ba10f17..ec7c74e1 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs @@ -7,7 +7,7 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; /// /// Blazor WASM implementation of that uses the built-in token provider. /// -public class WasmOidcTokenAccessor : IOidcTokenAccessor +public class WasmOidcTokenAccessor : IOidcTokenAccessorWithScopes { private readonly IAccessTokenProvider _tokenProvider; private readonly OidcOptions _options; @@ -22,42 +22,39 @@ public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider, OidcOptions opt } /// - public async Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + public Task GetTokenAsync(string tokenName, CancellationToken cancellationToken = default) + { + // Forward to scoped overload with null scopes (use default behavior) + return GetTokenAsync(tokenName, scopes: null, cancellationToken); + } + + /// + public async Task GetTokenAsync(string tokenName, IEnumerable? scopes, CancellationToken cancellationToken = default) { // For WASM, we use the IAccessTokenProvider to get the current access token // The framework handles token refresh automatically - + // Map token names to what the framework expects if (string.Equals(tokenName, "access_token", StringComparison.OrdinalIgnoreCase) || string.Equals(tokenName, "accessToken", StringComparison.OrdinalIgnoreCase)) { - // Get all resource scopes (excluding standard OIDC scopes) - // This is critical for Azure AD which requires explicit scopes during token requests - var standardScopes = new HashSet(StringComparer.OrdinalIgnoreCase) - { - "openid", "profile", "email", "offline_access" - }; - - var resourceScopes = _options.Scopes - ?.Where(s => !standardScopes.Contains(s)) - .ToArray() ?? Array.Empty(); - - // Request token with explicit scopes to ensure Azure AD receives the scope parameter - // in both authorization and token exchange requests - var tokenResult = resourceScopes.Length > 0 + // If specific scopes are requested, use them (e.g., for backend API calls) + // Otherwise, request with default scopes (e.g., for Graph/userinfo calls) + var requestedScopes = scopes?.Where(s => !string.IsNullOrWhiteSpace(s)).ToArray(); + + var tokenResult = requestedScopes?.Length > 0 ? await _tokenProvider.RequestAccessToken(new AccessTokenRequestOptions { - Scopes = resourceScopes + Scopes = requestedScopes }) - // Fallback to default scopes if no resource scopes configured : await _tokenProvider.RequestAccessToken(); - + if (tokenResult.TryGetToken(out var token)) { return token.Value; } } - + // For other token types (id_token, refresh_token), we can't directly access them // in WASM for security reasons - they're managed by the authentication framework return null; diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessorWithScopes.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessorWithScopes.cs new file mode 100644 index 00000000..23f77794 --- /dev/null +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Contracts/IOidcTokenAccessorWithScopes.cs @@ -0,0 +1,23 @@ +namespace Elsa.Studio.Authentication.OpenIdConnect.Contracts; + +/// +/// Extended OIDC token accessor that supports scope-aware token acquisition. +/// +/// +/// This interface extends to support requesting tokens +/// with specific scopes, enabling incremental consent and multi-audience scenarios. +/// +public interface IOidcTokenAccessorWithScopes : IOidcTokenAccessor +{ + /// + /// Gets a token with specific scopes. + /// + /// The name of the token to retrieve. + /// The specific scopes to request. If null or empty, uses default behavior. + /// Cancellation token. + /// The token value, or null if not available. + Task GetTokenAsync( + string tokenName, + IEnumerable? scopes, + CancellationToken cancellationToken = default); +} diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs index 3e100672..02f5f888 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs @@ -1,3 +1,4 @@ +using Elsa.Studio.Authentication.Abstractions.Contracts; using Elsa.Studio.Authentication.OpenIdConnect.Contracts; using Elsa.Studio.Contracts; @@ -6,7 +7,7 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.Services; /// /// Implementation of that retrieves tokens from OIDC authentication. /// -public class OidcAuthenticationProvider : IAuthenticationProvider +public class OidcAuthenticationProvider : IAuthenticationProvider, IScopedAccessTokenProvider { private readonly IOidcTokenAccessor _tokenAccessor; @@ -32,4 +33,26 @@ public OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) return await _tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); } + + /// + public async Task GetAccessTokenAsync(string tokenName, IEnumerable? scopes, CancellationToken cancellationToken = default) + { + // Map the token name to OIDC token name conventions + var oidcTokenName = tokenName switch + { + TokenNames.AccessToken => "access_token", + TokenNames.IdToken => "id_token", + TokenNames.RefreshToken => "refresh_token", + _ => tokenName + }; + + // If the accessor supports scoped token requests, use it + if (_tokenAccessor is IOidcTokenAccessorWithScopes scopedAccessor) + { + return await scopedAccessor.GetTokenAsync(oidcTokenName, scopes, cancellationToken); + } + + // Fall back to non-scoped accessor for backward compatibility + return await _tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); + } } From 36f01cc07d1a6ea02323d785364906f89d7ff4b5 Mon Sep 17 00:00:00 2001 From: Sipke Schoorstra Date: Fri, 9 Jan 2026 21:45:20 +0100 Subject: [PATCH 27/27] Refactor authentication modules: simplify scoped token handling, update OIDC providers, and enhance incremental consent support. --- .../AuthenticatingApiHttpMessageHandler.cs | 15 ++++++----- .../Services/WasmOidcTokenAccessor.cs | 9 ++++--- .../Services/OidcAuthenticationProvider.cs | 25 ++++--------------- 3 files changed, 17 insertions(+), 32 deletions(-) diff --git a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs index c3304da4..08664c81 100644 --- a/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs +++ b/src/modules/Elsa.Studio.Authentication.Abstractions/HttpMessageHandlers/AuthenticatingApiHttpMessageHandler.cs @@ -27,25 +27,24 @@ protected override async Task SendAsync(HttpRequestMessage string? accessToken; - // Check if the provider supports scoped token requests + // Check if the provider supports scoped token requests (OIDC providers) if (authenticationProvider is IScopedAccessTokenProvider scopedProvider) { - // Try to get token purpose configuration + // Get token purpose configuration var purposeOptions = sp.GetService>()?.Value; string[]? scopes = null; - if (purposeOptions != null) - { - // Get scopes for the backend API purpose - purposeOptions.ScopesByPurpose.TryGetValue(purposeOptions.BackendApiPurpose, out scopes); - } + + // Get scopes for the backend API purpose + purposeOptions?.ScopesByPurpose.TryGetValue(purposeOptions.BackendApiPurpose, out scopes); // Request token with backend API scopes if configured accessToken = await scopedProvider.GetAccessTokenAsync(TokenNames.AccessToken, scopes, cancellationToken); } else { - // Fall back to non-scoped token request + // Non-scoped providers (e.g., ElsaAuth JWT provider) + // These use a single token for all backend calls accessToken = await authenticationProvider.GetAccessTokenAsync(TokenNames.AccessToken, cancellationToken); } diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs index ec7c74e1..99937ab7 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs @@ -1,5 +1,4 @@ using Elsa.Studio.Authentication.OpenIdConnect.Contracts; -using Elsa.Studio.Authentication.OpenIdConnect.Models; using Microsoft.AspNetCore.Components.WebAssembly.Authentication; namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; @@ -7,18 +6,20 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.Services; /// /// Blazor WASM implementation of that uses the built-in token provider. /// +/// +/// This accessor supports scope-aware token requests, enabling incremental consent scenarios +/// where different tokens are needed for different API audiences (e.g., Graph vs. backend API). +/// public class WasmOidcTokenAccessor : IOidcTokenAccessorWithScopes { private readonly IAccessTokenProvider _tokenProvider; - private readonly OidcOptions _options; /// /// Initializes a new instance of the class. /// - public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider, OidcOptions options) + public WasmOidcTokenAccessor(IAccessTokenProvider tokenProvider) { _tokenProvider = tokenProvider; - _options = options; } /// diff --git a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs index 02f5f888..b712441e 100644 --- a/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs +++ b/src/modules/Elsa.Studio.Authentication.OpenIdConnect/Services/OidcAuthenticationProvider.cs @@ -7,18 +7,8 @@ namespace Elsa.Studio.Authentication.OpenIdConnect.Services; /// /// Implementation of that retrieves tokens from OIDC authentication. /// -public class OidcAuthenticationProvider : IAuthenticationProvider, IScopedAccessTokenProvider +public class OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) : IAuthenticationProvider, IScopedAccessTokenProvider { - private readonly IOidcTokenAccessor _tokenAccessor; - - /// - /// Initializes a new instance of the class. - /// - public OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) - { - _tokenAccessor = tokenAccessor; - } - /// public async Task GetAccessTokenAsync(string tokenName, CancellationToken cancellationToken = default) { @@ -31,7 +21,7 @@ public OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) _ => tokenName }; - return await _tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); + return await tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); } /// @@ -46,13 +36,8 @@ public OidcAuthenticationProvider(IOidcTokenAccessor tokenAccessor) _ => tokenName }; - // If the accessor supports scoped token requests, use it - if (_tokenAccessor is IOidcTokenAccessorWithScopes scopedAccessor) - { - return await scopedAccessor.GetTokenAsync(oidcTokenName, scopes, cancellationToken); - } - - // Fall back to non-scoped accessor for backward compatibility - return await _tokenAccessor.GetTokenAsync(oidcTokenName, cancellationToken); + // All OIDC token accessors now support scoped requests + var scopedAccessor = (IOidcTokenAccessorWithScopes)tokenAccessor; + return await scopedAccessor.GetTokenAsync(oidcTokenName, scopes, cancellationToken); } }