Merge pull request #29 from jokk-itu/feature/refactor-discovery

Feature/refactor discovery

Author: jokk-itu

src/AuthServer.TestIdentityProvider/Program.cs

@@ -25,6 +25,8 @@
     {
         var identitySection = builder.Configuration.GetSection("Identity");
         options.Issuer = identitySection.GetValue<string>("Issuer")!;
+        options.OpPolicyUri = identitySection.GetValue<string>("PolicyUri");
+        options.OpTosUri = identitySection.GetValue<string>("TosUri");
         options.ClaimsSupported = ClaimNameConstants.SupportedEndUserClaims;
         options.AcrValuesSupported =
         [
@@ -33,6 +35,7 @@
             AuthenticationContextReferenceConstants.LevelOfAssuranceStrict
         ];
         options.ScopesSupported = identitySection.GetSection("ScopesSupported").Get<ICollection<string>>() ?? [];
+        options.ProtectedResources = identitySection.GetSection("ProtectedResources").Get<ICollection<string>>() ?? [];
 
         ICollection<string> signingAlgorithms =
             [JwsAlgConstants.RsaSha256, JwsAlgConstants.EcdsaSha256, JwsAlgConstants.RsaSsaPssSha256];
@@ -50,10 +53,12 @@
         options.IdTokenEncryptionAlgValuesSupported = encryptionAlgorithms;
         options.RequestObjectEncryptionAlgValuesSupported = encryptionAlgorithms;
         options.UserinfoEncryptionAlgValuesSupported = encryptionAlgorithms;
+        options.TokenEndpointAuthEncryptionAlgValuesSupported = encryptionAlgorithms;
 
         options.IdTokenEncryptionEncValuesSupported = encoderAlgorithms;
         options.RequestObjectEncryptionEncValuesSupported = encoderAlgorithms;
         options.UserinfoEncryptionEncValuesSupported = encoderAlgorithms;
+        options.TokenEndpointAuthEncryptionEncValuesSupported = encoderAlgorithms;
     });
 
 var ecdsa = ECDsa.Create();

src/AuthServer.TestIdentityProvider/appsettings.Integration.json

@@ -3,6 +3,7 @@
     "Default": ""
   },
   "Identity": {
-    "ScopesSupported": ["weather:read"]
+    "ScopesSupported": [ "weather:read" ],
+    "ProtectedResources": ["https://weather.authserver.dk"]
   }
 }

src/AuthServer.TestIdentityProvider/appsettings.json

@@ -9,6 +9,9 @@
   },
   "Identity": {
     "Issuer": "https://localhost:7254",
+    "ServiceDocumentation": "http://localhost:5300/",
+    "PolicyUri": "https://localhost:7254/policy",
+    "TosUri": "https://localhost:7254/tos",
     "AccountSelectionUri": "https://localhost:7254/SelectAccount",
     "LoginUri": "https://localhost:7254/SignIn",
     "EndSessionUri": "https://localhost:7254/SignOut",

src/AuthServer/Authorization/BaseAuthorizeValidator.cs

@@ -114,7 +114,7 @@ protected bool HasValidGrantManagementAction(string? grantId, string? grantManag
                 GrantManagementActionConstants.Merge,
                 GrantManagementActionConstants.Replace
             }
-            .Intersect(_discoveryDocumentOptions.Value.GrantManagementActionsSupported)
+            .Intersect(GrantManagementActionConstants.GrantManagementActions)
             .ToList();
 
         if (!string.IsNullOrEmpty(grantManagementAction)

src/AuthServer/Authorize/AuthorizeEndpointHandler.cs

@@ -56,9 +56,9 @@ public async Task<IResult> Handle(HttpContext httpContext, CancellationToken can
 
                     return error switch
                     {
-                        { Error: ErrorCode.LoginRequired } => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.LoginUri, httpContext, substituteRequest),
-                        { Error: ErrorCode.ConsentRequired } => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.ConsentUri, httpContext, substituteRequest),
-                        _ => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.AccountSelectionUri, httpContext, substituteRequest)
+                        { Error: ErrorCode.LoginRequired } => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.LoginUri!, httpContext, substituteRequest),
+                        { Error: ErrorCode.ConsentRequired } => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.ConsentUri!, httpContext, substituteRequest),
+                        _ => Results.Extensions.LocalRedirectWithForwardSubstitutedRequest(_userInteractionOptions.Value.AccountSelectionUri!, httpContext, substituteRequest)
                     };
                 }
 

src/AuthServer/Authorize/AuthorizeRequestValidator.cs

@@ -111,7 +111,7 @@ public async Task<ProcessResult<AuthorizeValidatedRequest, ProcessError>> Valida
 
     private async Task<ProcessResult<AuthorizeRequest, ProcessError>> SubstituteRequestObject(AuthorizeRequest request, CancellationToken cancellationToken)
     {
-        var newRequest = await _secureRequestService.GetRequestByObject(request.RequestObject!, request.ClientId!, ClientTokenAudience.AuthorizeEndpoint, cancellationToken);
+        var newRequest = await _secureRequestService.GetRequestByObject(request.RequestObject!, request.ClientId!, ClientTokenAudience.AuthorizationEndpoint, cancellationToken);
         if (newRequest is null)
         {
             return AuthorizeError.InvalidRequest;
@@ -132,7 +132,7 @@ private async Task<ProcessResult<AuthorizeRequest, ProcessError>> SubstituteRequ
             return AuthorizeError.UnauthorizedRequestUri;
         }
 
-        var newRequest = await _secureRequestService.GetRequestByReference(requestUri, request.ClientId!, ClientTokenAudience.AuthorizeEndpoint, cancellationToken);
+        var newRequest = await _secureRequestService.GetRequestByReference(requestUri, request.ClientId!, ClientTokenAudience.AuthorizationEndpoint, cancellationToken);
         if (newRequest is null)
         {
             return AuthorizeError.InvalidRequestObjectFromRequestUri;

src/AuthServer/Constants/ClaimNameConstants.cs

@@ -1,6 +1,4 @@
-using AuthServer.Enums;
-
-namespace AuthServer.Constants;
+namespace AuthServer.Constants;
 
 /// <summary>
 /// Constants defined at IANA.

src/AuthServer/Constants/ClaimTypeConstants.cs

@@ -0,0 +1,8 @@
+namespace AuthServer.Constants;
+
+internal static class ClaimTypeConstants
+{
+    public const string Normal = "normal";
+
+    public static readonly string[] ClaimTypes = [ Normal ];
+}

src/AuthServer/Constants/GrantManagementActionConstants.cs

@@ -7,4 +7,6 @@ public static class GrantManagementActionConstants
     public const string Replace = "replace";
     public const string Merge = "merge";
     public const string Create = "create";
+
+    public static readonly string[] GrantManagementActions = [ Query, Revoke, Replace, Merge, Create ];
 }

src/AuthServer/Discovery/DiscoveryEndpointHandler.cs

@@ -0,0 +1,103 @@
+using AuthServer.Constants;
+using AuthServer.Core;
+using AuthServer.Core.Abstractions;
+using AuthServer.Endpoints.Abstractions;
+using AuthServer.Endpoints.Responses;
+using AuthServer.Options;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Options;
+using Microsoft.FeatureManagement;
+
+namespace AuthServer.Discovery;
+
+internal class DiscoveryEndpointHandler : IEndpointHandler
+{
+    private readonly IOptionsSnapshot<DiscoveryDocument> _discoveryDocumentOptions;
+    private readonly IFeatureManagerSnapshot _featureManagerSnapshot;
+    private readonly IEndpointResolver _endpointResolver;
+
+    public DiscoveryEndpointHandler(
+        IOptionsSnapshot<DiscoveryDocument> discoveryDocumentOptions,
+        IFeatureManagerSnapshot featureManagerSnapshot,
+        IEndpointResolver endpointResolver)
+    {
+        _discoveryDocumentOptions = discoveryDocumentOptions;
+        _featureManagerSnapshot = featureManagerSnapshot;
+        _endpointResolver = endpointResolver;
+    }
+
+    private DiscoveryDocument DiscoveryDocument => _discoveryDocumentOptions.Value;
+
+    public async Task<IResult> Handle(HttpContext httpContext, CancellationToken cancellationToken)
+    {
+        var response = new GetDiscoveryResponse
+        {
+            Issuer = DiscoveryDocument.Issuer,
+            ServiceDocumentation = DiscoveryDocument.ServiceDocumentation,
+            OpPolicyUri = DiscoveryDocument.OpPolicyUri,
+            OpTosUri = DiscoveryDocument.OpTosUri,
+            AuthorizationEndpoint = await Filter(_endpointResolver.AuthorizationEndpoint, FeatureFlags.Authorize),
+            TokenEndpoint = await Filter(_endpointResolver.TokenEndpoint, FeatureFlags.AuthorizationCode, FeatureFlags.RefreshToken, FeatureFlags.ClientCredentials),
+            UserinfoEndpoint = await Filter(_endpointResolver.UserinfoEndpoint, FeatureFlags.Userinfo),
+            JwksUri = await Filter(_endpointResolver.JwksEndpoint, FeatureFlags.Jwks),
+            RegistrationEndpoint = await Filter(_endpointResolver.RegistrationEndpoint, FeatureFlags.RegisterGet, FeatureFlags.RegisterDelete, FeatureFlags.RegisterPost, FeatureFlags.RegisterPut),
+            EndSessionEndpoint = await Filter(_endpointResolver.EndSessionEndpoint, FeatureFlags.EndSession),
+            IntrospectionEndpoint = await Filter(_endpointResolver.IntrospectionEndpoint, FeatureFlags.TokenIntrospection),
+            RevocationEndpoint = await Filter(_endpointResolver.RevocationEndpoint, FeatureFlags.TokenRevocation),
+            PushedAuthorizationRequestEndpoint = await Filter(_endpointResolver.PushedAuthorizationEndpoint, FeatureFlags.PushedAuthorization),
+            GrantManagementEndpoint = await Filter(_endpointResolver.GrantManagementEndpoint, FeatureFlags.GrantManagementRevoke, FeatureFlags.GrantManagementQuery),
+            ProtectedResources = DiscoveryDocument.ProtectedResources,
+            ClaimsSupported = DiscoveryDocument.ClaimsSupported,
+            ScopesSupported = DiscoveryDocument.ScopesSupported,
+            AcrValuesSupported = DiscoveryDocument.AcrValuesSupported,
+            ClaimTypesSupported = ClaimTypeConstants.ClaimTypes,
+            PromptValuesSupported = PromptConstants.Prompts,
+            DisplayValuesSupported = DisplayConstants.DisplayValues,
+            SubjectTypesSupported = SubjectTypeConstants.SubjectTypes,
+            GrantTypesSupported = GrantTypeConstants.GrantTypes,
+            ChallengeMethodsSupported = CodeChallengeMethodConstants.CodeChallengeMethods,
+            ResponseTypesSupported = ResponseTypeConstants.ResponseTypes,
+            ResponseModesSupported = ResponseModeConstants.ResponseModes,
+            IntrospectionEndpointAuthMethodsSupported = TokenEndpointAuthMethodConstants.SecureAuthMethods,
+            RevocationEndpointAuthMethodsSupported = TokenEndpointAuthMethodConstants.SecureAuthMethods,
+            TokenEndpointAuthMethodsSupported = TokenEndpointAuthMethodConstants.AuthMethods,
+            GrantManagementActionsSupported = GrantManagementActionConstants.GrantManagementActions,
+            IdTokenSigningAlgValuesSupported = DiscoveryDocument.IdTokenSigningAlgValuesSupported,
+            IdTokenEncryptionAlgValuesSupported = DiscoveryDocument.IdTokenEncryptionAlgValuesSupported,
+            IdTokenEncryptionEncValuesSupported = DiscoveryDocument.IdTokenEncryptionEncValuesSupported,
+            UserinfoSigningAlgValuesSupported = DiscoveryDocument.UserinfoSigningAlgValuesSupported,
+            UserinfoEncryptionAlgValuesSupported = DiscoveryDocument.UserinfoEncryptionAlgValuesSupported,
+            UserinfoEncryptionEncValuesSupported = DiscoveryDocument.UserinfoEncryptionEncValuesSupported,
+            RequestObjectSigningAlgValuesSupported = DiscoveryDocument.RequestObjectSigningAlgValuesSupported,
+            RequestObjectEncryptionAlgValuesSupported = DiscoveryDocument.RequestObjectEncryptionAlgValuesSupported,
+            RequestObjectEncryptionEncValuesSupported = DiscoveryDocument.RequestObjectEncryptionEncValuesSupported,
+            TokenEndpointAuthSigningAlgValuesSupported = DiscoveryDocument.TokenEndpointAuthSigningAlgValuesSupported,
+            TokenEndpointAuthEncryptionAlgValuesSupported = DiscoveryDocument.TokenEndpointAuthEncryptionAlgValuesSupported,
+            TokenEndpointAuthEncryptionEncValuesSupported = DiscoveryDocument.TokenEndpointAuthEncryptionEncValuesSupported,
+            AuthorizationResponseIssParameterSupported = true,
+            BackchannelLogoutSupported = true,
+            RequireRequestUriRegistration = true,
+            ClaimsParameterSupported = false,
+            RequestParameterSupported = true,
+            RequestUriParameterSupported = true,
+            RequireSignedRequestObject = DiscoveryDocument.RequireSignedRequestObject,
+            RequirePushedAuthorizationRequests = DiscoveryDocument.RequirePushedAuthorizationRequests,
+            GrantManagementActionRequired = DiscoveryDocument.GrantManagementActionRequired
+        };
+
+        return Results.Ok(response);
+    }
+
+    private async Task<T?> Filter<T>(T value, params string[] featureFlags)
+    {
+        foreach (var featureFlag in featureFlags)
+        {
+            if (await _featureManagerSnapshot.IsEnabledAsync(featureFlag))
+            {
+                return value;
+            }
+        }
+
+        return default;
+    }
+}