(#181) Adding OpenIddict

phongnguyend · phongnguyend · commit bf87c87c7023 · 2023-02-12T20:08:30.000+07:00
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Certs/CreateSelfSignedCertificate.ps1 b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Certs/CreateSelfSignedCertificate.ps1
@@ -1,5 +1,5 @@
 ﻿$date_now = Get-Date
-$extended_date = $date_now.AddYears(3)
+$extended_date = $date_now.AddYears(10)
 $cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname classifiedads.identityserver -notafter $extended_date
 $pwd = ConvertTo-SecureString -String 'password1234' -Force -AsPlainText
 $path = 'cert:\localMachine\my\' + $cert.thumbprint
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Certs/classifiedads.identityserver.pfx b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Certs/classifiedads.identityserver.pfx
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/ConfigurationOptions/IdentityServerOptions.cs b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/ConfigurationOptions/IdentityServerOptions.cs
@@ -4,6 +4,8 @@ namespace ClassifiedAds.IdentityServer.ConfigurationOptions
 {
     public class IdentityServerOptions
     {
-        public CertificateOption Certificate { get; set; }
+        public CertificateOption EncryptionCertificate { get; set; }
+
+        public CertificateOption SigningCertificate { get; set; }
     }
 }
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Extensions/PrincipalExtensions.cs b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Extensions/PrincipalExtensions.cs
@@ -1,4 +1,4 @@
-﻿using IdentityModel;
+﻿using OpenIddict.Abstractions;
 using System.Security.Claims;
 
 namespace ClassifiedAds.IdentityServer.Extensions
@@ -13,7 +13,7 @@ public static string GetDisplayName(this ClaimsPrincipal principal)
                 return name;
             }
 
-            var sub = principal.FindFirst(JwtClaimTypes.Subject);
+            var sub = principal.FindFirst(OpenIddictConstants.Claims.Subject);
             if (sub != null)
             {
                 return sub.Value;
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Startup.cs b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/Startup.cs
@@ -107,8 +107,8 @@ public void ConfigureServices(IServiceCollection services)
 
                 options.RegisterScopes(Scopes.OpenId, Scopes.Profile, Scopes.OfflineAccess, "ClassifiedAds.WebAPI");
 
-                options.AddDevelopmentEncryptionCertificate()
-                       .AddDevelopmentSigningCertificate();
+                options.AddEncryptionCertificate(AppSettings.IdentityServer.EncryptionCertificate.FindCertificate())
+                       .AddSigningCertificate(AppSettings.IdentityServer.SigningCertificate.FindCertificate());
 
                 options
                     .UseAspNetCore()
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/appsettings.json b/src/IdentityServer/OpenIddict/ClassifiedAds.IdentityServer/appsettings.json
@@ -4,7 +4,12 @@
   },
   "IdentityServer": {
     "IssuerUri": "",
-    "Certificate": {
+    "EncryptionCertificate": {
+      "Thumbprint": null,
+      "Path": "Certs/classifiedads.identityserver.pfx",
+      "Password": "password1234"
+    },
+    "SigningCertificate": {
       "Thumbprint": null,
       "Path": "Certs/classifiedads.identityserver.pfx",
       "Password": "password1234"
diff --git a/src/IdentityServer/OpenIddict/ClassifiedAds.Infrastructure/Web/Authentication/TokenManager.cs b/src/IdentityServer/OpenIddict/ClassifiedAds.Infrastructure/Web/Authentication/TokenManager.cs
diff --git a/src/Microservices/docker-compose.yml b/src/Microservices/docker-compose.yml
@@ -83,7 +83,7 @@ services:
         image: classifiedads.services.identity.authserver
         build:
           context: ../IdentityServer/IdentityServer4
-          dockerfile: ../IdentityServer/IdentityServer4/ClassifiedAds.IdentityServer/Dockerfile
+          dockerfile: ./ClassifiedAds.IdentityServer/Dockerfile
         ports:
           - "9000:80"
         depends_on:
diff --git a/src/ModularMonolith/docker-compose.yml b/src/ModularMonolith/docker-compose.yml
@@ -39,7 +39,7 @@ services:
         image: classifiedads.modularmonolith.identityserver
         build:
           context: ../IdentityServer/IdentityServer4
-          dockerfile: ../IdentityServer/IdentityServer4/ClassifiedAds.IdentityServer/Dockerfile
+          dockerfile: ./ClassifiedAds.IdentityServer/Dockerfile
         ports:
             - "9000:80"
         depends_on:
diff --git a/src/Monolith/ClassifiedAds.WebAPI/Certs/classifiedads.identityserver.pfx b/src/Monolith/ClassifiedAds.WebAPI/Certs/classifiedads.identityserver.pfx
diff --git a/src/Monolith/ClassifiedAds.WebAPI/ClassifiedAds.WebAPI.csproj b/src/Monolith/ClassifiedAds.WebAPI/ClassifiedAds.WebAPI.csproj
@@ -37,6 +37,9 @@
   </ItemGroup>
 
   <ItemGroup>
+    <None Update="Certs\classifiedads.identityserver.pfx">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
     <None Update="Certs\classifiedads.secretsencryption.pfx">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
diff --git a/src/Monolith/ClassifiedAds.WebAPI/ConfigurationOptions/IdentityServerAuthentication.cs b/src/Monolith/ClassifiedAds.WebAPI/ConfigurationOptions/IdentityServerAuthentication.cs
@@ -1,11 +1,26 @@
-﻿namespace ClassifiedAds.WebAPI.ConfigurationOptions
+﻿using CryptographyHelper.Certificates;
+
+namespace ClassifiedAds.WebAPI.ConfigurationOptions
 {
     public class IdentityServerAuthentication
     {
+        public string Provider { get; set; }
+
         public string Authority { get; set; }
 
         public string ApiName { get; set; }
 
         public bool RequireHttpsMetadata { get; set; }
+
+        public OpenIddictOptions OpenIddict { get; set; }
+    }
+
+    public class OpenIddictOptions
+    {
+        public string IssuerUri { get; set; }
+
+        public CertificateOption TokenDecryptionCertificate { get; set; }
+
+        public CertificateOption IssuerSigningCertificate { get; set; }
     }
 }
diff --git a/src/Monolith/ClassifiedAds.WebAPI/Startup.cs b/src/Monolith/ClassifiedAds.WebAPI/Startup.cs
@@ -22,6 +22,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerUI;
 using System;
@@ -106,9 +107,22 @@ public void ConfigureServices(IServiceCollection services)
             services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                 .AddJwtBearer(options =>
                 {
-                    options.Authority = AppSettings.IdentityServerAuthentication.Authority;
-                    options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
-                    options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+                    if (AppSettings.IdentityServerAuthentication.Provider == "OpenIddict")
+                    {
+                        options.TokenValidationParameters = new TokenValidationParameters
+                        {
+                            ValidateAudience = false,
+                            ValidIssuer = AppSettings.IdentityServerAuthentication.OpenIddict.IssuerUri,
+                            TokenDecryptionKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.TokenDecryptionCertificate.FindCertificate()),
+                            IssuerSigningKey = new X509SecurityKey(AppSettings.IdentityServerAuthentication.OpenIddict.IssuerSigningCertificate.FindCertificate()),
+                        };
+                    }
+                    else
+                    {
+                        options.Authority = AppSettings.IdentityServerAuthentication.Authority;
+                        options.Audience = AppSettings.IdentityServerAuthentication.ApiName;
+                        options.RequireHttpsMetadata = AppSettings.IdentityServerAuthentication.RequireHttpsMetadata;
+                    }
                 });
 
             services.AddAuthorizationPolicies(Assembly.GetExecutingAssembly(), AuthorizationPolicyNames.GetPolicyNames());
diff --git a/src/Monolith/ClassifiedAds.WebAPI/appsettings.json b/src/Monolith/ClassifiedAds.WebAPI/appsettings.json
@@ -3,9 +3,23 @@
     "ClassifiedAds": "Server=127.0.0.1;Database=ClassifiedAds;User Id=sa;Password=sqladmin123!@#;MultipleActiveResultSets=true;Encrypt=False"
   },
   "IdentityServerAuthentication": {
+    "Provider": "IdentityServer4",
     "Authority": "https://localhost:44367",
     "ApiName": "ClassifiedAds.WebAPI",
-    "RequireHttpsMetadata": "true"
+    "RequireHttpsMetadata": "true",
+    "OpenIddict": {
+      "IssuerUri": "https://localhost:44367/",
+      "TokenDecryptionCertificate": {
+        "Thumbprint": null,
+        "Path": "Certs/classifiedads.identityserver.pfx",
+        "Password": "password1234"
+      },
+      "IssuerSigningCertificate": {
+        "Thumbprint": null,
+        "Path": "Certs/classifiedads.identityserver.pfx",
+        "Password": "password1234"
+      }
+    }
   },
   "Logging": {
     "LogLevel": {
diff --git a/src/Monolith/docker-compose.yml b/src/Monolith/docker-compose.yml
@@ -52,7 +52,7 @@ services:
         image: classifiedads.identityserver
         build:
           context: ../IdentityServer/IdentityServer4
-          dockerfile: ../IdentityServer/IdentityServer4/ClassifiedAds.IdentityServer/Dockerfile
+          dockerfile: ./ClassifiedAds.IdentityServer/Dockerfile
         ports:
             - "9000:80"
         depends_on:

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ namespace ClassifiedAds.IdentityServer.ConfigurationOptions`
`4`	`4`	`{`
`5`	`5`	`public class IdentityServerOptions`
`6`	`6`	`{`
`7`		`- public CertificateOption Certificate { get; set; }`
	`7`	`+ public CertificateOption EncryptionCertificate { get; set; }`
	`8`	`+`
	`9`	`+ public CertificateOption SigningCertificate { get; set; }`
`8`	`10`	`}`
`9`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-using IdentityModel;`
	`1`	`+using OpenIddict.Abstractions;`
`2`	`2`	`using System.Security.Claims;`
`3`	`3`
`4`	`4`	`namespace ClassifiedAds.IdentityServer.Extensions`
`@@ -13,7 +13,7 @@ public static string GetDisplayName(this ClaimsPrincipal principal)`
`13`	`13`	`return name;`
`14`	`14`	`}`
`15`	`15`
`16`		`- var sub = principal.FindFirst(JwtClaimTypes.Subject);`
	`16`	`+ var sub = principal.FindFirst(OpenIddictConstants.Claims.Subject);`
`17`	`17`	`if (sub != null)`
`18`	`18`	`{`
`19`	`19`	`return sub.Value;`