    /// <summary>
    /// Registers JWT bearer authentication for the API (Microsoft Identity Web on top of the
    /// default bearer scheme, plus the project's adapter authentication) and hooks a
    /// post-validation step that enriches the caller's principal with TeamCloud claims.
    /// </summary>
    /// <param name="services">Service collection the authentication handlers are added to.</param>
    /// <param name="azureResourceManagerOptions">Supplies the client id, client secret and tenant id handed to Microsoft Identity Web.</param>
    private static void ConfigureAuthentication(IServiceCollection services, AzureResourceManagerOptions azureResourceManagerOptions)
    {
        // Invoked once per successfully validated bearer token. Looks up the caller's
        // TeamCloud claims and attaches them as an additional identity so later
        // authorization checks can see them.
        async Task EnrichPrincipalAsync(TokenValidatedContext validated)
        {
            // NOTE(review): both helpers read claims off the token and may yield null for
            // tokens that lack them; ResolveClaimsAsync is assumed to tolerate that — confirm.
            var objectId = validated.Principal.GetObjectId();
            var tenant   = validated.Principal.GetTenantId();

            var resolved = await validated.HttpContext.ResolveClaimsAsync(tenant, objectId).ConfigureAwait(false);
            if (!resolved.Any())
            {
                return;
            }

            validated.Principal.AddIdentity(new ClaimsIdentity(resolved));
        }

        services
            .AddHttpContextAccessor()
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddAdapterAuthentication()
            .AddMicrosoftIdentityWebApi(bearer =>
            {
                // Audience validation is switched off, so any token Microsoft Identity Web
                // otherwise accepts (issuer, signature, lifetime) is honoured regardless of
                // the resource it was issued for.
                // NOTE(review): that also admits tokens minted for *other* APIs in the same
                // tenant. Prefer leaving ValidateAudience on and listing the accepted values in
                // TokenValidationParameters.ValidAudiences (this API's app ID URI and/or its
                // client id) — confirm which audience the callers' tokens actually carry.
                bearer.TokenValidationParameters.ValidateAudience = false;

                bearer.Events = new JwtBearerEvents
                {
                    OnTokenValidated = EnrichPrincipalAsync
                };
            }, identity =>
            {
                // Tenant-scoped configuration against the public Azure AD cloud instance.
                identity.ClientId     = azureResourceManagerOptions.ClientId;
                identity.ClientSecret = azureResourceManagerOptions.ClientSecret;
                identity.TenantId     = azureResourceManagerOptions.TenantId;
                identity.Instance     = "https://login.microsoftonline.com/";
            }, JwtBearerDefaults.AuthenticationScheme);
    }
#pragma warning disable CA1822 // Mark members as static

    /// <summary>
    /// Builds the HTTP request pipeline: environment-specific diagnostics / CORS / HSTS,
    /// the OpenAPI document and Swagger UI, then routing, authentication, the TeamCloud
    /// model middleware, authorization and controller endpoints. Finally publishes the
    /// host's data-protection provider to <c>EncryptedValueProvider</c>.
    /// </summary>
    /// <param name="app">Application builder the middleware is registered on.</param>
    /// <param name="env">Hosting environment used to choose the development or production branch.</param>
    /// <param name="resourceManagerOptions">Provides the client id handed to the Swagger UI OAuth flow.</param>
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, AzureResourceManagerOptions resourceManagerOptions)
    {
        var isDevelopment = env.IsDevelopment();

        if (!isDevelopment)
        {
            // Production: emit the HSTS header only. HTTPS redirection is deliberately absent
            // because TLS is terminated by App Service in front of the container and enabling
            // UseHttpsRedirection there caused errors.
            app.UseHsts();
        }
        else
        {
            app.UseDeveloperExceptionPage();

            // Development-only CORS: every origin is reflected back AND credentials are
            // allowed, so any site can make credentialed calls against a dev instance.
            // This policy must never be copied into the non-development branch.
            app.UseCors(policy => policy
                .SetIsOriginAllowed(_ => true)
                .SetPreflightMaxAge(TimeSpan.FromDays(1))
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials());
        }

        // The OpenAPI document and UI are served in every environment.
        // NOTE(review): decide whether production should expose Swagger UI at all; it
        // publishes the API surface to anyone who can reach the host.
        app.UseSwagger();
        app.UseSwaggerUI(ui =>
        {
            ui.SwaggerEndpoint("/swagger/v1/swagger.json", "TeamCloud API v1");

            // Public-client authorization-code flow with PKCE: only the client id is sent
            // to the browser, no secret.
            ui.OAuthClientId(resourceManagerOptions.ClientId);
            ui.OAuthClientSecret("");
            ui.OAuthUsePkce();
        });

        app.UseRouting();
        app.UseAuthentication();
        // Runs after the principal is established but before authorization, so it also sees
        // anonymous requests — presumably it only loads the model and does not gate access.
        app.UseMiddleware<EnsureTeamCloudModelMiddleware>();
        app.UseAuthorization();
        app.UseEndpoints(routes => routes.MapControllers());

        // Static hook: make the host's data-protection provider available to EncryptedValueProvider.
        EncryptedValueProvider.DefaultDataProtectionProvider = app.ApplicationServices.GetDataProtectionProvider();
    }
#pragma warning disable CA1822 // Mark members as static

        /// <summary>
        /// Builds the HTTP request pipeline: environment-specific diagnostics / CORS or
        /// HSTS + HTTPS redirection, the OpenAPI document and Swagger UI, then routing,
        /// authentication, the TeamCloud model and tracing middleware, an admin gate for
        /// requests that require it, authorization and controller endpoints.
        /// </summary>
        /// <param name="app">Application builder the middleware is registered on.</param>
        /// <param name="env">Hosting environment used to choose the development or production branch.</param>
        /// <param name="resourceManagerOptions">Provides the client id handed to the Swagger UI OAuth flow.</param>
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, AzureResourceManagerOptions resourceManagerOptions)
        {
            if (env.IsDevelopment())
            {
                UseDevelopmentPipeline();
            }
            else
            {
                UseProductionPipeline();
            }

            UseOpenApi();

            app
            .UseRouting()
            .UseAuthentication()
            // Sees anonymous requests as well, since it sits ahead of authorization.
            .UseMiddleware<EnsureTeamCloudModelMiddleware>()
            // NOTE(review): request/response tracing runs right after authentication. Make sure
            // the middleware redacts the Authorization header and any tokens or secrets carried
            // in bodies before anything reaches the trace sink.
            .UseMiddleware<RequestResponseTracingMiddleware>()
            // Requests flagged by RequiresAdminUserSet() get an extra admin gate ahead of the
            // regular authorization middleware.
            .UseWhen(
                httpContext => httpContext.Request.RequiresAdminUserSet(),
                adminBranch => adminBranch.UseMiddleware<EnsureTeamCloudAdminMiddleware>())
            .UseAuthorization()
            .UseEndpoints(routes => routes.MapControllers());

            // Development: verbose errors plus a wide-open CORS policy. Every origin is
            // reflected back AND credentials are allowed, so any site can make credentialed
            // calls against a dev instance; never copy this into the production branch.
            void UseDevelopmentPipeline()
            {
                app.UseDeveloperExceptionPage();
                app.UseCors(policy => policy
                    .SetIsOriginAllowed(_ => true)
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials());
            }

            // Production: HSTS header and redirect plain HTTP to HTTPS.
            void UseProductionPipeline()
            {
                app.UseHsts();
                app.UseHttpsRedirection();
            }

            // OpenAPI document and Swagger UI, served in every environment.
            // NOTE(review): decide whether production should expose Swagger UI at all; it
            // publishes the API surface to anyone who can reach the host.
            void UseOpenApi()
            {
                app.UseSwagger();
                app.UseSwaggerUI(ui =>
                {
                    ui.SwaggerEndpoint("/openapi/v1/openapi.json", "TeamCloud API v1");

                    // Public-client authorization-code flow with PKCE: only the client id is
                    // sent to the browser, no secret.
                    ui.OAuthClientId(resourceManagerOptions.ClientId);
                    ui.OAuthClientSecret("");
                    ui.OAuthUsePkce();
                });
            }
        }
 /// <summary>
 /// Creates the session options around the supplied Azure Resource Manager settings.
 /// </summary>
 /// <param name="azureRMOptions">Resource Manager settings the session is built from; must not be null.</param>
 /// <exception cref="System.ArgumentNullException"><paramref name="azureRMOptions"/> is null.</exception>
 public AzureSessionOptions(AzureResourceManagerOptions azureRMOptions)
 {
     if (azureRMOptions is null)
     {
         throw new System.ArgumentNullException(nameof(azureRMOptions));
     }

     this.azureRMOptions = azureRMOptions;
 }
#pragma warning restore CA1822 // Mark members as static

    /// <summary>
    /// Registers Swagger/OpenAPI generation for the "v1" document, including the OAuth2
    /// authorization-code security scheme that Swagger UI uses to obtain a bearer token
    /// from Azure AD for the configured tenant, and marks every operation as requiring it.
    /// </summary>
    /// <param name="services">Service collection the generator is added to.</param>
    /// <param name="azureResourceManagerOptions">Supplies the tenant id baked into the authorize/token endpoint URLs.</param>
    private static void ConfigureSwagger(IServiceCollection services, AzureResourceManagerOptions azureResourceManagerOptions)
    {
        const string securitySchemeId = "oauth2";
        const string openIdScope = "openid";
        // NOTE(review): the API's app ID URI is hard-coded to a DEMO registration (http scheme).
        // Any deployment that is not that demo tenant hands the UI a scope the token endpoint
        // will reject; this should come from configuration next to ClientId / TenantId.
        const string userImpersonationScope = "http://TeamCloud.DEMO.Web/user_impersonation";

        services
            .AddSwaggerGen(generator =>
            {
                generator.DocumentFilter<SwaggerDocumentFilter>();

                var apiInfo = new OpenApiInfo
                {
                    Version     = "v1",
                    Title       = "TeamCloud",
                    Description = "API for working with a TeamCloud instance.",
                    Contact     = new OpenApiContact
                    {
                        Url   = new Uri("https://github.com/microsoft/TeamCloud/issues/new"),
                        Email = @"*****@*****.**",
                        Name  = "TeamCloud Dev Team"
                    },
                    License = new OpenApiLicense
                    {
                        Name = "TeamCloud is licensed under the MIT License",
                        Url  = new Uri("https://github.com/microsoft/TeamCloud/blob/main/LICENSE")
                    }
                };
                generator.SwaggerDoc("v1", apiInfo);

                generator.EnableAnnotations();
                generator.UseInlineDefinitionsForEnums();

                // Tenant-specific v2.0 endpoints; consistent with the login.microsoftonline.com
                // instance used for bearer-token validation.
                var oauth2Base = $"https://login.microsoftonline.com/{azureResourceManagerOptions.TenantId}/oauth2/v2.0";

                var oauth2Scheme = new OpenApiSecurityScheme
                {
                    Type  = SecuritySchemeType.OAuth2,
                    Flows = new OpenApiOAuthFlows
                    {
                        AuthorizationCode = new OpenApiOAuthFlow
                        {
                            TokenUrl         = new Uri(oauth2Base + "/token"),
                            AuthorizationUrl = new Uri(oauth2Base + "/authorize"),
                            Scopes           = new Dictionary<string, string>
                            {
                                [openIdScope]            = "Sign you in",
                                [userImpersonationScope] = "Access the TeamCloud API"
                            }
                        }
                    }
                };
                generator.AddSecurityDefinition(securitySchemeId, oauth2Scheme);

                // Every operation requires the scheme above with both scopes.
                var oauth2Reference = new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id   = securitySchemeId
                    }
                };
                generator.AddSecurityRequirement(new OpenApiSecurityRequirement
                {
                    { oauth2Reference, new[] { openIdScope, userImpersonationScope } }
                });

                generator.OperationFilter<SecurityRequirementsOperationFilter>();
            })
            .AddSwaggerGenNewtonsoftSupport();
    }