public static void UseHelseIdProtectedPaths(this IApplicationBuilder app,
IHelseIdWebKonfigurasjon config,
IHprFeatureFlags hprFlags,
IRedirectPagesKonfigurasjon redirect,
IReadOnlyCollection <PathString> excludeList)
{
if (!config.AuthUse)
{
return;
}
var excluded = new List <PathString>
{
"/favicon.ico",
redirect.Forbidden,
redirect.LoggedOut,
redirect.Statuscode
};
if (excludeList != null && excludeList.Any())
{
excluded.AddRange(excludeList);
}
app.UseProtectPaths(new ProtectPathsOptions(DeterminePresidingPolicy(config, hprFlags), redirect.Forbidden)
{
Exclusions = excluded
});
}
public void AddSecretConfiguration(IHelseIdWebKonfigurasjon configAuth, OpenIdConnectOptions options)
{
var secretParts = configAuth.ClientSecret.Split(':');
if (secretParts.Length != 2)
{
throw new InvalidEnterpriseCertificateSecretException(configAuth.ClientSecret);
}
var storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), secretParts[0]);
var thumprint = secretParts[1];
var store = new X509Store(storeLocation);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumprint, true);
if (certificates.Count == 0)
{
throw new Exception($"No certificate with thumbprint {options.ClientSecret} found in store LocalMachine");
}
var x509SecurityKey = new X509SecurityKey(certificates[0]);
options.Events.OnAuthorizationCodeReceived = ctx =>
{
ctx.TokenEndpointRequest.ClientAssertionType = IdentityModel.OidcConstants.ClientAssertionTypes.JwtBearer;
ctx.TokenEndpointRequest.ClientAssertion = ClientAssertion.Generate(configAuth, x509SecurityKey);
return(Task.CompletedTask);
};
}
public static (bool Result, string PolicyName) AddHelseIdWebAuthentication(this IServiceCollection services,
IHelseIdWebKonfigurasjon helseIdKonfigurasjon,
IRedirectPagesKonfigurasjon redirectPagesKonfigurasjon,
IHprFeatureFlags hprKonfigurasjon,
IWhitelist whitelist,
IHelseIdSecretHandler?secretHandler = null)
{
if (!helseIdKonfigurasjon.AuthUse)
{
return(false, "");
}
services.AddScoped <IHprFactory, HprFactory>();
services.AddScoped <ICurrentUser, CurrentHttpUser>();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
(var authorizeFilter, string policyName) = AddAuthentication(services, helseIdKonfigurasjon, redirectPagesKonfigurasjon, hprKonfigurasjon, whitelist, secretHandler);
services.AddControllers(config => config.Filters.Add(authorizeFilter));
if (helseIdKonfigurasjon.UseHprNumber)
{
services.AddScoped <IAuthorizationHandler, HprAuthorizationHandler>();
}
if (hprKonfigurasjon.UseHpr && hprKonfigurasjon.UseHprPolicy)
{
services.AddScoped <IAuthorizationHandler, HprGodkjenningAuthorizationHandler>();
}
return(true, policyName);
}
public static void DefaultHelseIdOptions(this OpenIdConnectOptions options,
IHelseIdWebKonfigurasjon configAuth,
IRedirectPagesKonfigurasjon redirectPagesKonfigurasjon,
IHelseIdSecretHandler?secretHandler = null)
{
var acrValues = GetAcrValues(configAuth); // spesielt for id-porten, e.g. krever sikkerhetsnivå 4
var hasAcrValues = !string.IsNullOrWhiteSpace(acrValues);
options.Authority = configAuth.Authority;
options.RequireHttpsMetadata = true;
options.ClientId = configAuth.ClientId;
options.ResponseType = "code";
options.TokenValidationParameters.ValidAudience = configAuth.ClientId;
options.CallbackPath = "/signin-callback";
options.SignedOutCallbackPath = "/signout-callback";
options.Scope.Clear();
//options.CorrelationCookie.SameSite = SameSiteMode.Lax;
//options.NonceCookie.SameSite = SameSiteMode.Lax;
foreach (var scope in configAuth.AllScopes)
{
options.Scope.Add(scope.Trim());
}
options.SaveTokens = true;
options.Events.OnRedirectToIdentityProvider = ctx =>
{
//API requests should get a 401 status instead of being redirected to login
if (ctx.Request.Path.StartsWithSegments("/api"))
{
ctx.Response.Headers["Location"] = ctx.ProtocolMessage.CreateAuthenticationRequestUrl();
ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
ctx.HandleResponse();
}
if (ctx.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication && hasAcrValues)
{
ctx.ProtocolMessage.AcrValues = acrValues;
}
return(Task.CompletedTask);
};
options.AccessDeniedPath = redirectPagesKonfigurasjon.Forbidden;
if (secretHandler == null)
{
// Defaults to Shared Secret to be backwards compatible
secretHandler = new HelseIdSharedSecretHandler();
}
secretHandler.AddSecretConfiguration(configAuth, options);
string GetAcrValues(IHelseIdWebKonfigurasjon helseIdWebKonfigurasjon)
{
return(string.Join(' ', helseIdWebKonfigurasjon.SecurityLevels.Select(sl => $"Level{sl}")));
}
}
/// <summary>
/// Determine the presiding policy from configuration.
/// Will return Policies.HidAuthenticated if no other policies are configured.
/// </summary>
/// <param name="helseIdWebKonfigurasjon"></param>
/// <param name="hprFeatureFlags"></param>
/// <returns></returns>
private static string DeterminePresidingPolicy(IHelseIdWebKonfigurasjon helseIdWebKonfigurasjon, IHprFeatureFlags hprFeatureFlags)
=> new []
{
new { PolicyActive = helseIdWebKonfigurasjon.UseHprNumber && hprFeatureFlags.UseHprPolicy, Policy = Policies.GodkjentHprKategoriPolicy },
new { PolicyActive = helseIdWebKonfigurasjon.UseHprNumber, Policy = Policies.HprNummer },
new { PolicyActive = true, Policy = Policies.HidAuthenticated }
}
.ToList()
.First(p => p.PolicyActive).Policy;
public void AddSecretConfiguration(IHelseIdWebKonfigurasjon configAuth, OpenIdConnectOptions options)
{
var jwk = File.ReadAllText(configAuth.ClientSecret);
var jwkSecurityKey = new JsonWebKey(jwk);
options.Events.OnAuthorizationCodeReceived = ctx =>
{
ctx.TokenEndpointRequest.ClientAssertionType = IdentityModel.OidcConstants.ClientAssertionTypes.JwtBearer;
ctx.TokenEndpointRequest.ClientAssertion = ClientAssertion.Generate(configAuth, jwkSecurityKey);
return(Task.CompletedTask);
};
}
public static void DefaultHelseIdOptions(this CookieAuthenticationOptions options,
IHelseIdWebKonfigurasjon configAuth,
IRedirectPagesKonfigurasjon redirectPagesKonfigurasjon)
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.SlidingExpiration = true;
options.Cookie.HttpOnly = true;
options.Cookie.IsEssential = true;
options.Cookie.SecurePolicy = configAuth.UseHttps ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;
options.AccessDeniedPath = redirectPagesKonfigurasjon.Forbidden;
// NOTE: options.Events must be set in AddAutomaticTokenManagement.
// This is because it overrides the events set here.
}
public void AddSecretConfiguration(IHelseIdWebKonfigurasjon configAuth, OpenIdConnectOptions options)
{
var xml = File.ReadAllText(configAuth.ClientSecret);
var rsa = RSA.Create();
rsa.FromXmlString(xml);
var rsaSecurityKey = new RsaSecurityKey(rsa);
options.Events.OnAuthorizationCodeReceived = ctx =>
{
ctx.TokenEndpointRequest.ClientAssertionType = IdentityModel.OidcConstants.ClientAssertionTypes.JwtBearer;
ctx.TokenEndpointRequest.ClientAssertion = ClientAssertion.Generate(configAuth, rsaSecurityKey);
return(Task.CompletedTask);
};
}
public static string Generate(IHelseIdWebKonfigurasjon configAuth, SecurityKey securityKey)
{
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha512);
var extraClaims = new List <Claim>
{
new Claim(JwtClaimTypes.Subject, configAuth.ClientId),
new Claim(JwtClaimTypes.IssuedAt, DateTimeOffset.Now.ToUnixTimeSeconds().ToString()),
new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString("N"))
};
var audience = Path.Combine(configAuth.Authority, "connect/token");
var payload = CreatePayload(configAuth.ClientId, audience, extraClaims);
var header = new JwtHeader(signingCredentials);
UpdateJwtHeader(securityKey, header);
var tokenHandler = new JwtSecurityTokenHandler();
return(tokenHandler.WriteToken(new JwtSecurityToken(header, payload)));
}
public void AddSecretConfiguration(IHelseIdWebKonfigurasjon configAuth, OpenIdConnectOptions options)
{
options.ClientSecret = configAuth.ClientSecret;
}
public static (AuthorizationPolicy AuthPolicy, string PolicyName) AddHelseIdAuthorizationPolicy(this IServiceCollection services,
IHelseIdHprFeatures helseIdFeatures,
IHprFeatureFlags hprFeatures,
IHelseIdWebKonfigurasjon helseIdWebKonfigurasjon,
IWhitelist whitelist)
{
var authenticatedHidUserPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim(IdentityClaims.SecurityLevel, helseIdWebKonfigurasjon.SecurityLevels)
.Build();
if (helseIdFeatures.UseHprNumber)
{
var hprNumberPolicyBuilder = new AuthorizationPolicyBuilder()
.Combine(authenticatedHidUserPolicy);
hprNumberPolicyBuilder.Requirements.Add(new HprAuthorizationRequirement());
var hprNumberPolicy = hprNumberPolicyBuilder.Build();
if (hprFeatures.UseHpr && hprFeatures.UseHprPolicy)
{
var policy = new AuthorizationPolicyBuilder()
.Combine(hprNumberPolicy);
policy.Requirements.Add(new HprGodkjenningAuthorizationRequirement());
var HprGodkjenningPolicy = policy.Build();
services.AddAuthorization(config =>
{
config.AddPolicy(Policies.HidAuthenticated, authenticatedHidUserPolicy);
config.AddPolicy(Policies.HprNummer, hprNumberPolicy);
config.AddPolicy(Policies.GodkjentHprKategoriPolicy, HprGodkjenningPolicy);
config.DefaultPolicy = HprGodkjenningPolicy;
});
return(HprGodkjenningPolicy, Policies.GodkjentHprKategoriPolicy);
}
services.AddAuthorization(config =>
{
config.AddPolicy(Policies.HidAuthenticated, authenticatedHidUserPolicy);
config.AddPolicy(Policies.HprNummer, hprNumberPolicy);
config.DefaultPolicy = hprNumberPolicy;
});
return(hprNumberPolicy, Policies.HprNummer);
}
services.AddAuthorization(config =>
{
config.AddPolicy(Policies.HidAuthenticated, authenticatedHidUserPolicy);
config.DefaultPolicy = authenticatedHidUserPolicy;
});
return(authenticatedHidUserPolicy, Policies.HidAuthenticated);
}
/// <summary>
/// Normally used by AddHelseIdWebAuthentication
/// </summary>
public static (AuthorizeFilter AuthorizeFilter, string PolicyName) AddAuthentication(IServiceCollection services,
IHelseIdWebKonfigurasjon helseIdKonfigurasjon,
IRedirectPagesKonfigurasjon redirectPagesKonfigurasjon,
IHprFeatureFlags hprKonfigurasjon,
IWhitelist whitelist,
IHelseIdSecretHandler?secretHandler = null
)
{
const double tokenRefreshBeforeExpirationTime = 2;
services.AddHelseIdAuthentication()
.AddCookie(options =>
{
options.DefaultHelseIdOptions(helseIdKonfigurasjon, redirectPagesKonfigurasjon);
})
.AddOpenIdConnect(HelseIdContext.Scheme, options =>
{
options.DefaultHelseIdOptions(helseIdKonfigurasjon, redirectPagesKonfigurasjon, secretHandler);
})
.AddAutomaticTokenManagement(options => options.DefaultHelseIdOptions(tokenRefreshBeforeExpirationTime)); // For å kunne ha en lengre sesjon, håndterer refresh token
(var authPolicy, string policyName) = services.AddHelseIdAuthorizationPolicy(helseIdKonfigurasjon, hprKonfigurasjon, helseIdKonfigurasjon, whitelist);
return(new AuthorizeFilter(authPolicy), policyName);
}
