GodelTech.Microservices.Security
8.1.0
dotnet add package GodelTech.Microservices.Security --version 8.1.0
NuGet\Install-Package GodelTech.Microservices.Security -Version 8.1.0
<PackageReference Include="GodelTech.Microservices.Security" Version="8.1.0" />
paket add GodelTech.Microservices.Security --version 8.1.0
#r "nuget: GodelTech.Microservices.Security, 8.1.0"
// Install GodelTech.Microservices.Security as a Cake Addin #addin nuget:?package=GodelTech.Microservices.Security&version=8.1.0 // Install GodelTech.Microservices.Security as a Cake Tool #tool nuget:?package=GodelTech.Microservices.Security&version=8.1.0
GodelTech.Microservices.Security
Overview
GodelTech.Microservices.Security contains initializer responsible for REST API endpoint security configuration.
Quick Start
REST API Security
In order to configure REST API security Startup.cs
and application configuration files must be updated. Startup
class must use ApiSecurityInitializer
. The following snippet demonstrates one of possible options how to Startup
may look like:
public class Startup : MicroserviceStartup
{
public Startup(IConfiguration configuration)
: base(configuration)
{
}
protected override IEnumerable<IMicroserviceInitializer> CreateInitializers()
{
yield return new DeveloperExceptionPageInitializer(Configuration);
yield return new HstsInitializer();
yield return new GenericInitializer(null, (app, _) => app.UseRouting());
yield return new ApiSecurityInitializer(
options => Configuration.Bind("ApiSecurityOptions", options),
new PolicyFactory()
);
yield return new ApiInitializer(Configuration);
}
}
PolicyFactory class:
public class PolicyFactory : IAuthorizationPolicyFactory
{
public IReadOnlyDictionary<string, AuthorizationPolicy> Create()
{
return new Dictionary<string, AuthorizationPolicy>
{
["add"] = GetAuthorizationPolicy("fake.add"),
["edit"] = GetAuthorizationPolicy("fake.edit"),
["delete"] = GetAuthorizationPolicy("fake.delete")
};
}
private static AuthorizationPolicy GetAuthorizationPolicy(string requiredScope)
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
policyBuilder.RequireClaim("scope", requiredScope);
return policyBuilder.Build();
}
}
Configuration file may have configuration section similar to this:
"ApiSecurityOptions": {
"RequireHttpsMetadata": false,
"Authority": "https://localhost:44300",
"Issuer": "https://localhost:44300",
"Audience": "DemoApi",
"TokenValidation": {
"ValidateAudience": true
}
}
NOTE: You controller or method must be decorated with [Authorize]
attribute which has policy name specified. Here is how it may look like:
[Authorize]
[Route("fakes")]
[ApiController]
public class FakeController : ControllerBase
{
[HttpGet]
[ProducesResponseType(typeof(IList<FakeModel>), StatusCodes.Status200OK)]
public IActionResult GetList()
{
...
}
[HttpGet("{id:int}")]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[ProducesResponseType(typeof(FakeModel), StatusCodes.Status200OK)]
public IActionResult Get(int id)
{
...
}
[Authorize("add")]
[HttpPost]
[ProducesResponseType(typeof(FakeModel), StatusCodes.Status201Created)]
public IActionResult Post([FromBody] FakePostModel model)
{
...
}
}
UI Security
In order to configure UI security Startup.cs
file needs to be updated. UiSecurityInitializer
must be added to list of initializers. Here is example how your Startup
class may look like:
public class Startup : MicroserviceStartup
{
public Startup(IConfiguration configuration)
: base(configuration)
{
}
protected override IEnumerable<IMicroserviceInitializer> CreateInitializers()
{
yield return new DeveloperExceptionPageInitializer();
yield return new ExceptionHandlerInitializer("/Home/Error");
yield return new HstsInitializer();
yield return new GenericInitializer(null, (app, _) => app.UseStaticFiles());
yield return new GenericInitializer(null, (app, _) => app.UseRouting());
yield return new UiSecurityInitializer(
options => Configuration.Bind("UiSecurityOptions", options)
);
yield return new MvcInitializer();
}
}
The following configuration secription need to be added to appsettings.json
:
"UiSecurityOptions": {
"Authority": "https://localhost:44300",
"Issuer": "https://localhost:44300",
"ClientId": "Mvc",
"ClientSecret": "secret",
"RequireHttpsMetadata": false,
"Scopes": [
"openid",
"profile",
"offline_access",
"api"
]
}
NOTE: You need to decorate your MVC / Razor Pages controllers with [Authorize]
attribute or apply corresponding conventions by creating subclass of RazorPagesInitializer
.
Configuration Options
ApiSecurityInitializer
uses ApiSecurityOptions
class. Full list of settings can be found in the following snippet:
"ApiSecurityOptions": {
"RequireHttpsMetadata": false,
"Authority": "https://localhost:44300",
"Issuer": "https://localhost:44300",
"Audience": "DemoApi",
"TokenValidation": {
"ValidateAudience": true,
"ValidateIssuer": true,
"ValidateIssuerSigningKey": true,
"ValidateLifetime": true
},
"SaveToken": true,
"IncludeErrorDetails": true
}
IMPORTANT: By default all validation and security restrictions are turned ON.
UiSecurityInitializer
uses UiSecurityOptions
class. Full list of settings can be found in the following snippet:
"UiSecurityOptions": {
"Authority": "https://localhost:44300",
"Issuer": "https://localhost:44300",
"ClientId": "Mvc",
"ClientSecret": "secret",
"GetClaimsFromUserInfoEndpoint": true,
"RequireHttpsMetadata": false,
"ResponseType": "code",
"Scopes": [
"openid",
"profile",
"offline_access",
"api"
],
"UsePkce": true,
"PublicAuthorityUri": "https://localhost:44300",
"SaveTokens": true
}
NOTE: PublicAuthorityUri
specific public address of identity provider. This setting might be useful when server-to-server communication happens within internal network (Kubernetes, docker-compose) but user uses public address to navigate to service.
Links
The following resources might be useful to understand internals of current project:
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 is compatible. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. |
-
net6.0
- GodelTech.Microservices.Core (>= 8.1.0)
- IdentityModel (>= 7.0.0)
- IdentityModel.AspNetCore (>= 4.3.0)
- Microsoft.AspNetCore.Authentication.JwtBearer (>= 6.0.31)
- Microsoft.AspNetCore.Authentication.OpenIdConnect (>= 6.0.31)
-
net7.0
- GodelTech.Microservices.Core (>= 8.1.0)
- IdentityModel (>= 7.0.0)
- IdentityModel.AspNetCore (>= 4.3.0)
- Microsoft.AspNetCore.Authentication.JwtBearer (>= 7.0.20)
- Microsoft.AspNetCore.Authentication.OpenIdConnect (>= 7.0.20)
-
net8.0
- GodelTech.Microservices.Core (>= 8.1.0)
- IdentityModel (>= 7.0.0)
- IdentityModel.AspNetCore (>= 4.3.0)
- Microsoft.AspNetCore.Authentication.JwtBearer (>= 8.0.6)
- Microsoft.AspNetCore.Authentication.OpenIdConnect (>= 8.0.6)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
8.1.0 | 211 | 7/2/2024 |
8.0.1 | 1,479 | 1/20/2024 |
8.0.0 | 125 | 1/18/2024 |
3.0.0 | 3,329 | 10/18/2023 |
2.7.0 | 4,809 | 11/2/2022 |
2.6.0 | 414 | 10/18/2022 |
2.4.0 | 4,294 | 7/7/2022 |
2.3.0 | 590 | 4/4/2022 |
2.2.0 | 466 | 4/3/2022 |
2.0.0 | 480 | 2/21/2022 |
1.3.0 | 5,889 | 3/21/2021 |
1.2.0 | 1,487 | 9/11/2020 |
1.1.0 | 485 | 7/31/2020 |
1.0.0 | 517 | 7/25/2020 |
0.0.1 | 499 | 7/21/2020 |