Add OIDC authentication to UI / API (#913)

.github/workflows/ci.yml

@@ -58,7 +58,7 @@ jobs:
         run: dotnet build BDMS.sln -c Release /warnaserror
 
       - name: Start db and api's
-        run: docker compose up --wait minio db api-legacy api
+        run: docker compose up --wait minio db api-legacy api oidc-server
 
       - working-directory: ./src/client
         run: npm ci

.gitignore

@@ -412,6 +412,9 @@ src/client/cypress/screenshots
 # Dependencies
 /src/client/node_modules
 
+# Generated debug files
+src/client/public/env.js
+
 # Testing
 src/client/coverage
 

CHANGELOG.md

@@ -7,6 +7,7 @@
 - Updated layer management to use the .NET API.
 - Update stratigraphy management to use the .NET API.
 - Hide outer ring for disabled radio buttons.
+- Handle Authentication with a OpenID Connect.
 
 ## v2.0.506 - 2023-12-21
 

config/oidc-mock-clients.json

@@ -0,0 +1,26 @@
+[{
+  "ClientId": "bdms-client",
+  "Description": "Client for Authorization Code flow with PKCE",
+  "RequireClientSecret": false,
+  "AlwaysIncludeUserClaimsInIdToken": true,
+  "AllowedGrantTypes": [
+    "authorization_code"
+  ],
+  "AllowedResponseTypes": [
+    "code",
+    "id_token"
+  ],
+  "AllowAccessTokensViaBrowser": true,
+  "RedirectUris": [
+      "http://localhost:3000"
+  ],
+  "AllowedScopes": [
+      "openid",
+      "profile",
+      "email"
+  ],
+  "AccessTokenType": "JWT",
+  "IdentityTokenLifetime": 3600,
+  "AccessTokenLifetime": 3600
+}
+]

config/oidc-mock-users.json

@@ -0,0 +1,66 @@
+[
+  {
+    "SubjectId":"sub_admin",
+    "Username":"admin",
+    "Password":"swissforages",
+    "Claims": [
+      {
+        "Type": "name",
+        "Value": "Admin User",
+        "ValueType": "string"
+      },
+      {
+        "Type": "family_name",
+        "Value": "User",
+        "ValueType": "string"
+      },
+      {
+        "Type": "given_name",
+        "Value": "Admin",
+        "ValueType": "string"
+      },
+      {
+        "Type": "email",
+        "Value": "admin.user@local.dev",
+        "ValueType": "string"
+      },
+      {
+        "Type": "email_verified",
+        "Value": "true",
+        "ValueType": "boolean"
+      }
+    ]
+  },
+  {
+    "SubjectId":"sub_editor",
+    "Username":"editor",
+    "Password":"swissforages",
+    "Claims": [
+      {
+        "Type": "name",
+        "Value": "Editor User",
+        "ValueType": "string"
+      },
+      {
+        "Type": "family_name",
+        "Value": "User",
+        "ValueType": "string"
+      },
+      {
+        "Type": "given_name",
+        "Value": "Editor",
+        "ValueType": "string"
+      },
+      {
+        "Type": "email",
+        "Value": "editor.user@local.dev",
+        "ValueType": "string"
+      },
+      {
+        "Type": "email_verified",
+        "Value": "true",
+        "ValueType": "boolean"
+      }
+    ]
+  }
+]

docker-compose.yml

@@ -68,6 +68,8 @@ services:
         condition: service_healthy
     environment:
       REACT_APP_PROXY_HOST_API: http://api:5000/
+      REACT_APP_CLIENT_AUTHORITY: http://localhost:4011/
+      REACT_APP_CLIENT_CLIENT_ID: bdms-client
       WATCHPACK_POLLING: 'true'
   api-legacy:
     build:
@@ -118,5 +120,28 @@ services:
       DOTNET_USE_POLLING_FILE_WATCHER: 1
       CONNECTIONSTRINGS__BdmsContext: Host=db;Username=SPAWNPLOW;Password=YELLOWSPATULA;Database=bdms;CommandTimeout=300
       ReverseProxy__Clusters__pythonApi__Destinations__legacyApi__Address: "http://api-legacy:8888/"
+      Auth__Authority: http://oidc-server
       S3__ENDPOINT: http://minio:9000
       S3__SECURE: 1
+  oidc-server:
+    image: soluto/oidc-server-mock
+    ports:
+      - "4011:80"
+    environment:
+      CLIENTS_CONFIGURATION_PATH: /tmp/config/clients-config.json
+      USERS_CONFIGURATION_PATH: /tmp/config/users-config.json
+      SERVER_OPTIONS_INLINE: |
+        {
+          "IssuerUri": "http://localhost:4011",
+          "AccessTokenJwtType": "JWT",
+          "Discovery": {
+            "ShowKeySet": true
+          },
+          "Authentication": {
+            "CookieSameSiteMode": "Lax",
+            "CheckSessionCookieSameSiteMode": "Lax"
+          }
+        }
+    volumes:
+      - ./config/oidc-mock-clients.json:/tmp/config/clients-config.json:ro
+      - ./config/oidc-mock-users.json:/tmp/config/users-config.json:ro

src/api-legacy/v1/basehandler.py

@@ -28,16 +28,16 @@ def __init__(self, *args, **kwargs):
     async def prepare(self):
 
         auth_header = self.request.headers.get('Authorization')
-        
+
         if auth_header is None:
             self.set_header('WWW-Authenticate', 'Basic realm=BDMS')
             self.set_status(401)
             self.finish()
             return
 
-        username = auth_header
+        subject_id = auth_header
 
-        async with self.pool.acquire() as conn: 
+        async with self.pool.acquire() as conn:
 
             val = await conn.fetchval("""
                 SELECT row_to_json(t)
@@ -167,11 +167,11 @@ async def prepare(self):
                     ON w.id_usr_fk = id_usr
 
                     WHERE
-                        username = $1
+                        subject_id = $1
                     AND
                         disabled_usr IS NULL
                 ) as t
-            """, username)
+            """, subject_id)
 
             if val is None:
                 self.set_status(401)

src/api-legacy/v1/user/handler.py

@@ -20,9 +20,9 @@ async def execute(self, request):
             for workgroup in self.user['workgroups']:
                 if workgroup['disabled'] is not None:
                     workgroup['roles'] = ['VIEW']
-                
+
                 workgroups.append(workgroup)
-            
+
                 for role in workgroup['roles']:
                     if role not in roles:
                         roles.append(role)
@@ -33,6 +33,7 @@ async def execute(self, request):
                     "name": self.user['name'],
                     "roles": roles,
                     "terms": self.user['terms'],
+                    "id": self.user['id'],
                     "username": self.user['username'],
                     "viewer": self.user['viewer'],
                     "workgroups": workgroups

src/api/Authentication/DatabaseAuthenticationClaimsTransformation.cs

@@ -0,0 +1,49 @@
+using BDMS.Models;
+using Microsoft.AspNetCore.Authentication;
+using System.Security.Claims;
+
+namespace BDMS.Authentication;
+
+public class DatabaseAuthenticationClaimsTransformation : IClaimsTransformation
+{
+    private readonly BdmsContext dbContext;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="DatabaseAuthenticationClaimsTransformation"/> class.
+    /// </summary>
+    /// <param name="dbContext">The EF database context containing data for the BDMS application.</param>
+    /// <exception cref="ArgumentNullException">If <paramref name="dbContext"/> is <c>null</c>.</exception>
+    public DatabaseAuthenticationClaimsTransformation(BdmsContext dbContext)
+    {
+        this.dbContext = dbContext ?? throw new ArgumentNullException(nameof(dbContext));
+    }
+
+    /// <inheritdoc/>
+    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
+    {
+        var userId = principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
+        if (userId is null) return principal;
+
+        var authenticatedUser = dbContext.Users.FirstOrDefault(u => u.SubjectId == userId.Value)
+        ?? new User
+        {
+            SubjectId = userId.Value,
+            Password = "Undefined", // TODO: Remove with #911
+        };
+        if (authenticatedUser.IsDisabled) return principal;
+
+        authenticatedUser.FirstName = principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.GivenName)?.Value ?? authenticatedUser.FirstName;
+        authenticatedUser.LastName = principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Surname)?.Value ?? authenticatedUser.LastName;
+        authenticatedUser.Name = $"{authenticatedUser.FirstName[0]}. {authenticatedUser.LastName}";
+        dbContext.Update(authenticatedUser);
+        await dbContext.SaveChangesAsync().ConfigureAwait(false);
+
+        var claimsIdentity = new ClaimsIdentity();
+        claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, authenticatedUser.Name));
+        if (authenticatedUser.IsAdmin) claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, PolicyNames.Admin));
+        else if (authenticatedUser.IsViewer) claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, PolicyNames.Viewer));
+
+        principal.AddIdentity(claimsIdentity);
+        return principal;
+    }
+}

src/api/Authentication/LegacyApiAuthenticationMiddleware.cs

@@ -15,14 +15,14 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
     {
         if (context.Request.Path.StartsWithSegments(new PathString("/api/v1"), StringComparison.OrdinalIgnoreCase))
         {
-            var userName = context.User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
-            if (userName is not null)
+            var subjectId = context.User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
+            if (subjectId is not null)
             {
-                context.Request.Headers.Authorization = userName.Value;
+                context.Request.Headers.Authorization = subjectId.Value;
 
                 await next.Invoke(context).ConfigureAwait(false);
 
-                logger.LogInformation("Authorized user <{UserName}> for legacy api accessing route <{Route}>", userName.Value, context.Request.Path);
+                logger.LogInformation("Authorized user with subject_id <{SubjectId}> for legacy api accessing route <{Route}>", subjectId.Value, context.Request.Path);
                 return;
             }
         }

src/api/BDMS.csproj

@@ -23,6 +23,7 @@
     <PackageReference Include="CsvHelper" Version="30.0.1" />
     <PackageReference Include="EFCore.BulkExtensions.PostgreSql" Version="8.0.0" />
     <PackageReference Include="Humanizer" Version="2.14.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Versioning" Version="5.1.0" />
     <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.0" />

src/api/BdmsContext.cs

@@ -52,12 +52,12 @@ public BdmsContext(DbContextOptions options)
     /// </summary>
     public async Task<int> UpdateChangeInformationAndSaveChangesAsync(HttpContext httpContext)
     {
-        var userName = httpContext?.User.FindFirst(ClaimTypes.Name)?.Value;
+        var subjectId = httpContext?.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
 
         var entities = ChangeTracker.Entries<IChangeTracking>();
         var user = await Users
             .AsNoTracking()
-            .SingleOrDefaultAsync(u => u.Name == userName)
+            .SingleOrDefaultAsync(u => u.SubjectId == subjectId)
             .ConfigureAwait(false);
 
         foreach (var entity in entities)

src/api/BoreholeFileUploadService.cs

@@ -51,14 +51,14 @@ public async Task UploadFileAndLinkToBorehole(IFormFile file, int boreholeId)
         using var transaction = context.Database.CurrentTransaction == null ? await context.Database.BeginTransactionAsync().ConfigureAwait(false) : null;
         try
         {
-            var userName = httpContextAccessor.HttpContext?.GetUserName();
+            var subjectId = httpContextAccessor.HttpContext?.GetUserSubjectId();
 
             var user = await context.Users
                 .AsNoTracking()
-                .SingleOrDefaultAsync(u => u.Name == userName)
+                .SingleOrDefaultAsync(u => u.SubjectId == subjectId)
                 .ConfigureAwait(false);
 
-            if (user == null || userName == null) throw new InvalidOperationException($"No user with username <{userName}> found.");
+            if (user == null || subjectId == null) throw new InvalidOperationException($"No user with subject_id <{subjectId}> found.");
 
             // If file does not exist on storage, upload it and create file in database.
             if (fileId == null)