From 4c209471968934b183cbdb98e6232cb1ccfd321a Mon Sep 17 00:00:00 2001 From: maliming Date: Sat, 28 May 2022 17:22:57 +0800 Subject: [PATCH] Add `UseAbpOpenIddictValidation` and `DisableAccessTokenEncryption` by default. --- .../app/OpenIddict.Demo.API/Program.cs | 4 -- .../Pages/Index.cshtml | 31 +++++++++++-- .../Controllers/ClaimsController.cs | 16 +++++++ .../OpenIddictServerModule.cs | 45 ++++++++++--------- .../app/OpenIddict.Demo.Server/Program.cs | 15 +------ ...uilderAbpOpenIddictMiddlewareExtension.cs} | 10 ++--- .../AbpOpenIddictAspNetCoreModule.cs | 2 + .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 4 -- .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 4 -- .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 5 --- .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 5 --- .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 4 -- .../MyProjectNameModule.cs | 21 +-------- .../appsettings.json | 4 -- .../MyProjectNameAuthServerModule.cs | 7 --- .../MyProjectNameBlazorModule.cs | 22 +-------- .../MyProjectNameHttpApiHostModule.cs | 27 +---------- .../MyProjectNameAuthServerModule.cs | 10 +---- .../appsettings.json | 5 --- 24 files changed, 84 insertions(+), 262 deletions(-) create mode 100644 modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs rename modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/{Volo/Abp/OpenIddict/Jwt/JwtTokenMiddleware.cs => Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs} (58%) diff --git a/modules/openiddict/app/OpenIddict.Demo.API/Program.cs b/modules/openiddict/app/OpenIddict.Demo.API/Program.cs index 6218c5b9f7..9fe034cecf 100644 --- a/modules/openiddict/app/OpenIddict.Demo.API/Program.cs +++ b/modules/openiddict/app/OpenIddict.Demo.API/Program.cs 
@@ -18,10 +18,6 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 {
 options.Authority = "https://localhost:44301";
 options.Audience = "AbpAPIResource";
-
- // See OpenIddictServerModule`s PreConfigureServices method.
- options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78"));
- options.TokenValidationParameters.TokenDecryptionKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80"));
 });
 
 var app = builder.Build();
diff --git a/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml b/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml
index 1d2feb2a8d..d2f8710862 100644
--- a/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml
+++ b/modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml
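Review bot: The `using System.Text;` and `using Microsoft.IdentityModel.Tokens;` directives that the two removed `SymmetricSecurityKey` lines required sit above this hunk and are presumably now unused in this Program.cs; remove them so the file keeps no dead reference to the old shared-key setup. With no `IssuerSigningKey`/`TokenDecryptionKey` left, the bearer handler depends on key discovery from `options.Authority` and on access tokens no longer being encrypted (the `DisableAccessTokenEncryption()` default added to AbpOpenIddictAspNetCoreModule in this commit); a one-line comment, `// Signing keys are discovered from the authority; access tokens are not encrypted (see AbpOpenIddictAspNetCoreModule).`, would make that dependency visible here.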
@@ -30,14 +30,37 @@ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await HttpContext.GetTokenAsync("access_token")); var response = await client.SendAsync(request); - response.EnsureSuccessStatusCode(); + + + + @{ + var apiResponse = response.StatusCode.ToString(); + if (response.IsSuccessStatusCode) + { + apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions + { + WriteIndented = true + }); + } + } + @apiResponse; + + + request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:44301/api/claims"); + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await HttpContext.GetTokenAsync("access_token")); + + response = await client.SendAsync(request); @{ - var apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions + apiResponse = response.StatusCode.ToString(); + if (response.IsSuccessStatusCode) { - WriteIndented = true - }); + apiResponse = JsonSerializer.Serialize(JsonDocument.Parse(await response.Content.ReadAsStringAsync()), new JsonSerializerOptions + { + WriteIndented = true + }); + } } @apiResponse; diff --git a/modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs b/modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs new file mode 100644 index 0000000000..49597709b9 --- /dev/null +++ b/modules/openiddict/app/OpenIddict.Demo.Server/Controllers/ClaimsController.cs @@ -0,0 +1,16 @@ +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; + +namespace OpenIddict.Demo.Server.Controllers; + +[ApiController] +[Authorize] +[Route("api/claims")] +public class ClaimsController : Controller +{ + [HttpGet] + public JsonResult Get() + { + return Json(User.Claims.Select(x => new {Type = x.Type, Value = x.Value})); + } +} 
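Review bot: Neither `HttpResponseMessage` returned by `client.SendAsync` is disposed, and the second `response = await client.SendAsync(request);` reassigns the variable while the first response is still open; declare the first as `using var response = ...` and give the second its own `using var` (or dispose before reassigning) — the `JsonDocument` returned by `JsonDocument.Parse` is disposable as well. The status-then-pretty-print block is now pasted twice; a local function in the code block, e.g. `async Task<string> FormatAsync(HttpResponseMessage r) => r.IsSuccessStatusCode ? JsonSerializer.Serialize(JsonDocument.Parse(await r.Content.ReadAsStringAsync()), new JsonSerializerOptions { WriteIndented = true }) : r.StatusCode.ToString();`, keeps each call site to one line. The trailing `;` in `@apiResponse;` ends up in the rendered HTML at both places. The first request's setup is above this hunk.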
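Review bot: `Get` echoes every claim of the authenticated principal back to the caller; for a demo that is the intent, but a doc comment should say so because an ABP principal can carry claims beyond what the client put in the token, e.g. `/// Returns every claim of the current principal as {Type, Value} pairs. Demo/diagnostic endpoint only.` As an attribute-routed API controller that never renders a view, derive from `ControllerBase` and return `Ok(...)` instead of `Controller.Json(...)`, and let the projection infer member names: `new { x.Type, x.Value }`. `Select` needs `System.Linq`, so this file relies on implicit usings being enabled in the demo project; confirm that or add the directive.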
diff --git a/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs b/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs
index 616b3ef0c7..a2509f8576 100644
--- a/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs
@@ -1,10 +1,7 @@
-using System.Text;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.IdentityModel.Tokens;
-using OpenIddict.Abstractions;
 using OpenIddict.Demo.Server.EntityFrameworkCore;
-using OpenIddict.Server.AspNetCore;
-using OpenIddict.Validation.AspNetCore;
 using Volo.Abp;
 using Volo.Abp.Account;
 using Volo.Abp.Account.Web;
@@ -81,12 +78,32 @@ public class OpenIddictServerModule : AbpModule
 {
 public override void PreConfigureServices(ServiceConfigurationContext context)
 {
+ PreConfigure(options =>
+ {
+ //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+ options.AddDevelopmentEncryptionAndSigningCertificate = false;
+ });
+
 PreConfigure(builder =>
 {
- //https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
 //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
- builder.AddSigningKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78")));
- builder.AddEncryptionKey(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80")));
+ using (var algorithm = RSA.Create(keySizeInBits: 2048))
+ {
+ var subject = new X500DistinguishedName("CN=Fabrikam Encryption Certificate");
+ var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+ request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+ var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+ builder.AddSigningCertificate(certificate);
+ }
+
+ using (var algorithm = RSA.Create(keySizeInBits: 2048))
+ {
+ var subject = new X500DistinguishedName("CN=Fabrikam Signing Certificate");
+ var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+ request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
+ var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+ builder.AddEncryptionCertificate(certificate);
+ }
 });
 
 PreConfigure(options =>
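Review bot: The two certificate subjects are swapped: the block that adds `X509KeyUsageFlags.DigitalSignature` and calls `builder.AddSigningCertificate` creates `CN=Fabrikam Encryption Certificate`, while the `KeyEncipherment`/`AddEncryptionCertificate` block creates `CN=Fabrikam Signing Certificate`; exchange the two strings so each certificate's name matches its usage when it appears in the JWKS document or in logs. Both certificates are generated afresh with `CreateSelfSigned` on every process start, so tokens issued before a restart stop validating and two instances of the demo server would not share keys — worth a comment above the first `using` block, e.g. `// Demo only: ephemeral self-signed certificates regenerated on each start; a deployed server must load persisted certificates (see the OpenIddict docs link above).` Disposing the `RSA` instance right after `CreateSelfSigned` appears to follow the linked OpenIddict sample, but a short comment confirming that the returned certificate keeps its own copy of the key would save the next reader a check.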
@@ -110,18 +127,6 @@ public class OpenIddictServerModule : AbpModule
 
 public override void ConfigureServices(ServiceConfigurationContext context)
 {
- context.Services.ConfigureApplicationCookie(options =>
- {
- options.ForwardDefaultSelector = ctx => ctx.Request.Path.StartsWithSegments("/api")
- ? OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
- : null;
- });
-
- Configure(options =>
- {
- options.AddDevelopmentEncryptionAndSigningCertificate = false;
- });
-
 context.Services.AddAbpDbContext(options =>
 {
 options.AddDefaultRepositories(includeAllEntities: true);
diff --git a/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs b/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs
index 3bfc26a9a3..bee5baa950 100644
--- a/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/Program.cs
@@ -27,20 +27,6 @@ builder.Services.Configure(options =>
 options.Languages.Add(new LanguageInfo("zh-Hant", "zh-Hant", "繁體中文"));
 });
 
-// Use Microsoft.AspNetCore.Authentication.JwtBearer instead of OpenIddict.Validation.AspNetCore
-// builder.Services.AddAuthentication()
-// .AddJwtBearer(options =>
-// {
-// options.Authority = "https://localhost:44301";
-// options.Audience = "AbpAPIResource";
-//
-// options.MapInboundClaims = false;
-//
-// // See OpenIddictServerModule`s PreConfigureServices method.
-// options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_C40DBB176E78"));
-// options.TokenValidationParameters.TokenDecryptionKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Abp_OpenIddict_Demo_87E33FC57D80"));
-// });
-
 await builder.AddApplicationAsync();
 
 var app = builder.Build();
@@ -70,6 +56,7 @@ app.UseCors();
 
 //app.UseJwtTokenMiddleware();
 app.UseAuthentication();
+app.UseAbpOpenIddictValidation();
 app.UseMultiTenancy();
 app.UseAuthorization();
 
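Review bot: The stale `//app.UseJwtTokenMiddleware();` context line directly above the new `app.UseAbpOpenIddictValidation();` names the method this commit renames and now reads like an alternative that still exists; delete it, or replace it with a comment on the ordering, e.g. `// After UseAuthentication(): authenticates bearer requests with the OpenIddict validation scheme when the default (cookie) scheme yielded no principal.` — the middleware body lives in ApplicationBuilderAbpOpenIddictMiddlewareExtension outside this hunk, so check the wording against it. The cookie `ForwardDefaultSelector` for `/api` paths removed from OpenIddictServerModule.ConfigureServices on this same line used to forward challenges too; if the middleware only fills `ctx.User` on success, an unauthenticated call to the new `/api/claims` endpoint is now challenged by the cookie scheme (a login redirect) rather than answered with 401, which is worth verifying with the demo client.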
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Jwt/JwtTokenMiddleware.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs
similarity index 58%
rename from modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Jwt/JwtTokenMiddleware.cs
rename to modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs
index f0f2efb33e..7d8be5570b 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Jwt/JwtTokenMiddleware.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/AspNetCore/Builder/ApplicationBuilderAbpOpenIddictMiddlewareExtension.cs
@@ -1,13 +1,11 @@
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Builder;
+using OpenIddict.Validation.AspNetCore;
 
-namespace Volo.Abp.OpenIddict.Jwt;
+namespace Microsoft.AspNetCore.Builder;
 
-//TODO: Should we move this to another package..?
-
-public static class JwtTokenMiddleware
+public static class ApplicationBuilderAbpOpenIddictMiddlewareExtension
 {
- public static IApplicationBuilder UseJwtTokenMiddleware(this IApplicationBuilder app, string schema = "Bearer")
+ public static IApplicationBuilder UseAbpOpenIddictValidation(this IApplicationBuilder app, string schema = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
 {
 return app.Use(async (ctx, next) =>
 {
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
index 8e103f92fa..e8196627ce 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
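Review bot: `UseJwtTokenMiddleware` was a public extension method and is renamed and moved to a different namespace here with no forwarding member, so any consumer outside this repository that calls it stops compiling on upgrade; keep a shim beside the new method, `[Obsolete("Use UseAbpOpenIddictValidation.")] public static IApplicationBuilder UseJwtTokenMiddleware(this IApplicationBuilder app, string schema = "Bearer") => UseAbpOpenIddictValidation(app, schema);`, which also preserves the old `"Bearer"` default for those callers. The parameter keeps the name `schema` although it holds an authentication scheme name; since the signature changes anyway, rename it to `scheme`. The new public method has no XML doc comment; a summary stating which scheme it authenticates with and under what condition, plus a param entry for the scheme argument, would let callers pick the scheme deliberately — the body starts at the end of this hunk and continues outside it, so describe what it actually does.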
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
@@ -104,6 +104,8 @@ public class AbpOpenIddictAspNetCoreModule : AbpModule
 .AddDevelopmentSigningCertificate();
 }
 
+ builder.DisableAccessTokenEncryption();
+
 var wildcardDomainsOptions = services.ExecutePreConfiguredActions();
 if (wildcardDomainsOptions.EnableWildcardDomainSupport)
 {
diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs
index c987e5dff6..00e29aff65 100644
--- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs
+++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyProjectNameModule.cs
@@ -117,13 +117,6 @@ public class MyProjectNameModule : AbpModule
 );
 });
 
- PreConfigure(builder =>
- {
- // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption
- // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing.
- builder.DisableAccessTokenEncryption();
- });
-
 PreConfigure(builder =>
 {
 builder.AddValidation(options =>
@@ -150,7 +143,6 @@ public class MyProjectNameModule : AbpModule
 ConfigureAutoApiControllers();
 ConfigureBlazorise(context);
 ConfigureRouter(context);
- ConfigureAuthentication(context, configuration);
 ConfigureMongoDB(context);
 }
 
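Review bot: `builder.DisableAccessTokenEncryption()` is now applied unconditionally for every application that uses this module, and the explanation that accompanied the call in the templates (`// In production, it is recommended to use two RSA certificates ...`) is deleted with them, so nothing at this call site says what the default implies; add a comment such as `// Access tokens are issued as signed but unencrypted JWTs so resource servers can validate them with the authority's JWKS alone; anything placed in an access token is therefore readable by the client.` There is also no visible way for an application to opt back into encrypted access tokens (unless a later Configure call on OpenIddictServerOptions can reset `DisableAccessTokenEncryption`, which this hunk cannot show); consider a flag on a pre-configured options object, as done for `wildcardDomainsOptions` on the next line, and guard the call with it, e.g. `if (openIddictOptions.DisableAccessTokenEncryption) { builder.DisableAccessTokenEncryption(); }`. The enclosing method starts and ends outside this hunk.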
@@ -189,17 +181,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration) - { - context.Services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalizationServices() { Configure(options => @@ -338,7 +319,7 @@ public class MyProjectNameModule : AbpModule app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json index e08d35f224..7872199c7e 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/appsettings.json @@ -6,10 +6,6 @@ "ConnectionStrings": { "Default": "mongodb://localhost:27017/MyProjectName", }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" } diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs index b9c8dca8f0..5be2bdc2e5 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameModule.cs 
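Review bot: Removing `ConfigureAuthentication` in the previous hunk also removes `options.Audience = "MyProjectName"`, so the audience check on incoming bearer tokens now exists only if the `builder.AddValidation(options =>` block (shown cut off at the end of this file's first hunk) configures it; confirm that block calls `options.AddAudiences("MyProjectName")`, otherwise a token from the same authority issued for a different API could be accepted by this host. The same pair of changes is repeated in the Blazor.Server, Host.Mongo, Host, Mvc.Mongo and Mvc no-layers templates, in the app Blazor.Server and HttpApi.HostWithIds modules and in the module-template AuthServer further down, and the same check applies to each. Note that `app.UseAbpOpenIddictValidation()` defaults to the OpenIddict validation scheme where `app.UseJwtTokenMiddleware()` defaulted to `"Bearer"`, which is what makes dropping the JwtBearer handler work; a one-line comment at the call site, `// Authenticates bearer requests with the OpenIddict validation scheme configured in PreConfigureServices.`, would record that dependency.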
@@ -118,13 +118,6 @@ public class MyProjectNameModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => @@ -151,7 +144,6 @@ public class MyProjectNameModule : AbpModule ConfigureAutoApiControllers(); ConfigureBlazorise(context); ConfigureRouter(context); - ConfigureAuthentication(context, configuration); ConfigureEfCore(context); } @@ -190,17 +182,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration) - { - context.Services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalizationServices() { Configure(options => @@ -346,7 +327,7 @@ public class MyProjectNameModule : AbpModule app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json index cc9e8226f2..250ecde40e 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/appsettings.json 
@@ -6,10 +6,6 @@ "ConnectionStrings": { "Default": "Server=(LocalDb)\\MSSQLLocalDB;Database=MyProjectName;Trusted_Connection=True" }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" } diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs index 6a9474af7b..609432b523 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyProjectNameModule.cs @@ -108,13 +108,6 @@ public class MyProjectNameModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => @@ -139,7 +132,6 @@ public class MyProjectNameModule : AbpModule ConfigureAutoApiControllers(); ConfigureVirtualFiles(hostingEnvironment); ConfigureLocalization(); - ConfigureAuthentication(context.Services, configuration); ConfigureCors(context, configuration); ConfigureDataProtection(context, configuration, hostingEnvironment); ConfigureMongoDB(context); 
@@ -176,17 +168,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration) - { - services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalization() { Configure(options => @@ -341,7 +322,7 @@ public class MyProjectNameModule : AbpModule app.UseRouting(); app.UseCors(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json index a63bc0eeb8..284615a19b 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/appsettings.json @@ -11,11 +11,6 @@ "Redis": { "Configuration": "127.0.0.1" }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false", - "SwaggerClientId": "MyProjectName_Swagger" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" }, diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs index bc3a0eea8e..59b337a7c0 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyProjectNameModule.cs 
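Review bot: The Host.Mongo appsettings.json hunk further along this line deletes the whole `AuthServer` section, including `SwaggerClientId` and `Authority`, while the `ConfigureAuthentication` removal above only stops reading `AuthServer:Authority` and `AuthServer:RequireHttpsMetadata`; if anything else in this host (Swagger or CORS setup, not in the diff) still reads `AuthServer:SwaggerClientId` or `AuthServer:Authority`, those lookups now silently return null. The same section is removed from the Host template's appsettings.json below; check both modules for remaining `configuration["AuthServer:` reads before merging.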
@@ -110,13 +110,6 @@ public class MyProjectNameModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => @@ -141,7 +134,6 @@ public class MyProjectNameModule : AbpModule ConfigureAutoApiControllers(); ConfigureVirtualFiles(hostingEnvironment); ConfigureLocalization(); - ConfigureAuthentication(context.Services, configuration); ConfigureCors(context, configuration); ConfigureDataProtection(context, configuration, hostingEnvironment); ConfigureEfCore(context); @@ -178,17 +170,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration) - { - services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalization() { Configure(options => @@ -350,7 +331,7 @@ public class MyProjectNameModule : AbpModule app.UseRouting(); app.UseCors(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json index 6c9d002cc6..251acbe2ac 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/appsettings.json 
@@ -11,11 +11,6 @@ "Redis": { "Configuration": "127.0.0.1" }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false", - "SwaggerClientId": "MyProjectName_Swagger" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" }, diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs index 7a0d97014a..10cef836ae 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyProjectNameModule.cs @@ -110,13 +110,6 @@ public class MyProjectNameModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => @@ -142,7 +135,6 @@ public class MyProjectNameModule : AbpModule ConfigureAutoApiControllers(); ConfigureVirtualFiles(hostingEnvironment); ConfigureLocalization(); - ConfigureAuthentication(context.Services, configuration); ConfigureMongoDB(context); } @@ -176,17 +168,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration) - { - services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalization() { Configure(options => 
@@ -314,7 +295,7 @@ public class MyProjectNameModule : AbpModule app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json index 97ad461966..f64cfd6c90 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/appsettings.json @@ -5,10 +5,6 @@ "ConnectionStrings": { "Default": "mongodb://localhost:27017/MyProjectName" }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" } diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs index 7f7a7a4da9..20a52729ed 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyProjectNameModule.cs @@ -112,13 +112,6 @@ public class MyProjectNameModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => 
@@ -144,7 +137,6 @@ public class MyProjectNameModule : AbpModule ConfigureAutoApiControllers(); ConfigureVirtualFiles(hostingEnvironment); ConfigureLocalization(); - ConfigureAuthentication(context.Services, configuration); ConfigureEfCore(context); } @@ -179,17 +171,6 @@ public class MyProjectNameModule : AbpModule }); } - private void ConfigureAuthentication(IServiceCollection services, IConfiguration configuration) - { - services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureLocalization() { Configure(options => @@ -323,7 +304,7 @@ public class MyProjectNameModule : AbpModule app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (IsMultiTenant) { diff --git a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json index 74bc952883..4d95841d08 100644 --- a/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json +++ b/templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/appsettings.json @@ -5,10 +5,6 @@ "ConnectionStrings": { "Default": "Server=(LocalDb)\\MSSQLLocalDB;Database=MyProjectName;Trusted_Connection=True" }, - "AuthServer": { - "Authority": "https://localhost:44300", - "RequireHttpsMetadata": "false" - }, "StringEncryption": { "DefaultPassPhrase": "gsKnGZ041HLL4IM8" } diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs index 05ea1c90ea..225033259f 100644 
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs +++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs @@ -48,13 +48,6 @@ public class MyProjectNameAuthServerModule : AbpModule { public override void PreConfigureServices(ServiceConfigurationContext context) { - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs index a01ea41953..4610600956 100644 --- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs +++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyProjectNameBlazorModule.cs @@ -1,4 +1,3 @@ -using System; using System.IO; using Blazorise.Bootstrap5; using Blazorise.Icons.FontAwesome; @@ -74,13 +73,6 @@ public class MyProjectNameBlazorModule : AbpModule ); }); - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => 
@@ -99,7 +91,6 @@ public class MyProjectNameBlazorModule : AbpModule ConfigureUrls(configuration); ConfigureBundles(); - ConfigureAuthentication(context, configuration); ConfigureAutoMapper(); ConfigureVirtualFileSystem(hostingEnvironment); ConfigureLocalizationServices(); @@ -145,17 +136,6 @@ public class MyProjectNameBlazorModule : AbpModule }); } - private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration) - { - context.Services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - }); - } - private void ConfigureVirtualFileSystem(IWebHostEnvironment hostingEnvironment) { if (hostingEnvironment.IsDevelopment()) @@ -283,7 +263,7 @@ public class MyProjectNameBlazorModule : AbpModule app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (MultiTenancyConsts.IsEnabled) { diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs index fc8211ee43..524a7e24bf 100644 --- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs +++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs 
@@ -50,13 +50,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule { public override void PreConfigureServices(ServiceConfigurationContext context) { - PreConfigure(builder => - { - // https://documentation.openiddict.com/configuration/token-formats.html#disabling-jwt-access-token-encryption - // In production, it is recommended to use two RSA certificates, distinct from the certificate(s) used for HTTPS: one for encryption, one for signing. - builder.DisableAccessTokenEncryption(); - }); - PreConfigure(builder => { builder.AddValidation(options => @@ -76,7 +69,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule ConfigureBundles(); ConfigureUrls(configuration); ConfigureConventionalControllers(); - ConfigureAuthentication(context, configuration); ConfigureLocalization(); ConfigureVirtualFileSystem(context); ConfigureCors(context, configuration); @@ -138,23 +130,6 @@ public class MyProjectNameHttpApiHostModule : AbpModule }); } - private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration) - { - context.Services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = "MyProjectName"; - options.BackchannelHttpHandler = new HttpClientHandler - { - ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator - }; - - options.MapInboundClaims = false; - }); - } - private static void ConfigureSwaggerServices(ServiceConfigurationContext context, IConfiguration configuration) { context.Services.AddAbpSwaggerGenWithOAuth( @@ -241,7 +216,7 @@ public class MyProjectNameHttpApiHostModule : AbpModule app.UseRouting(); app.UseCors(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (MultiTenancyConsts.IsEnabled) { 
diff --git a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs index 831eb154bd..a3798432a7 100644 --- a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs +++ b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyProjectNameAuthServerModule.cs @@ -156,14 +156,6 @@ public class MyProjectNameAuthServerModule : AbpModule options.Applications["MVC"].RootUrl = configuration["App:SelfUrl"]; }); - context.Services.AddAuthentication() - .AddJwtBearer(options => - { - options.Authority = configuration["AuthServer:Authority"]; - options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); - options.Audience = configuration["AuthServer:ApiName"]; - }); - Configure(options => { options.KeyPrefix = "MyProjectName:"; @@ -226,7 +218,7 @@ public class MyProjectNameAuthServerModule : AbpModule app.UseRouting(); app.UseCors(); app.UseAuthentication(); - app.UseJwtTokenMiddleware(); + app.UseAbpOpenIddictValidation(); if (MultiTenancyConsts.IsEnabled) { diff --git a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json index 70b1fa6216..47304e7fc6 100644 --- a/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json +++ b/templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/appsettings.json @@ -10,11 +10,6 @@ "Redis": { "Configuration": "127.0.0.1" }, - "AuthServer": { - "Authority": "https://localhost:44301/", - "RequireHttpsMetadata": "false", - "ApiName": "MyProjectName" - }, "OpenIddict": { "Applications": { "MyProjectName_Web": {
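Review bot: Unlike the app templates, this module-template AuthServer shows no `builder.AddValidation(...)` registration anywhere in the diff, yet the second hunk switches it to `app.UseAbpOpenIddictValidation()`, whose default scheme is `OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme`; if the validation handler is not registered elsewhere in MyProjectNameAuthServerModule (outside these hunks), authenticating with that scheme presumably fails at request time for every bearer call rather than at startup. Confirm the registration exists, including the audience that the removed `options.Audience = configuration["AuthServer:ApiName"]` used to enforce, since the `AuthServer` section carrying `ApiName` is removed from appsettings.json in the last hunk. The enclosing ConfigureServices method starts and ends outside the first hunk.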