Protect the id for external auth with a shared sercret (using data protection).

Author: davidfowl

Todo.Api/Program.cs

@@ -6,6 +6,10 @@
 
 builder.AddServiceDefaults();
 
+// Configure data protection, setup the application discriminator
+// so that the data protection keys can be shared between the BFF and this API
+builder.Services.AddDataProtection(o => o.ApplicationDiscriminator = "TodoApp");
+
 // Configure auth
 builder.Services.AddAuthentication().AddBearerToken(IdentityConstants.BearerScheme);
 builder.Services.AddAuthorizationBuilder().AddCurrentUserHandler();

Todo.Api/Users/UsersApi.cs

@@ -1,4 +1,5 @@
 using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Identity;
 
@@ -20,9 +21,13 @@ public static RouteGroupBuilder MapUsers(this IEndpointRouteBuilder routes)
 
         // The MapIdentityApi<T> doesn't expose an external login endpoint so we write this custom endpoint that follows
         // a similar pattern
-        group.MapPost("/token/{provider}", async Task<Results<Ok<AccessTokenResponse>, SignInHttpResult, ValidationProblem>> (string provider, ExternalUserInfo userInfo, UserManager<TodoUser> userManager, SignInManager<TodoUser> signInManager) =>
+        group.MapPost("/token/{provider}", async Task<Results<Ok<AccessTokenResponse>, SignInHttpResult, ValidationProblem>> (string provider, ExternalUserInfo userInfo, UserManager<TodoUser> userManager, SignInManager<TodoUser> signInManager, IDataProtectionProvider dataProtectionProvider) =>
         {
-            var user = await userManager.FindByLoginAsync(provider, userInfo.ProviderKey);
+            var protector = dataProtectionProvider.CreateProtector(provider);
+
+            var providerKey = protector.Unprotect(userInfo.ProviderKey);
+
+            var user = await userManager.FindByLoginAsync(provider, providerKey);
 
             var result = IdentityResult.Success;
 
@@ -34,7 +39,7 @@ public static RouteGroupBuilder MapUsers(this IEndpointRouteBuilder routes)
 
                 if (result.Succeeded)
                 {
-                    result = await userManager.AddLoginAsync(user, new UserLoginInfo(provider, userInfo.ProviderKey, displayName: null));
+                    result = await userManager.AddLoginAsync(user, new UserLoginInfo(provider, providerKey, displayName: null));
                 }
             }
 

Todo.Web/Server/AuthApi.cs

@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace Todo.Web.Server;
 
@@ -60,7 +61,7 @@ public static RouteGroupBuilder MapAuth(this IEndpointRouteBuilder routes)
                 authenticationSchemes: [provider]);
         });
 
-        group.MapGet("signin/{provider}", async (string provider, AuthClient client, HttpContext context) =>
+        group.MapGet("signin/{provider}", async (string provider, AuthClient client, HttpContext context, IDataProtectionProvider dataProtectionProvider) =>
         {
             // Grab the login information from the external login dance
             var result = await context.AuthenticateAsync(AuthenticationSchemes.ExternalScheme);
@@ -75,7 +76,10 @@ public static RouteGroupBuilder MapAuth(this IEndpointRouteBuilder routes)
                 // for now we'll prefer the email address
                 var name = (principal.FindFirstValue(ClaimTypes.Email) ?? principal.Identity?.Name)!;
 
-                var token = await client.GetOrCreateUserAsync(provider, new() { Username = name, ProviderKey = id });
+                // Protect the user id so it for transport
+                var protector = dataProtectionProvider.CreateProtector(provider);
+
+                var token = await client.GetOrCreateUserAsync(provider, new() { Username = name, ProviderKey = protector.Protect(id) });
 
                 if (token is not null)
                 {

Todo.Web/Server/Program.cs

@@ -9,6 +9,9 @@
 builder.AddAuthentication();
 builder.Services.AddAuthorizationBuilder();
 
+// Configure data protection, setup the application discriminator so that the data protection keys can be shared between the BFF and this API
+builder.Services.AddDataProtection(o => o.ApplicationDiscriminator = "TodoApp");
+
 // Must add client services
 builder.Services.AddScoped<TodoClient>();