Sync up. UDAP Tiered OAuth Alpha. #20
Merged
Bumps [MudBlazor](https://github.com/MudBlazor/MudBlazor) from 6.3.0 to 6.3.1. - [Release notes](https://github.com/MudBlazor/MudBlazor/releases) - [Changelog](https://github.com/MudBlazor/MudBlazor/blob/dev/CHANGELOG.md) - [Commits](MudBlazor/MudBlazor@6.3.0...v6.3.1) --- updated-dependencies: - dependency-name: MudBlazor dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [System.CommandLine](https://github.com/dotnet/command-line-api) from 2.0.0-beta4.23219.2 to 2.0.0-beta4.23269.1. - [Release notes](https://github.com/dotnet/command-line-api/releases) - [Changelog](https://github.com/dotnet/command-line-api/blob/main/docs/History.md) - [Commits](https://github.com/dotnet/command-line-api/commits) --- updated-dependencies: - dependency-name: System.CommandLine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [FluentAssertions.Analyzers](https://github.com/fluentassertions/fluentassertions.analyzers) from 0.17.3 to 0.19.1. - [Release notes](https://github.com/fluentassertions/fluentassertions.analyzers/releases) - [Commits](fluentassertions/fluentassertions.analyzers@0.17.3...v0.19.1) --- updated-dependencies: - dependency-name: FluentAssertions.Analyzers dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
….CommandLine-2.0.0-beta4.23269.1
Bumps [Google.Cloud.Storage.V1](https://github.com/googleapis/google-cloud-dotnet) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/googleapis/google-cloud-dotnet/releases) - [Commits](googleapis/google-cloud-dotnet@Google.Cloud.Storage.V1-4.5.0...Google.Cloud.Storage.V1-4.6.0) --- updated-dependencies: - dependency-name: Google.Cloud.Storage.V1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [OpenTelemetry](https://github.com/open-telemetry/opentelemetry-dotnet) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-dotnet/releases) - [Commits](open-telemetry/opentelemetry-dotnet@core-1.4.0...core-1.5.0) --- updated-dependencies: - dependency-name: OpenTelemetry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.6.0 to 17.6.2. - [Release notes](https://github.com/microsoft/vstest/releases) - [Changelog](https://github.com/microsoft/vstest/blob/main/docs/releases.md) - [Commits](microsoft/vstest@v17.6.0...v17.6.2) --- updated-dependencies: - dependency-name: Microsoft.NET.Test.Sdk dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
…Server with correct dependency versions. It is an assembly-scanned plugin environment.
…Assertions.Analyzers-0.19.1 Bump FluentAssertions.Analyzers from 0.17.3 to 0.19.1
….Cloud.Storage.V1-4.6.0
…oft.NET.Test.Sdk-17.6.2
Bumps [OpenTelemetry.Exporter.Console](https://github.com/open-telemetry/opentelemetry-dotnet) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-dotnet/releases) - [Commits](open-telemetry/opentelemetry-dotnet@core-1.4.0...core-1.5.0) --- updated-dependencies: - dependency-name: OpenTelemetry.Exporter.Console dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…lemetry.Exporter.Console-1.5.0
Bumps [Microsoft.IdentityModel.JsonWebTokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 6.30.1 to 6.31.0. - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@6.30.1...6.31.0) --- updated-dependencies: - dependency-name: Microsoft.IdentityModel.JsonWebTokens dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…oft.IdentityModel.JsonWebTokens-6.31.0
Bumps [Microsoft.AspNetCore.Components.WebAssembly.DevServer](https://github.com/dotnet/aspnetcore) from 7.0.5 to 7.0.7. - [Release notes](https://github.com/dotnet/aspnetcore/releases) - [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md) - [Commits](dotnet/aspnetcore@v7.0.5...v7.0.7) --- updated-dependencies: - dependency-name: Microsoft.AspNetCore.Components.WebAssembly.DevServer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [Microsoft.AspNetCore.Components.WebAssembly.Server](https://github.com/dotnet/aspnetcore) from 7.0.5 to 7.0.7. - [Release notes](https://github.com/dotnet/aspnetcore/releases) - [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md) - [Commits](dotnet/aspnetcore@v7.0.5...v7.0.7) --- updated-dependencies: - dependency-name: Microsoft.AspNetCore.Components.WebAssembly.Server dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Working toward Tiered OAuth. Adding new sample Udap.Identity.Provider project that is an Identity Server for identity purposes and presents signed metadata. Udap.Server has a new extension method, "AddUdapServerAsIdentityProvider". It will not create a .well-known/udap endpoint. Rather it will allow the Udap.Metadata.Server extension, "AddUdapMetadataServer", to be configured just like you would with a resource server such as the FhirLabsApi and WeatherApi examples. This is how a Udap.Auth server acting as a client will discover and establish trust with the Udap.Identity.Provider server. Much more to come. Still need to implement an OAuth/OpenId client. The client will be built from Microsoft.AspNetCore.Authentication.OAuth or Microsoft.AspNetCore.Authentication.OpenIdConnect. Or possibly from the base class, RemoteAuthenticationHandler.
…oft.AspNetCore.Components.WebAssembly.Server-7.0.7 Bump Microsoft.AspNetCore.Components.WebAssembly.Server from 7.0.5 to 7.0.7
…oft.AspNetCore.Components.WebAssembly.DevServer-7.0.7 Bump Microsoft.AspNetCore.Components.WebAssembly.DevServer from 7.0.5 to 7.0.7
Bumps [FluentAssertions.Analyzers](https://github.com/fluentassertions/fluentassertions.analyzers) from 0.19.1 to 0.20.0. - [Release notes](https://github.com/fluentassertions/fluentassertions.analyzers/releases) - [Commits](fluentassertions/fluentassertions.analyzers@v0.19.1...0.20.0) --- updated-dependencies: - dependency-name: FluentAssertions.Analyzers dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
This journey puts a reality on the statement that "OpenID is hard to do right". I have a massive amount of refactoring ahead. And still this is not final code. It is by no means close to being done. But it is a good place to capture work.
…Assertions.Analyzers-0.20.0 Bump FluentAssertions.Analyzers from 0.19.1 to 0.20.0
Moving away from middleware and towards a custom OAuthHandler: TieredOAuthAuthenticationHandler : OAuthHandler<TieredOAuthAuthenticationOptions>
The core code that enabled tiered OAuth involves an object called TieredOAuthAuthorizationHandler inherited from the Microsoft base OAuthHandler. I may take another run at this where I inherit from OpenIdConnectHandler. The implementations under these two options are very different mechanically. OAuthHandler is all about overriding methods to extend, whereas OpenIdConnectHandler is more about creating delegates and pointing to those delegates at designated points. It seems a bit harder to generally understand, but the natural flow matching up to tiered OAuth, along with the tested security code (guard), exists. If I stay with OAuth inheritance I will still need to revisit all the code and incorporate all the recommended security code checks.
Consumer defaults to user-prefixed scopes. B2B Auth Code Flow defaults to patient-prefixed scopes. Worked on adding a way to save and select existing client_ids. Worked on cancel registration some more. Still more work to do here. This is all along a path to bring Tiered OAuth into the UI.
IdP BaseUrl is wired in most of the way.
Bumps [OpenTelemetry.Exporter.OpenTelemetryProtocol](https://github.com/open-telemetry/opentelemetry-dotnet) from 1.4.0 to 1.5.1. - [Release notes](https://github.com/open-telemetry/opentelemetry-dotnet/releases) - [Commits](open-telemetry/opentelemetry-dotnet@core-1.4.0...core-1.5.1) --- updated-dependencies: - dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…lemetry.Exporter.OpenTelemetryProtocol-1.5.1 Bump OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.4.0 to 1.5.1
It is required according to specifications in the HL7 Security IG.
… is now SAN and Community. Grant type is no longer part of the client key. Added a LogRequired ServerSettings property. Defaults to true and used in registration validation at auth server. Exposed ClientRegistrationStore in UdapIdentityServerPipelin. Not using it but left it exposed for future access in tests. Started to break down the UdapDynamicClientRegistrationValidator so I could test outside integration. Created a new Validators folder for validation tests. Will revisit this and break down tests and validations later.
Udap.Server/Registration/UdapDynamicClientRegistrationEndpoint.cs
Dismissed
Udap.Server/Security/Authentication/TieredOAuth/TieredOAuthAuthenticationHandler.cs
Dismissed
This is a mechanically functional Tiered OAuth PR. It is not ready for consumption other than to demo it in examples included in this repository.
There are a few security exceptions. They are not ignored and will be addressed as I move out of the Tiered OAuth Alpha stage.
Two important updates from the 2023 CMS Connectathon
Client registrations are keyed off of the SAN and Community only. It used to include grant type.
The logo_uri is required for auth code flow registrations. This has been added to the UdapEd tool and is validated by the example UDAP Auth Server. It can be turned off via configuration.
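As an added illustration of the two Connectathon rules above (this is not code from the Udap.Server project; the type names, the `LogoRequired` setting name, the key format and the absolute-URL check are assumptions made for the example):

```csharp
// Added example, not the project's own validator. Models two rules from the PR:
//  1. a registration is identified by certificate SAN + trust community only
//     (grant type is deliberately not part of the key);
//  2. logo_uri is required for authorization_code registrations, unless the
//     server setting turns the check off (defaults to on).
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class ServerSettings
{
    // Assumed setting name; the PR only says the check defaults to true and
    // can be turned off via configuration.
    public bool LogoRequired { get; set; } = true;
}

public sealed record RegistrationRequest(
    string SubjectAltName,            // SAN from the already-validated client certificate
    string Community,                 // trust community the certificate chains to
    IReadOnlyList<string> GrantTypes, // grant_types from the registration request
    string? LogoUri);                 // logo_uri from the registration request

public static class RegistrationValidator
{
    // Key format is an assumption; the point is that grant type is excluded,
    // so re-registering with a different grant updates the same client.
    public static string ClientKey(RegistrationRequest r) =>
        $"{r.SubjectAltName}|{r.Community}";

    // Returns null when the request passes, otherwise an RFC 7591 error code.
    public static string? Validate(RegistrationRequest r, ServerSettings settings)
    {
        if (r.GrantTypes == null || r.GrantTypes.Count == 0)
            return "invalid_client_metadata";

        bool isAuthCode = r.GrantTypes.Contains("authorization_code");
        if (isAuthCode && settings.LogoRequired)
        {
            // Requiring an absolute URL is this example's choice; the PR only
            // states that logo_uri must be present for auth code flow.
            if (string.IsNullOrWhiteSpace(r.LogoUri) ||
                !Uri.TryCreate(r.LogoUri, UriKind.Absolute, out _))
                return "invalid_client_metadata";
        }

        return null;
    }
}
```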