Add authorization header endpoint, minor cleanup

Author: Keegan Caruso

.gitignore

@@ -357,3 +357,4 @@ MigrationBackup/
 /.SharedData
 /out/
 objd/
+/src/Microsoft.Identity.Web.Sidecar/http-client.env.json

src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs

@@ -0,0 +1,134 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web.Sidecar.Models;
+
+namespace Microsoft.Identity.Web.Sidecar.Endpoints;
+
+internal static class DownstreamApiRequestEndpoints
+{
+    public static void AddDownstreamApiRequestEndpoints(this WebApplication app)
+    {
+        app.MapPost("/AuthorizationHeader/{apiName}", AuthorizationHeaderAsync).
+            WithName("Authorization header").
+            RequireAuthorization().
+            WithOpenApi().
+            ProducesProblem(401);
+    }
+
+    private static async Task<Results<Ok<AuthorizationHeaderResult>, ProblemHttpResult>> AuthorizationHeaderAsync(
+        HttpContext httpContext,
+        [FromRoute] string apiName,
+        [FromQuery] string? agentIdentity,
+        [FromQuery] string? agentUsername,
+        [FromQuery] string? tenant,
+        [FromBody] DownstreamApiOptions? optionsOverride,
+        [FromServices] IAuthorizationHeaderProvider headerProvider,
+        [FromServices] IConfiguration configuration)
+    {
+        DownstreamApiOptions? options = configuration.GetSection($"DownstreamApi:{apiName}").Get<DownstreamApiOptions>();
+
+        if (options is null)
+        {
+            return TypedResults.Problem(
+                detail: $"Not able to resolve '{apiName}'.",
+                statusCode: StatusCodes.Status400BadRequest);
+        }
+
+        if (optionsOverride is not null)
+        {
+            MergeDownstreamApiOptionsOverrides(options, optionsOverride);
+        }
+
+        if (options.Scopes is null)
+        {
+            return TypedResults.Problem(
+                detail: $"No scopes found for the API '{apiName}'. 'scopes' needs to be either a single ",
+                statusCode: StatusCodes.Status400BadRequest);
+        }
+
+        if (!string.IsNullOrEmpty(agentIdentity) && !string.IsNullOrEmpty(agentUsername))
+        {
+            options.WithAgentUserIdentity(agentIdentity, agentUsername);
+        }
+        else if (!string.IsNullOrEmpty(agentIdentity))
+        {
+            options.WithAgentIdentity(agentIdentity);
+        }
+
+        if (!string.IsNullOrEmpty(tenant))
+        {
+            options.AcquireTokenOptions.Tenant = tenant;
+        }
+
+        var result = await headerProvider.CreateAuthorizationHeaderAsync(
+            options.Scopes,
+            options,
+            httpContext.User,
+            httpContext.RequestAborted);
+
+        return TypedResults.Ok(new AuthorizationHeaderResult(result));
+    }
+
+    private static DownstreamApiOptions MergeDownstreamApiOptionsOverrides(DownstreamApiOptions left, DownstreamApiOptions right)
+    {
+        if (right is null)
+        {
+            return left;
+        }
+
+        var res = left.Clone();
+
+        if (right.Scopes is not null && right.Scopes.Any())
+        {
+            res.Scopes = right.Scopes;
+        }
+
+        if (!string.IsNullOrEmpty(right.AcquireTokenOptions.Tenant))
+        {
+            res.AcquireTokenOptions.Tenant = right.AcquireTokenOptions.Tenant;
+        }
+
+        if (!string.IsNullOrEmpty(right.AcquireTokenOptions.Claims))
+        {
+            res.AcquireTokenOptions.Claims = right.AcquireTokenOptions.Claims;
+        }
+
+        if (!string.IsNullOrEmpty(right.AcquireTokenOptions.AuthenticationOptionsName))
+        {
+            res.AcquireTokenOptions.AuthenticationOptionsName = right.AcquireTokenOptions.AuthenticationOptionsName;
+        }
+
+        if (!string.IsNullOrEmpty(right.AcquireTokenOptions.FmiPath))
+        {
+            res.AcquireTokenOptions.FmiPath = right.AcquireTokenOptions.FmiPath;
+        }
+
+        if (!string.IsNullOrEmpty(right.RelativePath))
+        {
+            res.RelativePath = right.RelativePath;
+        }
+
+        res.AcquireTokenOptions.ForceRefresh = right.AcquireTokenOptions.ForceRefresh;
+
+        if (right.AcquireTokenOptions.ExtraParameters is not null)
+        {
+            if (res.AcquireTokenOptions.ExtraParameters is null)
+            {
+                res.AcquireTokenOptions.ExtraParameters = new Dictionary<string, object>();
+            }
+            foreach (var extraParameter in right.AcquireTokenOptions.ExtraParameters)
+            {
+                if (!res.AcquireTokenOptions.ExtraParameters.ContainsKey(extraParameter.Key))
+                {
+                    res.AcquireTokenOptions.ExtraParameters.Add(extraParameter.Key, extraParameter.Value);
+                }
+            }
+        }
+
+        return res;
+    }
+}

src/Microsoft.Identity.Web.Sidecar/ValidateRequestEndpoints.cs renamed to src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs

@@ -14,31 +14,31 @@ internal static class ValidateRequestEndpoints
     public static void AddValidateRequestEndpoints(this WebApplication app)
     {
         app.MapGet("/Validate", ValidateEndpoint).
-            WithName("Validate Authorization header")
-            .RequireAuthorization()
-            .WithOpenApi()
-            .ProducesProblem(401);
+            WithName("Validate Authorization header").
+            RequireAuthorization().
+            WithOpenApi().
+            ProducesProblem(401);
     }
 
     private static Results<Ok<ValidateAuthorizationHeaderResult>, ProblemHttpResult> ValidateEndpoint(HttpContext httpContext, IConfiguration configuration)
     {
-        string scopeRequiredByApi = configuration["AzureAd:Scopes"] ?? "";
+        string scopeRequiredByApi = configuration["AzureAd:Scopes"] ?? string.Empty;
         httpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
 
         var claimsPrincipal = httpContext.User;
         var token = claimsPrincipal.GetBootstrapToken() as JsonWebToken;
 
         if (token is null)
         {
-            return TypedResults.Problem("No token found", statusCode: 400);
+            return TypedResults.Problem("No token found", statusCode: StatusCodes.Status400BadRequest);
         }
 
         var decodedBody = Base64Url.DecodeFromChars(token.EncodedPayload);
         var jsonDoc = JsonSerializer.Deserialize<JsonNode>(decodedBody);
 
         if (jsonDoc is null)
         {
-            return TypedResults.Problem("Failed to decode token claims", statusCode: 400);
+            return TypedResults.Problem("Failed to decode token claims", statusCode: StatusCodes.Status400BadRequest);
         }
 
         var result = new ValidateAuthorizationHeaderResult(

src/Microsoft.Identity.Web.Sidecar/Microsoft.Identity.Web.Sidecar.csproj

@@ -8,29 +8,32 @@
     <GenerateDocumentationFile>False</GenerateDocumentationFile>
     <IsPackable>false</IsPackable>
     <EnablePackageValidation>false</EnablePackageValidation>
-    <NoWarn>$(NoWarn); RS0016</NoWarn>
+    <NoWarn>
+      $(NoWarn);
+      <!--RS0016: Add public types and members to the declared API-->
+      RS0016;
+      <!--RS0036: Annotate nullability of public types and members in the declared API-->
+      RS0036;
+      <!--RS0037: Enable tracking of nullability of reference types in the declared API-->
+      RS0037;
+      <!--RS0051: Add internal types and members to the declared API-->
+      RS0051
+    </NoWarn>
   </PropertyGroup>
 
-  <PropertyGroup>
-    <!--RS0016: Add public types and members to the declared API-->
-    <NoWarn>RS0016</NoWarn>
-    <!--RS0036: Annotate nullability of public types and members in the declared API-->
-    <NoWarn>RS0036</NoWarn>
-    <!--RS0037: Enable tracking of nullability of reference types in the declared API-->
-    <NoWarn>RS0037</NoWarn>
-    <!--RS0051: Add internal types and members to the declared API-->
-    <NoWarn>RS0051</NoWarn>
-  </PropertyGroup>
-
-
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.9" NoWarn="NU1605" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.9" NoWarn="NU1605" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.9" />
+    <PackageReference Include="Microsoft.Extensions.ApiDescription.Server" Version="9.0.9">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
   </ItemGroup>
 
 
   <ItemGroup>
+    <ProjectReference Include="..\Microsoft.Identity.Web.AgentIdentities\Microsoft.Identity.Web.AgentIdentities.csproj" />
     <ProjectReference Include="..\Microsoft.Identity.Web.DownstreamApi\Microsoft.Identity.Web.DownstreamApi.csproj" />
     <ProjectReference Include="..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
   </ItemGroup>

src/Microsoft.Identity.Web.Sidecar/Microsoft.Identity.Web.Sidecar.http

@@ -1,10 +1,15 @@
 @Microsoft.Identity.Web.Sidecar_HostAddress = http://localhost:5178
 
+GET {{Microsoft.Identity.Web.Sidecar_HostAddress}}/openapi/v1.json
+Accept: application/json
+
+###
+
 GET {{Microsoft.Identity.Web.Sidecar_HostAddress}}/Validate/
 Accept: application/json
 Authorization: Bearer {{AccessToken}}
 
 ###
 
-GET {{Microsoft.Identity.Web.Sidecar_HostAddress}}/openapi/v1.json
-Accept: application/json
+POST {{Microsoft.Identity.Web.Sidecar_HostAddress}}/AuthorizationHeader/me
+Authorization: Bearer {{AccessToken}}

src/Microsoft.Identity.Web.Sidecar/Models/AuthorizationHeaderResult.cs

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Sidecar.Models;
+
+internal record AuthorizationHeaderResult(string AuthorizationHeader);

src/Microsoft.Identity.Web.Sidecar/ValidateAuthorizationHeaderResult.cs renamed to src/Microsoft.Identity.Web.Sidecar/Models/ValidateAuthorizationHeaderResult.cs

@@ -1,55 +1,62 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-#pragma warning disable RS0016 // Public API
 
 using System.Diagnostics;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.Sidecar.Endpoints;
 using Microsoft.IdentityModel.JsonWebTokens;
 
-var builder = WebApplication.CreateBuilder(args);
+namespace Microsoft.Identity.Web.Sidecar;
 
-// Add services to the container.
-builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-    .AddMicrosoftIdentityWebApi(
-        configureJwtBearerOptions: jwtBearerOptions =>
-        {
-            builder.Configuration.GetSection("AzureAd").Bind(jwtBearerOptions);
-            jwtBearerOptions.Events ??= new();
-            jwtBearerOptions.Events.OnTokenValidated = context =>
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        var builder = WebApplication.CreateBuilder(args);
+
+        // Add services to the container.
+        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))
+            .EnableTokenAcquisitionToCallDownstreamApi()
+            .AddInMemoryTokenCaches();
+
+        builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme,
+            options =>
             {
-                Debug.Assert(context.SecurityToken is JsonWebToken, "Token should always be JsonWebToken");
-                var token = (JsonWebToken)context.SecurityToken;
-
-                if (context.Principal?.Identities.FirstOrDefault() is null)
+                options.Events ??= new();
+                options.Events.OnTokenValidated = context =>
                 {
-                    context.Fail("No principal or no identity");
-                    return Task.FromResult(context);
-                }
-
-                context.Principal.Identities.First().BootstrapContext = token!.InnerToken is not null ? token.InnerToken: token;
-                return Task.FromResult(context);
-            };
-        },
-        configureMicrosoftIdentityOptions: msidOptions => builder.Configuration.GetSection("AzureAd").Bind(msidOptions));
+                    Debug.Assert(context.SecurityToken is JsonWebToken, "Token should always be JsonWebToken");
+                    var token = (JsonWebToken)context.SecurityToken;
 
-builder.Services.AddAuthorization();
+                    if (context.Principal?.Identities.FirstOrDefault() is null)
+                    {
+                        context.Fail("No principal or no identity");
+                        return Task.FromResult(context);
+                    }
 
-// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
-builder.Services.AddOpenApi();
+                    context.Principal.Identities.First().BootstrapContext = token.InnerToken is not null ? token.InnerToken : token;
+                    return Task.FromResult(context);
+                };
+            });
 
-var app = builder.Build();
+        builder.Services.AddAuthorization();
 
-// Configure the HTTP request pipeline.
-if (app.Environment.IsDevelopment())
-{
-    app.MapOpenApi();
-}
+        // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+        builder.Services.AddOpenApi();
 
-app.AddValidateRequestEndpoints();
+        var app = builder.Build();
 
-app.Run();
+        // Configure the HTTP request pipeline.
+        if (app.Environment.IsDevelopment())
+        {
+            app.MapOpenApi();
+        }
 
+        app.AddValidateRequestEndpoints();
+        app.AddDownstreamApiRequestEndpoints();
 
-// Added for test project WebApplicationFactory discovery
-public partial class Program { }
+        app.Run();
+    }
+}

src/Microsoft.Identity.Web.Sidecar/Program.cs

@@ -2,7 +2,7 @@
   "Logging": {
     "LogLevel": {
       "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
+      "Microsoft.AspNetCore": "Information"
     }
   }
 }

src/Microsoft.Identity.Web.Sidecar/appsettings.Development.json

@@ -1,4 +1,5 @@
 {
+    "$schema": "https://raw.githubusercontent.com/AzureAD/microsoft-identity-web/refs/heads/master/JsonSchemas/microsoft-identity-web.json",
     /*
 The following identity settings need to be configured
 before the project can be successfully executed.
@@ -11,15 +12,29 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
 
         "Scopes": "access_as_user",
 
-        "ClientCertificates": [
+        "ClientCredentials": [
+            {
+                "SourceType": "StoreWithDistinguishedName",
+                "CertificateStorePath": "LocalMachine/My",
+                "CertificateDistinguishedName": "CN=LabAuth.MSIDLab.com"
+            }
         ],
 
         "EnablePiiLogging": false
     },
+
+    "DownstreamApi": {
+        "me": {
+            "BaseUrl": "https://graph.microsoft.com/v1.0/",
+            "RelativePath": "me",
+            "Scopes": [ "User.Read" ]
+        }
+    },
+
     "Logging": {
         "LogLevel": {
             "Default": "Information",
-            "Microsoft.AspNetCore": "Information"
+            "Microsoft.AspNetCore": "Warning"
         }
     },
     "AllowedHosts": "*"