AddIdentityBearer + IdentityBearerOptions.ExtractBearerToken

- Extra API cleanup

Author: halter73

src/Identity/Endpoints/src/ConfigureIdentityEndpointJsonOptions.cs

@@ -8,6 +8,6 @@ namespace Microsoft.AspNetCore.Identity.Endpoints.DTO;
 [JsonSerializable(typeof(RegisterRequest))]
 [JsonSerializable(typeof(LoginRequest))]
 [JsonSerializable(typeof(AccessTokenResponse))]
-internal sealed partial class IdentityEndpointJsonSerializerContext : JsonSerializerContext
+internal sealed partial class IdentityEndpointsJsonSerializerContext : JsonSerializerContext
 {
 }

src/Identity/Endpoints/src/DTO/IdentityEndpointJsonSerializerContext.cs renamed to src/Identity/Endpoints/src/DTO/IdentityEndpointsJsonSerializerContext.cs

@@ -0,0 +1,27 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Identity.Endpoints;
+using Microsoft.AspNetCore.Routing;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// Extension methods to configure the identity bearer token authentication used by <see cref="IdentityEndpointRouteBuilderExtensions.MapIdentity{TUser}(IEndpointRouteBuilder)"/>.
+/// </summary>
+public static class IdentityBearerAuthenticationBuilderExtensions
+{
+    /// <summary>
+    /// Adds identity bearer token authentication. The default scheme is specified by <see cref="IdentityConstants.BearerScheme"/>.
+    /// <para>
+    /// Identity bearer tokens can be obtained from endpoints added by <see cref="IdentityEndpointRouteBuilderExtensions.MapIdentity{TUser}(IEndpointRouteBuilder)"/>.
+    /// </para>
+    /// </summary>
+    /// <param name="builder">The <see cref="AuthenticationBuilder"/>.</param>
+    /// <param name="configure">Action used to configure the identity bearer token authentication options.</param>
+    /// <returns>A reference to <paramref name="builder"/> after the operation has completed.</returns>
+    public static AuthenticationBuilder AddIdentityBearer(this AuthenticationBuilder builder, Action<IdentityBearerOptions>? configure)
+        => builder.AddScheme<IdentityBearerOptions, IdentityBearerAuthenticationHandler>(IdentityConstants.BearerScheme, configure);
+}

src/Identity/Endpoints/src/IdentityBearerAuthenticationBuilderExtensions.cs

@@ -13,18 +13,18 @@
 
 namespace Microsoft.AspNetCore.Identity.Endpoints;
 
-internal sealed class IdentityBearerAuthenticationHandler : SignInAuthenticationHandler<IdentityBearerAuthenticationOptions>
+internal sealed class IdentityBearerAuthenticationHandler : SignInAuthenticationHandler<IdentityBearerOptions>
 {
     private const string BearerTokenPurpose = $"Microsoft.AspNetCore.Identity.Endpoints.IdentityBearerAuthenticationHandler:v1:BearerToken";
 
-    private static readonly Task<AuthenticateResult> TokenMissingTask = Task.FromResult(AuthenticateResult.Fail("Token missing"));
-    private static readonly Task<AuthenticateResult> FailedUnprotectingTokenTask = Task.FromResult(AuthenticateResult.Fail("Unprotect token failed"));
-    private static readonly Task<AuthenticateResult> TokenExpiredTask = Task.FromResult(AuthenticateResult.Fail("Token expired"));
+    private static readonly AuthenticateResult TokenMissing = AuthenticateResult.Fail("Token missing");
+    private static readonly AuthenticateResult FailedUnprotectingToken = AuthenticateResult.Fail("Unprotected token failed");
+    private static readonly AuthenticateResult TokenExpired = AuthenticateResult.Fail("Token expired");
 
     private readonly IDataProtectionProvider _fallbackDataProtectionProvider;
 
     public IdentityBearerAuthenticationHandler(
-        IOptionsMonitor<IdentityBearerAuthenticationOptions> optionsMonitor,
+        IOptionsMonitor<IdentityBearerOptions> optionsMonitor,
         ILoggerFactory loggerFactory,
         UrlEncoder urlEncoder,
         ISystemClock clock,
@@ -40,43 +40,60 @@ private IDataProtectionProvider DataProtectionProvider
     private ISecureDataFormat<AuthenticationTicket> BearerTokenProtector
         => Options.BearerTokenProtector ?? new TicketDataFormat(DataProtectionProvider.CreateProtector(BearerTokenPurpose));
 
-    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         // If there's no bearer token, forward to cookie auth.
-        if (GetBearerTokenOrNull() is not string token)
+        if (await GetBearerTokenOrNullAsync() is not string token)
         {
-            return Options.BearerTokenMissingFallbackScheme is string fallbackScheme
-                ? Context.AuthenticateAsync(fallbackScheme)
-                : TokenMissingTask;
+            return Options.MissingBearerTokenFallbackScheme is string fallbackScheme
+                ? await Context.AuthenticateAsync(fallbackScheme)
+                : TokenMissing;
         }
 
         var ticket = BearerTokenProtector.Unprotect(token);
 
         if (ticket?.Properties?.ExpiresUtc is null)
         {
-            return FailedUnprotectingTokenTask;
+            return FailedUnprotectingToken;
         }
 
         if (Clock.UtcNow >= ticket.Properties.ExpiresUtc)
         {
-            return TokenExpiredTask;
+            return TokenExpired;
         }
 
-        return Task.FromResult(AuthenticateResult.Success(ticket));
+        return AuthenticateResult.Success(ticket);
     }
 
-    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
+    protected override async Task HandleForbiddenAsync(AuthenticationProperties properties)
     {
         // If there's no bearer token, forward to cookie auth.
-        if (GetBearerTokenOrNull() is null)
+        if (await GetBearerTokenOrNullAsync() is null)
         {
-            return Options.BearerTokenMissingFallbackScheme is string fallbackScheme
-                ? Context.AuthenticateAsync(fallbackScheme)
-                : TokenMissingTask;
+            if (Options.MissingBearerTokenFallbackScheme is string fallbackScheme)
+            {
+                await Context.ForbidAsync(fallbackScheme);
+                return;
+            }
+        }
+
+        await base.HandleForbiddenAsync(properties);
+    }
+
+    protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        // If there's no bearer token, forward to cookie auth.
+        if (await GetBearerTokenOrNullAsync() is null)
+        {
+            if (Options.MissingBearerTokenFallbackScheme is string fallbackScheme)
+            {
+                await Context.ChallengeAsync(fallbackScheme);
+                return;
+            }
         }
 
         Response.Headers.Append(HeaderNames.WWWAuthenticate, "Bearer");
-        return base.HandleChallengeAsync(properties);
+        await base.HandleChallengeAsync(properties);
     }
 
     protected override Task HandleSignInAsync(ClaimsPrincipal user, AuthenticationProperties? properties)
@@ -97,11 +114,17 @@ protected override Task HandleSignInAsync(ClaimsPrincipal user, AuthenticationPr
     protected override Task HandleSignOutAsync(AuthenticationProperties? properties)
         => throw new NotSupportedException($"""
 Sign out is not currently supported by identity bearer tokens.
-If you want to delete cookies or clear a session, specify "{Options.BearerTokenMissingFallbackScheme}" as the authentication scheme.
+If you want to delete cookies or clear a session, specify "{IdentityConstants.ApplicationScheme}" as the authentication scheme.
 """);
 
-    private string? GetBearerTokenOrNull()
+    private async ValueTask<string?> GetBearerTokenOrNullAsync()
     {
+        if (Options.ExtractBearerToken is not null &&
+            await Options.ExtractBearerToken(Context) is string token)
+        {
+            return token;
+        }
+
         var authorization = Request.Headers.Authorization.ToString();
 
         return authorization.StartsWith("Bearer ", StringComparison.Ordinal)

src/Identity/Endpoints/src/IdentityBearerAuthenticationHandler.cs

@@ -3,14 +3,16 @@
 
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.AspNetCore.Identity.Endpoints;
 
 /// <summary>
 /// Contains the options used to authenticate using bearer tokens issued by <see cref="IdentityEndpointRouteBuilderExtensions.MapIdentity{TUser}(IEndpointRouteBuilder)"/>.
 /// </summary>
-public sealed class IdentityBearerAuthenticationOptions : AuthenticationSchemeOptions
+public sealed class IdentityBearerOptions : AuthenticationSchemeOptions
 {
     /// <summary>
     /// Controls how much time the bearer token will remain valid from the point it is created.
@@ -31,8 +33,15 @@ public sealed class IdentityBearerAuthenticationOptions : AuthenticationSchemeOp
     public IDataProtectionProvider? DataProtectionProvider { get; set; }
 
     /// <summary>
-    /// If set, authentication and challenges will be forwarded to this scheme only if the request does not contain a bearer token.
-    /// This is typically set to Usually Identity.Application cookies <see cref="IdentityConstants.ApplicationScheme"/>
+    /// If set, authentication will be forwarded to this scheme only if the request does not contain a bearer token.
+    /// This is typically set to <see cref="IdentityConstants.ApplicationScheme"/> ("Identity.Application") the for identity cookies by
+    /// <see cref="IdentityEndpointsServiceCollectionExtensions.AddIdentityEndpoints{TUser}(IServiceCollection)"/>.
     /// </summary>
-    public string? BearerTokenMissingFallbackScheme { get; set; }
+    public string? MissingBearerTokenFallbackScheme { get; set; }
+
+    /// <summary>
+    /// If set, this provides the bearer token. If unset, the bearer token is read from the Authorization  request header with a "Bearer " prefix.
+    /// </summary>
+    public Func<HttpContext, ValueTask<string?>>? ExtractBearerToken { get; set; }
 }
+

src/Identity/Endpoints/src/IdentityBearerSchemeOptions.cs renamed to src/Identity/Endpoints/src/IdentityBearerOptions.cs

@@ -72,11 +72,11 @@ public static class IdentityEndpointRouteBuilderExtensions
             return TypedResults.SignIn(claimsPrincipal, authenticationScheme: scheme);
         });
 
-        return new IdentityEndpointConventionBuilder(v1);
+        return new IdentityEndpointsConventionBuilder(v1);
     }
 
     // Wrap RouteGroupBuilder with a non-public type to avoid a potential future behavioral breaking change.
-    private sealed class IdentityEndpointConventionBuilder(RouteGroupBuilder inner) : IEndpointConventionBuilder
+    private sealed class IdentityEndpointsConventionBuilder(RouteGroupBuilder inner) : IEndpointConventionBuilder
     {
         private readonly IEndpointConventionBuilder _inner = inner;
 

src/Identity/Endpoints/src/IdentityEndpointRouteBuilderExtensions.cs

@@ -0,0 +1,17 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.AspNetCore.Identity.Endpoints.DTO;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.AspNetCore.Identity.Endpoints;
+
+internal sealed class IdentityEndpointsJsonOptionsSetup : IConfigureOptions<JsonOptions>
+{
+    public void Configure(JsonOptions options)
+    {
+        // Put our resolver in front of the reflection-based one. See ProblemDetailsOptionsSetup for a detailed explanation.
+        options.SerializerOptions.TypeInfoResolverChain.Insert(0, IdentityEndpointsJsonSerializerContext.Default);
+    }
+}