Auth for dashboard web app and resource service client (#3033)

* Enable basic certificate auth for resource service This adds the ability to configured the gRPC connection from the dashboard to a resource service to use certificates for authentication. Such auth is not used in the local dev scenario, so the app host is changed to suppress auth via the `DOTNET_RESOURCE_SERVICE_DISABLE_AUTH` environment variable. The dashboard will now require certificates unless this variable is set to `1`. This discourages self-hosting the dashboard in an insecure manner. * Support loading client cert from keystore * Use enum for resource service auth mode * Dashboard web app supports OpenID Connect * Use a single authentication call for both the web app and OTLP Use explicit policies and configure those policies with the authentication schemes required. Also rejig some config settings for consistency. * Remove redundant configuration key * Rename "web app" to "frontend" * Reorder readme sections and adjust headings and their levels * Seal class * Simplify frontend auth implementation * Add docs * More thorough enum validation * Remove unused config key * Change exception type
dotnet · Mar 25, 2024 · 4768eb6 · 4768eb6
1 parent c97c3d7
commit 4768eb6
Show file tree

Hide file tree

Showing 16 changed files with 343 additions and 136 deletions.
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -39,6 +39,7 @@
     <PackageVersion Include="Azure.Provisioning" Version="1.0.0-alpha.20240315.2" />
     <!-- ASP.NET Core dependencies -->
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.Certificate" Version="$(MicrosoftAspNetCoreAuthenticationCertificatePackageVersion)" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="$(MicrosoftAspNetCoreOpenApiPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OutputCaching.StackExchangeRedis" Version="$(MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsCachingStackExchangeRedisPackageVersion)" />

diff --git a/eng/Versions.props b/eng/Versions.props
@@ -34,6 +34,7 @@
     <MicrosoftExtensionsOptionsPackageVersion>8.0.2</MicrosoftExtensionsOptionsPackageVersion>
     <MicrosoftExtensionsPrimitivesPackageVersion>8.0.0</MicrosoftExtensionsPrimitivesPackageVersion>
     <MicrosoftAspNetCoreAuthenticationCertificatePackageVersion>8.0.3</MicrosoftAspNetCoreAuthenticationCertificatePackageVersion>
+    <MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>8.0.3</MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>
     <MicrosoftAspNetCoreOpenApiPackageVersion>8.0.3</MicrosoftAspNetCoreOpenApiPackageVersion>
     <MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>8.0.2</MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>
     <MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>8.0.2</MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>

diff --git a/src/Aspire.Dashboard/Aspire.Dashboard.csproj b/src/Aspire.Dashboard/Aspire.Dashboard.csproj
@@ -24,6 +24,7 @@
     <PackageReference Include="Grpc.AspNetCore" />
     <PackageReference Include="Humanizer.Core" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
     <PackageReference Include="Microsoft.FluentUI.AspNetCore.Components" />
     <PackageReference Include="Microsoft.FluentUI.AspNetCore.Components.Icons" />
   </ItemGroup>

diff --git a/src/Aspire.Dashboard/Authentication/OtlpAuthMode.cs b/src/Aspire.Dashboard/Authentication/OtlpAuthMode.cs
@@ -5,7 +5,7 @@ namespace Aspire.Dashboard.Authentication;
 
 public enum OtlpAuthMode
 {
-    None,
+    Unsecured,
     ApiKey,
     ClientCertificate
 }
diff --git a/src/Aspire.Dashboard/Authentication/OtlpCompositeAuthenticationHandler.cs b/src/Aspire.Dashboard/Authentication/OtlpCompositeAuthenticationHandler.cs
@@ -11,30 +11,18 @@
 
 namespace Aspire.Dashboard.Authentication;
 
-public sealed class OtlpCompositeAuthenticationHandler : AuthenticationHandler<OtlpCompositeAuthenticationHandlerOptions>
+public sealed class OtlpCompositeAuthenticationHandler(
+    IOptionsMonitor<OtlpCompositeAuthenticationHandlerOptions> options,
+    ILoggerFactory logger,
+    UrlEncoder encoder)
+        : AuthenticationHandler<OtlpCompositeAuthenticationHandlerOptions>(options, logger, encoder)
 {
-    public OtlpCompositeAuthenticationHandler(IOptionsMonitor<OtlpCompositeAuthenticationHandlerOptions> options, ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder)
-    {
-    }
-
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        var connectionResult = await Context.AuthenticateAsync(OtlpConnectionAuthenticationDefaults.AuthenticationScheme).ConfigureAwait(false);
-        if (connectionResult.Failure != null)
-        {
-            return connectionResult;
-        }
-
-        var scheme = Options.OtlpAuthMode switch
-        {
-            OtlpAuthMode.ApiKey => OtlpApiKeyAuthenticationDefaults.AuthenticationScheme,
-            OtlpAuthMode.ClientCertificate => CertificateAuthenticationDefaults.AuthenticationScheme,
-            _ => null
-        };
-
-        if (scheme is not null)
+        foreach (var scheme in GetRelevantAuthenticationSchemes())
         {
             var result = await Context.AuthenticateAsync(scheme).ConfigureAwait(false);
+
             if (result.Failure is not null)
             {
                 return result;
@@ -44,6 +32,20 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         var id = new ClaimsIdentity([new Claim(OtlpAuthorization.OtlpClaimName, bool.TrueString)]);
 
         return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(id), Scheme.Name));
+
+        IEnumerable<string> GetRelevantAuthenticationSchemes()
+        {
+            yield return OtlpConnectionAuthenticationDefaults.AuthenticationScheme;
+
+            if (Options.OtlpAuthMode is OtlpAuthMode.ApiKey)
+            {
+                yield return OtlpApiKeyAuthenticationDefaults.AuthenticationScheme;
+            }
+            else if (Options.OtlpAuthMode is OtlpAuthMode.ClientCertificate)
+            {
+                yield return CertificateAuthenticationDefaults.AuthenticationScheme;
+            }
+        }
     }
 }
 

diff --git a/src/Aspire.Dashboard/Components/_Imports.razor b/src/Aspire.Dashboard/Components/_Imports.razor
@@ -1,5 +1,8 @@
 @using System.Net.Http
 @using System.Net.Http.Json
+@using Aspire.Dashboard.Authentication
+@using Microsoft.AspNetCore.Authentication.OpenIdConnect
+@using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Components.Forms
 @using Microsoft.AspNetCore.Components.Routing
 @using Microsoft.AspNetCore.Components.Web
@@ -10,3 +13,6 @@
 @using Aspire.Dashboard.Components
 @using Aspire.Dashboard.Components.Controls
 @using Microsoft.Extensions.Localization
+
+@* Require authorization for all pages of the web app *@
+@attribute [Authorize(Policy = FrontendAuthorizationDefaults.PolicyName)]
diff --git a/src/Aspire.Dashboard/DashboardStartupConfiguration.cs b/src/Aspire.Dashboard/DashboardStartupConfiguration.cs
diff --git a/src/Aspire.Dashboard/DashboardWebApplication.cs b/src/Aspire.Dashboard/DashboardWebApplication.cs
@@ -12,19 +12,25 @@
 using Aspire.Dashboard.Otlp.Grpc;
 using Aspire.Dashboard.Otlp.Storage;
 using Microsoft.AspNetCore.Authentication.Certificate;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.HttpsPolicy;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.FluentUI.AspNetCore.Components;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 
 namespace Aspire.Dashboard;
 
-public class DashboardWebApplication : IAsyncDisposable
+public sealed class DashboardWebApplication : IAsyncDisposable
 {
-    internal const string DashboardInsecureAllowAnonymousVariableName = "DOTNET_DASHBOARD_INSECURE_ALLOW_ANONYMOUS";
-    internal const string DashboardOtlpAuthModeVariableName = "DOTNET_DASHBOARD_OTLP_AUTH_MODE";
-    internal const string DashboardOtlpApiKeyVariableName = "DOTNET_DASHBOARD_OTLP_API_KEY";
+    internal const string FrontendAuthModeKey = "Frontend:AuthMode";
+
+    internal const string OtlpAuthModeKey = "Otlp:AuthMode";
+    internal const string OtlpApiKeyKey = "Otlp:ApiKey";
+
     internal const string DashboardOtlpUrlVariableName = "DOTNET_DASHBOARD_OTLP_ENDPOINT_URL";
     internal const string DashboardOtlpUrlDefaultValue = "http://localhost:18889";
     internal const string DashboardUrlVariableName = "ASPNETCORE_URLS";
@@ -51,10 +57,8 @@ public Func<EndpointInfo> OtlpServiceEndPointAccessor
     public DashboardWebApplication(Action<WebApplicationBuilder>? configureBuilder = null)
     {
         var builder = WebApplication.CreateBuilder();
-        if (configureBuilder != null)
-        {
-            configureBuilder(builder);
-        }
+
+        configureBuilder?.Invoke(builder);
 
 #if !DEBUG
         builder.Logging.AddFilter("Default", LogLevel.Information);
@@ -320,8 +324,8 @@ static Func<EndpointInfo> CreateEndPointAccessor(ListenOptions options, bool isH
 
     private static void ConfigureAuthentication(WebApplicationBuilder builder, DashboardStartupConfiguration dashboardStartupConfig)
     {
-        builder.Services
-            .AddAuthentication(defaultScheme: OtlpCompositeAuthenticationDefaults.AuthenticationScheme)
+        var authentication = builder.Services
+            .AddAuthentication()
             .AddScheme<OtlpCompositeAuthenticationHandlerOptions, OtlpCompositeAuthenticationHandler>(OtlpCompositeAuthenticationDefaults.AuthenticationScheme, o =>
             {
                 o.OtlpAuthMode = dashboardStartupConfig.OtlpAuthMode;
@@ -333,7 +337,7 @@ private static void ConfigureAuthentication(WebApplicationBuilder builder, Dashb
             .AddScheme<OtlpConnectionAuthenticationHandlerOptions, OtlpConnectionAuthenticationHandler>(OtlpConnectionAuthenticationDefaults.AuthenticationScheme, o => { })
             .AddCertificate(options =>
             {
-                // Bind options to configuration so they can be override by environment variables.
+                // Bind options to configuration so they can be overridden by environment variables.
                 builder.Configuration.Bind("CertificateAuthentication", options);
 
                 options.Events = new CertificateAuthenticationEvents
@@ -358,9 +362,76 @@ private static void ConfigureAuthentication(WebApplicationBuilder builder, Dashb
                 };
             });
 
+        if (dashboardStartupConfig.FrontendAuthMode == FrontendAuthMode.OpenIdConnect)
+        {
+            authentication.AddPolicyScheme(FrontendAuthenticationDefaults.AuthenticationScheme, displayName: FrontendAuthenticationDefaults.AuthenticationScheme, o =>
+            {
+                // The frontend authentication scheme just redirects to OpenIdConnect and Cookie schemes, as appropriate.
+                o.ForwardDefault = CookieAuthenticationDefaults.AuthenticationScheme;
+                o.ForwardChallenge = OpenIdConnectDefaults.AuthenticationScheme;
+            });
+
+            authentication.AddCookie();
+
+            authentication.AddOpenIdConnect(options =>
+            {
+                // Use authorization code flow so clients don't see access tokens.
+                options.ResponseType = OpenIdConnectResponseType.Code;
+
+                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+
+                // Scopes "openid" and "profile" are added by default, but need to be re-added
+                // in case configuration exists for Authentication:Schemes:OpenIdConnect:Scope.
+                if (!options.Scope.Contains(OpenIdConnectScope.OpenId))
+                {
+                    options.Scope.Add(OpenIdConnectScope.OpenId);
+                }
+
+                if (!options.Scope.Contains("profile"))
+                {
+                    options.Scope.Add("profile");
+                }
+
+                // Redirect to resources upon sign-in.
+                options.CallbackPath = TargetLocationInterceptor.ResourcesPath;
+
+                // Avoid "message.State is null or empty" due to use of CallbackPath above.
+                options.SkipUnrecognizedRequests = true;
+            });
+        }
+
         builder.Services.AddAuthorization(options =>
         {
-            options.AddPolicy(OtlpAuthorization.PolicyName, policy => policy.RequireClaim(OtlpAuthorization.OtlpClaimName));
+            options.AddPolicy(
+                name: OtlpAuthorization.PolicyName,
+                policy: new AuthorizationPolicyBuilder(
+                    OtlpCompositeAuthenticationDefaults.AuthenticationScheme)
+                    .RequireClaim(OtlpAuthorization.OtlpClaimName)
+                    .Build());
+
+            if (dashboardStartupConfig.FrontendAuthMode == FrontendAuthMode.OpenIdConnect)
+            {
+                // Frontend is secured with OIDC, so delegate to that authentication scheme.
+                options.AddPolicy(
+                    name: FrontendAuthorizationDefaults.PolicyName,
+                    policy: new AuthorizationPolicyBuilder(
+                        FrontendAuthenticationDefaults.AuthenticationScheme)
+                        .RequireAuthenticatedUser()
+                        .Build());
+            }
+            else if (dashboardStartupConfig.FrontendAuthMode == FrontendAuthMode.Unsecured)
+            {
+                // Frontend is unsecured so our policy doesn't need any special handling.
+                options.AddPolicy(
+                    name: FrontendAuthorizationDefaults.PolicyName,
+                    policy: new AuthorizationPolicyBuilder()
+                        .RequireAssertion(_ => true)
+                        .Build());
+            }
+            else
+            {
+                throw new NotSupportedException($"Unexpected {nameof(FrontendAuthMode)} enum member.");
+            }
         });
     }
 
@@ -382,55 +453,74 @@ private static DashboardStartupConfiguration LoadDashboardConfig(IConfiguration
         var browserUris = configuration.GetUris(DashboardUrlVariableName, new(DashboardUrlDefaultValue));
         if (browserUris.Length == 0)
         {
-            throw new InvalidOperationException($"One URL for Aspire dashboard OTLP endpoint with {DashboardUrlDefaultValue} is required.");
+            throw new InvalidOperationException($"At least one URL for Aspire dashboard browser endpoint with {DashboardOtlpUrlDefaultValue} is required.");
         }
 
+        var frontendAuthMode = configuration.GetEnum<FrontendAuthMode>(FrontendAuthModeKey);
+
         var otlpUris = configuration.GetUris(DashboardOtlpUrlVariableName, new(DashboardOtlpUrlDefaultValue));
         if (otlpUris.Length != 1)
         {
-            throw new InvalidOperationException($"At least one URL for Aspire dashboard browser endpoint with {DashboardOtlpUrlDefaultValue} is required.");
+            throw new InvalidOperationException($"One URL for Aspire dashboard OTLP endpoint with {DashboardUrlDefaultValue} is required, not {otlpUris.Length}.");
         }
 
-        var allowAnonymous = configuration.GetBool(DashboardInsecureAllowAnonymousVariableName) ?? false;
-        var otlpAuthMode = configuration.GetEnum<OtlpAuthMode>(DashboardOtlpAuthModeVariableName);
+        var otlpAuthMode = configuration.GetEnum<OtlpAuthMode>(OtlpAuthModeKey);
+
         string? otlpApiKey = null;
 
         switch (otlpAuthMode)
         {
-            case null:
-                if (!allowAnonymous)
-                {
-                    throw new InvalidOperationException($"Configuration of OTLP endpoint authentication is required. Either specify {DashboardInsecureAllowAnonymousVariableName} with a value of true, or specify {DashboardOtlpAuthModeVariableName}. Possible values: {string.Join(", ", typeof(OtlpAuthMode).GetEnumNames())}");
-                }
-                otlpAuthMode = OtlpAuthMode.None;
-                break;
-            case OtlpAuthMode.None:
-                break;
             case OtlpAuthMode.ApiKey:
-                otlpApiKey = configuration[DashboardOtlpApiKeyVariableName];
+                otlpApiKey = configuration[OtlpApiKeyKey];
                 if (string.IsNullOrEmpty(otlpApiKey))
                 {
-                    throw new InvalidOperationException($"{DashboardOtlpAuthModeVariableName} value of {nameof(OtlpAuthMode.ApiKey)} requires an API key from {DashboardOtlpApiKeyVariableName}.");
+                    throw new InvalidOperationException($"{OtlpAuthModeKey} value of {nameof(OtlpAuthMode.ApiKey)} requires an API key from {OtlpApiKeyKey}.");
                 }
                 break;
             case OtlpAuthMode.ClientCertificate:
                 if (!IsHttps(otlpUris[0]))
                 {
-                    throw new InvalidOperationException($"{DashboardOtlpAuthModeVariableName} value of {nameof(OtlpAuthMode.ClientCertificate)} requires a HTTPS OTLP endpoint.");
+                    throw new InvalidOperationException($"{OtlpAuthModeKey} value of {nameof(OtlpAuthMode.ClientCertificate)} requires a HTTPS OTLP endpoint.");
                 }
                 break;
             default:
-                throw new InvalidOperationException($"Unexpected auth mode value: {otlpAuthMode}");
+                break;
         }
 
         return new DashboardStartupConfiguration
         {
             BrowserUris = browserUris,
+            FrontendAuthMode = frontendAuthMode,
             OtlpUri = otlpUris[0],
-            OtlpAuthMode = otlpAuthMode.Value,
+            OtlpAuthMode = otlpAuthMode,
             OtlpApiKey = otlpApiKey
         };
     }
+
+    private enum FrontendAuthMode
+    {
+        Unsecured,
+        OpenIdConnect
+    }
+
+    public static class FrontendAuthenticationDefaults
+    {
+        public const string AuthenticationScheme = "Frontend";
+    }
+
+    private sealed class DashboardStartupConfiguration
+    {
+        public required Uri[] BrowserUris { get; init; }
+        public required Uri OtlpUri { get; init; }
+        public required OtlpAuthMode OtlpAuthMode { get; init; }
+        public required FrontendAuthMode FrontendAuthMode { get; init; }
+        public required string? OtlpApiKey { get; init; }
+    }
 }
 
 public record EndpointInfo(IPEndPoint EndPoint, bool isHttps);
+
+public static class FrontendAuthorizationDefaults
+{
+    public const string PolicyName = "Frontend";
+}