Auth for dashboard web app and resource service client

Directory.Packages.props

@@ -39,6 +39,7 @@
     <PackageVersion Include="Azure.Provisioning" Version="1.0.0-alpha.20240315.2" />
     <!-- ASP.NET Core dependencies -->
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.Certificate" Version="$(MicrosoftAspNetCoreAuthenticationCertificatePackageVersion)" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="$(MicrosoftAspNetCoreOpenApiPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OutputCaching.StackExchangeRedis" Version="$(MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsCachingStackExchangeRedisPackageVersion)" />

eng/Versions.props

@@ -34,6 +34,7 @@
     <MicrosoftExtensionsOptionsPackageVersion>8.0.2</MicrosoftExtensionsOptionsPackageVersion>
     <MicrosoftExtensionsPrimitivesPackageVersion>8.0.0</MicrosoftExtensionsPrimitivesPackageVersion>
     <MicrosoftAspNetCoreAuthenticationCertificatePackageVersion>8.0.3</MicrosoftAspNetCoreAuthenticationCertificatePackageVersion>
+    <MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>8.0.3</MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>
     <MicrosoftAspNetCoreOpenApiPackageVersion>8.0.3</MicrosoftAspNetCoreOpenApiPackageVersion>
     <MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>8.0.2</MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>
     <MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>8.0.2</MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>

src/Aspire.Dashboard/Aspire.Dashboard.csproj

@@ -24,6 +24,7 @@
     <PackageReference Include="Grpc.AspNetCore" />
     <PackageReference Include="Humanizer.Core" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
     <PackageReference Include="Microsoft.FluentUI.AspNetCore.Components" />
     <PackageReference Include="Microsoft.FluentUI.AspNetCore.Components.Icons" />
   </ItemGroup>

src/Aspire.Dashboard/Components/_Imports.razor

@@ -1,5 +1,6 @@
 @using System.Net.Http
 @using System.Net.Http.Json
+@using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Components.Forms
 @using Microsoft.AspNetCore.Components.Routing
 @using Microsoft.AspNetCore.Components.Web
@@ -10,3 +11,6 @@
 @using Aspire.Dashboard.Components
 @using Aspire.Dashboard.Components.Controls
 @using Microsoft.Extensions.Localization
+
+@* Require authorization for all pages *@
+@attribute [Authorize]

src/Aspire.Dashboard/DashboardWebApplication.cs

@@ -12,11 +12,14 @@
 using Aspire.Dashboard.Otlp.Grpc;
 using Aspire.Dashboard.Otlp.Storage;
 using Microsoft.AspNetCore.Authentication.Certificate;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.HttpsPolicy;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.FluentUI.AspNetCore.Components;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 
 namespace Aspire.Dashboard;
 
@@ -50,10 +53,8 @@ public Func<EndpointInfo> OtlpServiceEndPointAccessor
     public DashboardWebApplication(Action<WebApplicationBuilder>? configureBuilder = null)
     {
         var builder = WebApplication.CreateBuilder();
-        if (configureBuilder != null)
-        {
-            configureBuilder(builder);
-        }
+
+        configureBuilder?.Invoke(builder);
 
 #if !DEBUG
         builder.Logging.AddFilter("Default", LogLevel.Information);
@@ -62,6 +63,13 @@ public DashboardWebApplication(Action<WebApplicationBuilder>? configureBuilder =
         builder.Logging.AddFilter("Microsoft.AspNetCore.Server.Kestrel", LogLevel.Error);
 #endif
 
+        var authMode = builder.Configuration.GetEnum<DashboardWebAppAuthMode>("DashboardWebApp:AuthMode");
+
+        if (authMode == null)
+        {
+            throw new InvalidOperationException("Unable to read DashboardWebApp:AuthMode. Supported values are Unsecured and OpenIdConnect.");
+        }
+
         var dashboardConfig = LoadDashboardConfig(builder.Configuration);
 
         ConfigureKestrelEndpoints(builder, dashboardConfig);
@@ -103,6 +111,30 @@ public DashboardWebApplication(Action<WebApplicationBuilder>? configureBuilder =
 
         builder.Services.AddLocalization();
 
+        if (authMode == DashboardWebAppAuthMode.OpenIdConnect)
+        {
+            // Configure OpenID Connect (OIDC)
+            var authentication = builder.Services.AddAuthentication(options =>
+            {
+                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+            });
+
+            authentication.AddCookie();
+
+            authentication.AddOpenIdConnect(options =>
+            {
+                // Use authorization code flow so clients don't see access tokens.
+                options.ResponseType = OpenIdConnectResponseType.Code;
+
+                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+
+                // "openid" and "profile" are added by default, but need to be re-added in case the user added more
+                // scopes via Authentication:Schemes:OpenIdConnect:Scope configuration.
+                options.Scope.Add(OpenIdConnectScope.OpenIdProfile);
+            });
+        }
+
         _app = builder.Build();
 
         var logger = _app.Services.GetRequiredService<ILoggerFactory>().CreateLogger<DashboardWebApplication>();
@@ -408,6 +440,12 @@ private static DashboardStartupConfiguration LoadDashboardConfig(IConfiguration
             OtlpApiKey = otlpApiKey
         };
     }
+
+    private enum DashboardWebAppAuthMode
+    {
+        Unsecured,
+        OpenIdConnect
+    }
 }
 
 public record EndpointInfo(IPEndPoint EndPoint, bool isHttps);

src/Aspire.Dashboard/Model/DashboardClient.cs

@@ -3,7 +3,9 @@
 
 using System.Collections.Immutable;
 using System.Diagnostics;
+using System.Net.Security;
 using System.Runtime.CompilerServices;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Channels;
 using Aspire.Dashboard.Utils;
 using Aspire.V1;
@@ -98,6 +100,33 @@ GrpcChannel CreateChannel()
                 KeepAlivePingPolicy = HttpKeepAlivePingPolicy.WithActiveRequests
             };
 
+            var authMode = configuration.GetEnum<ResourceClientAuthMode>("ResourceServiceClient:AuthMode");
+
+            if (authMode == null)
+            {
+                throw new InvalidOperationException("Unable to read ResourceServiceClient:AuthMode. Supported values are Unsecured and Certificate.");
+            }
+
+            if (authMode == ResourceClientAuthMode.Certificate)
+            {
+                // Auth hasn't been suppressed, so configure it.
+                var sourceType = configuration.GetEnum<DashboardClientCertificateSource>("ResourceServiceClient:ClientCertificate:Source");
+
+                var certificates = sourceType switch
+                {
+                    DashboardClientCertificateSource.File => GetFileCertificate(),
+                    DashboardClientCertificateSource.KeyStore => GetKeyStoreCertificate(),
+                    _ => throw new InvalidOperationException("Unable to load ResourceServiceClient client certificate.")
+                };
+
+                httpHandler.SslOptions = new SslClientAuthenticationOptions
+                {
+                    ClientCertificates = certificates
+                };
+
+                configuration.Bind("ResourceServiceClient:Ssl", httpHandler.SslOptions);
+            }
+
             // https://learn.microsoft.com/aspnet/core/grpc/retries
 
             var methodConfig = new MethodConfig
@@ -124,6 +153,44 @@ GrpcChannel CreateChannel()
                     LoggerFactory = _loggerFactory,
                     ThrowOperationCanceledOnCancellation = true
                 });
+
+            X509CertificateCollection GetFileCertificate()
+            {
+                var filePath = configuration["ResourceServiceClient:ClientCertificate:FilePath"];
+                var password = configuration["ResourceServiceClient:ClientCertificate:Password"];
+
+                if (filePath is null or [])
+                {
+                    throw new InvalidOperationException("ResourceServiceClient:ClientCertificate:Source is \"File\", but no Certificate:FilePath is configured.");
+                }
+
+                return [new X509Certificate2(filePath, password)];
+            }
+
+            X509CertificateCollection GetKeyStoreCertificate()
+            {
+                var subject = configuration["ResourceServiceClient:ClientCertificate:Subject"];
+
+                if (subject is null or [])
+                {
+                    throw new InvalidOperationException("ResourceServiceClient:ClientCertificate:Source is \"KeyStore\", but no Certificate:FilePath is configured.");
+                }
+
+                using var store = new X509Store(storeName: StoreName.My, storeLocation: StoreLocation.CurrentUser);
+
+                configuration.Bind("ResourceServiceClient:ClientCertificate:KeyStore");
+
+                store.Open(OpenFlags.ReadOnly);
+
+                var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, findValue: subject, validOnly: true);
+
+                if (certificates is [])
+                {
+                    throw new InvalidOperationException($"Unable to load client certificate with subject \"{subject}\" from key store.");
+                }
+
+                return certificates;
+            }
         }
     }
 
@@ -484,4 +551,16 @@ internal void SetInitialDataReceived(IList<Resource>? initialData = null)
 
         _initialDataReceivedTcs.TrySetResult();
     }
+
+    private enum DashboardClientCertificateSource
+    {
+        File,
+        KeyStore
+    }
+
+    private enum ResourceClientAuthMode
+    {
+        Unsecured,
+        Certificate
+    }
 }

src/Aspire.Dashboard/README.md

@@ -1,8 +1,8 @@
 # .NET Aspire Dashboard
 
-Configuration is obtained through `IConfiguration`, so it can be provided in several ways, such as via environment variables.
+## Configuration
 
-## Endpoints
+Configuration is obtained through `IConfiguration`, so it can be provided in several ways, such as via environment variables.
 
 The dashboard has two kinds of endpoints: a browser endpoint for viewing the dashboard UI and an OTLP endpoint that hosts an OTLP service and receives telemetry.
 
@@ -24,6 +24,31 @@ The OTLP endpoint can be secured with [client certificate](https://learn.microso
 
 - `DOTNET_RESOURCE_SERVICE_ENDPOINT_URL` specifies the gRPC endpoint to which the dashboard connects for its data. There's no default. If this variable is unspecified, the dashboard shows OTEL data but no resource list or console logs.
 
+The resource service client supports certificates. Set `ResourceServiceClient:AuthMode` to `Certificate`, then add the following configuration:
+
+- `ResourceServiceClient:ClientCertificate:Source` (required) one of:
+  - `File` to load the cert from a file path, configured with:
+    - `ResourceServiceClient:ClientCertificate:FilePath` (required, string)
+    - `ResourceServiceClient:ClientCertificate:Password` (optional, string)
+  - `KeyStore` to load the cert from a key store, configured with:
+    - `ResourceServiceClient:ClientCertificate:Subject` (required, string)
+    - `ResourceServiceClient:ClientCertificate:KeyStore:Name` (optional, [`StoreName`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storename), defaults to `My`)
+    - `ResourceServiceClient:ClientCertificate:KeyStore:Location` (optional, [`StoreLocation`](https://learn.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.storelocation), defaults to `CurrentUser`)
+- `ResourceServiceClient:Ssl` (optional, [`SslClientAuthenticationOptions`](https://learn.microsoft.com/dotnet/api/system.net.security.sslclientauthenticationoptions))
+
+To opt-out of authentication, set `ResourceServiceClient:AuthMode` to `Unsecured`. This completely disables all security for the resource service client. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
+
+## Dashboard web app auth
+
+The dashboard's web application supports OpenID Connect. Set `DashboardWebApp:AuthMode` to `OpenIdConnect`, then add the following configuration:
+
+- `Authentication:Schemes:OpenIdConnect:Authority` — URL to the identity provider (IdP)
+- `Authentication:Schemes:OpenIdConnect:ClientId` — Identity of the relying party (RP)
+- `Authentication:Schemes:OpenIdConnect:ClientSecret`— A secret that only the real RP would know
+- Other properties of [`OpenIdConnectOptions`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions) specified in configuration container `Authentication:Schemes:OpenIdConnect:*`
+
+It may also be run unsecured. Set `DashboardWebApp:AuthMode` to `Unsecured`. This completely disables all security for the dashboard web app. This setting is used during local development, but is not recommended if you attempt to host the dashboard in other settings.
+
 ## Telemetry Limits
 
 Telemetry is stored in-memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit.

src/Aspire.Hosting/Dcp/ApplicationExecutor.cs

@@ -733,6 +733,7 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
             context.EnvironmentVariables["ASPNETCORE_URLS"] = appHostApplicationUrl;
             context.EnvironmentVariables["DOTNET_RESOURCE_SERVICE_ENDPOINT_URL"] = grpcEndpointUrl;
             context.EnvironmentVariables["DOTNET_DASHBOARD_OTLP_ENDPOINT_URL"] = otlpEndpointUrl;
+            context.EnvironmentVariables["ResourceServiceClient__AuthMode"] = "Unsecured"; // No auth in local dev experience
 
             if (configuration["AppHost:OtlpApiKey"] is { } otlpApiKey)
             {
@@ -793,6 +794,11 @@ private async Task StartDashboardAsDcpExecutableAsync(CancellationToken cancella
                 Value = grpcEndpointUrl
             },
             new()
+            {
+                Name = "ResourceServiceClient__AuthMode",
+                Value = "Unsecured" // No auth in local dev experience
+            },
+            new()
             {
                 Name = "ASPNETCORE_URLS",
                 Value = dashboardUrls

src/Shared/IConfigurationExtensions.cs

@@ -118,4 +118,32 @@ public static bool GetBool(this IConfiguration configuration, string key, bool d
             throw new InvalidOperationException($"Error parsing URIs from configuration value '{key}'.", ex);
         }
     }
+
+    /// <summary>
+    /// Gets the named configuration value as a member of an enum, or <paramref name="defaultValue"/> if parsing failed.
+    /// </summary>
+    /// <remarks>
+    /// Parsing is case-insensitive.
+    /// </remarks>
+    /// <param name="configuration">The <see cref="IConfiguration"/> this method extends.</param>
+    /// <param name="key">The configuration key.</param>
+    /// <param name="defaultValue">A default value, for when the configuration value is unable to be parsed.</param>
+    /// <returns>The parsed enum member, or <paramref name="defaultValue"/> if parsing failed.</returns>
+    [return: NotNullIfNotNull(nameof(defaultValue))]
+    public static T? GetEnum<T>(this IConfiguration configuration, string key, T? defaultValue = default)
+        where T : struct
+    {
+        var value = configuration[key];
+
+        if (value is null or [])
+        {
+            return defaultValue;
+        }
+        else if (Enum.TryParse<T>(value, ignoreCase: true, out var e))
+        {
+            return e;
+        }
+
+        return default;
+    }
 }

tests/Aspire.Dashboard.Tests/Integration/IntegrationTestHelpers.cs

@@ -27,7 +27,9 @@ public static DashboardWebApplication CreateDashboardWebApplication(
         var initialData = new Dictionary<string, string?>
         {
             [DashboardWebApplication.DashboardUrlVariableName] = "http://127.0.0.1:0",
-            [DashboardWebApplication.DashboardOtlpUrlVariableName] = "http://127.0.0.1:0"
+            [DashboardWebApplication.DashboardOtlpUrlVariableName] = "http://127.0.0.1:0",
+            ["ResourceServiceClient:AuthMode"] = "Unsecured",
+            ["DashboardWebApp:AuthMode"] = "Unsecured"
         };
         additionalConfiguration?.Invoke(initialData);
 

tests/Aspire.Dashboard.Tests/Model/DashboardClientTests.cs

@@ -18,7 +18,11 @@ public sealed class DashboardClientTests
     public DashboardClientTests()
     {
         var configuration = new ConfigurationManager();
-        configuration.AddInMemoryCollection(new Dictionary<string, string?>() { { "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL", "http://localhost:12345" } });
+        configuration.AddInMemoryCollection([
+            new("DashboardWebApp:AuthMode", "Unsecured"),
+            new("ResourceServiceClient:AuthMode", "Unsecured"),
+            new("DOTNET_RESOURCE_SERVICE_ENDPOINT_URL", "http://localhost:12345")
+        ]);
         _configuration = configuration;
     }