roland/miscbff (#297)

* Update samples

* Update tokenexchange sample

* Add missing reference

* Refactor OpenAPI response transformer and document writer

Improve readability of `ProxyingOpenApiDocument` logic. Update OpenAPI document writing method to handle JSON serialization asynchronously and add inline comments for future compatibility issues with OpenAPI library and .NET 10.

* make sample work again

* cleanup

* Update Docker sample

---------

Co-authored-by: roland <roland.guijt@gmail.com>
Co-authored-by: Roland Guijt <roland.guijt@duendesoftware.com>
Co-authored-by: khalidabuhakmeh <khalidabuhakmeh@gmail.com>
Co-authored-by: Erwin van der Valk <erwin@vandervalk.pro>

Author: 5 people

BFF/v4/docker/.dockerignore

@@ -0,0 +1,25 @@
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/.idea
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/azds.yaml
+**/bin
+**/charts
+**/docker-compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md

BFF/v4/docker/ContainerizedIdentityServer/Config.cs

@@ -0,0 +1,45 @@
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
+
+namespace ContainerizedIdentityServer;
+
+public static class Config
+{
+    public static IEnumerable<IdentityResource> IdentityResources =>
+        new IdentityResource[]
+        {
+            new IdentityResources.OpenId(),
+            new IdentityResources.Profile(),
+        };
+
+    public static IEnumerable<ApiScope> ApiScopes =>
+        new ApiScope[]
+        {
+            new ApiScope("scope2"), // Example scope for interactive client
+        };
+
+    public static IEnumerable<Client> Clients =>
+        new Client[]
+        {
+            new Client
+            {
+                ClientId = "interactive",
+                ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) },
+
+                AllowedGrantTypes = GrantTypes.Code,
+
+                RedirectUris = { "https://localhost:5051/signin-oidc" },
+                FrontChannelLogoutUri = "https://localhost:5051/signout-oidc", 
+                PostLogoutRedirectUris = { "https://localhost:5051/signout-callback-oidc" },
+
+                AllowOfflineAccess = true,
+                AllowedScopes = {
+                    IdentityServerConstants.StandardScopes.OpenId,
+                    IdentityServerConstants.StandardScopes.Profile,
+                    IdentityServerConstants.StandardScopes.OfflineAccess,
+                    "scope2"
+                    
+                }
+            },
+        };
+}

BFF/v4/docker/ContainerizedIdentityServer/ContainerizedIdentityServer.csproj

@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+	<PropertyGroup>
+		<TargetFramework>net10.0</TargetFramework>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+		<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<PackageReference Include="Duende.IdentityServer" Version="7.4.5" />
+
+		<PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="10.0.3" />
+		<PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
+	</ItemGroup>
+
+	<ItemGroup>
+	  <Content Include="..\.dockerignore">
+	    <Link>.dockerignore</Link>
+	  </Content>
+	</ItemGroup>
+
+
+
+</Project>

BFF/v4/docker/ContainerizedIdentityServer/Dockerfile

@@ -0,0 +1,27 @@
+FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS base
+WORKDIR /app
+
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
+ARG BUILD_CONFIGURATION=Release
+WORKDIR /src
+COPY ["ContainerizedIdentityServer/ContainerizedIdentityServer.csproj", "ContainerizedIdentityServer/"]
+RUN dotnet restore "ContainerizedIdentityServer/ContainerizedIdentityServer.csproj"
+COPY . .
+WORKDIR "/src/ContainerizedIdentityServer"
+RUN dotnet build "ContainerizedIdentityServer.csproj" -c $BUILD_CONFIGURATION -o /app/build
+
+FROM build AS publish
+ARG BUILD_CONFIGURATION=Release
+RUN dotnet publish "ContainerizedIdentityServer.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
+
+FROM base AS final
+WORKDIR /app
+
+COPY --from=publish /app/publish .
+
+RUN mkdir -p /app/keys 
+RUN chown 1654:1654 /app/keys
+
+USER 1654
+
+ENTRYPOINT ["dotnet", "ContainerizedIdentityServer.dll"]

BFF/v4/docker/ContainerizedIdentityServer/HostingExtensions.cs

@@ -0,0 +1,80 @@
+using Duende.IdentityServer;
+using ContainerizedIdentityServer;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Serilog;
+
+namespace ContainerizedIdentityServer;
+
+internal static class HostingExtensions
+{
+    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
+    {
+        builder.Services.AddRazorPages();
+
+        var isBuilder = builder.Services.AddIdentityServer(options =>
+            {
+                options.Events.RaiseErrorEvents = true;
+                options.Events.RaiseInformationEvents = true;
+                options.Events.RaiseFailureEvents = true;
+                options.Events.RaiseSuccessEvents = true;
+
+                // see https://docs.duendesoftware.com/identityserver/fundamentals/resources#resources-isolation
+                options.EmitStaticAudienceClaim = true;
+                options.IssuerUri = "https://localhost:7051";
+            })
+            .AddTestUsers(TestUsers.Users);
+
+        // in-memory, code config
+        isBuilder.AddInMemoryIdentityResources(Config.IdentityResources);
+        isBuilder.AddInMemoryApiScopes(Config.ApiScopes);
+        isBuilder.AddInMemoryClients(Config.Clients);
+
+
+        // if you want to use server-side sessions: https://blog.duendesoftware.com/posts/20220406_session_management/
+        // then enable it
+        //isBuilder.AddServerSideSessions();
+        //
+        // and put some authorization on the admin/management pages
+        //builder.Services.AddAuthorization(options =>
+        //       options.AddPolicy("admin",
+        //           policy => policy.RequireClaim("sub", "1"))
+        //   );
+        //builder.Services.Configure<RazorPagesOptions>(options =>
+        //    options.Conventions.AuthorizeFolder("/ServerSideSessions", "admin"));
+
+
+        builder.Services.AddAuthentication()
+            .AddGoogle(options =>
+            {
+                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
+
+                // register your IdentityServer with Google at https://console.developers.google.com
+                // enable the Google+ API
+                // set the redirect URI to https://localhost:5001/signin-google
+                options.ClientId = "copy client ID from Google here";
+                options.ClientSecret = "copy client secret from Google here";
+            });
+
+        return builder.Build();
+    }
+    
+    public static WebApplication ConfigurePipeline(this WebApplication app)
+    { 
+        app.UseSerilogRequestLogging();
+    
+        if (app.Environment.IsDevelopment())
+        {
+            app.UseDeveloperExceptionPage();
+        }
+
+        app.UseStaticFiles();
+        app.UseRouting();
+        app.UseIdentityServer();
+        app.UseAuthorization();
+        
+        app.MapRazorPages()
+            .RequireAuthorization();
+
+        return app;
+    }
+}

BFF/v4/docker/ContainerizedIdentityServer/Pages/Account/AccessDenied.cshtml

@@ -0,0 +1,10 @@
+@page
+@model ContainerizedIdentityServer.Pages.Account.AccessDeniedModel
+@{
+}
+<div class="row">
+    <div class="col">
+        <h1>Access Denied</h1>
+        <p>You do not have permission to access that resource.</p>
+    </div>
+</div>

BFF/v4/docker/ContainerizedIdentityServer/Pages/Account/AccessDenied.cshtml.cs

@@ -0,0 +1,13 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace ContainerizedIdentityServer.Pages.Account;
+
+public class AccessDeniedModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+}

BFF/v4/docker/ContainerizedIdentityServer/Pages/Account/Create/Index.cshtml

@@ -0,0 +1,40 @@
+@page
+@model ContainerizedIdentityServer.Pages.Create.Index
+
+<div class="login-page">
+    <div class="lead">
+        <h1>Create Account</h1>
+    </div>
+
+    <partial name="_ValidationSummary" />
+
+    <div class="row">
+
+        <div class="col-sm-6">
+            <form asp-page="/Account/Create/Index">
+                <input type="hidden" asp-for="Input.ReturnUrl" />
+
+                <div class="form-group">
+                    <label asp-for="Input.Username"></label>
+                    <input class="form-control" placeholder="Username" asp-for="Input.Username" autofocus>
+                </div>
+                <div class="form-group">
+                    <label asp-for="Input.Password"></label>
+                    <input type="password" class="form-control" placeholder="Password" asp-for="Input.Password" autocomplete="off">
+                </div>
+                <div class="form-group">
+                    <label asp-for="Input.Name"></label>
+                    <input type="text" class="form-control" placeholder="Name" asp-for="Input.Name">
+                </div>
+                <div class="form-group">
+                    <label asp-for="Input.Email"></label>
+                    <input type="email" class="form-control" placeholder="Email" asp-for="Input.Email" >
+                </div>
+
+                <button class="btn btn-primary" name="Input.Button" value="create">Create</button>
+                <button class="btn btn-secondary" name="Input.Button" value="cancel">Cancel</button>
+            </form>
+        </div>
+        
+    </div>
+</div>

BFF/v4/docker/ContainerizedIdentityServer/Pages/Account/Create/Index.cshtml.cs

@@ -0,0 +1,121 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services;
+using Duende.IdentityServer.Test;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace ContainerizedIdentityServer.Pages.Create;
+
+[SecurityHeaders]
+[AllowAnonymous]
+public class Index : PageModel
+{
+    private readonly TestUserStore _users;
+    private readonly IIdentityServerInteractionService _interaction;
+
+    [BindProperty]
+    public InputModel Input { get; set; } = default!;
+
+    public Index(
+        IIdentityServerInteractionService interaction,
+        TestUserStore? users = null)
+    {
+        // this is where you would plug in your own custom identity management library (e.g. ASP.NET Identity)
+        _users = users ?? throw new InvalidOperationException("Please call 'AddTestUsers(TestUsers.Users)' on the IIdentityServerBuilder in Startup or remove the TestUserStore from the AccountController.");
+            
+        _interaction = interaction;
+    }
+
+    public IActionResult OnGet(string? returnUrl)
+    {
+        Input = new InputModel { ReturnUrl = returnUrl };
+        return Page();
+    }
+        
+    public async Task<IActionResult> OnPost()
+    {
+        // check if we are in the context of an authorization request
+        var context = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
+
+        // the user clicked the "cancel" button
+        if (Input.Button != "create")
+        {
+            if (context != null)
+            {
+                // if the user cancels, send a result back into IdentityServer as if they 
+                // denied the consent (even if this client does not require consent).
+                // this will send back an access denied OIDC error response to the client.
+                await _interaction.DenyAuthorizationAsync(context, AuthorizationError.AccessDenied);
+
+                // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
+                if (context.IsNativeClient())
+                {
+                    // The client is native, so this change in how to
+                    // return the response is for better UX for the end user.
+                    return this.LoadingPage(Input.ReturnUrl);
+                }
+
+                return Redirect(Input.ReturnUrl ?? "~/");
+            }
+            else
+            {
+                // since we don't have a valid context, then we just go back to the home page
+                return Redirect("~/");
+            }
+        }
+
+        if (_users.FindByUsername(Input.Username) != null)
+        {
+            ModelState.AddModelError("Input.Username", "Invalid username");
+        }
+
+        if (ModelState.IsValid)
+        {
+            var user = _users.CreateUser(Input.Username, Input.Password, Input.Name, Input.Email);
+
+            // issue authentication cookie with subject ID and username
+            var isuser = new IdentityServerUser(user.SubjectId)
+            {
+                DisplayName = user.Username
+            };
+
+            await HttpContext.SignInAsync(isuser);
+
+            if (context != null)
+            {
+                if (context.IsNativeClient())
+                {
+                    // The client is native, so this change in how to
+                    // return the response is for better UX for the end user.
+                    return this.LoadingPage(Input.ReturnUrl);
+                }
+
+                // we can trust Input.ReturnUrl since GetAuthorizationContextAsync returned non-null
+                return Redirect(Input.ReturnUrl ?? "~/");
+            }
+
+            // request for a local page
+            if (Url.IsLocalUrl(Input.ReturnUrl))
+            {
+                return Redirect(Input.ReturnUrl);
+            }
+            else if (string.IsNullOrEmpty(Input.ReturnUrl))
+            {
+                return Redirect("~/");
+            }
+            else
+            {
+                // user might have clicked on a malicious link - should be logged
+                throw new ArgumentException("invalid return URL");
+            }
+        }
+
+        return Page();
+    }
+}