feat: jwt-token allowed audiences guard

Author: lsipii

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs

@@ -30,8 +30,12 @@ public JwtTokenResult ParseJwtToken(string token)
         var tokenIssuer = parsedToken.Issuer;
         var securityFeature = _features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");
 
+        // Resolve and validate the token audience
+        var tokenAudience = parsedToken.Audiences.FirstOrDefault() ?? throw new NotAuthorizedException("The given token audience is not valid");
+        securityFeature.ValidateSecurityTokenAudience(tokenAudience);
+
         // Resolve user id
         var userId = securityFeature.ResolveTokenUserId(parsedToken) ?? throw new NotAuthorizedException("The given token claim is not valid");
-        return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer };
+        return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer, Audience = tokenAudience };
     }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/ISecurityFeature.cs

@@ -10,6 +10,7 @@ public interface ISecurityFeature
     void BuildAuthorization(AuthorizationOptions options);
     string GetSecurityPolicySchemeName();
     string? ResolveTokenUserId(JwtSecurityToken jwtSecurityToken);
+    void ValidateSecurityTokenAudience(string audience);
 
-    public string? Issuer { get; }
+    public string Issuer { get; }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SecurityFeature.cs

@@ -4,6 +4,8 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.IdentityModel.Tokens;
 using NetDevPack.Security.JwtExtensions;
+using VirtualFinland.UserAPI.Exceptions;
+using VirtualFinland.UserAPI.Security.Models;
 using JwksExtension = VirtualFinland.UserAPI.Helpers.Extensions.JwksExtension;
 
 namespace VirtualFinland.UserAPI.Security.Features;
@@ -13,7 +15,13 @@ public class SecurityFeature : ISecurityFeature
     ///
     /// The issuer of the JWT token
     ///
-    public string? Issuer { get; set; }
+    public string Issuer => _issuer ?? throw new ArgumentNullException("Issuer is not set");
+    protected string? _issuer;
+
+    /// <summary>
+    /// Security feature options
+    /// </summary>
+    protected SecurityFeatureOptions _options { get; set; }
 
     /// <summary>
     /// The URL to the OpenID configuration
@@ -35,15 +43,16 @@ public class SecurityFeature : ISecurityFeature
     /// </summary>
     protected const int _configUrlRetryWaitTime = 3000;
 
-    public SecurityFeature(SecurityFeatureOptions configuration)
+    public SecurityFeature(SecurityFeatureOptions options)
     {
-        Issuer = configuration.Issuer;
-        _openIDConfigurationURL = configuration.OpenIdConfigurationUrl;
-        _jwksOptionsUrl = configuration.AuthorizationJwksJsonUrl;
+        _options = options;
+        _issuer = options.Issuer;
+        _openIDConfigurationURL = options.OpenIdConfigurationUrl;
+        _jwksOptionsUrl = options.AuthorizationJwksJsonUrl;
 
         if (string.IsNullOrEmpty(_openIDConfigurationURL) && string.IsNullOrEmpty(_jwksOptionsUrl))
         {
-            throw new ArgumentNullException("Invalid security feature configuration");
+            throw new ArgumentException("Invalid security feature configuration");
         }
     }
 
@@ -84,6 +93,17 @@ public string GetSecurityPolicySchemeName()
         return jwtSecurityToken.Subject; // the "sub" claim
     }
 
+    /// <summary>
+    /// Validates the token audience
+    /// </summary>
+    /// <param name="audience"></param>
+    /// <exception cref="NotAuthorizedException"></exception>
+    public virtual void ValidateSecurityTokenAudience(string audience)
+    {
+        if (!_options.AudienceGuardEnabled) return;
+        if (!_options.AllowedAudiences.Contains(audience)) throw new NotAuthorizedException("The given token audience is not allowed");
+    }
+
     /// <summary>
     /// Configures the OpenID Connect authentication
     /// </summary>
@@ -118,10 +138,10 @@ protected virtual async void LoadOpenIdConfigUrl()
             if (httpResponse.IsSuccessStatusCode)
             {
                 var jsonData = JsonNode.Parse(await httpResponse.Content.ReadAsStringAsync());
-                Issuer = jsonData?["issuer"]?.ToString();
+                _issuer = jsonData?["issuer"]?.ToString();
                 _jwksOptionsUrl = jsonData?["jwks_uri"]?.ToString();
 
-                if (!string.IsNullOrEmpty(Issuer) && !string.IsNullOrEmpty(_jwksOptionsUrl))
+                if (!string.IsNullOrEmpty(_issuer) && !string.IsNullOrEmpty(_jwksOptionsUrl))
                 {
                     break;
                 }
@@ -130,7 +150,7 @@ protected virtual async void LoadOpenIdConfigUrl()
         }
 
         // If all retries fail, then send an exception since the security information is critical to the functionality of the backend
-        if (string.IsNullOrEmpty(Issuer) || string.IsNullOrEmpty(_jwksOptionsUrl))
+        if (string.IsNullOrEmpty(_issuer) || string.IsNullOrEmpty(_jwksOptionsUrl))
         {
             throw new ArgumentNullException("Failed to retrieve OpenID configurations");
         }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SinunaSecurityFeature.cs

@@ -1,4 +1,6 @@
 using System.IdentityModel.Tokens.Jwt;
+using VirtualFinland.UserAPI.Exceptions;
+using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Security.Features;
 

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SuomiFiSecurityFeature.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.IdentityModel.Tokens;
 using NetDevPack.Security.JwtExtensions;
+using VirtualFinland.UserAPI.Security.Models;
 using JwksExtension = VirtualFinland.UserAPI.Helpers.Extensions.JwksExtension;
 
 namespace VirtualFinland.UserAPI.Security.Features;

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/TestbedSecurityFeature.cs

@@ -1,3 +1,5 @@
+using VirtualFinland.UserAPI.Security.Models;
+
 namespace VirtualFinland.UserAPI.Security.Features;
 
 public class TestbedSecurityFeature : SecurityFeature

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Models/JwtTokenResult.cs

@@ -2,6 +2,7 @@ namespace VirtualFinland.UserAPI.Security.Models;
 
 public class JwtTokenResult
 {
-    public string? UserId { get; set; }
-    public string? Issuer { get; set; }
+    public string UserId { get; set; } = default!;
+    public string Issuer { get; set; } = default!;
+    public string Audience { get; set; } = default!;
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Models/SecurityFeatureOptions.cs

@@ -1,7 +1,11 @@
+namespace VirtualFinland.UserAPI.Security.Models;
+
 public class SecurityFeatureOptions
 {
     public string? OpenIdConfigurationUrl { get; set; }
     public string? AuthorizationJwksJsonUrl { get; set; }
-    public string? Issuer { get; set; }
+    public string? Issuer { get; set; } = default!;
     public bool IsEnabled { get; set; }
+    public List<string> AllowedAudiences { get; set; } = new List<string>();
+    public bool AudienceGuardEnabled { get; set; } = false;
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.json

@@ -33,16 +33,22 @@
         "ConsentJwksJsonUrl": "https://consent.testbed.fi/.well-known/jwks.json",
         "ConsentIssuer": "https://consent.testbed.fi",
         "ConsentVerifyUrl": "https://consent.testbed.fi/Consent/Verify",
-        "IsEnabled": false
+        "IsEnabled": false,
+        "AllowedAudiences": [],
+        "AudienceGuardEnabled": false
       },
       "Sinuna": {
         "OpenIDConfigurationURL": "https://login.iam.qa.sinuna.fi/oxauth/.well-known/openid-configuration",
-        "IsEnabled": false
+        "IsEnabled": false,
+        "AllowedAudiences": [],
+        "AudienceGuardEnabled": false
       },
       "SuomiFi": {
         "AuthorizationJwksJsonUrl": "http://localhost:4078/auth/saml2/suomifi/.well-known/jwks.json",
         "Issuer": "virtual-finland/authentication-gw/suomifi",
-        "IsEnabled": false
+        "IsEnabled": false,
+        "AllowedAudiences": [],
+        "AudienceGuardEnabled": false
       }
     }
   },

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.local.json

@@ -28,7 +28,9 @@
         "IsEnabled": true
       },
       "Sinuna": {
-        "IsEnabled": true
+        "IsEnabled": true,
+        "AllowedAudiences": [],
+        "AudienceGuardEnabled": false
       },
       "SuomiFi": {
         "IsEnabled": true