Merge pull request #79 from Virtual-Finland-Development/feature/security-token-audience-guard

Security token audience guard

Author: lsipii

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/ProductizerController.cs

@@ -159,7 +159,7 @@ public async Task<IActionResult> SaveOrUpdatePersonJobApplicantProfile(UpdateJob
                 e.Message);
             try
             {
-                var jwkToken = _authenticationService.ParseAuthenticationHeader(Request);
+                var jwkToken = await _authenticationService.ParseAuthenticationHeader(Request);
                 var query = new VerifyIdentityUser.Query(jwkToken.UserId, jwkToken.Issuer);
                 var createdUser = await _mediator.Send(query);
                 userId = createdUser.Id;

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/Services/AuthenticationService.cs

@@ -18,7 +18,7 @@ public AuthenticationService(UserSecurityService userSecurityService)
         return person.Id;
     }
 
-    public JwtTokenResult ParseAuthenticationHeader(HttpRequest httpRequest)
+    public Task<JwtTokenResult> ParseAuthenticationHeader(HttpRequest httpRequest)
     {
         var token = httpRequest.Headers.Authorization.ToString().Replace("Bearer ", string.Empty);
         return _userSecurityService.ParseJwtToken(token);

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/Services/UserSecurityService.cs

@@ -27,7 +27,7 @@ public UserSecurityService(UsersDbContext usersDbContext, ILogger<UserSecuritySe
     /// <exception cref="NotAuthorizedException">If user id and the issuer are not found in the DB for any given user, this is not a valid user within the users database.</exception>
     public async Task<Person> VerifyAndGetAuthenticatedUser(string token)
     {
-        var jwtTokenResult = ParseJwtToken(token);
+        var jwtTokenResult = await ParseJwtToken(token);
 
         try
         {
@@ -44,7 +44,7 @@ public async Task<Person> VerifyAndGetAuthenticatedUser(string token)
     /// <summary>
     /// Parses the JWT token and returns the issuer and the user id
     /// </summary>
-    public JwtTokenResult ParseJwtToken(string token)
+    public Task<JwtTokenResult> ParseJwtToken(string token)
     {
         return _applicationSecurity.ParseJwtToken(token);
     }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs

@@ -17,7 +17,7 @@ public ApplicationSecurity(List<ISecurityFeature> features)
     /// <summary>
     /// Parses the JWT token and returns the issuer and the user id
     /// </summary>
-    public JwtTokenResult ParseJwtToken(string token)
+    public async Task<JwtTokenResult> ParseJwtToken(string token)
     {
         if (string.IsNullOrEmpty(token)) throw new NotAuthorizedException("No token provided");
 
@@ -30,8 +30,12 @@ public JwtTokenResult ParseJwtToken(string token)
         var tokenIssuer = parsedToken.Issuer;
         var securityFeature = _features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");
 
+        // Resolve and validate the token audience
+        var tokenAudience = parsedToken.Audiences.FirstOrDefault() ?? throw new NotAuthorizedException("The given token audience is not valid");
+        await securityFeature.ValidateSecurityTokenAudience(tokenAudience);
+
         // Resolve user id
         var userId = securityFeature.ResolveTokenUserId(parsedToken) ?? throw new NotAuthorizedException("The given token claim is not valid");
-        return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer };
+        return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer, Audience = tokenAudience };
     }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/ISecurityFeature.cs

@@ -10,6 +10,7 @@ public interface ISecurityFeature
     void BuildAuthorization(AuthorizationOptions options);
     string GetSecurityPolicySchemeName();
     string? ResolveTokenUserId(JwtSecurityToken jwtSecurityToken);
+    Task ValidateSecurityTokenAudience(string audience);
 
-    public string? Issuer { get; }
+    public string Issuer { get; }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SecurityFeature.cs

@@ -4,6 +4,8 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.IdentityModel.Tokens;
 using NetDevPack.Security.JwtExtensions;
+using VirtualFinland.UserAPI.Exceptions;
+using VirtualFinland.UserAPI.Security.Models;
 using JwksExtension = VirtualFinland.UserAPI.Helpers.Extensions.JwksExtension;
 
 namespace VirtualFinland.UserAPI.Security.Features;
@@ -13,7 +15,13 @@ public class SecurityFeature : ISecurityFeature
     ///
     /// The issuer of the JWT token
     ///
-    public string? Issuer { get; set; }
+    public string Issuer => _issuer ?? throw new ArgumentNullException("Issuer is not set");
+    protected string? _issuer;
+
+    /// <summary>
+    /// Security feature options
+    /// </summary>
+    protected SecurityFeatureOptions _options { get; set; }
 
     /// <summary>
     /// The URL to the OpenID configuration
@@ -35,15 +43,16 @@ public class SecurityFeature : ISecurityFeature
     /// </summary>
     protected const int _configUrlRetryWaitTime = 3000;
 
-    public SecurityFeature(SecurityFeatureOptions configuration)
+    public SecurityFeature(SecurityFeatureOptions options)
     {
-        Issuer = configuration.Issuer;
-        _openIDConfigurationURL = configuration.OpenIdConfigurationUrl;
-        _jwksOptionsUrl = configuration.AuthorizationJwksJsonUrl;
+        _options = options;
+        _issuer = options.Issuer;
+        _openIDConfigurationURL = options.OpenIdConfigurationUrl;
+        _jwksOptionsUrl = options.AuthorizationJwksJsonUrl;
 
         if (string.IsNullOrEmpty(_openIDConfigurationURL) && string.IsNullOrEmpty(_jwksOptionsUrl))
         {
-            throw new ArgumentNullException("Invalid security feature configuration");
+            throw new ArgumentException("Invalid security feature configuration");
         }
     }
 
@@ -84,6 +93,20 @@ public string GetSecurityPolicySchemeName()
         return jwtSecurityToken.Subject; // the "sub" claim
     }
 
+    /// <summary>
+    /// Validates the token audience
+    /// </summary>
+    /// <param name="audience"></param>
+    /// <exception cref="NotAuthorizedException"></exception>
+    public virtual Task ValidateSecurityTokenAudience(string audience)
+    {
+        if (_options.AudienceGuardEnabled)
+        {
+            if (!_options.AllowedAudiences.Contains(audience)) throw new NotAuthorizedException("The given token audience is not allowed");
+        }
+        return Task.CompletedTask;
+    }
+
     /// <summary>
     /// Configures the OpenID Connect authentication
     /// </summary>
@@ -118,10 +141,10 @@ protected virtual async void LoadOpenIdConfigUrl()
             if (httpResponse.IsSuccessStatusCode)
             {
                 var jsonData = JsonNode.Parse(await httpResponse.Content.ReadAsStringAsync());
-                Issuer = jsonData?["issuer"]?.ToString();
+                _issuer = jsonData?["issuer"]?.ToString();
                 _jwksOptionsUrl = jsonData?["jwks_uri"]?.ToString();
 
-                if (!string.IsNullOrEmpty(Issuer) && !string.IsNullOrEmpty(_jwksOptionsUrl))
+                if (!string.IsNullOrEmpty(_issuer) && !string.IsNullOrEmpty(_jwksOptionsUrl))
                 {
                     break;
                 }
@@ -130,7 +153,7 @@ protected virtual async void LoadOpenIdConfigUrl()
         }
 
         // If all retries fail, then send an exception since the security information is critical to the functionality of the backend
-        if (string.IsNullOrEmpty(Issuer) || string.IsNullOrEmpty(_jwksOptionsUrl))
+        if (string.IsNullOrEmpty(_issuer) || string.IsNullOrEmpty(_jwksOptionsUrl))
         {
             throw new ArgumentNullException("Failed to retrieve OpenID configurations");
         }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SinunaSecurityFeature.cs

@@ -1,4 +1,6 @@
 using System.IdentityModel.Tokens.Jwt;
+using VirtualFinland.UserAPI.Exceptions;
+using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Security.Features;
 

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SuomiFiSecurityFeature.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.IdentityModel.Tokens;
 using NetDevPack.Security.JwtExtensions;
+using VirtualFinland.UserAPI.Security.Models;
 using JwksExtension = VirtualFinland.UserAPI.Helpers.Extensions.JwksExtension;
 
 namespace VirtualFinland.UserAPI.Security.Features;

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/TestbedSecurityFeature.cs

@@ -1,3 +1,5 @@
+using VirtualFinland.UserAPI.Security.Models;
+
 namespace VirtualFinland.UserAPI.Security.Features;
 
 public class TestbedSecurityFeature : SecurityFeature

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/IApplicationSecurity.cs

@@ -2,5 +2,5 @@ namespace VirtualFinland.UserAPI.Security.Models;
 
 public interface IApplicationSecurity
 {
-    JwtTokenResult ParseJwtToken(string token);
+    Task<JwtTokenResult> ParseJwtToken(string token);
 }