Step Up

IdentityServer/v6/UserInteraction/StepUp/.vscode/launch.json

@@ -0,0 +1,51 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+          "name": "IdentityServerHost",
+          "type": "coreclr",
+          "request": "launch",
+          "preLaunchTask": "build-identityServerHost",
+          "program": "${workspaceFolder}/IdentityServerHost/bin/Debug/net6.0/IdentityServerHost.dll",
+          "args": [],
+          "cwd": "${workspaceFolder}/IdentityServerHost",
+          "env": {
+              "ASPNETCORE_ENVIRONMENT": "Development"
+          }
+        },
+        {
+          "name": "Client",
+          "type": "coreclr",
+          "request": "launch",
+          "preLaunchTask": "build-client",
+          "program": "${workspaceFolder}/Client/bin/Debug/net6.0/Client.dll",
+          "args": [],
+          "cwd": "${workspaceFolder}/Client",
+          "serverReadyAction": {
+              "action": "openExternally",
+              "pattern": "\\bNow listening on:\\s+(https?://\\S+)"
+          },
+          "env": {
+              "ASPNETCORE_ENVIRONMENT": "Development"
+          }
+        },
+        {
+          "name": "Api",
+          "type": "coreclr",
+          "request": "launch",
+          "preLaunchTask": "build-api",
+          "program": "${workspaceFolder}/Api/bin/Debug/net6.0/Api.dll",
+          "args": [],
+          "cwd": "${workspaceFolder}/Api",
+          "env": {
+              "ASPNETCORE_ENVIRONMENT": "Development"
+          }
+        }
+    ],
+   "compounds": [
+        {
+            "name": "All",
+            "configurations": ["Api","Client","IdentityServerHost"]
+        }
+   ] 
+}

IdentityServer/v6/UserInteraction/StepUp/.vscode/tasks.json

@@ -0,0 +1,41 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+          "label": "build-identityServerHost",
+          "type": "process",
+          "command": "dotnet",
+          "args": [
+              "build",
+              "${workspaceFolder}/IdentityServerHost/IdentityServerHost.csproj",
+              "/property:GenerateFullPaths=true",
+              "/consoleloggerparameters:NoSummary"
+          ],
+          "problemMatcher": "$msCompile"
+        },
+        {
+          "label": "build-client",
+          "type": "process",
+          "command": "dotnet",
+          "args": [
+              "build",
+              "${workspaceFolder}/Client/Client.csproj",
+              "/property:GenerateFullPaths=true",
+              "/consoleloggerparameters:NoSummary"
+          ],
+          "problemMatcher": "$msCompile"
+        },
+        {
+          "label": "build-api",
+          "type": "process",
+          "command": "dotnet",
+          "args": [
+              "build",
+              "${workspaceFolder}/Api/Api.csproj",
+              "/property:GenerateFullPaths=true",
+              "/consoleloggerparameters:NoSummary"
+          ],
+          "problemMatcher": "$msCompile"
+        }
+    ]
+}

IdentityServer/v6/UserInteraction/StepUp/Api/Api.csproj

@@ -0,0 +1,11 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net6.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0"/>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.12"/>
+  </ItemGroup>
+</Project>

IdentityServer/v6/UserInteraction/StepUp/Api/Authorization/MaxAgeHandler.cs

@@ -0,0 +1,29 @@
+
+using Microsoft.AspNetCore.Authorization;
+
+namespace Api.Authorization;
+
+public class MaxAgeHandler : AuthorizationHandler<MaxAgeRequirement>
+{
+    protected override Task HandleRequirementAsync(
+        AuthorizationHandlerContext ctx,
+        MaxAgeRequirement requirement)
+    {
+        var authTimeClaim = ctx.User.FindFirst("auth_time")?.Value;
+        if (authTimeClaim == null) 
+        {
+            return Task.CompletedTask;
+        }
+
+        var authTime = DateTimeOffset.FromUnixTimeSeconds(long.Parse(authTimeClaim));
+
+        var timeSinceAuth = DateTime.UtcNow - authTime;
+
+        if(timeSinceAuth < requirement.MaxAge)
+        {
+            ctx.Succeed(requirement);
+        }
+
+        return Task.CompletedTask;
+    }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/Authorization/MaxAgeRequirement.cs

@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Api.Authorization;
+
+public class MaxAgeRequirement : IAuthorizationRequirement
+{
+    public MaxAgeRequirement(TimeSpan maxAge)
+    {
+        MaxAge = maxAge;
+    }
+
+    public TimeSpan MaxAge { get; }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/Authorization/StepUpHandler.cs

@@ -0,0 +1,90 @@
+using System.Net.Http.Headers;
+using System.Text;
+using Api.Authorization;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.Net.Http.Headers;
+
+public class StepUpAuthorizationMiddlewareResultHandler 
+    : IAuthorizationMiddlewareResultHandler
+{
+    private readonly AuthorizationMiddlewareResultHandler defaultHandler = new();
+
+    public async Task HandleAsync(
+        RequestDelegate next,
+        HttpContext context,
+        AuthorizationPolicy policy,
+        PolicyAuthorizationResult authResult)
+    {
+        // If the authorization was forbidden due to a step-up requirement, set
+        // the status code and WWW-Authenticate header to indicate that step-up
+        // is required
+        if (authResult.Forbidden)
+        {
+            var maxAgeReq = authResult.AuthorizationFailure!.FailedRequirements
+                .OfType<MaxAgeRequirement>().FirstOrDefault();
+            var mfaReq = authResult.AuthorizationFailure!.FailedRequirements
+               .OfType<ClaimsAuthorizationRequirement>()
+               .FirstOrDefault(r => r.ClaimType == "amr" && r.AllowedValues!.Contains("mfa"));
+
+            if (maxAgeReq != null || mfaReq != null)
+            {
+                var header = new StepUpWWWAuthenticateHeader();
+                if (maxAgeReq != null)
+                {
+                    header.MaxAge = (int)maxAgeReq.MaxAge.TotalSeconds;
+                }
+                if (mfaReq != null)
+                {
+                    header.AcrValues = "mfa";
+                }
+                context.Response.Headers.WWWAuthenticate = header.ToString();
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                return;
+            }
+        }
+        // Fall back to the default implementation.
+        await defaultHandler.HandleAsync(next, context, policy, authResult);
+    }
+}
+
+
+public class StepUpWWWAuthenticateHeader
+{
+    private readonly string Error = "insufficient_user_authentication";
+    private string ErrorDescription {
+        get
+        {
+            var ret = string.Empty;
+            if (MaxAge != null)
+            {
+                ret += "More recent authentication is required. ";
+            }
+            if (AcrValues != null)
+            {
+                ret += "MFA is required. ";
+            }
+            return ret;
+        }
+    }
+    public int? MaxAge { get; set; }
+    public string? AcrValues { get; set; }
+
+    public override string ToString()
+    {
+        var props = new List<string> {
+            $"Bearer error=\"{Error}\"",
+            $"error_description=\"{ErrorDescription}\""
+        };
+        if(MaxAge != null)
+        {
+            props.Add($"max_age={MaxAge}");
+        }
+        if(AcrValues != null)
+        {
+            props.Add($"acr_values={AcrValues}");
+        }
+        return string.Join(',', props);
+    }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/Controllers/StepUpController.cs

@@ -0,0 +1,63 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Api.Controllers;
+
+[ApiController]
+[Route("step-up")]
+public class StepUp : ControllerBase
+{
+    private readonly ILogger<StepUp> _logger;
+
+    public StepUp(ILogger<StepUp> logger)
+    {
+        _logger = logger;
+    }
+
+    [HttpGet]
+    [Route("max-age")]
+    [Authorize("MaxAgeOneMinute")]
+    public IEnumerable<string> MaxAge()
+    {
+        yield return ShowAge();
+    }
+
+    [HttpGet]
+    [Route("mfa")]
+    [Authorize("MfaRequired")]
+    public IEnumerable<string> MfaRequired()
+    {
+        yield return ShowAmrValues();
+    }
+
+
+    [HttpGet]
+    [Route("both")]
+    [Authorize("RecentMfa")]
+    public IEnumerable<string> Both()
+    {
+        yield return ShowAge();
+        yield return ShowAmrValues();
+    }
+
+    [HttpGet]
+    [Route("neither")]
+    [Authorize]
+    public IEnumerable<string> Neither()
+    {
+        yield return $"Request is authenticated";
+    }
+
+    private string ShowAge()
+    {
+        var authTime = long.Parse(User.FindFirst("auth_time")!.Value);
+        var age = DateTime.UtcNow - DateTimeOffset.FromUnixTimeSeconds(authTime);
+        return $"Authenticated {age.TotalSeconds} seconds ago";
+    }
+
+    private string ShowAmrValues()
+    {
+        var amrValues = string.Join(',', User.FindAll("amr").Select(c => c.Value));
+        return $"Authenticated using {amrValues}";
+    }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/Program.cs

@@ -0,0 +1,54 @@
+using Api.Authorization;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.IdentityModel.Tokens;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+builder.Services.AddAuthentication("jwt")
+    .AddJwtBearer("jwt", opt =>
+    {
+        opt.Authority = "https://localhost:5001";
+        opt.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateAudience = false,
+            ValidTypes = new [] { "at+jwt" }
+        };
+        opt.MapInboundClaims = false;
+    });
+
+builder.Services.AddAuthorization(opt =>
+{
+    opt.AddPolicy("MaxAgeOneMinute", p =>
+    {
+        p.RequireAuthenticatedUser();
+        p.AddRequirements(new MaxAgeRequirement(TimeSpan.FromMinutes(1)));
+    });
+    opt.AddPolicy("MfaRequired", p =>
+    {
+        p.RequireAuthenticatedUser();
+        p.RequireClaim("amr", "mfa");
+    });
+    opt.AddPolicy("RecentMfa", p =>
+    {
+        p.RequireAuthenticatedUser();
+        p.RequireClaim("amr", "mfa");
+        p.AddRequirements(new MaxAgeRequirement(TimeSpan.FromMinutes(1)));
+    });
+});
+
+builder.Services.AddSingleton<IAuthorizationHandler, MaxAgeHandler>();
+builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, StepUpAuthorizationMiddlewareResultHandler>();
+
+builder.Services.AddControllers();
+
+var app = builder.Build();
+
+app.UseHttpsRedirection();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.MapControllers();
+
+app.Run();

IdentityServer/v6/UserInteraction/StepUp/Api/Properties/launchSettings.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "launchUrl": "swagger",
+      "applicationUrl": "https://localhost:7001;",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

IdentityServer/v6/UserInteraction/StepUp/Api/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}