Gestion des autorisations avec JwtBearer

Controllers/CollaborateursApi.cs

@@ -24,6 +24,7 @@ using EPAServeur.Exceptions;
 using IO.Swagger.ClientCollaborateur;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace IO.Swagger.Controllers
 { 
@@ -50,7 +51,7 @@ namespace IO.Swagger.Controllers
         /// <response code="404">Ressource n&#x27;a pas été trouvée</response>
         [HttpGet]
         [Route("/api/collaborateurs/{idCollaborateur}")]
-        //[Authorize(AuthenticationSchemes = BearerAuthenticationHandler.SchemeName)]
+        //[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "RH,Assistante,Commercial")]
         [ValidateModelState]
         [SwaggerOperation("GetCollaborateurById")]
         [SwaggerResponse(statusCode: 200, type: typeof(CollaborateurDTO), description: "OK")]
@@ -72,7 +73,7 @@ namespace IO.Swagger.Controllers
             }
 			catch (CollaborateurNotFoundException)
             {
-                logger.LogError("Le ccollaborateur {id} est introuvable", idCollaborateur);
+                logger.LogError("Le collaborateur {id} est introuvable", idCollaborateur);
                 ErreurDTO erreurDTO = new ErreurDTO()
                 {
                     Code = "404",
@@ -98,7 +99,7 @@ namespace IO.Swagger.Controllers
         /// <response code="404">Ressource n&#x27;a pas été trouvée</response>
         [HttpGet]
         [Route("/api/collaborateurs/mail/{mail}")]
-        //[Authorize(AuthenticationSchemes = BearerAuthenticationHandler.SchemeName)]
+        //[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "RH,Assistante,Commercial")]
         [ValidateModelState]
         [SwaggerOperation("GetCollaborateurByMail")]
         [SwaggerResponse(statusCode: 200, type: typeof(CollaborateurDTO), description: "OK")]
@@ -116,7 +117,7 @@ namespace IO.Swagger.Controllers
             }
             catch (CollaborateurNotFoundException)
             {
-                logger.LogError("Le ccollaborateur {mail} est introuvable", mail);
+                logger.LogError("Le collaborateur {mail} est introuvable", mail);
                 ErreurDTO erreurDTO = new ErreurDTO()
                 {
                     Code = "404",
@@ -152,7 +153,7 @@ namespace IO.Swagger.Controllers
         /// <response code="403">Acces interdit</response>
         [HttpGet]
         [Route("/api/collaborateurs")]
-        //[Authorize(AuthenticationSchemes = BearerAuthenticationHandler.SchemeName)]
+        [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "RH,Assistante,Commercial")]
         [ValidateModelState]
         [SwaggerOperation("GetCollaborateurs")]
         [SwaggerResponse(statusCode: 200, type: typeof(List<CollaborateurDTO>), description: "OK")]
@@ -195,7 +196,7 @@ namespace IO.Swagger.Controllers
         /// <response code="404">Ressource n&#x27;a pas été trouvée</response>
         [HttpGet]
         [Route("/api/collaborateurs/referent/{idReferent}")]
-        //[Authorize(AuthenticationSchemes = BearerAuthenticationHandler.SchemeName)]
+        //[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "RH,Assistante,Commercial")]
         [ValidateModelState]
         [SwaggerOperation("GetCollaborateursByReferent")]
         [SwaggerResponse(statusCode: 200, type: typeof(List<CollaborateurDTO>), description: "OK")]
@@ -242,7 +243,7 @@ namespace IO.Swagger.Controllers
         /// <response code="404">Ressource n&#x27;a pas été trouvée</response>
         [HttpGet]
         [Route("/api/collaborateurs/profil/{mail}/")]
-        //[Authorize(AuthenticationSchemes = BearerAuthenticationHandler.SchemeName)]
+        //[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "RH,Assistante,Commercial")]
         [ValidateModelState]
         [SwaggerOperation("GetProfilCollaborateurByMail")]
         [SwaggerResponse(statusCode: 200, type: typeof(ProfilDTO), description: "OK")]

EPAServeur.csproj

@@ -6,6 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="3.1.9" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="3.1.7" />
     <PackageReference Include="MySql.Data.EntityFrameworkCore" Version="8.0.21" />
     <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />

Startup.cs

@@ -2,10 +2,10 @@ using EPAServeur.Context;
 using EPAServeur.IServices;
 using EPAServeur.Services;
 using IO.Swagger.ApiCollaborateur;
-using IO.Swagger.Security;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
-using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
@@ -16,19 +16,72 @@ namespace EPAServeur
 {
     public class Startup
     {
-		public Startup(IConfiguration configuration)
+        readonly string AllowCrossClientEPA = "_AllowsCrossOriginClientEPA";
+
+        public Startup(IConfiguration configuration, IWebHostEnvironment env)
         {
             Configuration = configuration;
+            Environment = env;
         }
 
         public IConfiguration Configuration { get; }
+        public IWebHostEnvironment Environment { get; }
 
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
+            services.AddCors(options =>
+            {
+                options.AddPolicy(name: AllowCrossClientEPA,
+                                  builder =>
+                                  {
+                                      builder.WithOrigins("http://localhost:4200").AllowAnyHeader().AllowAnyMethod();
+                                  });
+            });
+
             services.AddControllers();
-			services.AddAuthentication(BearerAuthenticationHandler.SchemeName)
+
-				.AddScheme<AuthenticationSchemeOptions, BearerAuthenticationHandler>(BearerAuthenticationHandler.SchemeName, null);
+            services.AddAuthentication(options =>
+             {
+                 options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+                 options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+             }).AddJwtBearer(o =>
+             {
+                 o.Authority = Configuration["Jwt:Authority"];
+                 o.Audience = Configuration["Jwt:Audience"];
+
+                 if (Environment.IsDevelopment())
+                 {
+                     o.RequireHttpsMetadata = false;
+                 }
+
+                 o.Events = new JwtBearerEvents()
+                 {
+                     OnAuthenticationFailed = c =>
+                     {
+                         c.NoResult();
+
+                         c.Response.StatusCode = 500;
+                         c.Response.ContentType = "text/plain";
+
+                         if (Environment.IsDevelopment())
+                         {
+                             return c.Response.WriteAsync(c.Exception.ToString());
+                         }
+
+                         return c.Response.WriteAsync("Une erreur s'est produite lors du processus d'authentification.");
+                     },
+                     OnForbidden = c =>
+                     {
+                         c.NoResult();
+
+                         c.Response.StatusCode = 403;
+                         c.Response.ContentType = "text/plain";
+
+                         return c.Response.WriteAsync("L'utilisateur n'est pas autorisé à accéder à cette ressource.");
+                     }
+                 };
+             });
 
             services.AddDbContext<EpContext>();
             using (var context = new EpContext())
@@ -55,6 +108,7 @@ namespace EPAServeur
             services.AddScoped<INoteService, NoteService>();
             services.AddScoped<IReferentService, ReferentService>();
             services.AddScoped<IEngagementService, EngagementService>();
+
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
@@ -71,12 +125,18 @@ namespace EPAServeur
 
             app.UseRouting();
 
+            app.UseCors(AllowCrossClientEPA);
+
+            app.UseAuthentication();
+
             app.UseAuthorization();
 
+
             app.UseEndpoints(endpoints =>
             {
                 endpoints.MapControllers();
             });
+
         }
     }
 }

appsettings.json

@@ -1,4 +1,8 @@
 {
+  "Jwt": {
+    "Authority": "http://localhost:8080/auth/realms/Apside",
+    "Audience": "account"
+  },
   "Logging": {
     "LogLevel": {
       "Default": "Information",