Add User Management Service auth middleware ttl

This commit is contained in:
Jill Bender 2019-05-28 15:07:05 -07:00
Родитель cbe4f0f7bc
Коммит 88e787c781
6 изменённых файлов: 36 добавлений и 5 удалений


@ -12,7 +12,7 @@
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="2.1.4" />
<PackageReference Include="Newtonsoft.Json" Version="10.0.3" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.1.4" />
<PackageReference Include="Microsoft.Azure.KeyVault" Version="2.0.6" />
<PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.3" />
</ItemGroup>
<ItemGroup>
<None Update="data\policies\roles.json">


@ -55,6 +55,7 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
private TokenValidationParameters tokenValidationParams;
private readonly bool authRequired;
private bool tokenValidationInitialized;
private DateTime tokenValidationExpiration;
public AuthMiddleware(
// ReSharper disable once UnusedParameter.Local
@ -71,6 +72,7 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
this.log = log;
this.authRequired = config.AuthRequired;
this.tokenValidationInitialized = false;
this.tokenValidationExpiration = DateTime.UtcNow;
// This will show in development mode, or in case auth is turned off
if (!this.authRequired)
@ -87,7 +89,8 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
this.config.JwtIssuer,
this.config.JwtAudience,
this.config.JwtAllowedAlgos,
this.config.JwtClockSkew
this.config.JwtClockSkew,
this.config.OpenIdTimeToLive
});
this.InitializeTokenValidationAsync(CancellationToken.None).Wait();
@ -220,7 +223,8 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
private async Task<bool> InitializeTokenValidationAsync(CancellationToken token)
{
if (this.tokenValidationInitialized) return true;
// If the token has been initialized and is not past expiry, return.
if (this.tokenValidationInitialized && !this.TokenValidationExpired()) return true;
try
{
@ -248,6 +252,7 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
};
this.tokenValidationInitialized = true;
this.tokenValidationExpiration = DateTime.UtcNow.Add(this.config.OpenIdTimeToLive);
}
catch (Exception e)
{
@ -256,5 +261,14 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
return this.tokenValidationInitialized;
}
/// <summary>
/// Checks if the OpenId Connect token has hit the expiration time.
/// </summary>
/// <returns>true if the token has expired</returns>
private bool TokenValidationExpired()
{
return this.tokenValidationExpiration > DateTime.UtcNow;
}
}
}
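Review bot: The comparison in TokenValidationExpired is inverted: `this.tokenValidationExpiration > DateTime.UtcNow` is true while the expiration is still in the future, i.e. while the cached parameters are NOT expired. Combined with the new guard `if (this.tokenValidationInitialized && !this.TokenValidationExpired()) return true;`, a freshly initialized middleware never takes the early return and re-runs the initialization on every request, and once the TTL has actually elapsed the method reports "not expired" forever and the parameters are never refreshed. The fix is `return DateTime.UtcNow >= this.tokenValidationExpiration;`, with the XML summary adjusted to say it checks whether the cached token validation parameters (not an "OpenId Connect token") have passed their expiration time. Separately, nothing serialises the refresh, so concurrent requests arriving after expiry will presumably all re-fetch the metadata at once — worth confirming given the `.Wait()` already used in the constructor. The bodies of the constructor and InitializeTokenValidationAsync extend outside the hunks shown.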


@ -42,6 +42,12 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
// Clock skew allowed when validating tokens expiration
// Default: 2 minutes
TimeSpan JwtClockSkew { get; set; }
// Time to live for the OpenId Connect validation token.
// The metadata settings will expire so the token needs to be
// periodically recreated.
// Default: 7 days
TimeSpan OpenIdTimeToLive { get; set; }
}
public class ClientAuthConfig : IClientAuthConfig
@ -57,5 +63,6 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Auth
public string JwtAudienceSecret { get; set; }
public string ArmEndpointUrl { get; set; }
public TimeSpan JwtClockSkew { get; set; }
public TimeSpan OpenIdTimeToLive { get; set; }
}
}
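Review bot: The comment on OpenIdTimeToLive describes a "validation token", but what is being aged out is the cached TokenValidationParameters built from the OpenId Connect metadata (there is no token being recreated), and the comment does not say that the backing config key is in whole days. I would phrase it as `// How long the token validation parameters built from the OpenId Connect metadata are cached before being rebuilt; configured in whole days. Default: 7 days`. Naming the cached object correctly matters here because the TTL bounds how long a rotated or revoked signing key stays trusted by this service.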


@ -44,9 +44,11 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Runtime
private const string JWT_ALGOS_KEY = JWT_KEY + "allowedAlgorithms";
private const string JWT_ISSUER_KEY = JWT_KEY + "authIssuer";
private const string JWT_AUDIENCE_KEY = JWT_KEY + "aadAppId";
private const string JWT_CLOCK_SKEW_KEY = JWT_KEY + "clockSkewSeconds";
private const string OPEN_ID_KEY = APPLICATION_KEY + "ClientAuth:OpenIdConnect:";
private const string OPEN_ID_TTL_KEY = OPEN_ID_KEY + "timeToLiveDays";
public const string DEFAULT_ARM_ENDPOINT_URL = "https://management.azure.com/";
public const string DEFAULT_AAD_ENDPOINT_URL = "https://login.microsoftonline.com/";
@ -86,6 +88,8 @@ namespace Microsoft.Azure.IoTSolutions.Auth.WebService.Runtime
JwtAudience = configData.GetString(JWT_AUDIENCE_KEY, String.Empty),
// By default the allowed clock skew is 2 minutes
JwtClockSkew = TimeSpan.FromSeconds(configData.GetInt(JWT_CLOCK_SKEW_KEY, 120)),
// By default the time to live for the OpenId connect token is 7 days
OpenIdTimeToLive = TimeSpan.FromDays(configData.GetInt(OPEN_ID_TTL_KEY, 7))
};
}
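Review bot: `configData.GetInt(OPEN_ID_TTL_KEY, 7)` accepts zero and negative values, and a non-positive TTL makes the cached validation parameters expire at (or before) the moment they are built, so every request would re-fetch the metadata — a self-inflicted load on the identity provider and a latency hit on every authenticated call. Read the value into a local and reject it, e.g. `var openIdTtlDays = configData.GetInt(OPEN_ID_TTL_KEY, 7);` followed by `if (openIdTtlDays <= 0) throw new ArgumentOutOfRangeException(OPEN_ID_TTL_KEY, "timeToLiveDays must be a positive number of days");` (or fall back to the default with a logged warning, matching however the rest of this method treats bad values). Also consider documenting that 7 days is an upper bound on how long a signing key retired or revoked by the identity provider remains trusted, and how long a newly rotated key is rejected, so operators can choose a shorter value deliberately; the mechanism that actually fetches the metadata is not visible in this diff, so confirm there is no other refresh path first. The enclosing method starts outside the hunk.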


@ -16,7 +16,7 @@
<PackageReference Include="Microsoft.AspNetCore" Version="2.0.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.0.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.Ini" Version="2.0.0" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="2.1.4" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="5.4.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Services\Services.csproj" />


@ -57,6 +57,12 @@ aadAppId=""
; Default: 2 minutes
clockSkewSeconds = 300
[TelemetryService:ClientAuth:OpenIdConnect]
; Time to live for the OpenId Connect validation token.
; The metadata settings will expire so the token needs to be periodically recreated.
; Default: 7 days
timeToLiveDays = 7
[KeyVault]
aadAppId = ${PCS_AAD_APPID}
aadAppSecret = ${PCS_AAD_APPSECRET}
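Review bot: The new section is named `[TelemetryService:ClientAuth:OpenIdConnect]`, but the reader in Config.cs composes the key from `APPLICATION_KEY + "ClientAuth:OpenIdConnect:"`, and APPLICATION_KEY is not visible in this diff; given the commit title refers to the User Management Service, verify that APPLICATION_KEY really is `TelemetryService:` here, otherwise `timeToLiveDays` is silently ignored and the 7-day default is used. I would also reword the comment to match what expires: `; How long the cached OpenId Connect token validation parameters are used before being refreshed (whole days).` and note that the value must be positive.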