#164 Updated Swagger UI for JTW Bearer token auth using OAuth Implicit flow (not ideal as not as secure as Authorization code flow + PKCE but its a start.

Author: SimonGeering

src/AdminAssistant.Blazor/Server/Startup.cs

@@ -4,15 +4,18 @@
 using FluentValidation.AspNetCore;
 using MicroElements.Swashbuckle.FluentValidation;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.AspNetCore.ResponseCompression;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.Swagger;
+using System.Collections.Generic;
 using System.Linq;
 
 namespace AdminAssistant.Blazor.Server
@@ -58,9 +61,14 @@ public void ConfigureServices(IServiceCollection services)
             services.AddResponseCompression(opts => opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(new[] { "application/octet-stream" }));
 
             services.AddHttpContextAccessor();
-            services.AddControllers()
-                .AddNewtonsoftJson()
-                .AddFluentValidation(c => c.RegisterValidatorsFromAssemblyContaining<Infra.DAL.IDatabasePersistable>());
+            services.AddControllers(opts =>
+            {
+                // Add [Authorize] for all controllers ...
+                var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
+                opts.Filters.Add(new AuthorizeFilter(policy));
+
+            }).AddNewtonsoftJson()
+              .AddFluentValidation(c => c.RegisterValidatorsFromAssemblyContaining<Infra.DAL.IDatabasePersistable>());
 
             services.AddSwaggerGen(c =>
             {
@@ -77,10 +85,31 @@ public void ConfigureServices(IServiceCollection services)
                 }); 
 
                 c.SwaggerDoc(WebAPIVersion, new OpenApiInfo { Title = WebAPITitle, Version = WebAPIVersion }); // Add OpenAPI/Swagger middleware
+                c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
+                {
+                    Name = "Authorization",
+                    In = ParameterLocation.Header,
+                    Type = SecuritySchemeType.OAuth2,
+                    Flows = new OpenApiOAuthFlows
+                    {
+                        Implicit = new OpenApiOAuthFlow
+                        {
+                            Scopes = new Dictionary<string, string>
+                            {
+                                { "openid", "Open Id" }
+                            },
+                            AuthorizationUrl = new System.Uri($"https://{configSettings.Auth0Authority}/" + "authorize?audience=" + configSettings.Auth0ApiIdentifier)
+                        }
+                    }
+                });
                 c.AddFluentValidationRules(); // Adds fluent validation rules to swagger schema See: https://github.com/micro-elements/MicroElements.Swashbuckle.FluentValidation
 
                 // Include documentation from Annotations (Swashbuckle.AspNetCore.Annotations)...
                 c.EnableAnnotations(); // https://github.com/domaindrivendev/Swashbuckle.AspNetCore#install-and-enable-annotations
+
+                // Let Swagger UI know that we put Authorize on all endpoints using a filter policy
+                // See services.AddControllers code above ...
+                c.OperationFilter<SwaggerSecurityRequirementsOperationFilter>();
             });
             services.AddSwaggerGenNewtonsoftSupport();
 
@@ -113,6 +142,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 c.SwaggerEndpoint("/swagger/v1/swagger.json", WebAPITitle);
                 c.RoutePrefix = "api-docs";
                 c.DocExpansion(Swashbuckle.AspNetCore.SwaggerUI.DocExpansion.List);
+                c.OAuthClientId(_configuration.GetSection(nameof(ConfigurationSettings)).Get<ConfigurationSettings>().Auth0ClientId);
             });
 
             app.UseHttpsRedirection();
@@ -129,4 +159,51 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             });
         }
     }
+
+    public class SwaggerSecurityRequirementsOperationFilter : Swashbuckle.AspNetCore.SwaggerGen.IOperationFilter
+    {
+        /// <summary>
+        /// Applies this filter on swagger documentation generation.
+        /// </summary>
+        /// <param name="operation"></param>
+        /// <param name="context"></param>
+        public void Apply(OpenApiOperation operation, Swashbuckle.AspNetCore.SwaggerGen.OperationFilterContext context)
+        {
+            // then check if there is a method-level 'AllowAnonymous', as this overrides any controller-level 'Authorize'
+            var anonControllerScope = context
+                    .MethodInfo
+                    .DeclaringType
+                    .GetCustomAttributes(true)
+                    .OfType<AllowAnonymousAttribute>();
+
+            var anonMethodScope = context
+                    .MethodInfo
+                    .GetCustomAttributes(true)
+                    .OfType<AllowAnonymousAttribute>();
+
+            // only add authorization specification information if there is at least one 'Authorize' in the chain and NO method-level 'AllowAnonymous'
+            if (!anonMethodScope.Any() && !anonControllerScope.Any())
+            {
+                // add generic message if the controller methods dont already specify the response type
+                if (!operation.Responses.ContainsKey("401"))
+                    operation.Responses.Add("401", new OpenApiResponse { Description = "If Authorization header not present, has no value or no valid jwt bearer token" });
+
+                if (!operation.Responses.ContainsKey("403"))
+                    operation.Responses.Add("403", new OpenApiResponse { Description = "If user not authorized to perform requested action" });
+
+                var jwtAuthScheme = new OpenApiSecurityScheme
+                {
+                    Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
+                };
+
+                operation.Security = new List<OpenApiSecurityRequirement>
+                {
+                    new OpenApiSecurityRequirement
+                    {
+                        [ jwtAuthScheme ] = new List<string>()
+                    }
+                };
+            }
+        }
+    }
 }

src/AdminAssistant/DomainModel/Shared/ConfigurationSettings.cs

@@ -6,5 +6,6 @@ public record ConfigurationSettings
         public string ConnectionString { get; set; } = string.Empty;
         public string Auth0Authority { get; set; } = string.Empty;
         public string Auth0ApiIdentifier { get; set; } = string.Empty;
+        public string Auth0ClientId { get; set; } = string.Empty;
     }
 }