diff --git a/building-blocks/Jwt/JwtExtensions.cs b/building-blocks/Jwt/JwtExtensions.cs
index ba6c0ac..9baa5b4 100644
--- a/building-blocks/Jwt/JwtExtensions.cs
+++ b/building-blocks/Jwt/JwtExtensions.cs
@@ -30,7 +30,8 @@ public static class JwtExtensions
 options.TokenValidationParameters = new TokenValidationParameters
 {
 ValidateAudience = false,
- ClockSkew = TimeSpan.FromSeconds(2) // For prevent add default value (5min) to life time token!
+ ClockSkew = TimeSpan.FromSeconds(2), // For prevent add default value (5min) to life time token!
+ ValidateLifetime = true, // Enforce token expiry
 };
 options.RequireHttpsMetadata = jwtOptions.RequireHttpsMetadata;
@@ -48,20 +49,14 @@ public static class JwtExtensions
 .RequireAuthenticatedUser()
 .Build();
- // Add your scope policy (optional)
- if (!string.IsNullOrEmpty(jwtOptions.Audience))
- {
- options.AddPolicy(
- nameof(ApiScope),
- policy =>
- {
- policy.AuthenticationSchemes.Add(
- JwtBearerDefaults.AuthenticationScheme);
- policy.RequireAuthenticatedUser();
- policy.RequireClaim("scope", jwtOptions.Audience);
- });
- }
+ options.AddPolicy(
+ nameof(ApiScope),
+ policy =>
+ {
+ policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", jwtOptions.Audience);
+ });
 });
 }
diff --git a/building-blocks/TestBase/TestBase.cs b/building-blocks/TestBase/TestBase.cs
index 9c22a97..1365e5e 100644
--- a/building-blocks/TestBase/TestBase.cs
+++ b/building-blocks/TestBase/TestBase.cs
@@ -7,11 +7,13 @@ using BuildingBlocks.EFCore;
 using BuildingBlocks.Mongo;
 using BuildingBlocks.PersistMessageProcessor;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using EasyNetQ.Management.Client;
 using Grpc.Net.Client;
 using MassTransit;
 using MassTransit.Testing;
 using MediatR;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Testing;
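Review bot: `ValidateLifetime = true` on the added line restates the `TokenValidationParameters` default, so this hunk documents existing behaviour rather than enforcing anything new, and the comment "Enforce token expiry" wrongly suggests expiry was previously unchecked; `ValidateLifetime = true, // default, kept explicit: exp/nbf are checked within ±ClockSkew` would be accurate. The setting that actually decides what this API accepts is the unchanged `ValidateAudience = false`: with it, any token the configured issuer signs for any other API authenticates here, and the only binding to this service is the scope policy in the next hunk, which protects only endpoints that opt into it. A comment next to `ValidateAudience = false` stating that trade-off, and that the 2-second `ClockSkew` will reject tokens from hosts whose clocks drift by more than that, would help the next reader. The enclosing method starts and ends outside the hunk.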
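Review bot: Dropping the `IsNullOrEmpty` guard means `policy.RequireClaim("scope", jwtOptions.Audience)` now runs with a null or empty Audience; as far as I can tell that binds to the `params string[]` overload and produces an allowed-values list holding a single null, so a misconfigured service registers a policy no token can satisfy and the mistake surfaces as 403s at runtime rather than at startup. Fail fast instead, directly before `options.AddPolicy(`: `if (string.IsNullOrWhiteSpace(jwtOptions.Audience)) throw new InvalidOperationException("JwtOptions.Audience is required for the ApiScope policy.");`. Note also that `RequireClaim` matches claim values exactly, so if the issuer emits `scope` as one space-delimited string rather than a JSON array, tokens that do carry the scope will still be rejected; worth a comment on the `RequireClaim` line and an integration test against a real token shape. The enclosing method starts outside the hunk.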
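Review bot: `using Duende.IdentityServer.EntityFramework.Entities;` pulls an identity-provider persistence namespace into the shared test base, presumably only so that `nameof(ApiScope)` in the later authorization hunk resolves to the same `"ApiScope"` string the production policy uses; if so, test infrastructure is now coupled to an EF entity type purely for its name. A policy-name constant in the JWT building block, e.g. `public const string ApiScopePolicy = "ApiScope";`, referenced by both JwtExtensions and TestBase would remove that dependency and keep the two registrations from drifting. If the using is needed for something outside this diff, a one-line comment saying so would stop the next cleanup from removing it.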
@@ -57,16 +59,15 @@ where TEntryPoint : class
 {
 get
 {
- var claims =
- new Dictionary
- {
- {ClaimTypes.Name, "test@sample.com"},
- {ClaimTypes.Role, "admin"},
- {"scope", "flight-api"}
- };
+ var claims = new Dictionary
+ {
+ { ClaimTypes.Name, "test@sample.com" },
+ { ClaimTypes.Role, "admin" },
+ { "scope", "flight-api" }
+ };
- var httpClient = _factory?.CreateClient();
- httpClient.SetFakeBearerToken(claims);
+ var httpClient = _factory.CreateClient();
+ httpClient.SetFakeBearerToken(claims); // Uses FakeJwtBearer
 return httpClient;
 }
 }
@@ -106,19 +107,28 @@ where TEntryPoint : class
 .AsImplementedInterfaces()
 .WithScopedLifetime());
- // add authentication using a fake jwt bearer - we can use SetAdminUser method to set authenticate user to existing HttContextAccessor
+ // Add Fake JWT Authentication - we can use SetAdminUser method to set authenticate user to existing HttContextAccessor
 // https://github.com/webmotions/fake-authentication-jwtbearer
 // https://github.com/webmotions/fake-authentication-jwtbearer/issues/14
 services.AddAuthentication(
 options =>
 {
- options.DefaultAuthenticateScheme =
- FakeJwtBearerDefaults.AuthenticationScheme;
+ options.DefaultAuthenticateScheme = FakeJwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme =
- FakeJwtBearerDefaults.AuthenticationScheme;
+ options.DefaultChallengeScheme = FakeJwtBearerDefaults.AuthenticationScheme;
 })
 .AddFakeJwtBearer();
+
+ // Mock Authorization Policies
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy(nameof(ApiScope), policy =>
+ {
+ policy.AddAuthenticationSchemes(FakeJwtBearerDefaults.AuthenticationScheme);
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim("scope", "flight-api"); // Test-specific scope
+ });
+ });
 });
 });
 }
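Review bot: Registering a policy under the same name `nameof(ApiScope)` in the test host replaces the production policy from JwtExtensions (the policy map is keyed by name and the last `AddPolicy` wins, assuming this lambda runs after the application's own registrations as `ConfigureTestServices` does), so integration tests exercise this hand-rolled copy rather than the real one, and a production regression such as a wrong `jwtOptions.Audience` or a changed claim type would go unnoticed. The `"flight-api"` literal is also duplicated from the claims dictionary in the previous hunk, so the two can drift silently. Prefer leaving the production policy in place and only adding the fake scheme to it, or at minimum read the expected scope from the same configuration the service under test uses and share one constant between the claims and `RequireClaim`. If the override is intentional, say so on the `// Mock Authorization Policies` line, e.g. `// Replaces the production ApiScope policy; only the authentication scheme should differ.` The enclosing configuration lambda starts outside the hunk.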