Add google and jwt authentication and authorization

Core.Cerberos.Adapters/Common/Constants/Policies.cs

@@ -0,0 +1,24 @@
+using System;
+using System.Collections.Generic;
+namespace Core.Thalos.BuildingBlocks.Common.Constants
+{
+    /// <summary>
+    /// Constants for policy.
+    /// </summary>
+    public class Policies
+    {
+        /// <summary>
+        /// Defines the access policy for reading mobile-related data. 
+        /// This policy grants read-only permissions for retrieving mobile device information, 
+        /// user mobile settings, or related data as per the application's authorization scope.
+        /// </summary>
+        public const string Read = "Read";
+
+        /// <summary>
+        /// Defines the access policy for writing mobile-related data. 
+        /// This policy grants permissions to modify, update, or store mobile device information, 
+        /// user mobile settings, or related data as per the application's authorization scope.
+        /// </summary>
+        public const string Write = "Write";
+    }
+}

Core.Cerberos.Adapters/Common/Constants/Roles.cs

@@ -0,0 +1,15 @@
+namespace Core.Thalos.BuildingBlocks.Common.Constants
+{
+    public class Roles
+    {
+        /// <summary>
+        /// The role for Guest.
+        /// </summary>
+        public const string Guest = "684909c4826cd093b4f61c11";
+
+        /// <summary>
+        /// The role for Admin.
+        /// </summary>
+        public const string Admin = "68407642ec46a0e6fe1e8ec9";
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Authorization/Google/GoogleAuthorization.cs

@@ -0,0 +1,38 @@
+using Core.Thalos.BuildingBlocks.Authentication.Helpers;
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Auth.OAuth2.Flows;
+using Microsoft.Extensions.Configuration;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Google
+{
+    public class GoogleAuthorization(
+        IGoogleAuthHelper googleHelper, IConfiguration config) : IGoogleAuthorization
+    {
+        private string RedirectUrl = config["Authentication:Google:RedirectUri"]!;
+
+        public async Task<UserCredential> ExchangeCodeForToken(string code)
+        {
+            var flow = new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes()
+                });
+
+            var token = await flow.ExchangeCodeForTokenAsync(
+                "user", code, RedirectUrl, CancellationToken.None);
+
+            return new UserCredential(flow, "user", token);
+        }
+
+        public string GetAuthorizationUrl() =>
+            new GoogleAuthorizationCodeFlow(
+                new GoogleAuthorizationCodeFlow.Initializer
+                {
+
+                    ClientSecrets = googleHelper.GetClientSecrets(),
+                    Scopes = googleHelper.GetScopes(),
+                    Prompt = "consent"
+                }).CreateAuthorizationCodeRequest(RedirectUrl).Build().ToString();
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Authorization/Google/IGoogleAuthorization.cs

@@ -0,0 +1,10 @@
+using Google.Apis.Auth.OAuth2;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Google
+{
+    public interface IGoogleAuthorization
+    {
+        string GetAuthorizationUrl();
+        Task<UserCredential> ExchangeCodeForToken(string code);
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Authorization/Jwt/PermissionAuthorizationAdapter.cs

@@ -0,0 +1,9 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt
+{
+    public class PermissionAuthorizationAdapter(string[] permission) : IAuthorizationRequirement
+    {
+        public string[] Permission { get; } = permission ?? throw new ArgumentNullException(nameof(permission));
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Authorization/Jwt/PermissionsAuthorizationHandler.cs

@@ -0,0 +1,18 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt
+{
+    public class PermissionsAuthorizationHandler : AuthorizationHandler<PermissionAuthorizationAdapter>
+    {
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionAuthorizationAdapter requirement)
+        {
+            PermissionAuthorizationAdapter requirement2 = requirement;
+            if (context.User.Claims.Any((x) => x.Type == "roleId" && requirement2.Permission.Contains(x.Value)))
+            {
+                context.Succeed(requirement2);
+            }
+
+            return Task.CompletedTask;
+        }
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Extensions/AuthenticationExtension.cs

@@ -0,0 +1,92 @@
+using Core.Thalos.Adapters.Common.Constants;
+using Core.Thalos.Adapters.Options;
+using Core.Thalos.BuildingBlocks.Authentication.Authorization.Google;
+using Core.Thalos.BuildingBlocks.Authentication.Authorization.Jwt;
+using Core.Thalos.BuildingBlocks.Authentication.Handlers;
+using Core.Thalos.BuildingBlocks.Authentication.Helpers;
+using Core.Thalos.BuildingBlocks.Common.Constants;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
+using System.Text;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Extensions
+{
+    /// <summary>
+    /// Extension methods for configuring authentication with various Google and JWT setups.
+    /// </summary>
+    public static class AuthenticationExtension
+    {
+        /// <summary>
+        /// Configures authentication using Google Auth for an API that requires downstream API access.
+        /// </summary>
+        /// <param name="services">The <see cref="IServiceCollection"/> to add the services to.</param>
+        /// <param name="configuration">The <see cref="IConfiguration"/> containing Google Auth configuration settings.</param>
+        public static void ConfigureAuthentication(this IServiceCollection services, IConfiguration configuration)
+        {
+            var secretKey = configuration.GetSection("SecretKey").Value ?? string.Empty;
+            var _signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));
+            var jwtAppSettingsOptions = configuration.GetSection(nameof(JwtIssuerOptions));
+            var jwtIssuerOptions = jwtAppSettingsOptions.Get<JwtIssuerOptions>();
+
+            var googleClientId = configuration["Authentication:Google:ClientId"];
+            var googleClientSecret = configuration["Authentication:Google:ClientSecret"];
+            var redirectUri = configuration["Authentication:Google:RedirectUri"];
+
+            services.AddAuthentication(options =>
+            {
+                options.DefaultAuthenticateScheme = Schemes.GoogleScheme;
+                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+            })
+            .AddScheme<AuthenticationSchemeOptions,
+            GoogleAccessTokenAuthenticationHandler>(Schemes.GoogleScheme, null)
+            .AddGoogle(options =>
+            {
+                options.ClientId = googleClientId!;
+                options.ClientSecret = googleClientSecret!;
+                //options.SaveTokens = true;
+                options.CallbackPath = $"/{redirectUri}";
+            })
+            .AddJwtBearer(Schemes.DefaultScheme, x =>
+            {
+                x.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidIssuer = jwtIssuerOptions?.Issuer,
+                    ValidateIssuer = true,
+                    ValidateAudience = true,
+                    ValidateLifetime = true,
+                    ValidateIssuerSigningKey = true,
+                    ValidAudience = jwtIssuerOptions?.Audience,
+                    IssuerSigningKey = new SymmetricSecurityKey(
+                        Encoding.UTF8.GetBytes(configuration["SecretKey"] ?? string.Empty))
+                };
+            });
+
+            services.Configure<JwtIssuerOptions>(options =>
+            {
+                options.Issuer = jwtAppSettingsOptions[nameof(jwtIssuerOptions.Issuer)] ?? string.Empty;
+                options.Audience = jwtAppSettingsOptions[nameof(jwtIssuerOptions.Audience)] ?? string.Empty;
+                options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
+            });
+
+            services.AddSingleton(jwtAppSettingsOptions);
+
+            string[] roles = { Roles.Guest, Roles.Admin };
+
+            services.AddAuthorization(options =>
+            {
+                options.AddPolicy(Policies.Read, policy => policy.Requirements.Add(new PermissionAuthorizationAdapter(roles)));
+                options.AddPolicy(Policies.Write, policy => policy.Requirements.Add(new PermissionAuthorizationAdapter(roles)));
+            });
+
+            services.AddTransient<IAuthorizationHandler, PermissionsAuthorizationHandler>();
+
+            services.AddAuthorization();
+            services.AddScoped<IGoogleAuthHelper, GoogleAuthHelper>();
+            services.AddScoped<IGoogleAuthorization, GoogleAuthorization>();
+        }
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Extensions/SwaggerExtension.cs

@@ -0,0 +1,84 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.OpenApi.Any;
+using Microsoft.OpenApi.Interfaces;
+using Microsoft.OpenApi.Models;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Extensions
+{
+    public static class SwaggerExtension
+    {
+        public static void AddSwaggerGen(this IServiceCollection services, IConfiguration configuration)
+        {
+            services.AddSwaggerGen(opts =>
+            {
+                const string schemeName = "oauth2";
+
+                opts.AddSecurityDefinition(schemeName, new OpenApiSecurityScheme
+                {
+                    Type = SecuritySchemeType.OAuth2,
+                    Scheme = "bearer",
+                    BearerFormat = "JWT",
+                    Name = "Authorization",
+                    In = ParameterLocation.Header,
+
+                    Extensions = new Dictionary<string, IOpenApiExtension>
+                    {
+                        ["x-tokenName"] = new OpenApiString("id_token")
+                    },
+
+                    Flows = new OpenApiOAuthFlows
+                    {
+                        AuthorizationCode = new OpenApiOAuthFlow
+                        {
+                            AuthorizationUrl = new Uri("https://accounts.google.com/o/oauth2/v2/auth"),
+                            TokenUrl = new Uri("https://oauth2.googleapis.com/token"),
+                            Scopes = new Dictionary<string, string>
+                            {
+                                { "openid",  "OpenID Connect" },
+                                { "email",   "Access email"   },
+                                { "profile", "Access profile" }
+                            }
+                        }
+                    }
+                });
+
+                // every operation requires the scheme
+                opts.AddSecurityRequirement(new OpenApiSecurityRequirement
+                {
+                    [new OpenApiSecurityScheme
+                        {
+                            Reference = new OpenApiReference
+                            { Type = ReferenceType.SecurityScheme, Id = schemeName }
+                        }
+                    ] = new[] { "openid", "email", "profile" }
+                });
+
+                opts.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
+                {
+                    Description = "JWT Authorization header using the Bearer scheme",
+                    Name = "Authorization",
+                    In = ParameterLocation.Header,
+                    Type = SecuritySchemeType.Http,
+                    Scheme = "bearer",
+                    BearerFormat = "JWT"
+                });
+
+                opts.AddSecurityRequirement(new OpenApiSecurityRequirement
+                {
+                    {
+                        new OpenApiSecurityScheme
+                        {
+                            Reference = new OpenApiReference
+                            {
+                                Type = ReferenceType.SecurityScheme,
+                                Id = "Bearer"
+                            }
+                        },
+                        Array.Empty<string>()
+                    }
+                });
+            });
+        }
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Handlers/GoogleAccessTokenAuthenticationHandler.cs

@@ -0,0 +1,63 @@
+using Core.Thalos.Adapters.Common.Constants;
+using Google.Apis.Auth;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Handlers
+{
+    public class GoogleAccessTokenAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
+         ILoggerFactory logger,
+         UrlEncoder encoder,
+         IConfiguration config) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
+    {
+        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            if (!Request.Headers.ContainsKey("Authorization"))
+                return AuthenticateResult.Fail("Missing Authorization header");
+
+            var authHeader = Request.Headers.Authorization.ToString();
+            if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Invalid Authorization header");
+
+            var idToken = authHeader["Bearer ".Length..].Trim();
+
+            GoogleJsonWebSignature.Payload payload;
+            try
+            {
+                payload = await GoogleJsonWebSignature.ValidateAsync(
+                    idToken,
+                    new GoogleJsonWebSignature.ValidationSettings
+                    {
+                        Audience = new[] { config["Authentication:Google:ClientId"]! }
+                    });
+            }
+            catch (InvalidJwtException)
+            {
+                return AuthenticateResult.Fail("Invalid Google token");
+            }
+
+            var claims = new List<Claim>
+            {
+                new Claim(ClaimTypes.NameIdentifier, payload.Subject),
+                new Claim(ClaimTypes.Email,          payload.Email),
+                new Claim(ClaimTypes.Name,           payload.Name ?? "")
+            };
+
+            var identity = new ClaimsIdentity(claims, Schemes.GoogleScheme);
+            var principal = new ClaimsPrincipal(identity);
+
+            var userEmail = principal.FindFirst(ClaimTypes.Email)?.Value;
+
+            if (string.IsNullOrEmpty(userEmail) ||
+                !userEmail.EndsWith("@agilewebs.com", StringComparison.OrdinalIgnoreCase))
+                return AuthenticateResult.Fail("Unauthorized Access");
+
+            var ticket = new AuthenticationTicket(principal, Schemes.GoogleScheme);
+            return AuthenticateResult.Success(ticket);
+        }
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Helpers/GoogleAuthHelper.cs

@@ -0,0 +1,31 @@
+using Google.Apis.Auth.OAuth2;
+using Google.Apis.Oauth2.v2;
+using Microsoft.Extensions.Configuration;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Helpers
+{
+    public class GoogleAuthHelper(IConfiguration config) : IGoogleAuthHelper
+    {
+        public ClientSecrets GetClientSecrets()
+        {
+            string clientId = config["Authentication:Google:ClientId"]!;
+            string clientSecret = config["Authentication:Google:ClientSecret"]!;
+
+            return new() { ClientId = clientId, ClientSecret = clientSecret };
+        }
+
+        public string[] GetScopes()
+        {
+            var scopes = new[]
+            {
+                Oauth2Service.Scope.Openid,
+                Oauth2Service.Scope.UserinfoEmail,
+                Oauth2Service.Scope.UserinfoProfile
+            };
+
+            return scopes;
+        }
+
+        public string ScopeToString() => string.Join(", ", GetScopes());
+    }
+}

Core.Thalos.BuildingBlocks/Authentication/Helpers/IGoogleAuthHelper.cs

@@ -0,0 +1,11 @@
+using Google.Apis.Auth.OAuth2;
+
+namespace Core.Thalos.BuildingBlocks.Authentication.Helpers
+{
+    public interface IGoogleAuthHelper
+    {
+        string[] GetScopes();
+        string ScopeToString();
+        ClientSecrets GetClientSecrets();
+    }
+}

Core.Thalos.BuildingBlocks/Common/Constants/Policies.cs

@@ -0,0 +1,24 @@
+using System;
+using System.Collections.Generic;
+namespace Core.Thalos.BuildingBlocks.Common.Constants
+{
+    /// <summary>
+    /// Constants for policy.
+    /// </summary>
+    public class Policies
+    {
+        /// <summary>
+        /// Defines the access policy for reading mobile-related data. 
+        /// This policy grants read-only permissions for retrieving mobile device information, 
+        /// user mobile settings, or related data as per the application's authorization scope.
+        /// </summary>
+        public const string Read = "Read";
+
+        /// <summary>
+        /// Defines the access policy for writing mobile-related data. 
+        /// This policy grants permissions to modify, update, or store mobile device information, 
+        /// user mobile settings, or related data as per the application's authorization scope.
+        /// </summary>
+        public const string Write = "Write";
+    }
+}

Core.Thalos.BuildingBlocks/Common/Constants/Roles.cs

@@ -0,0 +1,15 @@
+namespace Core.Thalos.BuildingBlocks.Common.Constants
+{
+    public class Roles
+    {
+        /// <summary>
+        /// The role for Guest.
+        /// </summary>
+        public const string Guest = "684909c4826cd093b4f61c11";
+
+        /// <summary>
+        /// The role for Admin.
+        /// </summary>
+        public const string Admin = "68407642ec46a0e6fe1e8ec9";
+    }
+}

Core.Thalos.BuildingBlocks/Common/Constants/Schemes.cs

@@ -14,5 +14,10 @@
         /// The azure scheme.
         /// </summary>
         public const string AzureScheme = "AzureScheme";
+
+        /// <summary>
+        /// The google scheme.
+        /// </summary>
+        public const string GoogleScheme = "GoogleScheme";
     }
 }

Core.Thalos.BuildingBlocks/Core.Thalos.BuildingBlocks.csproj

@@ -8,13 +8,16 @@
     <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
-	<VersionPrefix>1.0.2</VersionPrefix>
+	<VersionPrefix>1.0.5</VersionPrefix>
 	<VersionSuffix>$(Date:yyyyMMddHHmm)</VersionSuffix>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="Asp.Versioning.Mvc.ApiExplorer" Version="8.1.0" />
     <PackageReference Include="Core.Blueprint.Mongo" Version="1.0.0" />
+    <PackageReference Include="Google.Apis.Auth" Version="1.70.0" />
+    <PackageReference Include="Google.Apis.Oauth2.v2" Version="1.68.0.1869" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="8.0.18" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Extensions.Configuration.AzureAppConfiguration" Version="8.2.0" />
     <PackageReference Include="Microsoft.Identity.Web" Version="3.9.1" />