#277 - JWK e JWKS na API de identidade - feature/sp8/#277

Author: jeffreysSharp

src/services/JSE.Identidade.API/Configuration/ApiConfig.cs

@@ -1,4 +1,6 @@
 using JSE.WebAPI.Core.IdentityConfiguration;
+using JSE.WebAPI.Core.User;
+using NetDevPack.Security.JwtSigningCredentials.AspNetCore;
 
 namespace JSE.Identidade.API.Configuration
 {
@@ -8,6 +10,8 @@ public static IServiceCollection AddApiConfiguration(this IServiceCollection ser
         {
             services.AddControllers();
 
+            services.AddScoped<IAspNetUser, AspNetUser>();
+
             return services;
         }
 
@@ -29,6 +33,8 @@ public static IApplicationBuilder UseApiConfiguration(this IApplicationBuilder a
                 endpoints.MapControllers();
             });
 
+            app.UseJwksDiscovery();
+
             return app;
         }
     }

src/services/JSE.Identidade.API/Configuration/IdentityConfig.cs

@@ -3,6 +3,7 @@
 using JSE.WebAPI.Core.IdentityConfiguration;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
+using NetDevPack.Security.JwtSigningCredentials;
 
 namespace JSE.Identidade.API.Configuration
 {
@@ -11,6 +12,10 @@ public static class IdentityConfig
         public static IServiceCollection AddIdentityConfiguration(this IServiceCollection services,
             IConfiguration configuration)
         {
+
+            services.AddJwksManager(options => options.Algorithm = Algorithm.ES256)
+                .PersistKeysToDatabaseStore<ApplicationDbContext>();
+
             services.AddDbContext<ApplicationDbContext>(options =>
                 options.UseSqlServer(configuration.GetConnectionString("DefaultConnection")));
 

src/services/JSE.Identidade.API/Controllers/AuthController.cs

@@ -10,6 +10,8 @@
 using JSE.MessageBus;
 using JSE.Core.Messages.Integration;
 using JSE.WebAPI.Core.IdentityConfiguration;
+using JSE.WebAPI.Core.User;
+using NetDevPack.Security.JwtSigningCredentials.Interfaces;
 
 namespace JSE.Identidade.API.Controllers
 {
@@ -19,18 +21,24 @@ public class AuthController : MainController
         private readonly SignInManager<IdentityUser> _signInManager;
         private readonly UserManager<IdentityUser> _userManager;
         private readonly AppSettings _appSettings;
+        private readonly IAspNetUser _aspNetUser;
+        private readonly IJsonWebKeySetService _jwksService;
 
         private readonly IMessageBus _bus;
 
         public AuthController(SignInManager<IdentityUser> signInManager,
                               UserManager<IdentityUser> userManager,
                               IOptions<AppSettings> appSettings,
-                              IMessageBus bus)
+                              IMessageBus bus,
+                              IAspNetUser aspNetUser,
+                              IJsonWebKeySetService jwksService)
         {
             _signInManager = signInManager;
             _userManager = userManager;
             _appSettings = appSettings.Value;
             _bus = bus;
+            _aspNetUser = aspNetUser;
+            _jwksService = jwksService;
         }
 
         [HttpPost("nova-conta")]
@@ -127,14 +135,16 @@ private async Task<ClaimsIdentity> ObterClaimsUsuario(ICollection<Claim> claims,
         private string CodificarToken(ClaimsIdentity identityClaims)
         {
             var tokenHandler = new JwtSecurityTokenHandler();
-            var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
+
+            var currentIssuer = $"{_aspNetUser.ObterHttpContext().Request.Scheme}://{_aspNetUser.ObterHttpContext().Request.Host}";
+
+            var key = _jwksService.GetCurrent();
             var token = tokenHandler.CreateToken(new SecurityTokenDescriptor
             {
-                Issuer = _appSettings.Issuer,
-                Audience = _appSettings.ValidOn,
+                Issuer = currentIssuer,
                 Subject = identityClaims,
-                Expires = DateTime.UtcNow.AddHours(_appSettings.ExpirationHours),
-                SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+                Expires = DateTime.UtcNow.AddHours(1),
+                SigningCredentials = key
             });
 
             return tokenHandler.WriteToken(token);

src/services/JSE.Identidade.API/Data/ApplicationDbContext.cs

@@ -1,10 +1,14 @@
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
+using NetDevPack.Security.JwtSigningCredentials;
+using NetDevPack.Security.JwtSigningCredentials.Store.EntityFrameworkCore;
 
 namespace JSE.Identidade.API.Data
 {
-    public class ApplicationDbContext : IdentityDbContext
+    public class ApplicationDbContext : IdentityDbContext, ISecurityKeyContext
     {
         public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
+
+        public DbSet<SecurityKeyWithPrivate> SecurityKeys { get; set; }
     }
 }

src/services/JSE.Identidade.API/JSE.Identidade.API.csproj

@@ -16,6 +16,8 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>    
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />    
+    <PackageReference Include="NetDevPack.Security.JwtSigningCredentials.AspNetCore" Version="1.0.3" />    
+    <PackageReference Include="NetDevPack.Security.JwtSigningCredentials.Store.EntityFrameworkCore" Version="1.0.3" />    
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0" />