feature(#22): enhance JWT authentication to resolve signing keys based on realm and secret filters

Author: https-richardy

Applications/Backend/Source/HttpsRichardy.Federation.WebApi/Extensions/AuthenticationExtension.cs

@@ -6,21 +6,72 @@ public static class AuthenticationExtension
     public static IServiceCollection AddJwtAuthentication(this IServiceCollection services)
     {
         var serviceProvider = services.BuildServiceProvider();
-        var secretRepository = serviceProvider.GetRequiredService<ISecretCollection>();
+        var accessor = serviceProvider.GetRequiredService<IHttpContextAccessor>();
 
-        var secret = secretRepository.GetSecretAsync()
-            .GetAwaiter()
-            .GetResult();
-
-        var publicKey = Common.Utilities.RsaHelper.CreateSecurityKeyFromPublicKey(secret.PublicKey);
         var validationParameters = new TokenValidationParameters
         {
             ValidateIssuer = false,
             ValidateAudience = false,
             ValidateLifetime = true,
             ValidateIssuerSigningKey = true,
-            IssuerSigningKey = publicKey,
-            ClockSkew = TimeSpan.Zero
+            ClockSkew = TimeSpan.FromSeconds(30),
+            IssuerSigningKeyResolver = (token, _, kid, _) =>
+            {
+                var context = accessor.HttpContext;
+                if (context is null || string.IsNullOrWhiteSpace(token))
+                    return [];
+
+                var secretCollection = context.RequestServices.GetRequiredService<ISecretCollection>();
+                var realmCollection = context.RequestServices.GetRequiredService<IRealmCollection>();
+
+                var jsonWebToken = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token);
+                var realmId = jsonWebToken.Claims.FirstOrDefault(claim => claim.Type == Infrastructure.Constants.IdentityClaimNames.RealmId)?.Value;
+
+                if (string.IsNullOrWhiteSpace(realmId))
+                {
+                    var realmName = jsonWebToken.Claims.FirstOrDefault(claim => claim.Type == Infrastructure.Constants.IdentityClaimNames.Realm)?.Value;
+
+                    if (string.IsNullOrWhiteSpace(realmName))
+                        return [];
+
+                    var realmFilters = RealmFilters.WithSpecifications()
+                        .WithName(realmName)
+                        .Build();
+
+                    var realms = realmCollection
+                        .GetRealmsAsync(realmFilters, context.RequestAborted)
+                        .GetAwaiter()
+                        .GetResult();
+
+                    realmId = realms.FirstOrDefault()?.Id;
+                }
+
+                if (string.IsNullOrWhiteSpace(realmId))
+                    return [];
+
+                var secretFilters = SecretFilters.WithSpecifications()
+                    .WithRealm(realmId)
+                    .WithCanValidate()
+                    .Build();
+
+                var secrets = secretCollection
+                    .GetSecretsAsync(secretFilters, context.RequestAborted)
+                    .GetAwaiter()
+                    .GetResult();
+
+                if (!string.IsNullOrWhiteSpace(kid))
+                {
+                    secrets = [.. secrets.Where(secret => secret.Id == kid)];
+                }
+
+                return [.. secrets.Select(secret =>
+                {
+                    var key = Common.Utilities.RsaHelper.CreateSecurityKeyFromPublicKey(secret.PublicKey);
+                    key.KeyId = secret.Id;
+
+                    return key;
+                })];
+            }
         };
 
         var builder = services.AddAuthentication(options =>