Refresh and simplify authentication/authorization samples

CommonTasks.md

@@ -137,6 +137,20 @@ docker run --rm -ti -p 5432:5432 --name steeltoe-postgres -e POSTGRES_DB=steelto
 docker run --rm -ti -p 27017:27017 --name mongoserver mongo
 ```
 
+## UAA Server for Steeltoe Samples
+
+The Steeltoe team has created a [UAA configuration](https://github.com/SteeltoeOSS/Dockerfiles/blob/main/uaa-server/uaa.yml) to use with the sample applications in this repository.
+
+### Run UAA Server with Docker
+
+```script
+docker run --rm -it -p 8080:8080 --name steeltoe-uaa steeltoe.azurecr.io/uaa-server:77.10
+```
+
+### Run Steeltoe UAA on Cloud Foundry
+
+Refer to the [README in the Dockerfiles repository](https://github.com/SteeltoeOSS/Dockerfiles/tree/main/uaa-server/README.md) for instructions.
+
 ## Zipkin
 
 ### Run Zipkin Server with Docker

README.md

@@ -8,9 +8,6 @@ Samples using the Spring Cloud Config Server and other Steeltoe configuration pr
 
 | Sample | main | latest |
 | --- | --- | --- |
-| [Simple](Configuration/src/Simple) | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status/Samples/SteeltoeOSS.Samples%20%5BConfiguration_Simple%5D?branchName=main)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=16&branchName=main) | |
-| [SimpleCloudFoundry](Configuration/src/SimpleCloudFoundry) | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status/Samples/SteeltoeOSS.Samples%20%5BConfiguration_SimpleCloudFoundry%5D?branchName=main)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=13&branchName=main) | |
-| [CloudFoundry](Configuration/src/CloudFoundry) | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status/Samples/SteeltoeOSS.Samples%20%5BConfiguration_CloudFoundry%5D?branchName=main)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=15&branchName=main) | |
 | [Configuration](Configuration/src/Steeltoe.Samples.Configuration) | | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status%2FSamples%2FConfiguration?branchName=latest)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=73&branchName=latest) |
 
 ## [Discovery](Discovery)
@@ -44,11 +41,7 @@ Samples using the Steeltoe Connectors for connecting to backing services. Steelt
 
 ## [Security](Security)
 
-Samples using the Steeltoe Security packages for Authentication and Authorization with Cloud Foundry auth services, using a Redis cache for DataProtection KeyRing storage and for interacting with CredHub.
-
-| Sample | main | latest |
-| --- | --- | --- |
-| [CloudFoundrySingleSignon](Security/src/CloudFoundrySingleSignon) | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status/Samples/SteeltoeOSS.Samples%20%5BSecurity_CloudFoundrySingleSignon%5D?branchName=main)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=24&branchName=main) | [![Build Status](https://dev.azure.com/SteeltoeOSS/Steeltoe/_apis/build/status/Samples/SteeltoeOSS.Samples%20%5BSecurity_CloudFoundrySingleSignon%5D?branchName=latest)](https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/latest?definitionId=24&branchName=latest) |
+Samples using the Steeltoe Security packages for Authentication and Authorization with Cloud Foundry auth services and using a Redis cache for DataProtection KeyRing storage.
 
 ## [MusicStore](MusicStore)
 

Security/README.md

@@ -0,0 +1,11 @@
+# Steeltoe Security Sample Applications
+
+This section of the Samples repository contains applications that use the [Steeltoe Security Packages](https://docs.steeltoe.io/api/v3/security/) for authentication, authorization, and data protection.
+
+## ASP.NET Core Samples
+
+* [AuthClient](src/AuthClient/README.md) and [AuthServer](src/AuthServer/README.md) - authenticate and authorize with OpenID Connect and JWT Bearer tokens using [Single Sign-On for VMware Tanzu Application Service](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service)) and client certificates.
+* RedisDataProtectionKeyStore - use Redis provisioned on CloudFoundry as a DataProtection Key Store.  Sample illustrates sharing encrypted data stored in a Session across multiple instances of an application.
+
+---
+### See the Official [Steeltoe Security Documentation](https://docs.steeltoe.io/api/v3/security/) for more detailed information

Security/src/AuthClient/.cfignore

@@ -0,0 +1,3 @@
+bin
+obj
+GeneratedCertificates

Security/src/AuthClient/Controllers/HomeController.cs

@@ -0,0 +1,122 @@
+using System;
+using System.Diagnostics;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Steeltoe.Samples.AuthClient.Models;
+
+namespace Steeltoe.Samples.AuthClient.Controllers;
+
+public sealed class HomeController(IHttpClientFactory clientFactory, ILogger<HomeController> logger) : Controller
+{
+    public IActionResult Index()
+    {
+        return View();
+    }
+
+    public IActionResult Privacy()
+    {
+        return View();
+    }
+
+    [Authorize(Policy = Globals.RequiredJwtScope)]
+    public IActionResult TestGroup()
+    {
+        ViewData["Message"] = $"You have the '{Globals.RequiredJwtScope}' permission.";
+        return View();
+    }
+
+    [Authorize(Policy = Globals.UnknownJwtScope)]
+    public IActionResult AnotherTestGroup()
+    {
+        ViewData["Message"] = $"You have the '{Globals.UnknownJwtScope}' permission.";
+
+        return View("TestGroup");
+    }
+
+    [HttpGet]
+    [Authorize]
+    public IActionResult Login()
+    {
+        return RedirectToAction(nameof(Index), "Home");
+    }
+
+    public IActionResult Manage()
+    {
+        return View();
+    }
+
+    [HttpPost]
+    public async Task<IActionResult> Logout()
+    {
+        await HttpContext.SignOutAsync();
+        return RedirectToAction(nameof(Index), "Home");
+    }
+
+    [Authorize]
+    public async Task<IActionResult> InvokeJwtSample()
+    {
+        using HttpClient jwtHttpClient = clientFactory.CreateClient("default");
+        string? token = await HttpContext.GetTokenAsync("access_token");
+
+        if (!string.IsNullOrEmpty(token))
+        {
+            jwtHttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+            string model = await SendRequestToBackend(jwtHttpClient, "/api/JwtAuthorization");
+            return View("InvokeService", model);
+        }
+
+        return View("InvokeService",
+            "No access token found in user session. Perhaps you need to set Authentication:Schemes:OpenIdConnect:SaveTokens to 'true'?");
+    }
+
+    public async Task<IActionResult> InvokeSameOrgSample()
+    {
+        using HttpClient mutualTlsHttpClient = clientFactory.CreateClient("AppInstanceIdentity");
+        string model = await SendRequestToBackend(mutualTlsHttpClient, "/api/certificate/SameOrg");
+        return View("InvokeService", model);
+    }
+
+    public async Task<IActionResult> InvokeSameSpaceSample()
+    {
+        using HttpClient mutualTlsHttpClient = clientFactory.CreateClient("AppInstanceIdentity");
+        string model = await SendRequestToBackend(mutualTlsHttpClient, "/api/certificate/SameSpace");
+        return View("InvokeService", model);
+    }
+
+    public IActionResult AccessDenied()
+    {
+        ViewData["Message"] = "Insufficient permissions.";
+        return View();
+    }
+
+    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+    public IActionResult Error()
+    {
+        return View(new ErrorViewModel
+        {
+            RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier
+        });
+    }
+
+    private async Task<string> SendRequestToBackend(HttpClient client, string requestUri)
+    {
+        string result;
+
+        try
+        {
+            logger.LogTrace("Sending request to {requestUri}", requestUri);
+            result = await client.GetStringAsync(requestUri);
+        }
+        catch (Exception exception)
+        {
+            result = $"Request failed: {exception.Message}, at: {requestUri}";
+        }
+
+        return result;
+    }
+}

Security/src/AuthClient/Directory.Build.props

@@ -0,0 +1,5 @@
+<Project>
+  <PropertyGroup>
+    <SteeltoeVersion>4.0.*-*</SteeltoeVersion>
+  </PropertyGroup>
+</Project>

Security/src/AuthClient/Globals.cs

@@ -0,0 +1,7 @@
+namespace Steeltoe.Samples.AuthClient;
+
+internal static class Globals
+{
+    public const string RequiredJwtScope = "sampleapi.read";
+    public const string UnknownJwtScope = "sampleapi.unknown";
+}

Security/src/AuthClient/Models/ErrorViewModel.cs

@@ -0,0 +1,8 @@
+namespace Steeltoe.Samples.AuthClient.Models;
+
+public sealed class ErrorViewModel
+{
+    public string? RequestId { get; init; }
+
+    public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
+}