Initial IAuthenticationContext abstraction
#880
Conversation
martinothamar
added
the
feature
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
3935f27 to
9a48939
Compare
martinothamar
changed the title
IAuthenticationContext abstraction
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
9a48939 to
a1452cd
Compare
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
8b7e8aa to
3cb8eab
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
d49f6d4 to
029fd81
Compare
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
a1ab771 to
cfa4c3a
Compare
| @@ -334,7 +334,8 @@ | |||
| var mockHttpClientFactory = fixture.HttpClientFactoryMock; | |||
| var mockMaskinportenClient = fixture.MaskinportenClientMock; | |||
| var mockHttpClient = new Mock<HttpClient>(); | |||
| var altinnTokenResponse = PrincipalUtil.GetOrgToken("ttd"); | |||
| var correspondencePayload = PayloadFactory.Send(authorisation: CorrespondenceAuthorisation.Maskinporten); | |||
Check warning
Code scanning / CodeQL
Useless assignment to local variable Warning test
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
9973fa2 to
55a75b9
Compare
| { | ||
| _authenticationClient = authenticationClient; | ||
| _settings = settings.Value; | ||
| _authenticationContext = serviceProvider.GetRequiredService<IAuthenticationContext>(); |
There was a problem hiding this comment.
Could you add a comment about why you inject IServiceProvider instead of IAuthenticationContext?
There was a problem hiding this comment.
in code or just here? It's because the interface is internal for now
| /// <returns>Party id for selected party. If invalid, partyId for logged in user is returned.</returns> | ||
| [Authorize] | ||
| [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)] | ||
| [HttpGet("{org}/{app}/api/[controller]/current")] |
There was a problem hiding this comment.
Why /[controller]/ instead of authentication (with a lower case a)
There was a problem hiding this comment.
You also need to somehow annotate for swagger to document the possible response(s).
There was a problem hiding this comment.
I might remove or comment this out. I was orginally intending to replace 3 separate frontend requests with this endpoint, but put that on the backburner as it seemed difficult to refactor the frontend at the time. Wether a union is a good idea I'm not sure. I did have the start of a TS implementation that used the discriminator to figure which type it was, and a .NET client would be fine with it, but yeah it's not the most common thing
| [JsonDerivedType(typeof(OrgResponse), typeDiscriminator: "Org")] | ||
| [JsonDerivedType(typeof(ServiceOwnerResponse), typeDiscriminator: "ServiceOwner")] | ||
| [JsonDerivedType(typeof(SystemUserResponse), typeDiscriminator: "SystemUser")] | ||
| private abstract record CurrentAuthenticationBaseResponse { } |
There was a problem hiding this comment.
I'm not sure I like the idea of exposing a discriminated union in the api. Does OpenAPI generation support this nicely?
At least we need some docs on the properties
| { | ||
| public required UserProfile Profile { get; init; } | ||
|
|
||
| public required Party Party { get; init; } |
There was a problem hiding this comment.
Is this the party of the authenticated user or the party he currently intends to represent as specified by the AltinnPartyId cookie (which is kind of useless because it will be wrong for one of the tabs if you have multiple instances for multiple reportees open at the same time )?
| /// This means that the user has authenticated with a username/password, which can happen using | ||
| /// * Altinn "self registered users" | ||
| /// * IDporten through Ansattporten ("low"), MinID self registered eID | ||
| /// These have limited access to Altinn and can only represent themselves. |
There was a problem hiding this comment.
Is this correct? At least if you come through Ansattporten, you likely represent the org you're employed at?
There was a problem hiding this comment.
I think you end up as a user, and not with authentication_level = 0? I'll check...
| { | ||
| var authenticationContext = (AuthenticationContext) | ||
| context.RequestServices.GetRequiredService<IAuthenticationContext>(); | ||
| authenticationContext.ResolveCurrent(context); |
There was a problem hiding this comment.
Why do you need a middleware here? Don't we already have a middleware that sets IHttpContextAccessor.Current?
There was a problem hiding this comment.
I don't remember if there is a good reason anymore, I'll try to retrieve it lazily instead, without middleware
There was a problem hiding this comment.
This file has too many classes, records and interfaces. Would be nice to split it up.
martinothamar
force-pushed
the
feat/authn-abstraction
branch
from
df48e10 to
45863cc
Compare
…d party everywhere
|
|
||
| var lookupPartyTask = | ||
| SelectedPartyId == userProfile.PartyId | ||
| ? Task.FromResult((Party?)userProfile.Party) |
Check warning
Code scanning / CodeQL
Cast to same type Warning
|
Description
Initial proposal for #763
Related Issue(s)
process/nextwhen using org token as opposed to user token (frontend) #908Verification
Documentation