Add AuthenticatedSchemes option (#1047)

Author: Shane32

README.md

@@ -482,6 +482,28 @@ Note that `InvokeAsync` will execute even if the protocol is disabled in the opt
 disabling `HandleGet` or similar; `HandleAuthorizeAsync` and `HandleAuthorizeWebSocketConnectionAsync`
 will not.
 
+#### Authentication schemes
+
+By default the role and policy requirements are validated against the current user as defined by
+`HttpContext.User`. This is typically set by ASP.NET Core's authentication middleware and is based
+on the default authentication scheme set during the call to `AddAuthentication` in `Startup.cs`.
+You may override this behavior by specifying a different authentication scheme via the `AuthenticationSchemes`
+option. For instance, if you wish to authenticate using JWT authentication when Cookie authentication is
+the default, you may specify the scheme as follows:
+
+```csharp
+app.UseGraphQL("/graphql", config =>
+{
+ // specify a specific authentication scheme to use
+ config.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+});
+```
+
+This will overwrite the `HttpContext.User` property when handling GraphQL requests, which will in turn
+set the `IResolveFieldContext.User` property to the same value (unless being overridden via an
+`IWebSocketAuthenticationService` implementation as shown above). So both endpoint authorization and
+field authorization will perform role and policy checks against the same authentication scheme.
+
 ### UI configuration
 
 There are four UI middleware projects included; Altair, GraphiQL, Playground and Voyager.

src/Transports.AspNetCore/GraphQLHttpMiddleware.cs

@@ -1,5 +1,6 @@
 #pragma warning disable CA1716 // Identifiers should not match keywords
 
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Primitives;
 using MediaTypeHeaderValueMs = Microsoft.Net.Http.Headers.MediaTypeHeaderValue;
 
@@ -270,6 +271,8 @@ protected virtual async Task InvokeAsync(HttpContext context, RequestDelegate ne
  /// </summary>
  protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context, RequestDelegate next)
  {
+ await SetHttpContextUserAsync(context);
+
  var success = await AuthorizationHelper.AuthorizeAsync(
  new AuthorizationParameters<(GraphQLHttpMiddleware Middleware, HttpContext Context, RequestDelegate Next)>(
  context,
@@ -282,6 +285,26 @@ protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context
  return !success;
  }
 
+ /// <summary>
+ /// If any authentication schemes are defined, set the <see cref="HttpContext.User"/> property.
+ /// </summary>
+ private async ValueTask SetHttpContextUserAsync(HttpContext context)
+ {
+ if (_options.AuthenticationSchemes.Count > 0)
+ {
+ ClaimsPrincipal? newPrincipal = null;
+ foreach (var scheme in _options.AuthenticationSchemes)
+ {
+ var result = await context.AuthenticateAsync(scheme);
+ if (result != null && result.Succeeded)
+ {
+ newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result.Principal);
+ }
+ }
+ context.User = newPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity());
+ }
+ }
+
  /// <summary>
  /// Perform authorization, if required, and return <see langword="true"/> if the
  /// request was handled (typically by returning an error message). If <see langword="false"/>
@@ -291,8 +314,11 @@ protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context
  /// the WebSocket connection during the ConnectionInit message. Authorization checks for
  /// WebSocket connections occur then, after authorization has taken place.
  /// </summary>
- protected virtual ValueTask<bool> HandleAuthorizeWebSocketConnectionAsync(HttpContext context, RequestDelegate next)
- => new(false);
+ protected virtual async ValueTask<bool> HandleAuthorizeWebSocketConnectionAsync(HttpContext context, RequestDelegate next)
+ {
+ await SetHttpContextUserAsync(context);
+ return false;
+ }
 
  /// <summary>
  /// Handles a single GraphQL request.

src/Transports.AspNetCore/GraphQLHttpMiddlewareOptions.cs

@@ -84,6 +84,12 @@ public class GraphQLHttpMiddlewareOptions : IAuthorizationOptions
  /// </summary>
  public bool ReadExtensionsFromQueryString { get; set; } = true;
 
+ /// <summary>
+ /// Gets or sets a list of the authentication schemes the authentication requirements are evaluated against.
+ /// When no schemes are specified, the default authentication scheme is used.
+ /// </summary>
+ public List<string> AuthenticationSchemes { get; set; } = new();
+
  /// <inheritdoc/>
  /// <remarks>
  /// HTTP requests return <c>401 Forbidden</c> when the request is not authenticated.

src/Transports.AspNetCore/SecurityHelper.cs

@@ -0,0 +1,73 @@
+// source: https://github.com/dotnet/aspnetcore/blob/main/src/Shared/SecurityHelper/SecurityHelper.cs
+// permalink: https://github.com/dotnet/aspnetcore/blob/8b2fd3f7a3b3e18afc6f63c4a494cc733dcced64/src/Shared/SecurityHelper/SecurityHelper.cs
+// retrieved: 2023-07-05
+
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+/*
+
+The MIT License (MIT)
+
+Copyright (c) .NET Foundation and Contributors
+
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+*/
+
+namespace GraphQL.Server.Transports.AspNetCore;
+
+/// <summary>
+/// Helper code used when implementing authentication middleware
+/// </summary>
+internal static class SecurityHelper
+{
+ /// <summary>
+ /// Add all ClaimsIdentities from an additional ClaimPrincipal to the ClaimsPrincipal
+ /// Merges a new claims principal, placing all new identities first, and eliminating
+ /// any empty unauthenticated identities from context.User
+ /// </summary>
+ /// <param name="existingPrincipal">The <see cref="ClaimsPrincipal"/> containing existing <see cref="ClaimsIdentity"/>.</param>
+ /// <param name="additionalPrincipal">The <see cref="ClaimsPrincipal"/> containing <see cref="ClaimsIdentity"/> to be added.</param>
+ public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal? existingPrincipal, ClaimsPrincipal? additionalPrincipal)
+ {
+ // For the first principal, just use the new principal rather than copying it
+ if (existingPrincipal == null && additionalPrincipal != null)
+ {
+ return additionalPrincipal;
+ }
+
+ var newPrincipal = new ClaimsPrincipal();
+
+ // New principal identities go first
+ if (additionalPrincipal != null)
+ {
+ newPrincipal.AddIdentities(additionalPrincipal.Identities);
+ }
+
+ // Then add any existing non empty or authenticated identities
+ if (existingPrincipal != null)
+ {
+ newPrincipal.AddIdentities(existingPrincipal.Identities.Where(i => i.IsAuthenticated || i.Claims.Any()));
+ }
+ return newPrincipal;
+ }
+}

tests/ApiApprovalTests/net50+net60+netcoreapp31/GraphQL.Server.Transports.AspNetCore.approved.txt

@@ -111,6 +111,7 @@ namespace GraphQL.Server.Transports.AspNetCore
  public class GraphQLHttpMiddlewareOptions : GraphQL.Server.Transports.AspNetCore.IAuthorizationOptions
  {
  public GraphQLHttpMiddlewareOptions() { }
+ public System.Collections.Generic.List<string> AuthenticationSchemes { get; set; }
  public bool AuthorizationRequired { get; set; }
  public string? AuthorizedPolicy { get; set; }
  public System.Collections.Generic.List<string> AuthorizedRoles { get; set; }

tests/ApiApprovalTests/netcoreapp21+netstandard20/GraphQL.Server.Transports.AspNetCore.approved.txt

@@ -118,6 +118,7 @@ namespace GraphQL.Server.Transports.AspNetCore
  public class GraphQLHttpMiddlewareOptions : GraphQL.Server.Transports.AspNetCore.IAuthorizationOptions
  {
  public GraphQLHttpMiddlewareOptions() { }
+ public System.Collections.Generic.List<string> AuthenticationSchemes { get; set; }
  public bool AuthorizationRequired { get; set; }
  public string? AuthorizedPolicy { get; set; }
  public System.Collections.Generic.List<string> AuthorizedRoles { get; set; }

tests/Transports.AspNetCore.Tests/Middleware/AuthorizationTests.cs

@@ -3,6 +3,7 @@
 using System.Security.Claims;
 using GraphQL.Execution;
 using GraphQL.Server.Transports.AspNetCore.Errors;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace Tests.Middleware;
@@ -11,9 +12,14 @@ public class AuthorizationTests : IDisposable
 {
  private GraphQLHttpMiddlewareOptions _options = null!;
  private bool _enableCustomErrorInfoProvider;
- private readonly TestServer _server;
+ private TestServer _server;
 
  public AuthorizationTests()
+ {
+ _server = CreateServer();
+ }
+
+ private TestServer CreateServer(Action<IServiceCollection>? configureServices = null)
  {
  var hostBuilder = new WebHostBuilder();
  hostBuilder.ConfigureServices(services =>
@@ -46,6 +52,7 @@ public AuthorizationTests()
 #if NETCOREAPP2_1 || NET48
  services.AddHostApplicationLifetime();
 #endif
+ configureServices?.Invoke(services);
  });
  hostBuilder.Configure(app =>
  {
@@ -59,7 +66,7 @@ public AuthorizationTests()
  _options = opts;
  });
  });
- _server = new TestServer(hostBuilder);
+ return new TestServer(hostBuilder);
  }
 
  public void Dispose() => _server.Dispose();
@@ -270,6 +277,95 @@ public async Task Authorized_Policy()
  actual.ShouldBe("""{"data":{"__typename":"Query"}}""");
  }
 
+ [Fact]
+ public async Task NotAuthorized_WrongScheme()
+ {
+ _server.Dispose();
+ _server = CreateServer(services =>
+ {
+ services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+ });
+ _options.AuthorizationRequired = true;
+ using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+ response.StatusCode.ShouldBe(HttpStatusCode.Unauthorized);
+ var actual = await response.Content.ReadAsStringAsync();
+ actual.ShouldBe(@"{""errors"":[{""message"":""Access denied for schema."",""extensions"":{""code"":""ACCESS_DENIED"",""codes"":[""ACCESS_DENIED""]}}]}");
+ }
+
+ [Fact]
+ public async Task NotAuthorized_WrongScheme_2()
+ {
+ _server.Dispose();
+ _server = CreateServer(services =>
+ {
+ services.AddAuthentication().AddCookie(); // add Cookie authentication
+ });
+ _options.AuthorizationRequired = true;
+ _options.AuthenticationSchemes.Add(CookieAuthenticationDefaults.AuthenticationScheme); // change authentication scheme for GraphQL requests to Cookie (which is not used by the test client)
+ using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+ response.StatusCode.ShouldBe(HttpStatusCode.Unauthorized);
+ var actual = await response.Content.ReadAsStringAsync();
+ actual.ShouldBe(@"{""errors"":[{""message"":""Access denied for schema."",""extensions"":{""code"":""ACCESS_DENIED"",""codes"":[""ACCESS_DENIED""]}}]}");
+ }
+
+ [Fact]
+ public async Task NotAuthorized_WrongScheme_VerifyUser()
+ {
+ bool validatedUser = false;
+ _server.Dispose();
+ _server = CreateServer(services =>
+ {
+ services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+ services.AddGraphQL(b => b
+ .ConfigureExecutionOptions(opts =>
+ {
+ opts.User.ShouldNotBeNull().Identity.ShouldNotBeNull().IsAuthenticated.ShouldBeFalse();
+ validatedUser = true;
+ }));
+ });
+ _options.AuthorizationRequired = false; // disable authorization requirements; we just want to verify that an anonymous user is passed to the execution options
+ using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+ response.StatusCode.ShouldBe(HttpStatusCode.OK);
+ var actual = await response.Content.ReadAsStringAsync();
+ actual.ShouldBe(@"{""data"":{""__typename"":""Query""}}");
+ validatedUser.ShouldBeTrue();
+ }
+
+ [Fact]
+ public async Task Authorized_DifferentScheme()
+ {
+ bool validatedUser = false;
+ _server.Dispose();
+ _server = CreateServer(services =>
+ {
+ services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+ services.AddGraphQL(b => b.ConfigureExecutionOptions(opts =>
+ {
+ opts.User.ShouldNotBeNull().Identity.ShouldNotBeNull().IsAuthenticated.ShouldBeTrue();
+ validatedUser = true;
+ }));
+ });
+ _options.AuthorizationRequired = true;
+ _options.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+ using var response = await PostQueryAsync("{ __typename }", true);
+ response.StatusCode.ShouldBe(HttpStatusCode.OK);
+ var actual = await response.Content.ReadAsStringAsync();
+ actual.ShouldBe(@"{""data"":{""__typename"":""Query""}}");
+ validatedUser.ShouldBeTrue();
+ }
+
+ [Fact]
+ public void SecurityHelperTests()
+ {
+ SecurityHelper.MergeUserPrincipal(null, null).ShouldNotBeNull().Identity.ShouldBeNull(); // Note that ASP.NET Core does not return null for anonymous user
+ var principal1 = new ClaimsPrincipal(new ClaimsIdentity()); // empty identity for primary identity (default for ASP.NET Core)
+ SecurityHelper.MergeUserPrincipal(null, principal1).ShouldBe(principal1);
+ var principal2 = new ClaimsPrincipal(new ClaimsIdentity("test1")); // non-empty identity for secondary identity
+ SecurityHelper.MergeUserPrincipal(principal1, principal2).Identities.ShouldHaveSingleItem().AuthenticationType.ShouldBe("test1");
+ var principal3 = new ClaimsPrincipal(new ClaimsIdentity("test2")); // merge two non-empty identities together
+ SecurityHelper.MergeUserPrincipal(principal2, principal3).Identities.Select(x => x.AuthenticationType).ShouldBe(new[] { "test2", "test1" }); // last one wins
+ }
+
  private class CustomErrorInfoProvider : ErrorInfoProvider
  {
  private readonly AuthorizationTests _authorizationTests;

tests/Transports.AspNetCore.Tests/Transports.AspNetCore.Tests.csproj

@@ -15,6 +15,7 @@
 
  <ItemGroup>
  <PackageReference Include="GraphQL.SystemTextJson" Version="$(GraphQLVersion)" />
+ <PackageReference Include="Microsoft.AspNetCore.Authentication.Cookies" Version="2.1.*" Condition="'$(TargetFramework)' == 'net48' OR '$(TargetFramework)' == 'netcoreapp2.1'" />
  </ItemGroup>
 
  <ItemGroup>