Add AuthenticationSchemes option (#59)

Author: Shane32

README.md

@@ -306,6 +306,97 @@ Similarly for unions, validation occurs on the exact type that is queried.  Be s
 consider placement of authorization rules when using interfaces and unions, especially when some
 fields are marked with `AllowAnonymous`.
 
+#### Custom authentication configuration for GET/POST requests
+
+To provide custom authentication code, bypassing ASP.NET Core's authentication, derive from the
+`GraphQLHttpMiddleware<T>` class and override `HandleAuthorizeAsync`, setting `HttpContext.User`
+to an appropriate `ClaimsPrincipal` instance.
+
+See 'Customizing middleware behavior' below for an example of deriving from `GraphQLHttpMiddleware`.
+
+#### Authentication for WebSocket requests
+
+Since WebSocket requests from browsers cannot typically carry a HTTP Authorization header, you
+will need to authorize requests via the `ConnectionInit` WebSocket message or carry the authorization
+token within the URL.  Below is a sample of the former:
+
+```cs
+builder.Services.AddGraphQL(b => b
+    .AddAutoSchema<Query>()
+    .AddSystemTextJson()
+    .AddAuthorizationRule()  // not required for endpoint authorization
+    .AddWebSocketAuthentication<MyAuthService>());
+
+app.UseGraphQL("/graphql", config =>
+{
+    // require that the user be authenticated
+    config.AuthorizationRequired = true;
+});
+
+class MyAuthService : IWebSocketAuthenticationService
+{
+    private readonly IGraphQLSerializer _serializer;
+
+    public MyAuthService(IGraphQLSerializer serializer)
+    {
+        _serializer = serializer;
+    }
+
+    public async ValueTask<bool> AuthenticateAsync(IWebSocketConnection connection, OperationMessage operationMessage)
+    {
+        // read payload of ConnectionInit message and look for an "Authorization" entry that starts with "Bearer "
+        var payload = _serializer.ReadNode<Inputs>(operationMessage.Payload);
+        if ((payload?.TryGetValue("Authorization", out var value) ?? false) && value is string valueString)
+        {
+            var user = ParseToken(valueString);
+            if (user != null)
+            {
+                // set user and indicate authentication was successful
+                connection.HttpContext.User = user;
+                return true;
+            }
+        }
+        return false; // authentication failed
+    }
+
+    private ClaimsPrincipal? ParseToken(string authorizationHeaderValue)
+    {
+        // parse header value and return user, or null if unable
+    }
+}
+```
+
+To authorize based on information within the query string, it is recommended to
+derive from `GraphQLHttpMiddleware<T>` and override `InvokeAsync`, setting
+`HttpContext.User` based on the query string parameters, and then calling `base.InvokeAsync`.
+Alternatively you may override `HandleAuthorizeAsync` which will execute for GET/POST requests,
+and `HandleAuthorizeWebSocketConnectionAsync` for WebSocket requests.
+Note that `InvokeAsync` will execute even if the protocol is disabled in the options via
+disabling `HandleGet` or similar; `HandleAuthorizeAsync` and `HandleAuthorizeWebSocketConnectionAsync`
+will not.
+
+#### Authentication schemes
+
+By default the role and policy requirements are validated against the current user as defined by
+`HttpContext.User`.  This is typically set by ASP.NET Core's authentication middleware and is based
+on the default authentication scheme set during the call to `AddAuthentication` in `Startup.cs`.
+You may override this behavior by specifying a different authentication scheme via the `AuthenticationSchemes`
+option.  For instance, if you wish to authenticate using JWT authentication when Cookie authentication is
+the default, you may specify the scheme as follows:
+
+```csharp
+app.UseGraphQL("/graphql", config =>
+{
+    // specify a specific authentication scheme to use
+    config.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+});
+```
+
+This will overwrite the `HttpContext.User` property when handling GraphQL requests, which will in turn
+set the `IResolveFieldContext.User` property to the same value (unless being overridden via an
+`IWebSocketAuthenticationService` implementation as shown above).  So both endpoint authorization and
+field authorization will perform role and policy checks against the same authentication scheme.
+
 ### UI configuration
 
 This project does not include user interfaces, such as GraphiQL or Playground,

src/GraphQL.AspNetCore3/GraphQLHttpMiddleware.cs

@@ -1,5 +1,7 @@
 #pragma warning disable CA1716 // Identifiers should not match keywords
 
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 
 namespace GraphQL.AspNetCore3;
@@ -230,6 +232,8 @@ public virtual async Task InvokeAsync(HttpContext context)
     /// </summary>
     protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context, RequestDelegate next)
     {
+        await SetHttpContextUserAsync(context);
+
         var success = await AuthorizationHelper.AuthorizeAsync(
             new AuthorizationParameters<(GraphQLHttpMiddleware Middleware, HttpContext Context, RequestDelegate Next)>(
                 context,
@@ -242,6 +246,23 @@ protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context
         return !success;
     }
 
+    /// <summary>
+    /// If any authentication schemes are defined, set the <see cref="HttpContext.User"/> property.
+    /// </summary>
+    private async ValueTask SetHttpContextUserAsync(HttpContext context)
+    {
+        if (_options.AuthenticationSchemes.Count > 0) {
+            ClaimsPrincipal? newPrincipal = null;
+            foreach (var scheme in _options.AuthenticationSchemes) {
+                var result = await context.AuthenticateAsync(scheme);
+                if (result != null && result.Succeeded) {
+                    newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result.Principal);
+                }
+            }
+            context.User = newPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity());
+        }
+    }
+
     /// <summary>
     /// Perform authorization, if required, and return <see langword="true"/> if the
     /// request was handled (typically by returning an error message).  If <see langword="false"/>
@@ -251,8 +272,11 @@ protected virtual async ValueTask<bool> HandleAuthorizeAsync(HttpContext context
     /// the WebSocket connection during the ConnectionInit message.  Authorization checks for
     /// WebSocket connections occur then, after authorization has taken place.
     /// </summary>
-    protected virtual ValueTask<bool> HandleAuthorizeWebSocketConnectionAsync(HttpContext context, RequestDelegate next)
-        => new(false);
+    protected virtual async ValueTask<bool> HandleAuthorizeWebSocketConnectionAsync(HttpContext context, RequestDelegate next)
+    {
+        await SetHttpContextUserAsync(context);
+        return false;
+    }
 
     /// <summary>
     /// Handles a single GraphQL request.

src/GraphQL.AspNetCore3/GraphQLHttpMiddlewareOptions.cs

@@ -62,6 +62,12 @@ public class GraphQLHttpMiddlewareOptions : IAuthorizationOptions
     /// </summary>
     public bool ReadExtensionsFromQueryString { get; set; } = true;
 
+    /// <summary>
+    /// Gets or sets a list of the authentication schemes the authentication requirements are evaluated against.
+    /// When no schemes are specified, the default authentication scheme is used.
+    /// </summary>
+    public List<string> AuthenticationSchemes { get; set; } = new();
+
     /// <inheritdoc/>
     /// <remarks>
     /// HTTP requests return <c>401 Forbidden</c> when the request is not authenticated.

src/GraphQL.AspNetCore3/SecurityHelper.cs

@@ -0,0 +1,72 @@
+// source: https://github.com/dotnet/aspnetcore/blob/main/src/Shared/SecurityHelper/SecurityHelper.cs
+// permalink: https://github.com/dotnet/aspnetcore/blob/8b2fd3f7a3b3e18afc6f63c4a494cc733dcced64/src/Shared/SecurityHelper/SecurityHelper.cs
+// retrieved: 2023-07-05
+
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+/*
+
+The MIT License (MIT)
+
+Copyright (c) .NET Foundation and Contributors
+
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+*/
+
+using System.Security.Claims;
+
+namespace GraphQL.AspNetCore3;
+
+/// <summary>
+/// Helper code used when implementing authentication middleware
+/// </summary>
+internal static class SecurityHelper
+{
+    /// <summary>
+    /// Add all ClaimsIdentities from an additional ClaimPrincipal to the ClaimsPrincipal
+    /// Merges a new claims principal, placing all new identities first, and eliminating
+    /// any empty unauthenticated identities from context.User
+    /// </summary>
+    /// <param name="existingPrincipal">The <see cref="ClaimsPrincipal"/> containing existing <see cref="ClaimsIdentity"/>.</param>
+    /// <param name="additionalPrincipal">The <see cref="ClaimsPrincipal"/> containing <see cref="ClaimsIdentity"/> to be added.</param>
+    public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal? existingPrincipal, ClaimsPrincipal? additionalPrincipal)
+    {
+        // For the first principal, just use the new principal rather than copying it
+        if (existingPrincipal == null && additionalPrincipal != null) {
+            return additionalPrincipal;
+        }
+
+        var newPrincipal = new ClaimsPrincipal();
+
+        // New principal identities go first
+        if (additionalPrincipal != null) {
+            newPrincipal.AddIdentities(additionalPrincipal.Identities);
+        }
+
+        // Then add any existing non empty or authenticated identities
+        if (existingPrincipal != null) {
+            newPrincipal.AddIdentities(existingPrincipal.Identities.Where(i => i.IsAuthenticated || i.Claims.Any()));
+        }
+        return newPrincipal;
+    }
+}

src/Tests.ApiApprovals/GraphQL.AspNetCore3.approved.txt

@@ -141,6 +141,7 @@ namespace GraphQL.AspNetCore3
     public class GraphQLHttpMiddlewareOptions : GraphQL.AspNetCore3.IAuthorizationOptions
     {
         public GraphQLHttpMiddlewareOptions() { }
+        public System.Collections.Generic.List<string> AuthenticationSchemes { get; set; }
         public bool AuthorizationRequired { get; set; }
         public string? AuthorizedPolicy { get; set; }
         public System.Collections.Generic.List<string> AuthorizedRoles { get; set; }

src/Tests/Middleware/AuthorizationTests.cs

@@ -3,6 +3,7 @@
 using System.Security.Claims;
 using GraphQL.AspNetCore3.Errors;
 using GraphQL.Execution;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Hosting;
 
@@ -12,9 +13,14 @@ public class AuthorizationTests
 {
     private GraphQLHttpMiddlewareOptions _options = null!;
     private bool _enableCustomErrorInfoProvider;
-    private readonly TestServer _server;
+    private TestServer _server;
 
     public AuthorizationTests()
+    {
+        _server = CreateServer();
+    }
+
+    private TestServer CreateServer(Action<IServiceCollection>? configureServices = null)
     {
         var hostBuilder = new WebHostBuilder();
         hostBuilder.ConfigureServices(services => {
@@ -42,6 +48,7 @@ public AuthorizationTests()
 #if NETCOREAPP2_1 || NET48
             services.AddHostApplicationLifetime();
 #endif
+            configureServices?.Invoke(services);
         });
         hostBuilder.Configure(app => {
             app.UseWebSockets();
@@ -53,7 +60,7 @@ public AuthorizationTests()
                 _options = opts;
             });
         });
-        _server = new TestServer(hostBuilder);
+        return new TestServer(hostBuilder);
     }
 
     private string CreateJwtToken()
@@ -254,6 +261,86 @@ public async Task Authorized_Policy()
         actual.ShouldBe(@"{""data"":{""__typename"":""Query""}}");
     }
 
+    [Fact]
+    public async Task NotAuthorized_WrongScheme()
+    {
+        _server = CreateServer(services => {
+            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+        });
+        _options.AuthorizationRequired = true;
+        using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+        response.StatusCode.ShouldBe(HttpStatusCode.Unauthorized);
+        var actual = await response.Content.ReadAsStringAsync();
+        actual.ShouldBe(@"{""errors"":[{""message"":""Access denied for schema."",""extensions"":{""code"":""ACCESS_DENIED"",""codes"":[""ACCESS_DENIED""]}}]}");
+    }
+
+    [Fact]
+    public async Task NotAuthorized_WrongScheme_2()
+    {
+        _server.Dispose();
+        _server = CreateServer(services => {
+            services.AddAuthentication().AddCookie(); // add Cookie authentication
+        });
+        _options.AuthorizationRequired = true;
+        _options.AuthenticationSchemes.Add(CookieAuthenticationDefaults.AuthenticationScheme); // change authentication scheme for GraphQL requests to Cookie (which is not used by the test client)
+        using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+        response.StatusCode.ShouldBe(HttpStatusCode.Unauthorized);
+        var actual = await response.Content.ReadAsStringAsync();
+        actual.ShouldBe(@"{""errors"":[{""message"":""Access denied for schema."",""extensions"":{""code"":""ACCESS_DENIED"",""codes"":[""ACCESS_DENIED""]}}]}");
+    }
+
+    [Fact]
+    public async Task NotAuthorized_WrongScheme_VerifyUser()
+    {
+        bool validatedUser = false;
+        _server = CreateServer(services => {
+            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+            services.AddGraphQL(b => b
+                .ConfigureExecutionOptions(opts => {
+                    opts.User.ShouldNotBeNull().Identity.ShouldNotBeNull().IsAuthenticated.ShouldBeFalse();
+                    validatedUser = true;
+                }));
+        });
+        _options.AuthorizationRequired = false; // disable authorization requirements; we just want to verify that an anonymous user is passed to the execution options
+        using var response = await PostQueryAsync("{ __typename }", true); // send an authenticated request (with JWT bearer scheme)
+        response.StatusCode.ShouldBe(HttpStatusCode.OK);
+        var actual = await response.Content.ReadAsStringAsync();
+        actual.ShouldBe(@"{""data"":{""__typename"":""Query""}}");
+        validatedUser.ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task Authorized_DifferentScheme()
+    {
+        bool validatedUser = false;
+        _server = CreateServer(services => {
+            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme); // change default scheme to Cookie authentication
+            services.AddGraphQL(b => b.ConfigureExecutionOptions(opts => {
+                opts.User.ShouldNotBeNull().Identity.ShouldNotBeNull().IsAuthenticated.ShouldBeTrue();
+                validatedUser = true;
+            }));
+        });
+        _options.AuthorizationRequired = true;
+        _options.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+        using var response = await PostQueryAsync("{ __typename }", true);
+        response.StatusCode.ShouldBe(HttpStatusCode.OK);
+        var actual = await response.Content.ReadAsStringAsync();
+        actual.ShouldBe(@"{""data"":{""__typename"":""Query""}}");
+        validatedUser.ShouldBeTrue();
+    }
+
+    [Fact]
+    public void SecurityHelperTests()
+    {
+        SecurityHelper.MergeUserPrincipal(null, null).ShouldNotBeNull().Identity.ShouldBeNull(); // Note that ASP.NET Core does not return null for anonymous user
+        var principal1 = new ClaimsPrincipal(new ClaimsIdentity()); // empty identity for primary identity (default for ASP.NET Core)
+        SecurityHelper.MergeUserPrincipal(null, principal1).ShouldBe(principal1);
+        var principal2 = new ClaimsPrincipal(new ClaimsIdentity("test1")); // non-empty identity for secondary identity
+        SecurityHelper.MergeUserPrincipal(principal1, principal2).Identities.ShouldHaveSingleItem().AuthenticationType.ShouldBe("test1");
+        var principal3 = new ClaimsPrincipal(new ClaimsIdentity("test2")); // merge two non-empty identities together
+        SecurityHelper.MergeUserPrincipal(principal2, principal3).Identities.Select(x => x.AuthenticationType).ShouldBe(new[] { "test2", "test1" }); // last one wins
+    }
+
     private class CustomErrorInfoProvider : ErrorInfoProvider
     {
         private readonly AuthorizationTests _authorizationTests;

src/Tests/Tests.csproj

@@ -26,6 +26,7 @@
     <ProjectReference Include="..\Samples\ChatSchema\Chat.csproj" />
     <ProjectReference Include="..\GraphQL.AspNetCore3\GraphQL.AspNetCore3.csproj" />
     <PackageReference Include="GraphQL.SystemTextJson" Version="$(GraphQLVersion)" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Cookies" Version="2.1.*" Condition="'$(TargetFramework)' == 'net48' OR '$(TargetFramework)' == 'netcoreapp2.1'" />
   </ItemGroup>
 
   <ItemGroup>