Merge pull request #1280 from colinin/multi-audience

feat: Increase multi audience support

Author: colinin

aspnet-core/services/LY.MicroService.AuthServer.HttpApi.Host/AuthServerHttpApiHostModule.Configure.cs

@@ -484,6 +484,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)

aspnet-core/services/LY.MicroService.AuthServer/DataSeeder/AuthServerDataSeedContributor.cs

@@ -1,8 +1,4 @@
-using LINGYUN.Abp.Identity;
-using LINGYUN.Abp.OpenIddict.LinkUser;
-using LINGYUN.Abp.OpenIddict.Sms;
-using LINGYUN.Abp.OpenIddict.WeChat;
-using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Configuration;
 using OpenIddict.Abstractions;
 using System;
 using System.Collections.Generic;
@@ -11,8 +7,6 @@
 using Volo.Abp.Authorization.Permissions;
 using Volo.Abp.Data;
 using Volo.Abp.DependencyInjection;
-using Volo.Abp.Guids;
-using Volo.Abp.Identity;
 using Volo.Abp.MultiTenancy;
 using Volo.Abp.OpenIddict.Applications;
 using Volo.Abp.OpenIddict.Scopes;
@@ -22,6 +16,30 @@ namespace LY.MicroService.AuthServer.DataSeeder;
 
 public class ServerDataSeedContributor : IDataSeedContributor, ITransientDependency
 {
+    public static HashSet<string> InitializeScopes = new HashSet<string>
+    {
+        // obsolete! microservice should be allocated separately
+        "lingyun-abp-application",
+        // admin service
+        "ams", 
+        // identity service
+        "ids", 
+        // localization service
+        "lts",
+        // platform service
+        "pts",
+        // message service
+        "mgs",
+        // task service
+        "tks",
+        // webhook service
+        "wks",
+        // workflow service
+        "wfs",
+        // wechat service
+        "was"
+    };
+
     private readonly IConfiguration _configuration;
     private readonly ICurrentTenant _currentTenant;
     private readonly IOpenIddictApplicationManager _applicationManager;
@@ -54,33 +72,37 @@ public async Task SeedAsync(DataSeedContext context)
     {
         using (_currentTenant.Change(context.TenantId))
         {
-            await CreateScopeAsync("lingyun-abp-application");
-            await CreateApplicationAsync("lingyun-abp-application");
+            await CreateScopeAsync(InitializeScopes);
+
+            await CreateApplicationAsync(InitializeScopes);
         }
     }
 
-    private async Task CreateScopeAsync(string scope)
+    private async Task CreateScopeAsync(IEnumerable<string> scopes)
     {
-        if (await _scopeRepository.FindByNameAsync(scope) == null)
+        foreach (var scope in scopes)
         {
-            await _scopeManager.CreateAsync(new OpenIddictScopeDescriptor()
+            if (await _scopeRepository.FindByNameAsync(scope) == null)
             {
-                Name = scope,
-                DisplayName = scope + " access",
-                DisplayNames =
-                {
-                    [CultureInfo.GetCultureInfo("zh-Hans")] = "Abp API 应用程序访问",
-                    [CultureInfo.GetCultureInfo("en")] = "Abp API Application Access"
-                },
-                Resources =
+                await _scopeManager.CreateAsync(new OpenIddictScopeDescriptor()
                 {
-                    scope
-                }
-            });
+                    Name = scope,
+                    DisplayName = scope + " access",
+                    DisplayNames =
+                    {
+                        [CultureInfo.GetCultureInfo("zh-Hans")] = "Abp API 应用程序访问",
+                        [CultureInfo.GetCultureInfo("en")] = "Abp API Application Access"
+                    },
+                    Resources =
+                    {
+                        scope
+                    }
+                });
+            }
         }
     }
 
-    private async Task CreateApplicationAsync(string scope)
+    private async Task CreateApplicationAsync(IEnumerable<string> scopes)
     {
         var configurationSection = _configuration.GetSection("OpenIddict:Applications");
 
@@ -91,7 +113,7 @@ private async Task CreateApplicationAsync(string scope)
 
             if (await _applicationRepository.FindByClientIdAsync(vueClientId) == null)
             {
-                await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
+                var application = new OpenIddictApplicationDescriptor
                 {
                     ClientId = vueClientId,
                     ClientSecret = configurationSection["VueAdmin:ClientSecret"],
@@ -138,9 +160,14 @@ await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
                         OpenIddictConstants.Permissions.Scopes.Email,
                         OpenIddictConstants.Permissions.Scopes.Address,
                         OpenIddictConstants.Permissions.Scopes.Phone,
-                        OpenIddictConstants.Permissions.Prefixes.Scope + scope
                     }
-                });
+                };
+                foreach (var scope in scopes)
+                {
+                    application.Permissions.AddIfNotContains(OpenIddictConstants.Permissions.Prefixes.Scope + scope);
+                }
+
+                await _applicationManager.CreateAsync(application);
 
                 var vueClientPermissions = new string[1]
                 {
@@ -155,7 +182,7 @@ await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
         {
             if (await _applicationRepository.FindByClientIdAsync(internalServiceClientId) == null)
             {
-                await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
+                var application = new OpenIddictApplicationDescriptor
                 {
                     ClientId = internalServiceClientId,
                     ClientSecret = configurationSection["InternalService:ClientSecret"],
@@ -193,9 +220,14 @@ await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
                         OpenIddictConstants.Permissions.Scopes.Email,
                         OpenIddictConstants.Permissions.Scopes.Address,
                         OpenIddictConstants.Permissions.Scopes.Phone,
-                        OpenIddictConstants.Permissions.Prefixes.Scope + scope
                     }
-                });
+                };
+                foreach (var scope in scopes)
+                {
+                    application.Permissions.AddIfNotContains(OpenIddictConstants.Permissions.Prefixes.Scope + scope);
+                }
+
+                await _applicationManager.CreateAsync(application);
 
                 var internalServicePermissions = new string[2]
                 {
@@ -247,9 +279,12 @@ await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
                         OpenIddictConstants.Permissions.Scopes.Email,
                         OpenIddictConstants.Permissions.Scopes.Address,
                         OpenIddictConstants.Permissions.Scopes.Phone,
-                        OpenIddictConstants.Permissions.Prefixes.Scope + scope
                     }
                 };
+                foreach (var scope in scopes)
+                {
+                    application.Permissions.AddIfNotContains(OpenIddictConstants.Permissions.Prefixes.Scope + scope);
+                }
 
                 oauthClientRootUrls.ForEach(url =>
                 {

aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.Configure.cs

@@ -449,6 +449,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)

aspnet-core/services/LY.MicroService.IdentityServer.HttpApi.Host/IdentityServerHttpApiHostModule.Configure.cs

@@ -470,6 +470,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)

aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LocalizationManagementHttpApiHostModule.Configure.cs

@@ -355,6 +355,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (isDevelopment)

aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/PlatformManagementHttpApiHostModule.Configure.cs

@@ -432,6 +432,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
 
                 options.Events = new JwtBearerEvents
                 {

aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/RealtimeMessageHttpApiHostModule.Configure.cs

@@ -458,6 +458,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
 
                 options.Events = new JwtBearerEvents
                 {

aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/TaskManagementHttpApiHostModule.Configure.cs

@@ -409,6 +409,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)

aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/WebhooksManagementHttpApiHostModule.Configure.cs

@@ -465,6 +465,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)

aspnet-core/services/LY.MicroService.WechatManagement.HttpApi.Host/WechatManagementHttpApiHostModule.Configure.cs

@@ -401,6 +401,11 @@ private void ConfigureSecurity(IServiceCollection services, IConfiguration confi
                     options.TokenValidationParameters.ValidIssuers = validIssuers;
                     options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
                 }
+                var validAudiences = configuration.GetSection("AuthServer:ValidAudiences").Get<List<string>>();
+                if (validAudiences?.Count > 0)
+                {
+                    options.TokenValidationParameters.ValidAudiences = validAudiences;
+                }
             });
 
         if (!isDevelopment)