wip: security groups assingment from entra id

Author: pksorensen

src/EAVFW.Extensions.EasyAuth.MicrosoftEntraId/EAVFW.Extensions.EasyAuth.MicrosoftEntraId.csproj

@@ -17,12 +17,13 @@
     <ItemGroup Condition="$(UseEAVFromNuget) != 'false'">
         <PackageReference Include="EAVFramework" Version="$(EAVFrameworkVersion)" />
     </ItemGroup>
-  
+
   <ItemGroup>
 		<None Include="..\..\README.md" Link="README.md" Pack="true" PackagePath="\" />
 	</ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="EAVFW.Extensions.SecurityModel" Version="2.0.3" />
     <PackageReference Include="IdentityModel" Version="6.2.0" />
   </ItemGroup>
 </Project>

src/EAVFW.Extensions.EasyAuth.MicrosoftEntraId/IEntraIDSecurityGroup.cs

@@ -0,0 +1,16 @@
+
+
+using EAVFramework.Shared;
+using System;
+
+namespace EAVFW.Extensions.EasyAuth.MicrosoftEntraId
+{
+    [EntityInterface(EntityKey = "Security Group")]
+    public interface IEntraIDSecurityGroup
+    {
+       
+        public Guid? EntraIdGroupId { get; set; }
+    }
+
+    
+}

src/EAVFW.Extensions.EasyAuth.MicrosoftEntraId/MicrosoftEntraEasyAuthProvider.cs

@@ -1,5 +1,8 @@
+using EAVFramework;
 using EAVFramework.Authentication;
+using EAVFramework.Endpoints;
 using EAVFramework.Extensions;
+using EAVFW.Extensions.SecurityModel;
 using IdentityModel;
 using IdentityModel.Client;
 using Microsoft.AspNetCore.Http;
@@ -25,10 +28,13 @@
 namespace EAVFW.Extensions.EasyAuth.MicrosoftEntraId
 {
 
-    public class MicrosoftEntraEasyAuthProvider : IEasyAuthProvider
+    public class MicrosoftEntraEasyAuthProvider<TSecurityGroup,TSecurityGroupMember> : IEasyAuthProvider
+        where TSecurityGroup : DynamicEntity, IEntraIDSecurityGroup
+        where TSecurityGroupMember : DynamicEntity, ISecurityGroupMember
     {
         private readonly IOptions<MicrosoftEntraIdEasyAuthOptions> _options;
         private readonly IHttpClientFactory _clientFactory;
+        private readonly EAVDBContext<DynamicContext> _db;
 
         public string AuthenticationName => "MicrosoftEntraId";
 
@@ -38,10 +44,12 @@ public class MicrosoftEntraEasyAuthProvider : IEasyAuthProvider
 
         public MicrosoftEntraEasyAuthProvider() { }
 
-        public MicrosoftEntraEasyAuthProvider(IOptions<MicrosoftEntraIdEasyAuthOptions> options, IHttpClientFactory clientFactory)
+        public MicrosoftEntraEasyAuthProvider(IOptions<MicrosoftEntraIdEasyAuthOptions> options,
+            IHttpClientFactory clientFactory, EAVDBContext<DynamicContext> db)
         {
             _options = options ?? throw new System.ArgumentNullException(nameof(options));
             _clientFactory = clientFactory ?? throw new ArgumentNullException(nameof(clientFactory));
+            _db = db;
         }
 
         public async Task OnAuthenticate(HttpContext httpcontext, string handleId, string redirectUrl)
@@ -86,6 +94,27 @@ public async Task OnAuthenticate(HttpContext httpcontext, string handleId, strin
                 httpcontext.Response.Redirect($"{httpcontext.Request.Scheme}://{httpcontext.Request.Host}callback?error=access_denied&error_subcode=user_not_found");
                 //return;
             }
+
+            var handler = new JwtSecurityTokenHandler();
+            var jwtSecurityToken = handler.ReadJwtToken(response.IdentityToken);
+
+            var groupId = jwtSecurityToken.Claims.First(claim => claim.Type == "groups").Value;
+
+            var groupids = new string[] { "", "" };
+
+            var sgs = _db.Set<TSecurityGroup>();
+            var assignments = _db.Set<TSecurityGroupMember>();
+
+
+            //Add securityMember for the group ids where found
+
+
+            //Remove securirymember from existing that was not given in groupids.
+           
+
+
+
+
             return await Task.FromResult((new ClaimsPrincipal(identity), redirectUri, handleId));
         }
 

src/EAVFW.Extensions.EasyAuth.MicrosoftEntraId/MicrosoftEntraIdEasyAuthExtensions.cs

@@ -1,4 +1,6 @@
+using EAVFramework;
 using EAVFramework.Configuration;
+using EAVFW.Extensions.SecurityModel;
 using IdentityModel.Client;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -10,18 +12,30 @@
 
 namespace EAVFW.Extensions.EasyAuth.MicrosoftEntraId
 {
+    public class GroupMatcherService<TSecurityGroup>
+        where TSecurityGroup : DynamicEntity, IEntraIDSecurityGroup
+    {
+
+    }
     public static class MicrosoftEntraIdEasyAuthExtensions
     {
-        public static AuthenticatedEAVFrameworkBuilder AddMicrosoftEntraIdEasyAuth(this AuthenticatedEAVFrameworkBuilder builder, Func<HttpContext, string, TokenResponse, Task<ClaimsPrincipal>> validateUserAsync, Func<HttpContext, string> getMicrosoftAuthorizationUrl, Func<HttpContext, string> getMicrosoftTokenEndpoint)
+        public static AuthenticatedEAVFrameworkBuilder AddMicrosoftEntraIdEasyAuth<TSecurityGroup,TSecurityGroupMemeber>(
+            this AuthenticatedEAVFrameworkBuilder builder,
+            Func<HttpContext, string, TokenResponse, Task<ClaimsPrincipal>> validateUserAsync,
+            Func<HttpContext, string> getMicrosoftAuthorizationUrl, Func<HttpContext, string> getMicrosoftTokenEndpoint)
+            where TSecurityGroup : DynamicEntity, IEntraIDSecurityGroup
+            where TSecurityGroupMemeber : DynamicEntity, ISecurityGroupMember
         {
-            builder.AddAuthenticationProvider<MicrosoftEntraEasyAuthProvider, MicrosoftEntraIdEasyAuthOptions,IConfiguration>((options, config) =>
+            builder.AddAuthenticationProvider<MicrosoftEntraEasyAuthProvider<TSecurityGroup,TSecurityGroupMemeber>, MicrosoftEntraIdEasyAuthOptions,IConfiguration>((options, config) =>
             { 
                 config.GetSection("EAVEasyAuth:MicrosoftEntraId").Bind(options);
                 options.ValidateUserAsync = validateUserAsync;
                 options.GetMicrosoftAuthorizationUrl = getMicrosoftAuthorizationUrl;
                 options.GetMicrosoftTokenEndpoint = getMicrosoftTokenEndpoint;
 
             });
+            builder.Services.AddScoped<GroupMatcherService<TSecurityGroup>>();
+
             return builder;
         }
     }