OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Document OpenID authentication for API module #6572

Closed minhdn2 closed 3 months ago

minhdn2 commented 4 years ago

Hello,

I was able to create an API module inside my Orchard Core CMS and now it is not secured. Could anyone please help to advise on how I can secure it correctly in Orchard Core?

Could you please also advise on where the authentication method for the Bearer token for this API is stored in the Orchard Core source code?

Many thanks in advance.

deanmarcussen commented 4 years ago

Have you made your own controller, or are you using the GraphQL endpoint?

You can secure your controller as we do for the ContentApiController https://github.com/OrchardCMS/OrchardCore/blob/dev/src/OrchardCore.Modules/OrchardCore.Contents/Controllers/ApiController.cs


    [Route("api/content")]
    [ApiController]
    [Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken, AllowAnonymous]

And you can then enable the OpenID module to provide authentication tokens, and use IAuthorizationService to check for permissions.

sebastienros commented 4 years ago

> And you can then enable the OpenID module to provide authentication tokens

We need a guide for that

hung-doan commented 4 years ago

@deanmarcussen It doesn't work

Is manual checking via IAuthorizationService required? In the simple scenario above, I just want to check whether the user is logged in or not.

deanmarcussen commented 4 years ago

@hung-doan You manually check IAuthorizationService to authorize against resources, i.e. content items, for the correct permissions (or other alternate permissions you might have / be using).

So for your simple scenario possibly not required, but still recommended.

Regardless, it shouldn't stop it working.

Would need to understand what "doesn't work" means to help further.

hung-doan commented 4 years ago

Thanks, @deanmarcussen. I managed to make it work. I hadn't enabled "OpenID Token Validation", so it didn't work.

To authorize a custom API we must:

1. Add this attribute to your controller or action: `[Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken]`

Where:

2. Enable the OpenID module

You need to enable this module to issue a token from OpenID Connect flows.

3. Enable the "OpenID Token Validation" module

Without this module, you can issue a token from OpenID; however, we can't use the returned token to do the authorization.
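The two pieces described in this thread, deanmarcussen's controller attributes plus an IAuthorizationService permission check, and the three steps above, fit together as shown below. This is an added example, not code from Orchard Core or from anyone in the thread. The module namespace, the `ReportsApiController` route, the `ViewReports` permission and the `ReportPermissionProvider` are constructed for illustration; the only name taken from the thread is the `"Api"` authentication scheme. It assumes the OpenID and "OpenID Token Validation" features are enabled on the tenant, so that a request carrying a valid `Authorization: Bearer` token is authenticated under that scheme.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using OrchardCore.Modules;
using OrchardCore.Security.Permissions;

namespace MyModule // hypothetical module name
{
    // A permission dedicated to this API. Granting it to a role is done in the
    // Orchard admin, so the controller never hard-codes role names.
    public static class ReportPermissions
    {
        public static readonly Permission ViewReports =
            new Permission("ViewReports", "View reports through the API");
    }

    // Registers the permission so Orchard lists it and lets roles be granted it.
    // By default only the Administrator stereotype receives it.
    public class ReportPermissionProvider : IPermissionProvider
    {
        public Task<IEnumerable<Permission>> GetPermissionsAsync()
            => Task.FromResult<IEnumerable<Permission>>(new[] { ReportPermissions.ViewReports });

        public IEnumerable<PermissionStereotype> GetDefaultStereotypes()
            => new[]
            {
                new PermissionStereotype
                {
                    Name = "Administrator",
                    Permissions = new[] { ReportPermissions.ViewReports }
                }
            };
    }

    public class Startup : StartupBase
    {
        public override void ConfigureServices(IServiceCollection services)
        {
            services.AddScoped<IPermissionProvider, ReportPermissionProvider>();
        }
    }

    [Route("api/reports")] // constructed route
    [ApiController]
    // Step 1 from the thread: authenticate with the "Api" scheme and skip the
    // antiforgery check, which only makes sense for cookie-backed browser forms.
    // Without the "OpenID Token Validation" feature (step 3) no token is ever
    // accepted and every request ends here with 401.
    [Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken]
    public class ReportsApiController : ControllerBase
    {
        private readonly IAuthorizationService _authorizationService;

        public ReportsApiController(IAuthorizationService authorizationService)
        {
            _authorizationService = authorizationService;
        }

        [HttpGet]
        public async Task<IActionResult> Get()
        {
            // [Authorize] only proves a valid token was presented. Whether this
            // principal may read reports is a separate authorization decision,
            // which is what the thread means by checking IAuthorizationService.
            if (!await _authorizationService.AuthorizeAsync(User, ReportPermissions.ViewReports))
            {
                // The caller is authenticated but lacks the permission: 403, not 401.
                return Forbid();
            }

            // Constructed payload standing in for real data.
            return Ok(new[] { new { Id = 1, Title = "Monthly summary" } });
        }
    }
}
```

Two outcomes are worth distinguishing when testing this: a request with no or an invalid Bearer token is rejected by the `"Api"` scheme before the action runs (HTTP 401), while a request whose token belongs to a user without `ViewReports` reaches the action and gets HTTP 403 from `Forbid()`. If everything returns 401 even with a freshly issued token, check that the "OpenID Token Validation" feature is enabled, which is exactly the failure hung-doan hit.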

sebastienros commented 4 years ago

Would you mind adding some documentation based on your findings?

kevinchalet commented 3 months ago

Looks like we now have proper documentation in place for the OpenID module so closing 😃