feat: add oauth2 (jwt + introspection) authentication & authorization

src/QuickstartTemplate.WebApi/QuickstartTemplate.WebApi.csproj

@@ -14,6 +14,9 @@
         <PackageReference Include="Serilog.AspNetCore" Version="6.0.1" />
         <PackageReference Include="Serilog.Expressions" Version="3.4.0" />
         <PackageReference Include="Swashbuckle.AspNetCore" Version="6.2.3" />
+        <PackageReference Include="IdentityModel.AspNetCore.AccessTokenValidation" Version="1.0.0-preview.3" />
+        <PackageReference Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.1.0" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.7" />
     </ItemGroup>
 
     <ItemGroup>

src/QuickstartTemplate.WebApi/Startup.cs

@@ -1,4 +1,4 @@
-using Microsoft.AspNetCore.HttpLogging;
+using IdentityModel.AspNetCore.AccessTokenValidation;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Versioning;
 using QuickstartTemplate.ApplicationCore;
@@ -34,7 +34,41 @@ public void ConfigureServices(IServiceCollection services)
             o.ReportApiVersions = true;
             o.ApiVersionReader = new UrlSegmentApiVersionReader();
         });
+
+        services.AddAuthentication("Bearer")
+
+            // JWT tokens (default scheme)
+            .AddJwtBearer("Bearer", options =>
+            {
+                _configuration.Bind("Authentication", options);
+
+                options.MapInboundClaims = false;
+                options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" };
+                options.SaveToken = true;
+                // if token does not contain a dot, it is a reference token
+                options.ForwardDefaultSelector = Selector.ForwardReferenceToken("Introspection");
+            })
+
+            // reference tokens
+            .AddOAuth2Introspection("Introspection", options =>
+            {
+                _configuration.Bind("Authentication", options);
+
+                options.EnableCaching = true;
+            });
+
+        services.AddScopeTransformation();
 
+        services.AddAuthorization(options =>
+        {
+            options.AddPolicy("admin",
+                policy => policy.RequireScope("QuickstartTemplate:admin"));
+            options.AddPolicy("read",
+                policy => policy.RequireScope("QuickstartTemplate:read"));
+            options.AddPolicy("write",
+                policy => policy.RequireScope("QuickstartTemplate:write"));
+        });
+
         services.AddInfrastructure();
         services.AddApplication();
 
@@ -71,6 +105,7 @@ public void Configure(WebApplication app)
         //https://josef.codes/asp-net-core-6-http-logging-log-requests-responses/
         app.UseHttpLogging();
 
+        app.UseAuthentication();
         app.UseAuthorization();
 
         app.MapControllers();

src/QuickstartTemplate.WebApi/appsettings.Development.json

@@ -23,6 +23,12 @@
       }
     ]
   },
+  "Authentication" : {
+    "Authority" : "https://demo.duendesoftware.com",
+    "Audience" : "api1",
+    "ClientId" : "api1",
+    "ClientSecret" : "secret"
+  },
   "HttpLogging": {
     "LoggingFields": "None"
   },

src/QuickstartTemplate.WebApi/appsettings.json

@@ -23,6 +23,12 @@
       }
     ]
   },
+  "Authentication" : {
+    "Authority" : "",
+    "Audience" : "",
+    "ClientId" : "",
+    "ClientSecret" : ""
+  },
   "HttpLogging": {
     "LoggingFields": "None"
   },