Simplified auto registration handler service registration and removed stale user roles from the OBO token

FrostyApeOne · FrostyApeOne · commit 4e988af14314 · 2025-10-07T16:05:37.000+01:00
diff --git a/src/DfE.ExternalApplications.Application/Users/Queries/ExchangeTokenQueryHandler.cs b/src/DfE.ExternalApplications.Application/Users/Queries/ExchangeTokenQueryHandler.cs
@@ -75,6 +75,14 @@ public async Task<ExchangeTokenDto> Handle(ExchangeTokenQuery req, CancellationT
             // Merge Azure Entra service roles, avoiding duplicates
             foreach (var svcRole in svcRoles)
             {
+                var isExcludedRole =
+                    (svcRole.Type == ClaimTypes.Role || svcRole.Type == "roles") &&
+                    (svcRole.Value.Equals("Admin", StringComparison.OrdinalIgnoreCase) ||
+                     svcRole.Value.Equals("User", StringComparison.OrdinalIgnoreCase));
+
+                if (isExcludedRole)
+                    continue;
+
                 if (!identity.HasClaim(c => c.Type == svcRole.Type && c.Value == svcRole.Value))
                 {
                     identity.AddClaim(svcRole);
diff --git a/src/GovUK.Dfe.ExternalApplications.Api.Client/Extensions/ServiceCollectionExtensions.cs b/src/GovUK.Dfe.ExternalApplications.Api.Client/Extensions/ServiceCollectionExtensions.cs
@@ -58,30 +58,15 @@ public static IServiceCollection AddExternalApplicationsApiClient<TClientInterfa
                         serviceProvider.GetRequiredService<ITokenStateManager>(),
                         serviceProvider.GetRequiredService<ILogger<TokenExchangeHandler>>());
                 });
-                
+
                 // Register UserAutoRegistrationHandler for auto-registering new users
                 if (apiSettings.AutoRegisterUsers)
                 {
-                    // Register a dedicated IUsersClient for the auto-registration handler
-                    // This uses Azure token (not OBO) to call the register endpoint
-                    services.AddHttpClient<IUsersClient, UsersClient>("UsersClient_ForRegistration", (httpClient, serviceProvider) =>
-                    {
-                        httpClient.BaseAddress = new Uri(apiSettings.BaseUrl!);
-                        return ActivatorUtilities.CreateInstance<UsersClient>(
-                            serviceProvider, httpClient, apiSettings.BaseUrl!);
-                    })
-                    .AddHttpMessageHandler<AzureBearerTokenHandler>(); // Uses Azure token, not OBO
-                    
+                    // Simple registration; the handler manually uses IHttpClientFactory and sets Azure token
                     services.AddTransient<UserAutoRegistrationHandler>(serviceProvider =>
                     {
-                        // Get the dedicated UsersClient for registration (with Azure token)
-                        var httpClientFactory = serviceProvider.GetRequiredService<IHttpClientFactory>();
-                        var httpClient = httpClientFactory.CreateClient("UsersClient_ForRegistration");
-                        var usersClient = ActivatorUtilities.CreateInstance<UsersClient>(
-                            serviceProvider, httpClient, apiSettings.BaseUrl!);
-                        
                         return new UserAutoRegistrationHandler(
-                            usersClient,
+                            serviceProvider.GetRequiredService<IHttpClientFactory>(),
                             serviceProvider.GetRequiredService<ITokenStateManager>(),
                             serviceProvider.GetRequiredService<ITokenAcquisitionService>(),
                             serviceProvider.GetRequiredService<IHttpContextAccessor>(),
@@ -117,7 +102,7 @@ public static IServiceCollection AddExternalApplicationsApiClient<TClientInterfa
                     {
                         // Tokens client always uses Azure token (for exchange endpoint authentication)
                         builder.AddHttpMessageHandler<AzureBearerTokenHandler>();
-                        
+
                         // Add auto-registration handler BEFORE token exchange
                         // This intercepts "user not found" errors and auto-registers the user
                         if (apiSettings.AutoRegisterUsers)
diff --git a/src/GovUK.Dfe.ExternalApplications.Api.Client/Security/TokenExchangeHandler.cs b/src/GovUK.Dfe.ExternalApplications.Api.Client/Security/TokenExchangeHandler.cs
@@ -1,17 +1,12 @@
-﻿using System;
+﻿using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Request;
+using GovUK.Dfe.CoreLibs.Http.Models;
+using GovUK.Dfe.ExternalApplications.Api.Client.Contracts;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
-using System.Net.Http;
 using System.Text;
 using System.Text.Json;
-using System.Threading;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Logging;
-using GovUK.Dfe.CoreLibs.Http.Models;
-using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Request;
-using GovUK.Dfe.ExternalApplications.Api.Client.Contracts;
 
 namespace GovUK.Dfe.ExternalApplications.Api.Client.Security;
 
diff --git a/src/GovUK.Dfe.ExternalApplications.Api.Client/Security/UserAutoRegistrationHandler.cs b/src/GovUK.Dfe.ExternalApplications.Api.Client/Security/UserAutoRegistrationHandler.cs
@@ -13,6 +13,7 @@
 using GovUK.Dfe.CoreLibs.Http.Models;
 using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Request;
 using GovUK.Dfe.ExternalApplications.Api.Client.Contracts;
+using System.Net.Http.Headers;
 using GovUK.Dfe.ExternalApplications.Api.Client.Settings;
 
 namespace GovUK.Dfe.ExternalApplications.Api.Client.Security;
@@ -24,7 +25,7 @@ namespace GovUK.Dfe.ExternalApplications.Api.Client.Security;
 [ExcludeFromCodeCoverage]
 public class UserAutoRegistrationHandler : DelegatingHandler
 {
-    private readonly IUsersClient _usersClient;
+    private readonly IHttpClientFactory _httpClientFactory;
     private readonly ITokenStateManager _tokenStateManager;
     private readonly ITokenAcquisitionService _tokenAcquisitionService;
     private readonly IHttpContextAccessor _httpContextAccessor;
@@ -33,14 +34,14 @@ public class UserAutoRegistrationHandler : DelegatingHandler
     private readonly SemaphoreSlim _registrationLock = new(1, 1);
 
     public UserAutoRegistrationHandler(
-        IUsersClient usersClient,
+        IHttpClientFactory httpClientFactory,
         ITokenStateManager tokenStateManager,
         ITokenAcquisitionService tokenAcquisitionService,
         IHttpContextAccessor httpContextAccessor,
         ApiClientSettings settings,
         ILogger<UserAutoRegistrationHandler> logger)
     {
-        _usersClient = usersClient;
+        _httpClientFactory = httpClientFactory;
         _tokenStateManager = tokenStateManager;
         _tokenAcquisitionService = tokenAcquisitionService;
         _httpContextAccessor = httpContextAccessor;
@@ -184,9 +185,13 @@ private async Task<bool> TryAutoRegisterUserAsync(CancellationToken cancellation
                 TemplateId = templateId.Value
             };
 
-            // Call the register endpoint
-            // Note: IUsersClient is configured with AzureBearerTokenHandler, so it will use the Azure token
-            var result = await _usersClient.RegisterUserAsync(registerRequest, cancellationToken);
+            // Call the register endpoint using a local client with Azure token only for this request
+            var client = _httpClientFactory.CreateClient();
+            client.BaseAddress = new Uri(_settings.BaseUrl!);
+            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", azureToken);
+
+            var usersClient = new UsersClient(_settings.BaseUrl!, client);
+            var result = await usersClient.RegisterUserAsync(registerRequest, cancellationToken);
 
             _logger.LogInformation("User auto-registered successfully: {UserId} - {Email}", 
                 result.UserId, result.Email);
