Update transformation

Author: damienbod

.gitignore

@@ -397,3 +397,5 @@ FodyWeavers.xsd
 # JetBrains Rider
 *.sln.iml
 /_logs-IdentityProvider.txt
+
+/_logs**

bff/server/ApiClient/ApiTokenCacheClient.cs

@@ -0,0 +1,124 @@
+using IdentityModel.Client;
+using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.Options;
+
+namespace RazorPageOidcClient;
+
+public class ApiTokenCacheClient
+{
+    private readonly ILogger<ApiTokenCacheClient> _logger;
+    private readonly HttpClient _httpClient;
+    private readonly IOptions<AuthConfigurations> _authConfigurations;
+
+    private static readonly object _lock = new();
+    private readonly IDistributedCache _cache;
+
+    private const int cacheExpirationInDays = 1;
+
+    private class AccessTokenItem
+    {
+        public string AccessToken { get; set; } = string.Empty;
+        public DateTime ExpiresIn { get; set; }
+    }
+
+    public ApiTokenCacheClient(
+        IOptions<AuthConfigurations> authConfigurations,
+        IHttpClientFactory httpClientFactory,
+        ILoggerFactory loggerFactory,
+        IDistributedCache cache)
+    {
+        _authConfigurations = authConfigurations;
+        _httpClient = httpClientFactory.CreateClient();
+        _logger = loggerFactory.CreateLogger<ApiTokenCacheClient>();
+        _cache = cache;
+    }
+
+    public async Task<string> GetApiToken(string api_name, string api_scope, string secret)
+    {
+        var accessToken = GetFromCache(api_name);
+
+        if (accessToken != null)
+        {
+            if (accessToken.ExpiresIn > DateTime.UtcNow)
+            {
+                return accessToken.AccessToken;
+            }
+            else
+            {
+                // remove  => NOT Needed for this cache type
+            }
+        }
+
+        _logger.LogDebug("GetApiToken new from STS for {api_name}", api_name);
+
+        // add
+        var newAccessToken = await GetApiTokenInternal(api_name, api_scope, secret);
+        AddToCache(api_name, newAccessToken);
+
+        return newAccessToken.AccessToken;
+    }
+
+    private async Task<AccessTokenItem> GetApiTokenInternal(string api_name, string api_scope, string secret)
+    {
+        try
+        {
+            var disco = await HttpClientDiscoveryExtensions.GetDiscoveryDocumentAsync(
+                _httpClient,
+                _authConfigurations.Value.StsServer);
+
+            if (disco.IsError)
+            {
+                _logger.LogError("disco error Status code: {discoIsError}, Error: {discoError}", disco.IsError, disco.IsError);
+                throw new ApplicationException($"Status code: {disco.IsError}, Error: {disco.Error}");
+            }
+
+            var tokenResponse = await HttpClientTokenRequestExtensions.RequestClientCredentialsTokenAsync(_httpClient, new ClientCredentialsTokenRequest
+            {
+                Scope = api_scope,
+                ClientSecret = secret,
+                Address = disco.TokenEndpoint,
+                ClientId = api_name
+            });
+
+            if (tokenResponse.IsError || tokenResponse.AccessToken == null)
+            {
+                _logger.LogError("tokenResponse.IsError Status code: {tokenResponseIsError}, Error: {tokenResponseError}", tokenResponse.IsError, tokenResponse.Error);
+                throw new ApplicationException($"Status code: {tokenResponse.IsError}, Error: {tokenResponse.Error}");
+            }
+
+            return new AccessTokenItem
+            {
+                ExpiresIn = DateTime.UtcNow.AddSeconds(tokenResponse.ExpiresIn),
+                AccessToken = tokenResponse.AccessToken
+            };
+
+        }
+        catch (Exception e)
+        {
+            _logger.LogError("Exception {e}", e);
+            throw new ApplicationException($"Exception {e}");
+        }
+    }
+
+    private void AddToCache(string key, AccessTokenItem accessTokenItem)
+    {
+        var options = new DistributedCacheEntryOptions()
+            .SetSlidingExpiration(TimeSpan.FromDays(cacheExpirationInDays));
+
+        lock (_lock)
+        {
+            _cache.SetString(key, System.Text.Json.JsonSerializer.Serialize(accessTokenItem), options);
+        }
+    }
+
+    private AccessTokenItem? GetFromCache(string key)
+    {
+        var item = _cache.GetString(key);
+        if (item != null)
+        {
+            return System.Text.Json.JsonSerializer.Deserialize<AccessTokenItem>(item);
+        }
+
+        return null;
+    }
+}

bff/server/ApiClient/AuthConfigurations.cs

@@ -0,0 +1,7 @@
+namespace RazorPageOidcClient;
+
+public class AuthConfigurations
+{
+    public string StsServer { get; set; } = string.Empty;
+    public string ProtectedApiUrl { get; set; } = string.Empty;
+}

bff/server/ApiClient/JwtTransformProvider.cs

@@ -0,0 +1,40 @@
+using RazorPageOidcClient;
+using Yarp.ReverseProxy.Transforms;
+using Yarp.ReverseProxy.Transforms.Builder;
+
+namespace BffOpenIddict.Server.ApiClient;
+
+public class JwtTransformProvider : ITransformProvider
+{
+    private readonly ApiService _apiService;
+
+    public JwtTransformProvider(ApiService apiService)
+    {
+        _apiService = apiService;
+    }
+
+    public void Apply(TransformBuilderContext context)
+    {
+        if(context.Route.RouteId == "downstreamapiroute") 
+        {
+            _apiService.
+            context.AddRequestTransform(transformContext =>
+            {
+                transformContext.ProxyRequest
+                    .Options
+                    .Set(new HttpRequestOptionsKey<string>("CustomMetadata"), value);
+
+                return default;
+            });
+    }
+
+    public void ValidateCluster(TransformClusterValidationContext context)
+    {
+        var route = context.Cluster;
+    }
+
+    public void ValidateRoute(TransformRouteValidationContext context)
+    {
+        var route = context.Route;
+    }
+}

bff/server/BffOpenIddict.Server.csproj

@@ -13,6 +13,8 @@
 		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
 		<PackageReference Include="Yarp.ReverseProxy" Version="2.1.0" />
 
+    <PackageReference Include="IdentityModel" Version="6.2.0" />
+    
     <PackageReference Include="Serilog" Version="3.1.1" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.1" />
     <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.0" />

bff/server/Program.cs

@@ -1,12 +1,18 @@
 using BffOpenIddict.Server;
+using BffOpenIddict.Server.ApiClient;
 using BffOpenIddict.Server.Services;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
+using RazorPageOidcClient;
+using System.Net.Security;
+using System.Runtime.ConstrainedExecution;
+using System.Security.Cryptography.X509Certificates;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -65,10 +71,14 @@
     //    .RequireAuthenticatedUser()
     //    .Build();
     //options.Filters.Add(new AuthorizeFilter(policy));
-});
+});
+
+builder.Services.AddTransient<ApiService>();
+builder.Services.AddSingleton<ApiTokenCacheClient>();
 
 builder.Services.AddReverseProxy()
-   .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));
+   .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
+   .AddTransforms<JwtTransformProvider>();
 
 var app = builder.Build();