Apply V4 style in in-memory host and fix logout issue (#2060)

* in memory host in V4 style

* fix issue with logout

* introduce testmatrix to BackchannelLogoutEndpointTests

* introduce testmatrix to LoginEndpoint tests

* introduce testmatrix to UserEndpointTests

* introduce testmatrix to LocalEndpointTests

* implemented test matrix for yarp based tests

* removed empty files

* fix playwright tests

Author: Erwinvandervalk

bff/hosts/Hosts.Bff.InMemory/Extensions.cs

@@ -2,18 +2,116 @@
 // See LICENSE in the project root for license information.
 
 using Bff;
+using Duende.AccessTokenManagement.OpenIdConnect;
+using Duende.Bff;
+using Duende.Bff.AccessTokenManagement;
+using Duende.Bff.Configuration;
+using Duende.Bff.Yarp;
+using Hosts.ServiceDefaults;
 
 Console.Title = "BFF";
 
 var builder = WebApplication.CreateBuilder(args);
 builder.AddServiceDefaults();
 
-var serviceProviderAccessor = new ServiceProviderAccessor();
+var services = builder.Services;
 
-var app = builder
-    .ConfigureServices(() => serviceProviderAccessor.ServiceProvider ?? throw new InvalidOperationException("Service Provider must be set"))
-    .ConfigurePipeline();
+// Add BFF services to DI - also add server-side session management
+services.AddBff()
+    .WithDefaultOpenIdConnectOptions(options =>
+    {
+        var authority = ServiceDiscovery.ResolveService(AppHostServices.IdentityServer);
+        options.Authority = authority.ToString();
 
-serviceProviderAccessor.ServiceProvider = app.Services;
+        // confidential client using code flow + PKCE
+        options.ClientId = "bff";
+        options.ClientSecret = "secret";
+        options.ResponseType = "code";
+        options.ResponseMode = "query";
+
+        options.MapInboundClaims = false;
+        options.GetClaimsFromUserInfoEndpoint = true;
+        options.SaveTokens = true;
+
+        // request scopes + refresh tokens
+        options.Scope.Clear();
+        options.Scope.Add("openid");
+        options.Scope.Add("profile");
+        options.Scope.Add("api");
+        options.Scope.Add("scope-for-isolated-api");
+        options.Scope.Add("offline_access");
+
+        options.Resource = "urn:isolated-api";
+    })
+    .AddRemoteApis()
+    .AddServerSideSessions();
+
+// local APIs
+services.AddControllers();
+
+services.AddTransient<ImpersonationAccessTokenRetriever>();
+
+services.AddUserAccessTokenHttpClient("api",
+    configureClient: client => { client.BaseAddress = new Uri("https://localhost:5010/api"); });
+
+
+var app = builder.Build();
+app.UseHttpLogging();
+app.UseDeveloperExceptionPage();
+
+app.UseDefaultFiles();
+app.UseStaticFiles();
+
+app.UseAuthentication();
+app.UseRouting();
+
+// adds antiforgery protection for local APIs
+app.UseBff();
+
+// adds authorization for local and remote API endpoints
+app.UseAuthorization();
+
+// local APIs
+app.MapControllers()
+    .RequireAuthorization()
+    .AsBffApiEndpoint();
+
+// login, logout, user, backchannel logout...
+app.MapBffManagementEndpoints();
+
+//////////////////////////////////////
+// proxy app for cross-site APIs
+//////////////////////////////////////
+
+// On this path, we use a client credentials token
+app.MapRemoteBffApiEndpoint("/api/client-token", new Uri("https://localhost:5010"))
+    .WithAccessToken(RequiredTokenType.Client);
+
+// On this path, we use a user token if logged in, and fall back to a client credentials token if not
+app.MapRemoteBffApiEndpoint("/api/user-or-client-token", new Uri("https://localhost:5010"))
+    .WithAccessToken(RequiredTokenType.UserOrClient);
+
+// On this path, we make anonymous requests
+app.MapRemoteBffApiEndpoint("/api/anonymous", new Uri("https://localhost:5010"));
+
+// On this path, we use the client token only if the user is logged in
+app.MapRemoteBffApiEndpoint("/api/optional-user-token", new Uri("https://localhost:5010"))
+    .WithAccessToken(RequiredTokenType.UserOrNone);
+
+// On this path, we require the user token
+app.MapRemoteBffApiEndpoint("/api/user-token", new Uri("https://localhost:5010"))
+    .WithAccessToken();
+
+// On this path, we perform token exchange to impersonate a different user
+// before making the api request
+app.MapRemoteBffApiEndpoint("/api/impersonation", new Uri("https://localhost:5010"))
+    .WithAccessToken()
+    .WithAccessTokenRetriever<ImpersonationAccessTokenRetriever>();
+
+// On this path, we obtain an audience constrained token and invoke
+// a different api that requires such a token
+app.MapRemoteBffApiEndpoint("/api/audience-constrained", new Uri("https://localhost:5012"))
+    .WithAccessToken()
+    .WithUserAccessTokenParameter(new BffUserAccessTokenParameters { Resource = Resource.Parse("urn:isolated-api") });
 
 app.Run();

bff/hosts/Hosts.Bff.InMemory/Program.cs

@@ -184,14 +184,6 @@
 
 app.MapBffManagementEndpoints();
 
-
-
-
-
-
-
-
-
 app.Run();
 
 RouteConfig[] BuildYarpRoutes()

bff/hosts/Hosts.Bff.MultiFrontend/Program.cs

@@ -118,7 +118,7 @@ public static class Config
                         GrantType.ClientCredentials,
                         OidcConstants.GrantTypes.TokenExchange
                     },
-                    RedirectUris = { $"{bffMultiFrontendUrl}with-path/bff-signin" },
+                    RedirectUris = { $"{bffMultiFrontendUrl}with-path/signin-oidc" },
                     FrontChannelLogoutUri = $"{bffMultiFrontendUrl}signout-oidc",
                     PostLogoutRedirectUris = { $"{bffMultiFrontendUrl}signout-callback-oidc" },
 
@@ -140,7 +140,7 @@ public static class Config
                         GrantType.ClientCredentials,
                         OidcConstants.GrantTypes.TokenExchange
                     },
-                    RedirectUris = { $"https://app1.localhost:5005/bff-signin" },
+                    RedirectUris = { $"https://app1.localhost:5005/signin-oidc" },
                     FrontChannelLogoutUri = $"https://app1.localhost:5005/signout-oidc",
                     PostLogoutRedirectUris = { $"https://app1.localhost:5005/signout-callback-oidc" },
 

bff/hosts/Hosts.IdentityServer/Config.cs

@@ -9,5 +9,5 @@ namespace Duende.Bff.DynamicFrontends;
 public static class BffAuthenticationSchemes
 {
     public static readonly Scheme BffOpenIdConnect = Scheme.Parse("duende-bff-oidc");
-    public static readonly Scheme BffDefault = Scheme.Parse("duende-bff-default");
+    public static readonly Scheme BffCookie = Scheme.Parse("duende-bff-cookie");
 }

bff/src/Bff/DynamicFrontends/BffAuthenticationSchemes.cs

@@ -10,10 +10,21 @@ internal class BffConfigureAuthenticationOptions : IPostConfigureOptions<Authent
 {
     public void PostConfigure(string? name, AuthenticationOptions options)
     {
-        if (options.DefaultScheme == null && options.DefaultAuthenticateScheme == null && options.DefaultAuthenticateScheme == null)
+        if (options.DefaultScheme == null
+            && options.DefaultAuthenticateScheme == null
+            && options.DefaultSignOutScheme == null
+            )
         {
-            options.DefaultScheme = BffAuthenticationSchemes.BffDefault;
+            options.DefaultScheme = BffAuthenticationSchemes.BffCookie;
             options.DefaultChallengeScheme = BffAuthenticationSchemes.BffOpenIdConnect;
+            options.DefaultSignOutScheme = BffAuthenticationSchemes.BffOpenIdConnect;
+
+            // If we don't set this forbid scheme, when calling forbid, it can trigger a stackoverflow exception
+            // when calling HttpContext.Forbid(). 
+            if (options.DefaultForbidScheme == null)
+            {
+                options.DefaultForbidScheme = BffAuthenticationSchemes.BffCookie;
+            }
         }
     }
 }

bff/src/Bff/DynamicFrontends/BffConfigureAuthenticationOptions.cs

@@ -26,10 +26,6 @@ public void Configure(string? name, CookieAuthenticationOptions options)
         options.TimeProvider = timeProvider;
         if (selectedFrontend.TryGet(out var frontEnd))
         {
-
-            //TODO: EV: check if this is needed
-            //options.ForwardChallenge = frontEnd.OidcSchemeName;
-
             if (frontEnd.SelectionCriteria.MatchingPath != null)
             {
                 options.Cookie.Name = Constants.Cookies.SecurePrefix + "_" + frontEnd.Name;
@@ -44,12 +40,10 @@ public void Configure(string? name, CookieAuthenticationOptions options)
 
             frontEnd.ConfigureCookieOptions?.Invoke(options);
         }
-        else if (name == BffAuthenticationSchemes.BffDefault.ToString())
+        else if (name == BffAuthenticationSchemes.BffCookie.ToString())
         {
             options.Cookie.Name = Constants.Cookies.DefaultCookieName;
 
-            // Todo: EV: check if this is needed
-            //options.ForwardChallenge = ;
             ConfigureDefaults(options);
         }
     }

bff/src/Bff/DynamicFrontends/BffConfigureCookieOptions.cs

@@ -38,9 +38,9 @@ public override async Task<IEnumerable<AuthenticationScheme>> GetRequestHandlerS
     {
         selectedFrontend.TryGet(out var frontend);
 
-        if (name == frontend?.CookieSchemeName || name == BffAuthenticationSchemes.BffDefault)
+        if (name == frontend?.CookieSchemeName || name == BffAuthenticationSchemes.BffCookie)
         {
-            return new BffAuthenticationScheme(frontend?.CookieSchemeName ?? BffAuthenticationSchemes.BffDefault, "Duende Bff Cookie", typeof(CookieAuthenticationHandler));
+            return new BffAuthenticationScheme(frontend?.CookieSchemeName ?? BffAuthenticationSchemes.BffCookie, "Duende Bff Cookie", typeof(CookieAuthenticationHandler));
         }
 
         if (name == frontend?.OidcSchemeName || name == BffAuthenticationSchemes.BffOpenIdConnect)

bff/src/Bff/DynamicFrontends/Internal/BffAuthenticationSchemeProvider.cs

@@ -26,7 +26,8 @@ public void PostConfigure(string? name, CookieAuthenticationOptions options)
     {
         var isDefaultScheme = name == _scheme;
         var isForBffFrontend = selectedFrontend.TryGet(out var frontend) && name == frontend.CookieSchemeName;
-        if (isDefaultScheme || isForBffFrontend)
+        var isForImplicitConfig = BffAuthenticationSchemes.BffCookie == name;
+        if (isDefaultScheme || isForBffFrontend || isForImplicitConfig)
         {
             options.SessionStore = new TicketStoreShim(httpContextAccessor);
         }