Adding Access Token Headers

Author: MWClayson-NHS

application/CohortManager/src/Functions/Shared/Common/Authentication/AuthConfig.cs

@@ -4,10 +4,12 @@ namespace Common;
 
 public class AuthConfig
 {
-    [Required]
+    [Required, Url]
     public required string AuthMetaDataUrl { get; init; }
     [Required]
     public required string AuthClientId { get; init; }
+    [Required, Url]
+    public required string UserInfoUrl { get; init; }
 
 }
 

application/CohortManager/src/Functions/Shared/Common/Authentication/AuthHelper.cs

@@ -5,7 +5,17 @@ namespace Common;
 
 public static class AuthHelper
 {
-    public static bool TryGetTokenFromHeaders(FunctionContext context, out string token)
+    public static bool TryGetIdTokenFromHeaders(FunctionContext context, out string token)
+    {
+        return TryGetBearerTokenFromHeaders(context, "Authorization", out token);
+    }
+
+    public static bool TryGetAccessTokenFromHeaders(FunctionContext context, out string accessToken)
+    {
+        return TryGetBearerTokenFromHeaders(context, "X-Access-Token", out accessToken);
+    }
+
+    private static bool TryGetBearerTokenFromHeaders(FunctionContext context, string headerName, out string token)
     {
         token = null!;
 
@@ -15,18 +25,19 @@ public static bool TryGetTokenFromHeaders(FunctionContext context, out string to
         {
             return false;
         }
-         var headers = JsonSerializer.Deserialize<Dictionary<string, string>>(headersStr);
-         if(headers == null)
-         {
-             return false;
-         }
-
-         if(!headers.TryGetValue("Authorization", out var authHeader) || !authHeader.StartsWith("Bearer "))
-         {
-             return false;
-         }
-
-         token = authHeader.Substring("Bearer ".Length).Trim();
-         return true;
+
+        var headers = JsonSerializer.Deserialize<Dictionary<string, string>>(headersStr);
+        if(headers == null)
+        {
+            return false;
+        }
+
+        if(!headers.TryGetValue(headerName, out var authHeader) || !authHeader.StartsWith("Bearer "))
+        {
+            return false;
+        }
+
+        token = authHeader.Substring("Bearer ".Length).Trim();
+        return true;
     }
 }

application/CohortManager/src/Functions/Shared/Common/Authentication/CIS2AuthMiddleware.cs

@@ -2,6 +2,7 @@ namespace Common;
 
 using System.Net;
 using Microsoft.Azure.Functions.Worker;
+using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.Azure.Functions.Worker.Middleware;
 using Microsoft.Extensions.Logging;
 
@@ -11,39 +12,53 @@ public class Cis2AuthMiddleware : IFunctionsWorkerMiddleware
     private readonly ILogger<Cis2AuthMiddleware> _logger;
     private readonly ICreateResponse _createResponse;
     private readonly IAuthenticationService _authService;
+    private readonly ICis2UserService _cis2UserService;
 
-    public Cis2AuthMiddleware(ILogger<Cis2AuthMiddleware> logger, ICreateResponse createResponse, IAuthenticationService authService)
+    public Cis2AuthMiddleware(ILogger<Cis2AuthMiddleware> logger, ICreateResponse createResponse, IAuthenticationService authService, ICis2UserService cis2UserService)
     {
         _logger = logger;
         _createResponse = createResponse;
         _authService = authService;
+        _cis2UserService = cis2UserService;
     }
 
     public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
     {
         var req = await context.GetHttpRequestDataAsync();
+        var accessToken = string.Empty;
+        var tokensExist = AuthHelper.TryGetIdTokenFromHeaders(context, out var token);
+        tokensExist = tokensExist && AuthHelper.TryGetAccessTokenFromHeaders(context, out accessToken);
 
-        var tokenExists = AuthHelper.TryGetTokenFromHeaders(context, out var token);
-
-        if(!tokenExists)
+        if(!tokensExist)
         {
-            _logger.LogWarning("Authorization header is missing or invalid");
-            var response = await _createResponse.CreateHttpResponseWithBodyAsync(HttpStatusCode.Unauthorized, req!, "Unauthorized: Missing or invalid Authorization header.");
-            context.GetInvocationResult().Value = response;
+            await HandleUnauthorizedAsync(context, req!, "Authorization header is missing or invalid", "Unauthorized: Missing or invalid Authorization header.");
             return;
         }
 
         var validateToken = await _authService.ValidateTokenAsync(token);
 
         if(!validateToken)
         {
-            _logger.LogWarning("Token validation failed");
-            var response = await _createResponse.CreateHttpResponseWithBodyAsync(HttpStatusCode.Unauthorized, req!, "Unauthorized: Invalid token.");
-            context.GetInvocationResult().Value = response;
+            await HandleUnauthorizedAsync(context, req!, "Token validation failed", "Unauthorized: Invalid token.");
+            return;
+        }
+
+        var cis2User = await _cis2UserService.GetUserFromToken(accessToken);
+        if(cis2User == null)
+        {
+            await HandleUnauthorizedAsync(context, req!, "Failed to retrieve user from token", "Unauthorized: Failed to retrieve user from token.");
             return;
         }
 
+        context.Items["Cis2User"] = cis2User;
         context.Items["AuthToken"] = token;
         await next(context);
     }
+
+    private async Task HandleUnauthorizedAsync(FunctionContext context, HttpRequestData request, string logMessage, string responseMessage)
+    {
+        _logger.LogWarning(logMessage);
+        var response = await _createResponse.CreateHttpResponseWithBodyAsync(HttpStatusCode.Unauthorized, request, responseMessage);
+        context.GetInvocationResult().Value = response;
+    }
 }

application/CohortManager/src/Functions/Shared/Common/Authentication/Cis2User.cs

@@ -0,0 +1,51 @@
+namespace Common;
+
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+public class Cis2User
+{
+    [JsonPropertyName("nhsid_useruid")]
+    public string NhsidUseruid { get; set; }
+
+    [JsonPropertyName("name")]
+    public string Name { get; set; }
+
+    [JsonPropertyName("nhsid_nrbac_roles")]
+    public List<NhsidNrbacRole> NhsidNrbacRoles { get; set; }
+
+    [JsonPropertyName("given_name")]
+    public string GivenName { get; set; }
+
+    [JsonPropertyName("family_name")]
+    public string FamilyName { get; set; }
+
+    [JsonPropertyName("uid")]
+    public string Uid { get; set; }
+
+    [JsonPropertyName("sub")]
+    public string Sub { get; set; }
+}
+public class NhsidNrbacRole
+{
+    [JsonPropertyName("person_orgid")]
+    public string PersonOrgid { get; set; }
+
+    [JsonPropertyName("person_roleid")]
+    public string PersonRoleid { get; set; }
+
+    [JsonPropertyName("org_code")]
+    public string OrgCode { get; set; }
+
+    [JsonPropertyName("role_name")]
+    public string RoleName { get; set; }
+
+    [JsonPropertyName("role_code")]
+    public string RoleCode { get; set; }
+
+    [JsonPropertyName("workgroups")]
+    public List<string> Workgroups { get; set; }
+
+    [JsonPropertyName("workgroups_codes")]
+    public List<string> WorkgroupsCodes { get; set; }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/Cis2UserService.cs

@@ -0,0 +1,41 @@
+namespace Common;
+
+using System.Text.Json;
+using Hl7.FhirPath.Sprache;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+public class Cis2UserService : ICis2UserService
+{
+    ILogger<Cis2UserService> _logger;
+    IHttpClientFunction _httpClient;
+    AuthConfig _authConfig;
+
+    public Cis2UserService(ILogger<Cis2UserService> logger, IHttpClientFunction httpClient, IOptions<AuthConfig> authConfig)
+    {
+        _logger = logger;
+        _httpClient = httpClient;
+        _authConfig = authConfig.Value;
+    }
+
+    public async Task<Cis2User?> GetUserFromToken(string token)
+    {
+        try{
+            _httpClient.SetBearerToken(token);
+            var response = await _httpClient.SendGetOrThrowAsync(_authConfig.UserInfoUrl);
+            if(response == null)
+            {
+                _logger.LogError("Failed to get user info from token, response is null");
+                return null;
+            }
+            var cis2User = JsonSerializer.Deserialize<Cis2User>(response);
+
+            return cis2User;
+        }
+        catch(Exception ex)
+        {
+            _logger.LogError(ex, "Failed to get user info from token, message: {Message}", ex.Message);
+            return null;
+        }
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/ICis2UserService.cs

@@ -0,0 +1,11 @@
+namespace Common;
+
+public interface ICis2UserService
+{
+    /// <summary>
+    /// Gets the user information from the token using the configured UserInfo endpoint.
+    /// </summary>
+    /// <param name="token">The token to get the user information from.</param>
+    /// <returns>A Cis2User object containing the user information, or null if the user information could not be retrieved.</returns>
+    Task<Cis2User?> GetUserFromToken(string token);
+}

application/CohortManager/src/Functions/Shared/Common/Extensions/AuthenticationExtension.cs

@@ -16,6 +16,7 @@ public static IHostBuilder AddAuthentication(this IHostBuilder hostBuilder)
         hostBuilder.ConfigureServices((context, services) =>
         {
             services.AddSingleton<IAuthenticationService, JwtAuthentication>();
+            services.AddSingleton<ICis2UserService,Cis2UserService>();
         });
         return hostBuilder;
      }

application/CohortManager/src/Functions/Shared/Common/HttpClientFunction.cs

@@ -11,6 +11,7 @@ public class HttpClientFunction : IHttpClientFunction
     private readonly IHttpClientFactory _factory;
     public static readonly TimeSpan _timeout = TimeSpan.FromSeconds(300);
     private const string errorMessage = "Failed to execute request to {Url}, message: {Message}";
+    private string _bearerToken = string.Empty;
 
     public HttpClientFunction(ILogger<HttpClientFunction> logger, IHttpClientFactory factory)
     {
@@ -25,7 +26,7 @@ public async Task<HttpResponseMessage> SendPost(string url, string data)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
-
+        SetClientBearerToken(client);
         try
         {
             HttpResponseMessage response = await client.PostAsync(url, jsonContent);
@@ -45,6 +46,7 @@ public async Task<HttpResponseMessage> SendPost(string url, Dictionary<string, s
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         try
         {
@@ -64,6 +66,7 @@ public async Task<string> SendGet(string url)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         return await GetAsync(client);
     }
@@ -76,6 +79,7 @@ public async Task<string> SendGet(string url, Dictionary<string, string> paramet
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         return await GetAsync(client);
     }
@@ -88,6 +92,7 @@ public async Task<HttpResponseMessage> SendGetResponse(string url, Dictionary<st
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         return await client.GetAsync(url);
     }
@@ -99,6 +104,7 @@ public async Task<HttpResponseMessage> SendGetResponse(string url)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         return await client.GetAsync(url);
     }
@@ -109,6 +115,7 @@ public async Task<string> SendGetOrThrowAsync(string url)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         return await GetOrThrowAsync(client);
     }
@@ -155,6 +162,7 @@ public async Task<HttpResponseMessage> SendPut(string url, string data)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         try
         {
@@ -174,6 +182,7 @@ public async Task<bool> SendDelete(string url)
 
         client.BaseAddress = new Uri(url);
         client.Timeout = _timeout;
+        SetClientBearerToken(client);
 
         try
         {
@@ -198,6 +207,19 @@ public async Task<string> GetResponseText(HttpResponseMessage response)
         return await response.Content.ReadAsStringAsync();
     }
 
+    public void SetBearerToken(string token)
+    {
+        _bearerToken = token;
+    }
+
+    private void SetClientBearerToken(HttpClient client)
+    {
+        if (!string.IsNullOrEmpty(_bearerToken))
+        {
+            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + _bearerToken);
+        }
+    }
+
     /// <summary>
     /// Removes the query string from the URL to prevent us logging sensitive information.
     /// </summary>

application/CohortManager/src/Functions/Shared/Common/Interfaces/IHttpClientFunction.cs

@@ -85,4 +85,10 @@ public interface IHttpClientFunction
     /// <param name="response">HTTP response message.</param>
     /// <returns>string<returns>
     Task<string> GetResponseText(HttpResponseMessage response);
+
+    /// <summary>
+    /// Sets the bearer token to be used in HttpClient requests.
+    /// </summary>
+    /// <param name="token">Bearer token to be used in HttpClient requests.</param>
+    void SetBearerToken(string token);
 }

application/CohortManager/src/Web/app/lib/fetchExceptions.ts

@@ -43,14 +43,17 @@ function buildQueryString(params: FetchExceptionsParams): string {
 
 async function getAuthHeaders() {
   const session = await auth();
-  const bearerToken = session?.idToken ?? session?.accessToken;
+  const bearerToken = session?.idToken;
+  const accessToken = session?.accessToken;
 
-  if (!bearerToken) {
+  if (!bearerToken || !accessToken) {
     return undefined;
   }
 
+
   return {
     Authorization: `Bearer ${bearerToken}`,
+    "X-Access-Token": accessToken
   };
 }