Add JWT multi-scheme support, Cognito package, and Testing package #53
Merged
JwtAuthServiceCollectionExtensions gains named-scheme overloads so hosts
can register more than one JWT issuer side by side (e.g. Cognito for
mobile clients + internal HS256 for server-to-server). Each named scheme
gets its own per-scheme policy ({name}-JwtPolicy) and contributes to the
combined TraxAuthPolicy.
AddTraxJwtDispatcher registers a policy scheme that picks the validating
scheme by peeking at the inbound token's iss claim. Unmapped issuers get
forwarded to a built-in reject handler that produces a clean 401.
Trax.Api.Auth.Jwt.Cognito is a new package with UseCognito(region,
userPoolId, clientId) and a CognitoJwtPrincipalResolver that normalizes
cognito:groups (roles), cognito:username (display name), and the
federated identities array (identity_provider claim). Handles both ID
tokens (aud check) and access tokens (client_id check), plus token_use
validation.
Trax.Api.Auth.Jwt.Testing is a new package with TestJwksServer (in-proc
Kestrel host serving a real JWKS endpoint over loopback) and
TestTokenIssuer (fluent RS256/HS256 token builder). For use in
integration tests only.
CustomizeTokenValidation and CustomizeBearerOptions are now additive
(multiple calls chain in registration order) so helpers and consumers
can layer customizations.
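The Cognito normalization described above, as an added example that is not Trax's CognitoJwtPrincipalResolver: a JwtBearerEvents.OnTokenValidated callback that runs only after the scheme has already checked signature and issuer, picks the client-id location from token_use (aud for ID tokens, client_id for access tokens), fails closed on a mismatch, and re-emits cognito:groups, cognito:username and the identities array as standard claims. The region, user pool id and client id are placeholders; the scheme wiring assumes ASP.NET Core's Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;

// Added example, not Trax's resolver. Runs inside OnTokenValidated, i.e. after the
// JwtBearer scheme has verified signature, issuer and lifetime.
public static class CognitoClaims
{
    public static Task OnTokenValidated(TokenValidatedContext ctx, string clientId)
    {
        if (ctx.Principal?.Identity is not ClaimsIdentity id)
        {
            ctx.Fail("no identity on validated token");
            return Task.CompletedTask;
        }

        // token_use says where the app client id lives: ID tokens carry it in aud,
        // access tokens in client_id. Anything else, or a mismatch, fails closed.
        string? tokenUse = id.FindFirst("token_use")?.Value;
        string? presentedClient = tokenUse switch
        {
            "id"     => id.FindFirst("aud")?.Value,
            "access" => id.FindFirst("client_id")?.Value,
            _        => null,
        };
        if (presentedClient != clientId)
        {
            ctx.Fail($"token_use '{tokenUse ?? "<missing>"}' does not carry the expected client id");
            return Task.CompletedTask;
        }

        // cognito:groups arrives as one claim per array element; re-emit as role claims
        // so [Authorize(Roles = "...")] and IsInRole work without Cognito-specific code.
        foreach (Claim g in id.FindAll("cognito:groups"))
            id.AddClaim(new Claim(ClaimTypes.Role, g.Value));

        string? username = id.FindFirst("cognito:username")?.Value;
        if (username is not null)
            id.AddClaim(new Claim(ClaimTypes.Name, username));

        // identities is a JSON-encoded array of federated identity objects; surface the
        // provider name as identity_provider so policies can tell social logins apart.
        string? identities = id.FindFirst("identities")?.Value;
        if (identities is not null)
        {
            try
            {
                using JsonDocument doc = JsonDocument.Parse(identities);
                if (doc.RootElement.ValueKind == JsonValueKind.Array)
                    foreach (JsonElement e in doc.RootElement.EnumerateArray())
                        if (e.TryGetProperty("providerName", out JsonElement p) && p.ValueKind == JsonValueKind.String)
                            id.AddClaim(new Claim("identity_provider", p.GetString()!));
            }
            catch (JsonException)
            {
                ctx.Fail("identities claim is not valid JSON");
            }
        }
        return Task.CompletedTask;
    }
}

// Scheme wiring. Because one scheme accepts both token kinds, framework audience
// validation is switched off and the client-id check above enforces the audience.
// Region, pool id and client id are placeholders.
public static class CognitoSchemeSetup
{
    public static void Configure(JwtBearerOptions o)
    {
        o.Authority = "https://cognito-idp.<region>.amazonaws.com/<userPoolId>";
        o.TokenValidationParameters.ValidateAudience = false;
        o.Events = new JwtBearerEvents
        {
            OnTokenValidated = c => CognitoClaims.OnTokenValidated(c, "<clientId>"),
        };
    }
}
```

Register it with `builder.Services.AddAuthentication().AddJwtBearer("cognito", CognitoSchemeSetup.Configure)`. The design point is that turning off `ValidateAudience` is only safe because the callback rejects any token whose token_use does not name a client-id claim matching the configured app client; drop that check and an access token for a different app client in the same pool would be accepted.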
This PR is included in version 1.29.0 |
Summary
Trax.Api.Auth.Jwt gains named-scheme overloads so hosts can register more than one JWT issuer side by side. Each named scheme exposes its own per-scheme policy ({name}-JwtPolicy) and joins the combined TraxAuthPolicy.
AddTraxJwtDispatcher picks the validating scheme by inspecting the inbound token's iss claim. Unmapped issuers fall through to a reject handler that returns 401.
Trax.Api.Auth.Jwt.Cognito package: UseCognito(region, userPoolId, clientId, tokenUse) builder helper and CognitoJwtPrincipalResolver that normalizes cognito:groups, cognito:username, and the federated identities array.
Trax.Api.Auth.Jwt.Testing package: TestJwksServer (in-proc Kestrel host that serves a real JWKS endpoint) and TestTokenIssuer for minting RS256/HS256 tokens in integration tests.
JwtBuilder.CustomizeTokenValidation / CustomizeBearerOptions now chain (additive) instead of last-writer-wins so helpers can compose with consumer overrides.
Existing single-scheme callers and tests are untouched. The default-scheme overloads (AddTraxJwtAuth(authority, audience), AddTraxJwtAuth(Action<JwtBuilder>)) still register under JwtDefaults.SchemeName and produce the same DI bindings as before.
Coverage on the new code:
178 new tests added on top of the existing 406 auth tests; all 1277 tests in the project pass.
Docs PR: TraxSharp/Trax.Docs#TBD
Test plan
dotnet test against the full Trax.Api solution
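The dispatcher behaviour described in the summary (scheme chosen by the inbound iss claim, unmapped issuers rejected with 401), as an added example built on ASP.NET Core's policy-scheme support; it is not Trax's AddTraxJwtDispatcher. It assumes .NET 8, the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages, and uses placeholder issuer URLs, audiences and secret; the scheme names "cognito" and "internal" and the JwtReject scheme are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;

// Added example, not Trax's dispatcher: an issuer-keyed policy scheme using
// ASP.NET Core's ForwardDefaultSelector (assumes .NET 8).
public static class IssuerDispatch
{
    public const string DispatcherScheme = "JwtDispatcher";
    public const string RejectScheme = "JwtReject";

    // issuer URL -> JwtBearer scheme that validates tokens from it (filled at startup)
    private static readonly Dictionary<string, string> IssuerToScheme = new(StringComparer.Ordinal);

    // Reads the UNVERIFIED iss claim purely to choose a scheme. Nothing is trusted here:
    // the selected JwtBearer scheme still checks signature, issuer and audience, so a
    // forged iss only routes the token to a scheme that will reject it.
    public static string SelectScheme(HttpContext ctx)
    {
        string auth = ctx.Request.Headers.Authorization.ToString();
        if (!auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return RejectScheme;                         // reject scheme answers with 401
        string raw = auth["Bearer ".Length..].Trim();
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(raw))
            return RejectScheme;                         // malformed: never reaches a validator
        string iss = handler.ReadJwtToken(raw).Issuer ?? "";
        return IssuerToScheme.TryGetValue(iss, out var scheme) ? scheme : RejectScheme;
    }

    public static AuthenticationBuilder AddIssuerDispatcher(
        this AuthenticationBuilder builder, params (string Issuer, string Scheme)[] issuers)
    {
        foreach (var (issuer, scheme) in issuers) IssuerToScheme[issuer] = scheme;
        builder.AddPolicyScheme(DispatcherScheme, DispatcherScheme,
            o => o.ForwardDefaultSelector = SelectScheme);
        builder.AddScheme<AuthenticationSchemeOptions, RejectHandler>(RejectScheme, _ => { });
        return builder;
    }
}

// Terminal handler for unmapped issuers: never yields a principal, challenges with 401.
public sealed class RejectHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public RejectHandler(IOptionsMonitor<AuthenticationSchemeOptions> o, ILoggerFactory l, UrlEncoder e)
        : base(o, l, e) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
        => Task.FromResult(AuthenticateResult.Fail("issuer not registered with any scheme"));

    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        Response.StatusCode = StatusCodes.Status401Unauthorized;
        return Task.CompletedTask;
    }
}

// Host wiring. Issuer URLs, audiences and the HS256 secret key are placeholders.
public static class Program
{
    public static void Main(string[] args)
    {
        const string cognitoIssuer = "https://cognito-idp.<region>.amazonaws.com/<userPoolId>";
        const string internalIssuer = "https://internal.example.invalid";
        var b = WebApplication.CreateBuilder(args);
        b.Services.AddAuthentication(IssuerDispatch.DispatcherScheme)
            .AddJwtBearer("cognito", o =>
            {
                o.Authority = cognitoIssuer;   // RS256 via the pool's JWKS; issuer comes from metadata
                o.TokenValidationParameters.ValidAudience = "<clientId>";
            })
            .AddJwtBearer("internal", o =>
            {
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = internalIssuer,     // pin the issuer: routing alone is not validation
                    ValidAudience = "<internalAudience>",
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(b.Configuration["Internal:JwtSecret"]!)),
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },  // no alg confusion
                };
            })
            .AddIssuerDispatcher((cognitoIssuer, "cognito"), (internalIssuer, "internal"));
        b.Services.AddAuthorization();
        var app = b.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.MapGet("/whoami", (HttpContext c) => c.User.Identity?.Name ?? "anonymous").RequireAuthorization();
        app.Run();
    }
}
```

Two properties worth checking in any dispatcher of this shape: every forwarded scheme pins its own ValidIssuer (or derives it from discovery metadata) and its accepted algorithms, so the unverified iss peek can never widen what a scheme accepts; and the reject scheme is a real authentication handler rather than a missing-scheme exception, so an unknown issuer yields a quiet 401 instead of a 500 that leaks configuration.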