Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ADMINAPI-1119] - DRAFT - SPIKE: Cross-tenant Admin API Access #215

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[ADMINAPI-1119] - DRAFT - SPIKE: Cross-tenant Admin API Access #215

wants to merge 1 commit into from

Conversation

DavidJGapCR
Copy link

No description provided.

DavidJGapCR
DavidJGapCR commented Jan 20, 2025
View reviewed changes
Application/EdFi.Ods.AdminApi/Features/Connect/RegisterService.cs
};
};

if (!string.IsNullOrEmpty(tenantIdentifier))
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On RegisterService, if a tenant as been sent on the request headers, add it to the application permissions.

DavidJGapCR
DavidJGapCR commented Jan 20, 2025
View reviewed changes
Application/EdFi.Ods.AdminApi/Features/Connect/TokenService.cs
@@ -56,7 +60,19 @@ public async Task<ClaimsPrincipal> Handle(OpenIddictRequest request)

var identity = new ClaimsIdentity(JwtBearerDefaults.AuthenticationScheme);
identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId!, OpenIddictConstants.Destinations.AccessToken);
identity.AddClaim(OpenIddictConstants.Claims.Name, displayName!, OpenIddictConstants.Destinations.AccessToken);
identity.AddClaim(OpenIddictConstants.Claims.Name, displayName!, OpenIddictConstants.Destinations.AccessToken);
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Include the tenant as a claim to the access token.

DavidJGapCR
DavidJGapCR commented Jan 20, 2025
View reviewed changes
Application/EdFi.Ods.AdminApi/Infrastructure/Security/SecurityExtensions.cs
@@ -104,6 +105,18 @@ IWebHostEnvironment webHostEnvironment
{
opt.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireClaim(OpenIddictConstants.Claims.Scope, SecurityConstants.Scopes.AdminApiFullAccess)
.RequireAssertion(ctx =>
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check if the tenant value on the header matches the one in the token.

@github-actions GitHub Actions
Copy link

Test Results

6 tests   6 ✅  0s ⏱️
1 suites  0 💤
1 files    0 ❌

Results for commit bd22b71.

@DavidJGapCR DavidJGapCR changed the title [ADMINAPI-1119] - SPIKE: Cross-tenant Admin API Access [ADMINAPI-1119] - DRAFT - SPIKE: Cross-tenant Admin API Access Jan 21, 2025
@DavidJGapCR DavidJGapCR marked this pull request as draft January 21, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@DavidJGapCR