| | | 1 | | <# |
| | | 2 | | .SYNOPSIS |
| | | 3 | | Adds JWT Bearer authentication to the Kestrun server. |
| | | 4 | | .DESCRIPTION |
| | | 5 | | Configures the Kestrun server to use JWT Bearer authentication for incoming requests. |
| | | 6 | | .PARAMETER Server |
| | | 7 | | The Kestrun server instance to configure. |
| | | 8 | | .PARAMETER Name |
| | | 9 | | The name of the authentication scheme. |
| | | 10 | | This name is used to identify the authentication scheme in the Kestrun server configuration. |
| | | 11 | | .PARAMETER ValidationParameter |
| | | 12 | | The token validation parameters used to validate incoming JWT tokens. |
| | | 13 | | This parameter is mandatory when using the 'ValParamOption' parameter set. |
| | | 14 | | .PARAMETER ClaimPolicy |
| | | 15 | | The claim policy configuration for the authentication scheme. |
| | | 16 | | .PARAMETER ValidIssuer |
| | | 17 | | The valid issuer for the JWT tokens. |
| | | 18 | | This parameter is used to validate the issuer of incoming tokens. |
| | | 19 | | .PARAMETER ValidIssuers |
| | | 20 | | An array of valid issuers for the JWT tokens. |
| | | 21 | | This parameter is used to validate the issuer of incoming tokens. |
| | | 22 | | .PARAMETER ValidAudiences |
| | | 23 | | An array of valid audiences for the JWT tokens. |
| | | 24 | | This parameter is used to validate the audience of incoming tokens. |
| | | 25 | | .PARAMETER ValidAlgorithms |
| | | 26 | | An array of valid algorithms for the JWT tokens. |
| | | 27 | | This parameter is used to validate the algorithm of incoming tokens. |
| | | 28 | | .PARAMETER SkipValidateIssuer |
| | | 29 | | A switch parameter that, when specified, skips validation of the issuer. |
| | | 30 | | .PARAMETER SkipValidateAudience |
| | | 31 | | A switch parameter that, when specified, skips validation of the audience. |
| | | 32 | | .PARAMETER SkipValidateLifetime |
| | | 33 | | A switch parameter that, when specified, skips validation of the token lifetime. |
| | | 34 | | .PARAMETER ValidateIssuerSigningKey |
| | | 35 | | A switch parameter that, when specified, validates the issuer signing key. |
| | | 36 | | .PARAMETER DoesNotRequireSignedTokens |
| | | 37 | | A switch parameter that, when specified, indicates that signed tokens are not required. |
| | | 38 | | .PARAMETER IssuerSigningKey |
| | | 39 | | The security key used to validate the issuer signing key. |
| | | 40 | | .PARAMETER IssuerSigningKeys |
| | | 41 | | An array of security keys used to validate the issuer signing key. |
| | | 42 | | .PARAMETER ClockSkew |
| | | 43 | | The amount of time the token validation should allow for clock skew. |
| | | 44 | | .PARAMETER DoesNotRequireExpirationTime |
| | | 45 | | A switch parameter that, when specified, indicates that expiration time validation is not required. |
| | | 46 | | .PARAMETER ValidAudience |
| | | 47 | | The valid audience for the JWT tokens. |
| | | 48 | | This parameter is used to validate the audience of incoming tokens. |
| | | 49 | | .PARAMETER PassThru |
| | | 50 | | A switch parameter that, when specified, returns the Kestrun server instance. |
| | | 51 | | .EXAMPLE |
| | | 52 | | Add-KrJWTBearerAuthentication -Server $server -Name "MyAuth" -ValidationParameter $validationParameter -ClaimPol |
| | | 53 | | Configure Kestrun server to use JWT Bearer authentication with the specified validation parameters and claim pol |
| | | 54 | | .EXAMPLE |
| | | 55 | | Add-KrJWTBearerAuthentication -Server $server -Name "MyAuth" -ValidIssuer "https://issuer" -ValidAudience "api" |
| | | 56 | | Configure Kestrun server to use JWT Bearer authentication with the specified issuer, audience, and algorithms, s |
| | | 57 | | .EXAMPLE |
| | | 58 | | Add-KrJWTBearerAuthentication -Server $server -Name "MyAuth" -ValidIssuer "https://issuer" -ValidAudience "api" |
| | | 59 | | Configure Kestrun server to use JWT Bearer authentication with the specified issuer, audience, and algorithms, s |
| | | 60 | | .EXAMPLE |
| | | 61 | | Add-KrJWTBearerAuthentication -Server $server -Name "MyAuth" -ValidIssuer "https://issuer" -ValidAudience "api" |
| | | 62 | | Configure Kestrun server to use JWT Bearer authentication with the specified issuer, audience, and algorithms, s |
| | | 63 | | .LINK |
| | | 64 | | https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerauthenticati |
| | | 65 | | .NOTES |
| | | 66 | | This function is part of the Kestrun.Authentication module and is used to configure JWT Bearer authentication fo |
| | | 67 | | Maps to Kestrun.Hosting.KestrunHostAuthnExtensions.AddJwtBearerAuthentication |
| | | 68 | | #> |
| | | 69 | | function Add-KrJWTBearerAuthentication { |
| | | 70 | | [KestrunRuntimeApi('Definition')] |
| | | 71 | | [CmdletBinding(defaultParameterSetName = 'Items')] |
| | | 72 | | [OutputType([Kestrun.Hosting.KestrunHost])] |
| | | 73 | | param( |
| | | 74 | | [Parameter(Mandatory = $false, ValueFromPipeline)] |
| | | 75 | | [Kestrun.Hosting.KestrunHost]$Server, |
| | | 76 | | |
| | | 77 | | [Parameter(Mandatory = $true)] |
| | | 78 | | [string]$Name, |
| | | 79 | | |
| | | 80 | | [Parameter(Mandatory = $true, ParameterSetName = 'ValParamOption')] |
| | | 81 | | [Microsoft.IdentityModel.Tokens.TokenValidationParameters]$ValidationParameter, |
| | | 82 | | |
| | | 83 | | [Parameter()] |
| | | 84 | | [Kestrun.Claims.ClaimPolicyConfig]$ClaimPolicy, |
| | | 85 | | |
| | | 86 | | [Parameter(ParameterSetName = 'Items')] |
| | | 87 | | [string] $ValidIssuer, |
| | | 88 | | [Parameter(ParameterSetName = 'Items')] |
| | | 89 | | [string[]]$ValidIssuers, |
| | | 90 | | [Parameter(ParameterSetName = 'Items')] |
| | | 91 | | [string] $ValidAudience, |
| | | 92 | | [Parameter(ParameterSetName = 'Items')] |
| | | 93 | | [string[]]$ValidAudiences, |
| | | 94 | | [Parameter(ParameterSetName = 'Items')] |
| | | 95 | | [string[]]$ValidAlgorithms, |
| | | 96 | | [Parameter(ParameterSetName = 'Items')] |
| | | 97 | | [switch] $SkipValidateIssuer , |
| | | 98 | | [Parameter(ParameterSetName = 'Items')] |
| | | 99 | | [switch] $SkipValidateAudience , |
| | | 100 | | [Parameter(ParameterSetName = 'Items')] |
| | | 101 | | [switch] $SkipValidateLifetime , |
| | | 102 | | [Parameter(ParameterSetName = 'Items')] |
| | | 103 | | [switch] $ValidateIssuerSigningKey, |
| | | 104 | | [Parameter(ParameterSetName = 'Items')] |
| | | 105 | | [switch] $DoesNotRequireExpirationTime , |
| | | 106 | | [Parameter(ParameterSetName = 'Items')] |
| | | 107 | | [switch] $DoesNotRequireSignedTokens, |
| | | 108 | | [Parameter(ParameterSetName = 'Items')] |
| | | 109 | | [Microsoft.IdentityModel.Tokens.SecurityKey]$IssuerSigningKey, |
| | | 110 | | [Parameter(ParameterSetName = 'Items')] |
| | | 111 | | [Microsoft.IdentityModel.Tokens.SecurityKey[]]$IssuerSigningKeys, |
| | | 112 | | [Parameter(ParameterSetName = 'Items')] |
| | | 113 | | [TimeSpan]$ClockSkew, |
| | | 114 | | [Parameter()] |
| | | 115 | | [switch]$PassThru |
| | | 116 | | ) |
| | | 117 | | begin { |
| | | 118 | | # Ensure the server instance is resolved |
| | 0 | 119 | | $Server = Resolve-KestrunServer -Server $Server |
| | | 120 | | } |
| | | 121 | | process { |
| | 0 | 122 | | if ($PSCmdlet.ParameterSetName -ne 'ValParamOption') { |
| | 0 | 123 | | $ValidationParameter = [Microsoft.IdentityModel.Tokens.TokenValidationParameters]::new() |
| | 0 | 124 | | if ($PSBoundParameters.ContainsKey('ValidIssuer')) { $ValidationParameter.ValidIssuer = $ValidIssuer } |
| | 0 | 125 | | if ($PSBoundParameters.ContainsKey('ValidIssuers')) { $ValidationParameter.ValidIssuers = $ValidIssuers } |
| | 0 | 126 | | if ($PSBoundParameters.ContainsKey('ValidAudience')) { $ValidationParameter.ValidAudience = $ValidAudience } |
| | 0 | 127 | | if ($PSBoundParameters.ContainsKey('ValidAudiences')) { $ValidationParameter.ValidAudiences = $ValidAudience |
| | 0 | 128 | | if ($PSBoundParameters.ContainsKey('ValidAlgorithms')) { $ValidationParameter.ValidAlgorithms = $ValidAlgori |
| | 0 | 129 | | if ($PSBoundParameters.ContainsKey('SkipValidateIssuer')) { $ValidationParameter.ValidateIssuer = -not $Skip |
| | 0 | 130 | | if ($PSBoundParameters.ContainsKey('SkipValidateAudience')) { $ValidationParameter.ValidateAudience = -not $ |
| | 0 | 131 | | if ($PSBoundParameters.ContainsKey('SkipValidateLifetime')) { $ValidationParameter.ValidateLifetime = -not $ |
| | 0 | 132 | | if ($PSBoundParameters.ContainsKey('ValidateIssuerSigningKey')) { $ValidationParameter.ValidateIssuerSigning |
| | | 133 | | |
| | 0 | 134 | | if ($PSBoundParameters.ContainsKey('RequireExpirationTime')) { $ValidationParameter.RequireExpirationTime = |
| | 0 | 135 | | if ($PSBoundParameters.ContainsKey('RequireSignedTokens')) { $ValidationParameter.RequireSignedTokens = -not |
| | | 136 | | |
| | 0 | 137 | | if ($PSBoundParameters.ContainsKey('IssuerSigningKey')) { $ValidationParameter.IssuerSigningKey = $IssuerSig |
| | 0 | 138 | | if ($PSBoundParameters.ContainsKey('IssuerSigningKeys')) { $ValidationParameter.IssuerSigningKeys = $IssuerS |
| | | 139 | | |
| | 0 | 140 | | if ($PSBoundParameters.ContainsKey('ClockSkew')) { $ValidationParameter.ClockSkew = $ClockSkew } |
| | | 141 | | } |
| | | 142 | | |
| | 0 | 143 | | [Kestrun.Hosting.KestrunHostAuthnExtensions]::AddJwtBearerAuthentication( |
| | 0 | 144 | | $Server, $Name, $ValidationParameter, $null, $ClaimPolicy) | Out-Null |
| | 0 | 145 | | if ($PassThru.IsPresent) { |
| | | 146 | | # if the PassThru switch is specified, return the modified server instance |
| | 0 | 147 | | return $Server |
| | | 148 | | } |
| | | 149 | | } |
| | | 150 | | } |
| | | 151 | | |