< Summary - Kestrun — Combined Coverage

Information

Class:	Kestrun.Hosting.KestrunHostAuthnExtensions
Assembly:	Kestrun
File(s):	/home/runner/work/Kestrun/Kestrun/src/CSharp/Kestrun/Hosting/KestrunHostAuthnExtensions.cs
Tag:	Kestrun/Kestrun@eeafbe813231ed23417e7b339e170e307b2c86f9

Line coverage

51%

Covered lines:	360
Uncovered lines:	334
Coverable lines:	694
Total lines:	1656
Line coverage:	51.8%

Branch coverage

45%

Covered branches:	138
Total branches:	304
Branch coverage:	45.3%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Coverage history

Coverage delta

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
AddBasicAuthentication(...)	100%	6	6	100%
AddBasicAuthentication(...)	100%	4	4	100%
ConfigureBasicAuthValidators(...)	81.25%	17	16	84.21%
ConfigureBasicIssueClaims(...)	81.25%	17	16	84.21%
AddGitHubOAuthAuthentication(...)	0%	20	4	0%
ConfigureGitHubOAuth2Options(...)	100%	2	1	0%
ConfigureGitHubClaimMappings(...)	100%	2	1	0%
FetchGitHubUserInfoAsync()	100%	2	1	0%
EnrichGitHubEmailClaimAsync()	0%	110	10	0%
FindPrimaryVerifiedEmail(...)	0%	110	10	0%
FindFirstVerifiedEmail(...)	0%	72	8	0%
AddJwtBearerAuthentication(...)	100%	6	6	94.73%
AddJwtBearerAuthentication(...)	75%	4	4	94.73%
AddCookieAuthentication(...)	100%	6	6	95.23%
AddCookieAuthentication(...)	0%	20	4	0%
AddWindowsAuthentication(...)	75%	4	4	85.71%
AddWindowsAuthentication(...)	0%	20	4	0%
AddWindowsAuthentication(...)	100%	1	1	100%
AddClientCertificateAuthentication(...)	100%	4	4	90%
AddClientCertificateAuthentication(...)	0%	20	4	0%
AddClientCertificateAuthentication(...)	100%	2	1	0%
AddApiKeyAuthentication(...)	100%	6	6	100%
AddApiKeyAuthentication(...)	100%	4	4	100%
ConfigureApiKeyValidators(...)	81.25%	17	16	84.21%
ConfigureApiKeyIssueClaims(...)	81.25%	17	16	84.21%
AddOAuth2Authentication(...)	0%	600	24	0%
ConfigureScopes(...)	83.33%	6	6	90.9%
BuildClaimPolicyFromScopes(...)	100%	2	2	100%
AddMissingScopesToClaimPolicy(...)	75%	4	4	91.66%
BackfillScopesFromClaimPolicy(...)	66.66%	6	6	83.33%
LogScopeAdded(...)	100%	2	2	100%
LogScopeAddedToClaimPolicy(...)	100%	2	2	100%
LogMissingScopes(...)	100%	2	2	100%
LogConfiguredScopes(...)	100%	2	2	100%
LogClaimPolicyConfigured(...)	100%	2	2	100%
AddOpenIdConnectAuthentication(...)	0%	1056	32	0%
GetSupportedScopes(...)	0%	342	18	0%
ConfigureOpenApi(...)	100%	6	6	100%
AddAuthentication(...)	81.25%	16	16	94%
HasAuthScheme(...)	100%	1	1	100%
AddAuthorization(...)	50%	2	2	100%
HasAuthPolicy(...)	100%	1	1	100%
.ctor(...)	0%	6	2	0%
get_LastTokenResponseBody()	100%	2	1	0%
SendAsync()	0%	812	28	0%

File(s)

/home/runner/work/Kestrun/Kestrun/src/CSharp/Kestrun/Hosting/KestrunHostAuthnExtensions.cs

#	Line	Line coverage
	`1`	`using Microsoft.AspNetCore.Authentication;`
	`2`	`using Microsoft.AspNetCore.Authorization;`
	`3`	`using Microsoft.Extensions.Options;`
	`4`	`using Kestrun.Authentication;`
	`5`	`using Serilog.Events;`
	`6`	`using Kestrun.Scripting;`
	`7`	`using Microsoft.AspNetCore.Authentication.Negotiate;`
	`8`	`using Kestrun.Claims;`
	`9`	`using Microsoft.AspNetCore.Authentication.OAuth;`
	`10`	`using System.Text.Json;`
	`11`	`using System.Security.Claims;`
	`12`	`using Microsoft.Extensions.DependencyInjection.Extensions;`
	`13`	`using Microsoft.AspNetCore.Authentication.OpenIdConnect;`
	`14`	`using Microsoft.IdentityModel.Protocols;`
	`15`	`using Microsoft.IdentityModel.Protocols.OpenIdConnect;`
	`16`	`using Kestrun.OpenApi;`
	`17`
	`18`	`namespace Kestrun.Hosting;`
	`19`
	`20`	`/// <summary>`
	`21`	`/// Provides extension methods for adding authentication schemes to the Kestrun host.`
	`22`	`/// </summary>`
	`23`	`public static class KestrunHostAuthnExtensions`
	`24`	`{`
	`25`	`#region Basic Authentication`
	`26`	`/// <summary>`
	`27`	`/// Adds Basic Authentication to the Kestrun host.`
	`28`	`/// <para>Use this for simple username/password authentication.</para>`
	`29`	`/// </summary>`
	`30`	`/// <param name="host">The Kestrun host instance.</param>`
	`31`	`/// <param name="scheme">The authentication scheme name (e.g. "Basic").</param>`
	`32`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`33`	`/// <param name="configure">Optional configuration for BasicAuthenticationOptions.</param>`
	`34`	`/// <returns>returns the KestrunHost instance.</returns>`
	`35`	`public static KestrunHost AddBasicAuthentication(`
	`36`	`this KestrunHost host,`
	`37`	`string scheme = AuthenticationDefaults.BasicSchemeName,`
	`38`	`string? displayName = AuthenticationDefaults.BasicDisplayName,`
	`39`	`Action<BasicAuthenticationOptions>? configure = null`
	`40`	`)`
	`41`	`{`
	`42`	`// Build a prototype options instance (single source of truth)`
8	`43`	`var prototype = new BasicAuthenticationOptions { Host = host };`
	`44`
	`45`	`// Let the caller mutate the prototype`
8	`46`	`configure?.Invoke(prototype);`
	`47`
	`48`	`// Configure validators / claims / OpenAPI on the prototype`
8	`49`	`ConfigureBasicAuthValidators(host, prototype);`
8	`50`	`ConfigureBasicIssueClaims(host, prototype);`
8	`51`	`ConfigureOpenApi(host, scheme, prototype);`
	`52`	`// register in host for introspection`
8	`53`	`_ = host.RegisteredAuthentications.Register(scheme, AuthenticationType.Basic, prototype);`
8	`54`	`var h = host.AddAuthentication(`
8	`55`	`defaultScheme: scheme,`
8	`56`	`buildSchemes: ab =>`
8	`57`	`{`
8	`58`	`_ = ab.AddScheme<BasicAuthenticationOptions, BasicAuthHandler>(`
8	`59`	`authenticationScheme: scheme,`
8	`60`	`displayName: displayName,`
8	`61`	`configureOptions: opts =>`
8	`62`	`{`
8	`63`	`// Copy from the prototype into the runtime instance`
6	`64`	`prototype.ApplyTo(opts);`
8	`65`
6	`66`	`host.Logger.Debug("Configured Basic Authentication using scheme {Scheme}", scheme);`
14	`67`	`});`
8	`68`	`}`
8	`69`	`);`
	`70`	`// register the post-configurer after the scheme so it can`
	`71`	`// read BasicAuthenticationOptions for <scheme>`
8	`72`	`return h.AddService(services =>`
8	`73`	`{`
8	`74`	`_ = services.AddSingleton<IPostConfigureOptions<AuthorizationOptions>>(`
11	`75`	`sp => new ClaimPolicyPostConfigurer(`
11	`76`	`scheme,`
11	`77`	`sp.GetRequiredService<`
11	`78`	`IOptionsMonitor<BasicAuthenticationOptions>>()));`
16	`79`	`});`
	`80`	`}`
	`81`
	`82`	`/// <summary>`
	`83`	`/// Adds Basic Authentication to the Kestrun host using the provided options object.`
	`84`	`/// </summary>`
	`85`	`/// <param name="host">The Kestrun host instance.</param>`
	`86`	`/// <param name="scheme">The authentication scheme name (e.g. "Basic").</param>`
	`87`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`88`	`/// <param name="configure">The BasicAuthenticationOptions object to configure the authentication.</param>`
	`89`	`/// <returns>The configured KestrunHost instance.</returns>`
	`90`	`public static KestrunHost AddBasicAuthentication(`
	`91`	`this KestrunHost host,`
	`92`	`string scheme,`
	`93`	`string? displayName,`
	`94`	`BasicAuthenticationOptions configure`
	`95`	`)`
	`96`	`{`
1	`97`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`98`	`{`
1	`99`	`host.Logger.Debug("Adding Basic Authentication with scheme: {Scheme}", scheme);`
	`100`	`}`
	`101`	`// Ensure the scheme is not null`
1	`102`	`ArgumentNullException.ThrowIfNull(host);`
1	`103`	`ArgumentNullException.ThrowIfNull(scheme);`
1	`104`	`ArgumentNullException.ThrowIfNull(configure);`
	`105`	`// Ensure host is set`
1	`106`	`if (configure.Host != host)`
	`107`	`{`
1	`108`	`configure.Host = host;`
	`109`	`}`
1	`110`	`return host.AddBasicAuthentication(`
1	`111`	`scheme: scheme,`
1	`112`	`displayName: displayName,`
1	`113`	`configure: configure.ApplyTo`
1	`114`	`);`
	`115`	`}`
	`116`
	`117`	`/// <summary>`
	`118`	`/// Configures the validators for Basic authentication.`
	`119`	`/// </summary>`
	`120`	`/// <param name="host">The Kestrun host instance.</param>`
	`121`	`/// <param name="opts">The options to configure.</param>`
	`122`	`private static void ConfigureBasicAuthValidators(KestrunHost host, BasicAuthenticationOptions opts)`
	`123`	`{`
8	`124`	`var settings = opts.ValidateCodeSettings;`
8	`125`	`if (string.IsNullOrWhiteSpace(settings.Code))`
	`126`	`{`
5	`127`	`return;`
	`128`	`}`
	`129`
3	`130`	`switch (settings.Language)`
	`131`	`{`
	`132`	`case ScriptLanguage.PowerShell:`
1	`133`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`134`	`{`
1	`135`	`opts.Logger.Debug("Building PowerShell validator for Basic authentication");`
	`136`	`}`
	`137`
1	`138`	`opts.ValidateCredentialsAsync = BasicAuthHandler.BuildPsValidator(host, settings);`
1	`139`	`break;`
	`140`	`case ScriptLanguage.CSharp:`
1	`141`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`142`	`{`
1	`143`	`opts.Logger.Debug("Building C# validator for Basic authentication");`
	`144`	`}`
	`145`
1	`146`	`opts.ValidateCredentialsAsync = BasicAuthHandler.BuildCsValidator(host, settings);`
1	`147`	`break;`
	`148`	`case ScriptLanguage.VBNet:`
1	`149`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`150`	`{`
1	`151`	`opts.Logger.Debug("Building VB.NET validator for Basic authentication");`
	`152`	`}`
	`153`
1	`154`	`opts.ValidateCredentialsAsync = BasicAuthHandler.BuildVBNetValidator(host, settings);`
1	`155`	`break;`
	`156`	`default:`
0	`157`	`if (opts.Logger.IsEnabled(LogEventLevel.Warning))`
	`158`	`{`
0	`159`	`opts.Logger.Warning("No valid language specified for Basic authentication");`
	`160`	`}`
	`161`	`break;`
	`162`	`}`
0	`163`	`}`
	`164`
	`165`	`/// <summary>`
	`166`	`/// Configures the issue claims for Basic authentication.`
	`167`	`/// </summary>`
	`168`	`/// <param name="host">The Kestrun host instance.</param>`
	`169`	`/// <param name="opts">The options to configure.</param>`
	`170`	`/// <exception cref="NotSupportedException">Thrown when the language is not supported.</exception>`
	`171`	`private static void ConfigureBasicIssueClaims(KestrunHost host, BasicAuthenticationOptions opts)`
	`172`	`{`
8	`173`	`var settings = opts.IssueClaimsCodeSettings;`
8	`174`	`if (string.IsNullOrWhiteSpace(settings.Code))`
	`175`	`{`
5	`176`	`return;`
	`177`	`}`
	`178`
3	`179`	`switch (settings.Language)`
	`180`	`{`
	`181`	`case ScriptLanguage.PowerShell:`
1	`182`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`183`	`{`
1	`184`	`opts.Logger.Debug("Building PowerShell Issue Claims for API Basic authentication");`
	`185`	`}`
	`186`
1	`187`	`opts.IssueClaims = IAuthHandler.BuildPsIssueClaims(host, settings);`
1	`188`	`break;`
	`189`	`case ScriptLanguage.CSharp:`
1	`190`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`191`	`{`
1	`192`	`opts.Logger.Debug("Building C# Issue Claims for API Basic authentication");`
	`193`	`}`
	`194`
1	`195`	`opts.IssueClaims = IAuthHandler.BuildCsIssueClaims(host, settings);`
1	`196`	`break;`
	`197`	`case ScriptLanguage.VBNet:`
1	`198`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`199`	`{`
1	`200`	`opts.Logger.Debug("Building VB.NET Issue Claims for API Basic authentication");`
	`201`	`}`
	`202`
1	`203`	`opts.IssueClaims = IAuthHandler.BuildVBNetIssueClaims(host, settings);`
1	`204`	`break;`
	`205`	`default:`
0	`206`	`if (opts.Logger.IsEnabled(LogEventLevel.Warning))`
	`207`	`{`
0	`208`	`opts.Logger.Warning("{language} is not supported for API Basic authentication", settings.Language);`
	`209`	`}`
0	`210`	`throw new NotSupportedException("Unsupported language");`
	`211`	`}`
	`212`	`}`
	`213`
	`214`	`#endregion`
	`215`	`#region GitHub OAuth Authentication`
	`216`	`/// <summary>`
	`217`	`/// Adds GitHub OAuth (Authorization Code) authentication with optional email enrichment.`
	`218`	`/// Creates three schemes: <paramref name="scheme"/>, <paramref name="scheme"/>.Cookies, <paramref name="scheme"/>.P`
	`219`	`/// </summary>`
	`220`	`/// <param name="host">The Kestrun host instance.</param>`
	`221`	`/// <param name="scheme">Base scheme name (e.g. "GitHub").</param>`
	`222`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`223`	`/// <param name="documentationId">Documentation IDs for the authentication scheme.</param>`
	`224`	`/// <param name="description">A description of the authentication scheme.</param>`
	`225`	`/// <param name="deprecated">If true, marks the authentication scheme as deprecated in OpenAPI documentation.</param`
	`226`	`/// <param name="clientId">GitHub OAuth App Client ID.</param>`
	`227`	`/// <param name="clientSecret">GitHub OAuth App Client Secret.</param>`
	`228`	`/// <param name="callbackPath">The callback path for OAuth redirection (e.g. "/signin-github").</param>`
	`229`	`/// <returns>The configured KestrunHost.</returns>`
	`230`	`public static KestrunHost AddGitHubOAuthAuthentication(`
	`231`	`this KestrunHost host,`
	`232`	`string scheme,`
	`233`	`string? displayName,`
	`234`	`string[]? documentationId,`
	`235`	`string? description,`
	`236`	`bool deprecated,`
	`237`	`string clientId,`
	`238`	`string clientSecret,`
	`239`	`string callbackPath)`
	`240`	`{`
0	`241`	`var opts = ConfigureGitHubOAuth2Options(host, clientId, clientSecret, callbackPath);`
0	`242`	`ConfigureGitHubClaimMappings(opts);`
0	`243`	`opts.DocumentationId = documentationId ?? [];`
0	`244`	`if (!string.IsNullOrWhiteSpace(description))`
	`245`	`{`
0	`246`	`opts.Description = description;`
	`247`	`}`
0	`248`	`opts.Deprecated = deprecated;`
0	`249`	`opts.Events = new OAuthEvents`
0	`250`	`{`
0	`251`	`OnCreatingTicket = async context =>`
0	`252`	`{`
0	`253`	`await FetchGitHubUserInfoAsync(context);`
0	`254`	`await EnrichGitHubEmailClaimAsync(context, host);`
0	`255`	`}`
0	`256`	`};`
0	`257`	`return host.AddOAuth2Authentication(scheme, displayName, opts);`
	`258`	`}`
	`259`
	`260`	`/// <summary>`
	`261`	`/// Configures OAuth2Options for GitHub authentication.`
	`262`	`/// </summary>`
	`263`	`/// <param name="host">The Kestrun host instance.</param>`
	`264`	`/// <param name="clientId">GitHub OAuth App Client ID.</param>`
	`265`	`/// <param name="clientSecret">GitHub OAuth App Client Secret.</param>`
	`266`	`/// <param name="callbackPath">The callback path for OAuth redirection (e.g. "/signin-github").</param>`
	`267`	`/// <returns>The configured OAuth2Options.</returns>`
	`268`	`private static OAuth2Options ConfigureGitHubOAuth2Options(KestrunHost host, string clientId, string clientSecret, st`
	`269`	`{`
0	`270`	`return new OAuth2Options()`
0	`271`	`{`
0	`272`	`Host = host,`
0	`273`	`ClientId = clientId,`
0	`274`	`ClientSecret = clientSecret,`
0	`275`	`CallbackPath = callbackPath,`
0	`276`	`AuthorizationEndpoint = "https://github.com/login/oauth/authorize",`
0	`277`	`TokenEndpoint = "https://github.com/login/oauth/access_token",`
0	`278`	`UserInformationEndpoint = "https://api.github.com/user",`
0	`279`	`SaveTokens = true,`
0	`280`	`Scope = { "read:user", "user:email" }`
0	`281`	`};`
	`282`	`}`
	`283`
	`284`	`/// <summary>`
	`285`	`/// Configures claim mappings for GitHub OAuth2Options.`
	`286`	`/// </summary>`
	`287`	`/// <param name="opts">The OAuth2Options to configure.</param>`
	`288`	`private static void ConfigureGitHubClaimMappings(OAuth2Options opts)`
	`289`	`{`
0	`290`	`opts.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");`
0	`291`	`opts.ClaimActions.MapJsonKey(ClaimTypes.Name, "login");`
0	`292`	`opts.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");`
0	`293`	`opts.ClaimActions.MapJsonKey("name", "name");`
0	`294`	`opts.ClaimActions.MapJsonKey("urn:github:login", "login");`
0	`295`	`opts.ClaimActions.MapJsonKey("urn:github:avatar_url", "avatar_url");`
0	`296`	`opts.ClaimActions.MapJsonKey("urn:github:html_url", "html_url");`
0	`297`	`}`
	`298`
	`299`	`/// <summary>`
	`300`	`/// Fetches GitHub user information and adds claims to the identity.`
	`301`	`/// </summary>`
	`302`	`/// <param name="context">The OAuthCreatingTicketContext.</param>`
	`303`	`/// <returns>A task representing the asynchronous operation.</returns>`
	`304`	`private static async Task FetchGitHubUserInfoAsync(OAuthCreatingTicketContext context)`
	`305`	`{`
0	`306`	`using var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);`
0	`307`	`request.Headers.Accept.Add(new("application/json"));`
0	`308`	`request.Headers.Add("User-Agent", "KestrunOAuth/1.0");`
0	`309`	`request.Headers.Authorization = new("Bearer", context.AccessToken);`
	`310`
0	`311`	`using var response = await context.Backchannel.SendAsync(request,`
0	`312`	`HttpCompletionOption.ResponseHeadersRead,`
0	`313`	`context.HttpContext.RequestAborted);`
	`314`
0	`315`	`_ = response.EnsureSuccessStatusCode();`
	`316`
0	`317`	`using var user = JsonDocument.Parse(await response.Content.ReadAsStringAsync(context.HttpContext.RequestAborted)`
0	`318`	`context.RunClaimActions(user.RootElement);`
0	`319`	`}`
	`320`
	`321`	`/// <summary>`
	`322`	`/// Fetches GitHub user emails and enriches the identity with the primary verified email claim.`
	`323`	`/// </summary>`
	`324`	`/// <param name="context">The OAuthCreatingTicketContext.</param>`
	`325`	`/// <param name="host">The KestrunHost instance for logging.</param>`
	`326`	`/// <returns>A task representing the asynchronous operation.</returns>`
	`327`	`private static async Task EnrichGitHubEmailClaimAsync(OAuthCreatingTicketContext context, KestrunHost host)`
	`328`	`{`
0	`329`	`if (context.Identity is null \|\| context.Identity.HasClaim(c => c.Type == ClaimTypes.Email))`
	`330`	`{`
0	`331`	`return;`
	`332`	`}`
	`333`
	`334`	`try`
	`335`	`{`
0	`336`	`using var emailRequest = new HttpRequestMessage(HttpMethod.Get, "https://api.github.com/user/emails");`
0	`337`	`emailRequest.Headers.Accept.Add(new("application/json"));`
0	`338`	`emailRequest.Headers.Add("User-Agent", "KestrunOAuth/1.0");`
0	`339`	`emailRequest.Headers.Authorization = new("Bearer", context.AccessToken);`
	`340`
0	`341`	`using var emailResponse = await context.Backchannel.SendAsync(emailRequest,`
0	`342`	`HttpCompletionOption.ResponseHeadersRead,`
0	`343`	`context.HttpContext.RequestAborted);`
	`344`
0	`345`	`if (!emailResponse.IsSuccessStatusCode)`
	`346`	`{`
0	`347`	`return;`
	`348`	`}`
	`349`
0	`350`	`using var emails = JsonDocument.Parse(await emailResponse.Content.ReadAsStringAsync(context.HttpContext.Requ`
0	`351`	`var primaryEmail = FindPrimaryVerifiedEmail(emails) ?? FindFirstVerifiedEmail(emails);`
	`352`
0	`353`	`if (!string.IsNullOrWhiteSpace(primaryEmail))`
	`354`	`{`
0	`355`	`context.Identity.AddClaim(new Claim(`
0	`356`	`ClaimTypes.Email,`
0	`357`	`primaryEmail,`
0	`358`	`ClaimValueTypes.String,`
0	`359`	`context.Options.ClaimsIssuer));`
	`360`	`}`
0	`361`	`}`
0	`362`	`catch (Exception ex)`
	`363`	`{`
0	`364`	`host.Logger.Verbose(exception: ex, messageTemplate: "Failed to enrich GitHub email claim.");`
0	`365`	`}`
0	`366`	`}`
	`367`
	`368`	`/// <summary>`
	`369`	`/// Finds the primary verified email from the GitHub emails JSON document.`
	`370`	`/// </summary>`
	`371`	`/// <param name="emails">The JSON document containing GitHub emails.</param>`
	`372`	`/// <returns>The primary verified email if found; otherwise, null.</returns>`
	`373`	`private static string? FindPrimaryVerifiedEmail(JsonDocument emails)`
	`374`	`{`
0	`375`	`foreach (var emailObj in emails.RootElement.EnumerateArray())`
	`376`	`{`
0	`377`	`var isPrimary = emailObj.TryGetProperty("primary", out var primaryProp) && primaryProp.GetBoolean();`
0	`378`	`var isVerified = emailObj.TryGetProperty("verified", out var verifiedProp) && verifiedProp.GetBoolean();`
	`379`
0	`380`	`if (isPrimary && isVerified && emailObj.TryGetProperty("email", out var emailProp))`
	`381`	`{`
0	`382`	`return emailProp.GetString();`
	`383`	`}`
	`384`	`}`
0	`385`	`return null;`
0	`386`	`}`
	`387`
	`388`	`/// <summary>`
	`389`	`/// Finds the primary verified email from the GitHub emails JSON document.`
	`390`	`/// </summary>`
	`391`	`/// <param name="emails">The JSON document containing GitHub emails.</param>`
	`392`	`/// <returns>The primary verified email if found; otherwise, null.</returns>`
	`393`	`private static string? FindFirstVerifiedEmail(JsonDocument emails)`
	`394`	`{`
0	`395`	`foreach (var emailObj in emails.RootElement.EnumerateArray())`
	`396`	`{`
0	`397`	`var isVerified = emailObj.TryGetProperty("verified", out var verifiedProp) && verifiedProp.GetBoolean();`
0	`398`	`if (isVerified && emailObj.TryGetProperty("email", out var emailProp))`
	`399`	`{`
0	`400`	`return emailProp.GetString();`
	`401`	`}`
	`402`	`}`
0	`403`	`return null;`
0	`404`	`}`
	`405`
	`406`	`#endregion`
	`407`	`#region JWT Bearer Authentication`
	`408`	`/// <summary>`
	`409`	`/// Adds JWT Bearer authentication to the Kestrun host.`
	`410`	`/// <para>Use this for APIs that require token-based authentication.</para>`
	`411`	`/// </summary>`
	`412`	`/// <param name="host">The Kestrun host instance.</param>`
	`413`	`/// <param name="authenticationScheme">The authentication scheme name (e.g. "Bearer").</param>`
	`414`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`415`	`/// <param name="configureOptions">Optional configuration for JwtAuthOptions.</param>`
	`416`	`/// <example>`
	`417`	`/// HS512 (HMAC-SHA-512, symmetric)`
	`418`	`/// </example>`
	`419`	`/// <code>`
	`420`	`/// var hmacKey = new SymmetricSecurityKey(`
	`421`	`/// Encoding.UTF8.GetBytes("32-bytes-or-more-secret……"));`
	`422`	`/// host.AddJwtBearerAuthentication(`
	`423`	`/// scheme: "Bearer",`
	`424`	`/// issuer: "KestrunApi",`
	`425`	`/// audience: "KestrunClients",`
	`426`	`/// validationKey: hmacKey,`
	`427`	`/// validAlgorithms: new[] { SecurityAlgorithms.HmacSha512 });`
	`428`	`/// </code>`
	`429`	`/// <example>`
	`430`	`/// RS256 (RSA-SHA-256, asymmetric)`
	`431`	`/// <para>Requires a PEM-encoded private key file.</para>`
	`432`	`/// <code>`
	`433`	`/// using var rsa = RSA.Create();`
	`434`	`/// rsa.ImportFromPem(File.ReadAllText("private-key.pem"));`
	`435`	`/// var rsaKey = new RsaSecurityKey(rsa);`
	`436`	`///`
	`437`	`/// host.AddJwtBearerAuthentication(`
	`438`	`/// scheme: "Rs256",`
	`439`	`/// issuer: "KestrunApi",`
	`440`	`/// audience: "KestrunClients",`
	`441`	`/// validationKey: rsaKey,`
	`442`	`/// validAlgorithms: new[] { SecurityAlgorithms.RsaSha256 });`
	`443`	`/// </code>`
	`444`	`/// </example>`
	`445`	`/// <example>`
	`446`	`/// ES256 (ECDSA-SHA-256, asymmetric)`
	`447`	`/// <para>Requires a PEM-encoded private key file.</para>`
	`448`	`/// <code>`
	`449`	`/// using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);`
	`450`	`/// var esKey = new ECDsaSecurityKey(ecdsa);`
	`451`	`/// host.AddJwtBearerAuthentication(`
	`452`	`/// "Es256", "KestrunApi", "KestrunClients",`
	`453`	`/// esKey, new[] { SecurityAlgorithms.EcdsaSha256 });`
	`454`	`/// </code>`
	`455`	`/// </example>`
	`456`	`/// <returns></returns>`
	`457`	`public static KestrunHost AddJwtBearerAuthentication(`
	`458`	`this KestrunHost host,`
	`459`	`string authenticationScheme = AuthenticationDefaults.JwtBearerSchemeName,`
	`460`	`string? displayName = AuthenticationDefaults.JwtBearerDisplayName,`
	`461`	`Action<JwtAuthOptions>? configureOptions = null)`
	`462`	`{`
3	`463`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`464`	`// Build a prototype options instance (single source of truth)`
3	`465`	`var prototype = new JwtAuthOptions { Host = host };`
3	`466`	`configureOptions?.Invoke(prototype);`
3	`467`	`ConfigureOpenApi(host, authenticationScheme, prototype);`
	`468`
	`469`	`// register in host for introspection`
3	`470`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.Bearer, prototype);`
	`471`
3	`472`	`return host.AddAuthentication(`
3	`473`	`defaultScheme: authenticationScheme,`
3	`474`	`buildSchemes: ab =>`
3	`475`	`{`
3	`476`	`_ = ab.AddJwtBearer(`
3	`477`	`authenticationScheme: authenticationScheme,`
3	`478`	`displayName: displayName,`
3	`479`	`configureOptions: opts =>`
3	`480`	`{`
0	`481`	`prototype.ApplyTo(opts);`
3	`482`	`});`
3	`483`	`},`
3	`484`	`configureAuthz: prototype.ClaimPolicy?.ToAuthzDelegate()`
3	`485`	`);`
	`486`	`}`
	`487`
	`488`	`/// <summary>`
	`489`	`/// Adds JWT Bearer authentication to the Kestrun host using the provided options object.`
	`490`	`/// </summary>`
	`491`	`/// <param name="host">The Kestrun host instance.</param>`
	`492`	`/// <param name="authenticationScheme">The authentication scheme name.</param>`
	`493`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`494`	`/// <param name="configureOptions">Optional configuration for JwtAuthOptions.</param>`
	`495`	`/// <returns>The configured KestrunHost instance.</returns>`
	`496`	`public static KestrunHost AddJwtBearerAuthentication(`
	`497`	`this KestrunHost host,`
	`498`	`string authenticationScheme = AuthenticationDefaults.JwtBearerSchemeName,`
	`499`	`string? displayName = AuthenticationDefaults.JwtBearerDisplayName,`
	`500`	`JwtAuthOptions? configureOptions = null)`
	`501`	`{`
3	`502`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`503`	`{`
3	`504`	`host.Logger.Debug("Adding Jwt Bearer Authentication with scheme: {Scheme}", authenticationScheme);`
	`505`	`}`
	`506`	`// Ensure the scheme is not null`
3	`507`	`ArgumentNullException.ThrowIfNull(host);`
3	`508`	`ArgumentNullException.ThrowIfNull(authenticationScheme);`
3	`509`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`510`
	`511`	`// Ensure host is set`
3	`512`	`if (configureOptions.Host != host)`
	`513`	`{`
0	`514`	`configureOptions.Host = host;`
	`515`	`}`
	`516`
3	`517`	`return host.AddJwtBearerAuthentication(`
3	`518`	`authenticationScheme: authenticationScheme,`
3	`519`	`displayName: displayName,`
3	`520`	`configureOptions: opts =>`
3	`521`	`{`
3	`522`	`// Copy relevant properties from provided options instance to the framework-created one`
3	`523`	`configureOptions.ApplyTo(opts);`
3	`524`	`host.Logger.Debug(`
3	`525`	`"Configured JWT Authentication using scheme {Scheme}.",`
3	`526`	`authenticationScheme);`
3	`527`	`}`
3	`528`	`);`
	`529`	`}`
	`530`	`#endregion`
	`531`	`#region Cookie Authentication`
	`532`	`/// <summary>`
	`533`	`/// Adds Cookie Authentication to the Kestrun host.`
	`534`	`/// <para>Use this for browser-based authentication using cookies.</para>`
	`535`	`/// </summary>`
	`536`	`/// <param name="host">The Kestrun host instance.</param>`
	`537`	`/// <param name="authenticationScheme">The authentication scheme name (default is CookieAuthenticationDefaults.Authe`
	`538`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`539`	`/// <param name="configureOptions">Optional configuration for CookieAuthenticationOptions.</param>`
	`540`	`/// <param name="claimPolicy">Optional authorization policy configuration.</param>`
	`541`	`/// <returns>The configured KestrunHost instance.</returns>`
	`542`	`public static KestrunHost AddCookieAuthentication(`
	`543`	`this KestrunHost host,`
	`544`	`string authenticationScheme = AuthenticationDefaults.CookiesSchemeName,`
	`545`	`string? displayName = AuthenticationDefaults.CookiesDisplayName,`
	`546`	`Action<CookieAuthOptions>? configureOptions = null,`
	`547`	`ClaimPolicyConfig? claimPolicy = null)`
	`548`	`{`
	`549`	`// Build a prototype options instance (single source of truth)`
2	`550`	`var prototype = new CookieAuthOptions { Host = host };`
2	`551`	`configureOptions?.Invoke(prototype);`
2	`552`	`ConfigureOpenApi(host, authenticationScheme, prototype);`
	`553`
	`554`	`// register in host for introspection`
2	`555`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.Cookie, prototype);`
	`556`
	`557`	`// Add authentication`
2	`558`	`return host.AddAuthentication(`
2	`559`	`defaultScheme: authenticationScheme,`
2	`560`	`buildSchemes: ab =>`
2	`561`	`{`
2	`562`	`_ = ab.AddCookie(`
2	`563`	`authenticationScheme: authenticationScheme,`
2	`564`	`displayName: displayName,`
2	`565`	`configureOptions: opts =>`
2	`566`	`{`
2	`567`	`// Copy everything from the prototype into the real options instance`
0	`568`	`prototype.ApplyTo(opts);`
2	`569`	`// let caller mutate everything first`
2	`570`	`//configure?.Invoke(opts);`
2	`571`	`});`
2	`572`	`},`
2	`573`	`configureAuthz: claimPolicy?.ToAuthzDelegate()`
2	`574`	`);`
	`575`	`}`
	`576`
	`577`	`/// <summary>`
	`578`	`/// Adds Cookie Authentication to the Kestrun host using the provided options object.`
	`579`	`/// </summary>`
	`580`	`/// <param name="host">The Kestrun host instance.</param>`
	`581`	`/// <param name="authenticationScheme">The authentication scheme name (default is CookieAuthenticationDefaults.Authe`
	`582`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`583`	`/// <param name="configureOptions">The CookieAuthenticationOptions object to configure the authentication.</param>`
	`584`	`/// <param name="claimPolicy">Optional authorization policy configuration.</param>`
	`585`	`/// <returns>The configured KestrunHost instance.</returns>`
	`586`	`public static KestrunHost AddCookieAuthentication(`
	`587`	`this KestrunHost host,`
	`588`	`string authenticationScheme = AuthenticationDefaults.CookiesSchemeName,`
	`589`	`string? displayName = AuthenticationDefaults.CookiesDisplayName,`
	`590`	`CookieAuthOptions? configureOptions = null,`
	`591`	`ClaimPolicyConfig? claimPolicy = null)`
	`592`	`{`
0	`593`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`594`	`{`
0	`595`	`host.Logger.Debug("Adding Cookie Authentication with scheme: {Scheme}", authenticationScheme);`
	`596`	`}`
	`597`	`// Ensure the scheme is not null`
0	`598`	`ArgumentNullException.ThrowIfNull(host);`
0	`599`	`ArgumentNullException.ThrowIfNull(authenticationScheme);`
0	`600`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`601`	`// Ensure host is set`
0	`602`	`if (configureOptions.Host != host)`
	`603`	`{`
0	`604`	`configureOptions.Host = host;`
	`605`	`}`
	`606`	`// Copy relevant properties from provided options instance to the framework-created one`
0	`607`	`return host.AddCookieAuthentication(`
0	`608`	`authenticationScheme: authenticationScheme,`
0	`609`	`displayName: displayName,`
0	`610`	`configureOptions: configureOptions.ApplyTo,`
0	`611`	`claimPolicy: claimPolicy`
0	`612`	`);`
	`613`	`}`
	`614`	`#endregion`
	`615`
	`616`	`/*`
	`617`	`public static KestrunHost AddClientCertificateAuthentication(`
	`618`	`this KestrunHost host,`
	`619`	`string scheme = CertificateAuthenticationDefaults.AuthenticationScheme,`
	`620`	`Action<CertificateAuthenticationOptions>? configure = null,`
	`621`	`Action<AuthorizationOptions>? configureAuthz = null)`
	`622`	`{`
	`623`	`return host.AddAuthentication(`
	`624`	`defaultScheme: scheme,`
	`625`	`buildSchemes: ab =>`
	`626`	`{`
	`627`	`ab.AddCertificate(`
	`628`	`authenticationScheme: scheme,`
	`629`	`configureOptions: configure ?? (opts => { }));`
	`630`	`},`
	`631`	`configureAuthz: configureAuthz`
	`632`	`);`
	`633`	`}`
	`634`	`*/`
	`635`
	`636`	`#region Windows Authentication`
	`637`
	`638`	`/// <summary>`
	`639`	`/// Adds Windows Authentication to the Kestrun host.`
	`640`	`/// <para>The authentication scheme name is <see cref="NegotiateDefaults.AuthenticationScheme"/>.`
	`641`	`/// This enables Kerberos and NTLM authentication.</para>`
	`642`	`/// </summary>`
	`643`	`/// <param name="host">The Kestrun host instance.</param>`
	`644`	`/// <param name="authenticationScheme">The authentication scheme name (default is NegotiateDefaults.AuthenticationSc`
	`645`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`646`	`/// <param name="configureOptions">The WindowsAuthOptions object to configure the authentication.</param>`
	`647`	`/// <returns>The configured KestrunHost instance.</returns>`
	`648`	`public static KestrunHost AddWindowsAuthentication(`
	`649`	`this KestrunHost host,`
	`650`	`string authenticationScheme = AuthenticationDefaults.WindowsSchemeName,`
	`651`	`string? displayName = AuthenticationDefaults.WindowsDisplayName,`
	`652`	`Action<WindowsAuthOptions>? configureOptions = null)`
	`653`	`{`
	`654`	`// Build a prototype options instance (single source of truth)`
1	`655`	`var prototype = new WindowsAuthOptions { Host = host };`
1	`656`	`configureOptions?.Invoke(prototype);`
1	`657`	`ConfigureOpenApi(host, authenticationScheme, prototype);`
	`658`
	`659`	`// register in host for introspection`
1	`660`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.Cookie, prototype);`
	`661`
	`662`	`// Add authentication`
1	`663`	`return host.AddAuthentication(`
1	`664`	`defaultScheme: authenticationScheme,`
1	`665`	`buildSchemes: ab =>`
1	`666`	`{`
1	`667`	`_ = ab.AddNegotiate(`
1	`668`	`authenticationScheme: authenticationScheme,`
1	`669`	`displayName: displayName,`
1	`670`	`configureOptions: opts =>`
1	`671`	`{`
1	`672`	`// Copy everything from the prototype into the real options instance`
0	`673`	`prototype.ApplyTo(opts);`
1	`674`
0	`675`	`host.Logger.Debug("Configured Windows Authentication using scheme {Scheme}", authenticationSchem`
0	`676`	`}`
1	`677`	`);`
1	`678`	`}`
1	`679`	`);`
	`680`	`}`
	`681`	`/// <summary>`
	`682`	`/// Adds Windows Authentication to the Kestrun host.`
	`683`	`/// <para>`
	`684`	`/// The authentication scheme name is <see cref="NegotiateDefaults.AuthenticationScheme"/>.`
	`685`	`/// This enables Kerberos and NTLM authentication.`
	`686`	`/// </para>`
	`687`	`/// </summary>`
	`688`	`/// <param name="host">The Kestrun host instance.</param>`
	`689`	`/// <param name="authenticationScheme">The authentication scheme name (default is NegotiateDefaults.AuthenticationSc`
	`690`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`691`	`/// <param name="configureOptions">The WindowsAuthOptions object to configure the authentication.</param>`
	`692`	`/// <returns>The configured KestrunHost instance.</returns>`
	`693`	`public static KestrunHost AddWindowsAuthentication(`
	`694`	`this KestrunHost host,`
	`695`	`string authenticationScheme = AuthenticationDefaults.WindowsSchemeName,`
	`696`	`string? displayName = AuthenticationDefaults.WindowsDisplayName,`
	`697`	`WindowsAuthOptions? configureOptions = null)`
	`698`	`{`
0	`699`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`700`	`{`
0	`701`	`host.Logger.Debug("Adding Windows Authentication with scheme: {Scheme}", authenticationScheme);`
	`702`	`}`
	`703`	`// Ensure the scheme is not null`
0	`704`	`ArgumentNullException.ThrowIfNull(host);`
0	`705`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`706`	`// Ensure host is set`
0	`707`	`if (configureOptions.Host != host)`
	`708`	`{`
0	`709`	`configureOptions.Host = host;`
	`710`	`}`
	`711`	`// Copy relevant properties from provided options instance to the framework-created one`
	`712`	`// Add authentication`
0	`713`	`return host.AddWindowsAuthentication(`
0	`714`	`authenticationScheme: authenticationScheme,`
0	`715`	`displayName: displayName,`
0	`716`	`configureOptions: configureOptions.ApplyTo`
0	`717`	`);`
	`718`	`}`
	`719`
	`720`	`/// <summary>`
	`721`	`/// Adds Windows Authentication to the Kestrun host.`
	`722`	`/// <para>The authentication scheme name is <see cref="NegotiateDefaults.AuthenticationScheme"/>.`
	`723`	`/// This enables Kerberos and NTLM authentication.</para>`
	`724`	`/// </summary>`
	`725`	`/// <param name="host"> The Kestrun host instance.</param>`
	`726`	`/// <returns> The configured KestrunHost instance.</returns>`
	`727`	`public static KestrunHost AddWindowsAuthentication(this KestrunHost host) =>`
1	`728`	`host.AddWindowsAuthentication(`
1	`729`	`AuthenticationDefaults.WindowsSchemeName,`
1	`730`	`AuthenticationDefaults.WindowsDisplayName,`
1	`731`	`(Action<WindowsAuthOptions>?)null);`
	`732`
	`733`	`#endregion`
	`734`
	`735`	`#region Client Certificate Authentication`
	`736`
	`737`	`/// <summary>`
	`738`	`/// Adds Client Certificate Authentication to the Kestrun host.`
	`739`	`/// <para>Use this for authenticating clients using X.509 certificates.</para>`
	`740`	`/// </summary>`
	`741`	`/// <param name="host">The Kestrun host instance.</param>`
	`742`	`/// <param name="scheme">The authentication scheme name (default is "Certificate").</param>`
	`743`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`744`	`/// <param name="configure">Optional configuration for ClientCertificateAuthenticationOptions.</param>`
	`745`	`/// <returns>The configured KestrunHost instance.</returns>`
	`746`	`public static KestrunHost AddClientCertificateAuthentication(`
	`747`	`this KestrunHost host,`
	`748`	`string scheme = AuthenticationDefaults.CertificateSchemeName,`
	`749`	`string? displayName = AuthenticationDefaults.CertificateDisplayName,`
	`750`	`Action<ClientCertificateAuthenticationOptions>? configure = null)`
	`751`	`{`
	`752`	`// Build a prototype options instance (single source of truth)`
1	`753`	`var prototype = new ClientCertificateAuthenticationOptions { Host = host };`
	`754`
	`755`	`// Let the caller mutate the prototype`
1	`756`	`configure?.Invoke(prototype);`
	`757`
1	`758`	`ConfigureOpenApi(host, scheme, prototype);`
	`759`
	`760`	`// Register in host for introspection`
1	`761`	`_ = host.RegisteredAuthentications.Register(scheme, AuthenticationType.Certificate, prototype);`
	`762`
1	`763`	`return host.AddAuthentication(`
1	`764`	`defaultScheme: scheme,`
1	`765`	`buildSchemes: ab =>`
1	`766`	`{`
1	`767`	`_ = ab.AddScheme<ClientCertificateAuthenticationOptions, ClientCertificateAuthHandler>(`
1	`768`	`authenticationScheme: scheme,`
1	`769`	`displayName: displayName,`
1	`770`	`configureOptions: opts =>`
1	`771`	`{`
1	`772`	`// Copy from the prototype into the runtime instance`
0	`773`	`prototype.ApplyTo(opts);`
1	`774`
0	`775`	`host.Logger.Debug("Configured Client Certificate Authentication using scheme {Scheme}", scheme);`
1	`776`	`});`
1	`777`	`}`
1	`778`	`);`
	`779`	`}`
	`780`
	`781`	`/// <summary>`
	`782`	`/// Adds Client Certificate Authentication to the Kestrun host using the provided options object.`
	`783`	`/// </summary>`
	`784`	`/// <param name="host">The Kestrun host instance.</param>`
	`785`	`/// <param name="scheme">The authentication scheme name (default is "Certificate").</param>`
	`786`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`787`	`/// <param name="configure">The ClientCertificateAuthenticationOptions object to configure the authentication.</para`
	`788`	`/// <returns>The configured KestrunHost instance.</returns>`
	`789`	`public static KestrunHost AddClientCertificateAuthentication(`
	`790`	`this KestrunHost host,`
	`791`	`string scheme,`
	`792`	`string? displayName,`
	`793`	`ClientCertificateAuthenticationOptions configure)`
	`794`	`{`
0	`795`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`796`	`{`
0	`797`	`host.Logger.Debug("Adding Client Certificate Authentication with scheme: {Scheme}", scheme);`
	`798`	`}`
	`799`
	`800`	`// Ensure the scheme is not null`
0	`801`	`ArgumentNullException.ThrowIfNull(host);`
0	`802`	`ArgumentNullException.ThrowIfNull(scheme);`
0	`803`	`ArgumentNullException.ThrowIfNull(configure);`
	`804`
	`805`	`// Ensure host is set`
0	`806`	`if (configure.Host != host)`
	`807`	`{`
0	`808`	`configure.Host = host;`
	`809`	`}`
	`810`
0	`811`	`return host.AddClientCertificateAuthentication(`
0	`812`	`scheme: scheme,`
0	`813`	`displayName: displayName,`
0	`814`	`configure: configure.ApplyTo`
0	`815`	`);`
	`816`	`}`
	`817`
	`818`	`/// <summary>`
	`819`	`/// Adds Client Certificate Authentication to the Kestrun host with default settings.`
	`820`	`/// </summary>`
	`821`	`/// <param name="host">The Kestrun host instance.</param>`
	`822`	`/// <returns>The configured KestrunHost instance.</returns>`
	`823`	`public static KestrunHost AddClientCertificateAuthentication(this KestrunHost host) =>`
0	`824`	`host.AddClientCertificateAuthentication(`
0	`825`	`AuthenticationDefaults.CertificateSchemeName,`
0	`826`	`AuthenticationDefaults.CertificateDisplayName,`
0	`827`	`(Action<ClientCertificateAuthenticationOptions>?)null);`
	`828`
	`829`	`#endregion`
	`830`	`#region API Key Authentication`
	`831`	`/// <summary>`
	`832`	`/// Adds API Key Authentication to the Kestrun host.`
	`833`	`/// <para>Use this for endpoints that require an API key for access.</para>`
	`834`	`/// </summary>`
	`835`	`/// <param name="host">The Kestrun host instance.</param>`
	`836`	`/// <param name="authenticationScheme">The authentication scheme name (default is "ApiKey").</param>`
	`837`	`/// <param name="displayName">The display name for the authentication scheme (default is "API Key").</param>`
	`838`	`/// <param name="configureOptions">Optional configuration for ApiKeyAuthenticationOptions.</param>`
	`839`	`/// <returns>The configured KestrunHost instance.</returns>`
	`840`	`public static KestrunHost AddApiKeyAuthentication(`
	`841`	`this KestrunHost host,`
	`842`	`string authenticationScheme = AuthenticationDefaults.ApiKeySchemeName,`
	`843`	`string? displayName = AuthenticationDefaults.ApiKeyDisplayName,`
	`844`	`Action<ApiKeyAuthenticationOptions>? configureOptions = null)`
	`845`	`{`
	`846`	`// Build a prototype options instance (single source of truth)`
6	`847`	`var prototype = new ApiKeyAuthenticationOptions { Host = host };`
	`848`
	`849`	`// Let the caller mutate the prototype`
6	`850`	`configureOptions?.Invoke(prototype);`
	`851`
	`852`	`// Configure validators / claims / OpenAPI on the prototype`
6	`853`	`ConfigureApiKeyValidators(host, prototype);`
6	`854`	`ConfigureApiKeyIssueClaims(host, prototype);`
6	`855`	`ConfigureOpenApi(host, authenticationScheme, prototype);`
	`856`
	`857`	`// register in host for introspection`
6	`858`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.ApiKey, prototype);`
	`859`	`// Add authentication`
6	`860`	`return host.AddAuthentication(`
6	`861`	`defaultScheme: authenticationScheme,`
6	`862`	`buildSchemes: ab =>`
6	`863`	`{`
6	`864`	`// ← TOptions == ApiKeyAuthenticationOptions`
6	`865`	`// THandler == ApiKeyAuthHandler`
6	`866`	`_ = ab.AddScheme<ApiKeyAuthenticationOptions, ApiKeyAuthHandler>(`
6	`867`	`authenticationScheme: authenticationScheme,`
6	`868`	`displayName: displayName,`
6	`869`	`configureOptions: opts =>`
6	`870`	`{`
6	`871`	`// Copy from the prototype into the runtime instance`
6	`872`	`prototype.ApplyTo(opts);`
6	`873`
6	`874`	`host.Logger.Debug(`
6	`875`	`"Configured API Key Authentication using scheme {Scheme} with header {Header} (In={In})",`
6	`876`	`authenticationScheme, prototype.ApiKeyName, prototype.In);`
12	`877`	`});`
6	`878`	`}`
6	`879`	`)`
6	`880`	`// register the post-configurer after the scheme so it can`
6	`881`	`// read BasicAuthenticationOptions for <scheme>`
6	`882`	`.AddService(services =>`
6	`883`	`{`
6	`884`	`_ = services.AddSingleton<IPostConfigureOptions<AuthorizationOptions>>(`
9	`885`	`sp => new ClaimPolicyPostConfigurer(`
9	`886`	`authenticationScheme,`
9	`887`	`sp.GetRequiredService<`
9	`888`	`IOptionsMonitor<ApiKeyAuthenticationOptions>>()));`
12	`889`	`});`
	`890`	`}`
	`891`
	`892`	`/// <summary>`
	`893`	`/// Adds API Key Authentication to the Kestrun host using the provided options object.`
	`894`	`/// </summary>`
	`895`	`/// <param name="host">The Kestrun host instance.</param>`
	`896`	`/// <param name="authenticationScheme">The authentication scheme name.</param>`
	`897`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`898`	`/// <param name="configureOptions">The ApiKeyAuthenticationOptions object to configure the authentication.</param>`
	`899`	`/// <returns>The configured KestrunHost instance.</returns>`
	`900`	`public static KestrunHost AddApiKeyAuthentication(`
	`901`	`this KestrunHost host,`
	`902`	`string authenticationScheme = AuthenticationDefaults.ApiKeySchemeName,`
	`903`	`string? displayName = AuthenticationDefaults.ApiKeyDisplayName,`
	`904`	`ApiKeyAuthenticationOptions? configureOptions = null)`
	`905`	`{`
1	`906`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`907`	`{`
1	`908`	`host.Logger.Debug("Adding API Key Authentication with scheme: {Scheme}", authenticationScheme);`
	`909`	`}`
	`910`	`// Ensure the scheme is not null`
1	`911`	`ArgumentNullException.ThrowIfNull(host);`
1	`912`	`ArgumentNullException.ThrowIfNull(authenticationScheme);`
1	`913`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`914`	`// Ensure host is set`
1	`915`	`if (configureOptions.Host != host)`
	`916`	`{`
1	`917`	`configureOptions.Host = host;`
	`918`	`}`
	`919`	`// Copy properties from the provided configure object`
1	`920`	`return host.AddApiKeyAuthentication(`
1	`921`	`authenticationScheme: authenticationScheme,`
1	`922`	`displayName: displayName,`
1	`923`	`configureOptions: configureOptions.ApplyTo`
1	`924`	`);`
	`925`	`}`
	`926`
	`927`	`/// <summary>`
	`928`	`/// Configures the API Key validators.`
	`929`	`/// </summary>`
	`930`	`/// <param name="host">The Kestrun host instance.</param>`
	`931`	`/// <param name="opts">The options to configure.</param>`
	`932`	`/// <exception cref="NotSupportedException">Thrown when the language is not supported.</exception>`
	`933`	`private static void ConfigureApiKeyValidators(KestrunHost host, ApiKeyAuthenticationOptions opts)`
	`934`	`{`
6	`935`	`var settings = opts.ValidateCodeSettings;`
6	`936`	`if (string.IsNullOrWhiteSpace(settings.Code))`
	`937`	`{`
3	`938`	`return;`
	`939`	`}`
	`940`
3	`941`	`switch (settings.Language)`
	`942`	`{`
	`943`	`case ScriptLanguage.PowerShell:`
1	`944`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`945`	`{`
1	`946`	`opts.Logger.Debug("Building PowerShell validator for API Key authentication");`
	`947`	`}`
	`948`
1	`949`	`opts.ValidateKeyAsync = ApiKeyAuthHandler.BuildPsValidator(host, settings);`
1	`950`	`break;`
	`951`	`case ScriptLanguage.CSharp:`
1	`952`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`953`	`{`
1	`954`	`opts.Logger.Debug("Building C# validator for API Key authentication");`
	`955`	`}`
	`956`
1	`957`	`opts.ValidateKeyAsync = ApiKeyAuthHandler.BuildCsValidator(host, settings);`
1	`958`	`break;`
	`959`	`case ScriptLanguage.VBNet:`
1	`960`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`961`	`{`
1	`962`	`opts.Logger.Debug("Building VB.NET validator for API Key authentication");`
	`963`	`}`
	`964`
1	`965`	`opts.ValidateKeyAsync = ApiKeyAuthHandler.BuildVBNetValidator(host, settings);`
1	`966`	`break;`
	`967`	`default:`
0	`968`	`if (opts.Logger.IsEnabled(LogEventLevel.Warning))`
	`969`	`{`
0	`970`	`opts.Logger.Warning("{language} is not supported for API Basic authentication", settings.Language);`
	`971`	`}`
0	`972`	`throw new NotSupportedException("Unsupported language");`
	`973`	`}`
	`974`	`}`
	`975`
	`976`	`/// <summary>`
	`977`	`/// Configures the API Key issue claims.`
	`978`	`/// </summary>`
	`979`	`/// <param name="host">The Kestrun host instance.</param>`
	`980`	`/// <param name="opts">The options to configure.</param>`
	`981`	`/// <exception cref="NotSupportedException">Thrown when the language is not supported.</exception>`
	`982`	`private static void ConfigureApiKeyIssueClaims(KestrunHost host, ApiKeyAuthenticationOptions opts)`
	`983`	`{`
6	`984`	`var settings = opts.IssueClaimsCodeSettings;`
6	`985`	`if (string.IsNullOrWhiteSpace(settings.Code))`
	`986`	`{`
3	`987`	`return;`
	`988`	`}`
	`989`
3	`990`	`switch (settings.Language)`
	`991`	`{`
	`992`	`case ScriptLanguage.PowerShell:`
1	`993`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`994`	`{`
1	`995`	`opts.Logger.Debug("Building PowerShell Issue Claims for API Key authentication");`
	`996`	`}`
	`997`
1	`998`	`opts.IssueClaims = IAuthHandler.BuildPsIssueClaims(host, settings);`
1	`999`	`break;`
	`1000`	`case ScriptLanguage.CSharp:`
1	`1001`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`1002`	`{`
1	`1003`	`opts.Logger.Debug("Building C# Issue Claims for API Key authentication");`
	`1004`	`}`
	`1005`
1	`1006`	`opts.IssueClaims = IAuthHandler.BuildCsIssueClaims(host, settings);`
1	`1007`	`break;`
	`1008`	`case ScriptLanguage.VBNet:`
1	`1009`	`if (opts.Logger.IsEnabled(LogEventLevel.Debug))`
	`1010`	`{`
1	`1011`	`opts.Logger.Debug("Building VB.NET Issue Claims for API Key authentication");`
	`1012`	`}`
	`1013`
1	`1014`	`opts.IssueClaims = IAuthHandler.BuildVBNetIssueClaims(host, settings);`
1	`1015`	`break;`
	`1016`	`default:`
0	`1017`	`if (opts.Logger.IsEnabled(LogEventLevel.Warning))`
	`1018`	`{`
0	`1019`	`opts.Logger.Warning("{language} is not supported for API Basic authentication", settings.Language);`
	`1020`	`}`
0	`1021`	`throw new NotSupportedException("Unsupported language");`
	`1022`	`}`
	`1023`	`}`
	`1024`
	`1025`	`#endregion`
	`1026`
	`1027`	`#region OAuth2 Authentication`
	`1028`
	`1029`	`/// <summary>`
	`1030`	`/// Adds OAuth2 authentication to the Kestrun host.`
	`1031`	`/// <para>Use this for applications that require OAuth2 authentication.</para>`
	`1032`	`/// </summary>`
	`1033`	`/// <param name="host">The Kestrun host instance.</param>`
	`1034`	`/// <param name="authenticationScheme">The authentication scheme name.</param>`
	`1035`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`1036`	`/// <param name="configureOptions">The OAuth2Options to configure the authentication.</param>`
	`1037`	`/// <returns>The configured KestrunHost instance.</returns>`
	`1038`	`public static KestrunHost AddOAuth2Authentication(`
	`1039`	`this KestrunHost host,`
	`1040`	`string authenticationScheme = AuthenticationDefaults.OAuth2SchemeName,`
	`1041`	`string? displayName = AuthenticationDefaults.OAuth2DisplayName,`
	`1042`	`OAuth2Options? configureOptions = null)`
	`1043`	`{`
0	`1044`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`1045`	`{`
0	`1046`	`host.Logger.Debug("Adding OAuth2 Authentication with scheme: {Scheme}", authenticationScheme);`
	`1047`	`}`
	`1048`	`// Ensure the scheme is not null`
0	`1049`	`ArgumentNullException.ThrowIfNull(host);`
0	`1050`	`ArgumentNullException.ThrowIfNull(authenticationScheme);`
0	`1051`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`1052`
	`1053`	`// Required for OAuth2`
0	`1054`	`if (string.IsNullOrWhiteSpace(configureOptions.ClientId))`
	`1055`	`{`
0	`1056`	`throw new ArgumentException("ClientId must be provided in OAuth2Options", nameof(configureOptions));`
	`1057`	`}`
	`1058`
0	`1059`	`if (string.IsNullOrWhiteSpace(configureOptions.AuthorizationEndpoint))`
	`1060`	`{`
0	`1061`	`throw new ArgumentException("AuthorizationEndpoint must be provided in OAuth2Options", nameof(configureOptio`
	`1062`	`}`
	`1063`
0	`1064`	`if (string.IsNullOrWhiteSpace(configureOptions.TokenEndpoint))`
	`1065`	`{`
0	`1066`	`throw new ArgumentException("TokenEndpoint must be provided in OAuth2Options", nameof(configureOptions));`
	`1067`	`}`
	`1068`
	`1069`	`// Default CallbackPath if not set: /signin-{scheme}`
0	`1070`	`if (string.IsNullOrWhiteSpace(configureOptions.CallbackPath))`
	`1071`	`{`
0	`1072`	`configureOptions.CallbackPath = $"/signin-{authenticationScheme.ToLowerInvariant()}";`
	`1073`	`}`
	`1074`	`// Ensure host is set`
0	`1075`	`if (configureOptions.Host != host)`
	`1076`	`{`
0	`1077`	`configureOptions.Host = host;`
	`1078`	`}`
	`1079`	`// Ensure scheme is set`
0	`1080`	`if (authenticationScheme != configureOptions.AuthenticationScheme)`
	`1081`	`{`
0	`1082`	`configureOptions.AuthenticationScheme = authenticationScheme;`
	`1083`	`}`
	`1084`	`// Configure scopes and claim policies`
0	`1085`	`ConfigureScopes(configureOptions, host.Logger);`
	`1086`	`// Configure OpenAPI`
0	`1087`	`ConfigureOpenApi(host, authenticationScheme, configureOptions);`
	`1088`
	`1089`	`// register in host for introspection`
0	`1090`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.OAuth2, configureOptions);`
	`1091`
	`1092`	`// Add authentication`
0	`1093`	`return host.AddAuthentication(`
0	`1094`	`defaultScheme: configureOptions.CookieScheme,`
0	`1095`	`defaultChallengeScheme: authenticationScheme,`
0	`1096`	`buildSchemes: ab =>`
0	`1097`	`{`
0	`1098`	`// Add cookie scheme for sign-in`
0	`1099`	`_ = ab.AddCookie(configureOptions.CookieScheme, cookieOpts =>`
0	`1100`	`{`
0	`1101`	`configureOptions.CookieOptions.ApplyTo(cookieOpts);`
0	`1102`	`});`
0	`1103`	`// Add OAuth2 scheme`
0	`1104`	`_ = ab.AddOAuth(`
0	`1105`	`authenticationScheme: authenticationScheme,`
0	`1106`	`displayName: displayName ?? OAuthDefaults.DisplayName,`
0	`1107`	`configureOptions: oauthOpts =>`
0	`1108`	`{`
0	`1109`	`configureOptions.ApplyTo(oauthOpts);`
0	`1110`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
0	`1111`	`{`
0	`1112`	`host.Logger.Debug("Configured OpenID Connect with ClientId: {ClientId}, Scopes: {Scopes}",`
0	`1113`	`oauthOpts.ClientId, string.Join(", ", oauthOpts.Scope));`
0	`1114`	`}`
0	`1115`	`});`
0	`1116`	`},`
0	`1117`	`configureAuthz: configureOptions.ClaimPolicy?.ToAuthzDelegate()`
0	`1118`	`);`
	`1119`	`}`
	`1120`
	`1121`	`/// <summary>`
	`1122`	`/// Configures OAuth2 scopes and claim policies.`
	`1123`	`/// </summary>`
	`1124`	`/// <param name="configureOptions">The OAuth2 options to configure.</param>`
	`1125`	`/// <param name="logger">The logger for debug output.</param>`
	`1126`	`private static void ConfigureScopes(IOAuthCommonOptions configureOptions, Serilog.ILogger logger)`
	`1127`	`{`
3	`1128`	`if (configureOptions.Scope is null)`
	`1129`	`{`
0	`1130`	`return;`
	`1131`	`}`
	`1132`
3	`1133`	`if (configureOptions.Scope.Count == 0)`
	`1134`	`{`
1	`1135`	`BackfillScopesFromClaimPolicy(configureOptions, logger);`
1	`1136`	`return;`
	`1137`	`}`
	`1138`
2	`1139`	`LogConfiguredScopes(configureOptions.Scope, logger);`
	`1140`
2	`1141`	`if (configureOptions.ClaimPolicy is null)`
	`1142`	`{`
1	`1143`	`configureOptions.ClaimPolicy = BuildClaimPolicyFromScopes(configureOptions.Scope, logger);`
1	`1144`	`return;`
	`1145`	`}`
	`1146`
1	`1147`	`AddMissingScopesToClaimPolicy(configureOptions.Scope, configureOptions.ClaimPolicy, logger);`
1	`1148`	`}`
	`1149`
	`1150`	`private static ClaimPolicyConfig BuildClaimPolicyFromScopes(ICollection<string> scopes, Serilog.ILogger logger)`
	`1151`	`{`
1	`1152`	`var claimPolicyBuilder = new ClaimPolicyBuilder();`
6	`1153`	`foreach (var scope in scopes)`
	`1154`	`{`
2	`1155`	`LogScopeAdded(logger, scope);`
2	`1156`	`_ = claimPolicyBuilder.AddPolicy(policyName: scope, claimType: "scope", description: string.Empty, allowedVa`
	`1157`	`}`
	`1158`
1	`1159`	`return claimPolicyBuilder.Build();`
	`1160`	`}`
	`1161`
	`1162`	`private static void AddMissingScopesToClaimPolicy(ICollection<string> scopes, ClaimPolicyConfig claimPolicy, Serilog`
	`1163`	`{`
1	`1164`	`var missingScopes = scopes`
2	`1165`	`.Where(s => !claimPolicy.Policies.ContainsKey(s))`
1	`1166`	`.ToList();`
	`1167`
1	`1168`	`if (missingScopes.Count == 0)`
	`1169`	`{`
0	`1170`	`return;`
	`1171`	`}`
	`1172`
1	`1173`	`LogMissingScopes(missingScopes, logger);`
	`1174`
1	`1175`	`var claimPolicyBuilder = new ClaimPolicyBuilder();`
4	`1176`	`foreach (var scope in missingScopes)`
	`1177`	`{`
1	`1178`	`_ = claimPolicyBuilder.AddPolicy(policyName: scope, claimType: "scope", description: string.Empty, allowedVa`
1	`1179`	`LogScopeAddedToClaimPolicy(logger, scope);`
	`1180`	`}`
	`1181`
1	`1182`	`claimPolicy.AddPolicies(claimPolicyBuilder.Policies);`
1	`1183`	`}`
	`1184`
	`1185`	`private static void BackfillScopesFromClaimPolicy(IOAuthCommonOptions configureOptions, Serilog.ILogger logger)`
	`1186`	`{`
1	`1187`	`if (configureOptions.ClaimPolicy is null)`
	`1188`	`{`
0	`1189`	`return;`
	`1190`	`}`
	`1191`
6	`1192`	`foreach (var policy in configureOptions.ClaimPolicy.PolicyNames)`
	`1193`	`{`
2	`1194`	`LogClaimPolicyConfigured(logger, policy);`
2	`1195`	`configureOptions.Scope?.Add(policy);`
	`1196`	`}`
1	`1197`	`}`
	`1198`
	`1199`	`private static void LogScopeAdded(Serilog.ILogger logger, string scope)`
	`1200`	`{`
2	`1201`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1202`	`{`
2	`1203`	`logger.Debug("OAuth2 scope added: {Scope}", scope);`
	`1204`	`}`
2	`1205`	`}`
	`1206`
	`1207`	`private static void LogScopeAddedToClaimPolicy(Serilog.ILogger logger, string scope)`
	`1208`	`{`
1	`1209`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1210`	`{`
1	`1211`	`logger.Debug("OAuth2 scope added to claim policy: {Scope}", scope);`
	`1212`	`}`
1	`1213`	`}`
	`1214`
	`1215`	`private static void LogMissingScopes(IEnumerable<string> missingScopes, Serilog.ILogger logger)`
	`1216`	`{`
1	`1217`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1218`	`{`
1	`1219`	`logger.Debug("Adding missing OAuth2 scopes to claim policy: {Scopes}", string.Join(", ", missingScopes));`
	`1220`	`}`
1	`1221`	`}`
	`1222`
	`1223`	`private static void LogConfiguredScopes(IEnumerable<string> scopes, Serilog.ILogger logger)`
	`1224`	`{`
2	`1225`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1226`	`{`
2	`1227`	`logger.Debug("OAuth2 scopes configured: {Scopes}", string.Join(", ", scopes));`
	`1228`	`}`
2	`1229`	`}`
	`1230`
	`1231`	`private static void LogClaimPolicyConfigured(Serilog.ILogger logger, string policy)`
	`1232`	`{`
2	`1233`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1234`	`{`
2	`1235`	`logger.Debug("OAuth2 claim policy configured: {Policy}", policy);`
	`1236`	`}`
2	`1237`	`}`
	`1238`
	`1239`	`#endregion`
	`1240`	`#region OpenID Connect Authentication`
	`1241`
	`1242`	`/// <summary>`
	`1243`	`/// Adds OpenID Connect authentication to the Kestrun host with private key JWT client assertion.`
	`1244`	`/// <para>Use this for applications that require OpenID Connect authentication with client credentials using JWT ass`
	`1245`	`/// </summary>`
	`1246`	`/// <param name="host">The Kestrun host instance.</param>`
	`1247`	`/// <param name="authenticationScheme">The authentication scheme name.</param>`
	`1248`	`/// <param name="displayName">The display name for the authentication scheme.</param>`
	`1249`	`/// <param name="configureOptions">The OpenIdConnectOptions to configure the authentication.</param>`
	`1250`	`/// <returns>The configured KestrunHost instance.</returns>`
	`1251`	`public static KestrunHost AddOpenIdConnectAuthentication(`
	`1252`	`this KestrunHost host,`
	`1253`	`string authenticationScheme = AuthenticationDefaults.OidcSchemeName,`
	`1254`	`string? displayName = AuthenticationDefaults.OidcDisplayName,`
	`1255`	`OidcOptions? configureOptions = null)`
	`1256`	`{`
0	`1257`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`1258`	`{`
0	`1259`	`host.Logger.Debug("Adding OpenID Connect Authentication with scheme: {Scheme}", authenticationScheme);`
	`1260`	`}`
	`1261`	`// Ensure the scheme is not null`
0	`1262`	`ArgumentNullException.ThrowIfNull(host);`
0	`1263`	`ArgumentNullException.ThrowIfNull(authenticationScheme);`
0	`1264`	`ArgumentNullException.ThrowIfNull(configureOptions);`
	`1265`
	`1266`	`// Ensure ClientId is set`
0	`1267`	`if (string.IsNullOrWhiteSpace(configureOptions.ClientId))`
	`1268`	`{`
0	`1269`	`throw new ArgumentException("ClientId must be provided in OpenIdConnectOptions", nameof(configureOptions));`
	`1270`	`}`
	`1271`	`// Ensure host is set`
0	`1272`	`if (configureOptions.Host != host)`
	`1273`	`{`
0	`1274`	`configureOptions.Host = host;`
	`1275`	`}`
	`1276`	`// Ensure scheme is set`
0	`1277`	`if (authenticationScheme != configureOptions.AuthenticationScheme)`
	`1278`	`{`
0	`1279`	`configureOptions.AuthenticationScheme = authenticationScheme;`
	`1280`	`}`
	`1281`	`// Retrieve supported scopes from the OIDC provider`
0	`1282`	`if (!string.IsNullOrWhiteSpace(configureOptions.Authority))`
	`1283`	`{`
0	`1284`	`configureOptions.ClaimPolicy = GetSupportedScopes(configureOptions.Authority, host.Logger);`
0	`1285`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
	`1286`	`{`
0	`1287`	`host.Logger.Debug("OIDC supported scopes: {Scopes}", string.Join(", ", configureOptions.ClaimPolicy?.Pol`
	`1288`	`}`
	`1289`	`}`
	`1290`	`// Configure scopes and claim policies`
0	`1291`	`ConfigureScopes(configureOptions, host.Logger);`
	`1292`	`// Configure OpenAPI`
0	`1293`	`ConfigureOpenApi(host, authenticationScheme, configureOptions);`
	`1294`
	`1295`	`// register in host for introspection`
0	`1296`	`_ = host.RegisteredAuthentications.Register(authenticationScheme, AuthenticationType.Oidc, configureOptions);`
	`1297`
	`1298`	`// CRITICAL: Register OidcEvents and AssertionService in DI before configuring authentication`
	`1299`	`// This is required because EventsType expects these to be available in the service provider`
0	`1300`	`return host.AddService(services =>`
0	`1301`	`{`
0	`1302`	`// Register AssertionService as a singleton with factory to pass clientId and jwkJson`
0	`1303`	`// Only register if JwkJson is provided (for private_key_jwt authentication)`
0	`1304`	`if (!string.IsNullOrWhiteSpace(configureOptions.JwkJson))`
0	`1305`	`{`
0	`1306`	`services.TryAddSingleton(sp => new AssertionService(configureOptions.ClientId, configureOptions.JwkJson`
0	`1307`	`// Register OidcEvents as scoped (per-request)`
0	`1308`	`services.TryAddScoped<OidcEvents>();`
0	`1309`	`}`
0	`1310`	`}).AddAuthentication(`
0	`1311`	`defaultScheme: configureOptions.CookieScheme,`
0	`1312`	`defaultChallengeScheme: authenticationScheme,`
0	`1313`	`buildSchemes: ab =>`
0	`1314`	`{`
0	`1315`	`// Add cookie scheme for sign-in`
0	`1316`	`_ = ab.AddCookie(configureOptions.CookieScheme, cookieOpts =>`
0	`1317`	`{`
0	`1318`	`// Copy cookie configuration from options.CookieOptions`
0	`1319`	`configureOptions.CookieOptions.ApplyTo(cookieOpts);`
0	`1320`	`});`
0	`1321`	`// Add OpenID Connect scheme`
0	`1322`	`_ = ab.AddOpenIdConnect(`
0	`1323`	`authenticationScheme: authenticationScheme,`
0	`1324`	`displayName: displayName ?? OpenIdConnectDefaults.DisplayName,`
0	`1325`	`configureOptions: oidcOpts =>`
0	`1326`	`{`
0	`1327`	`// Copy all properties from the provided options to the framework's options`
0	`1328`	`configureOptions.ApplyTo(oidcOpts);`
0	`1329`
0	`1330`	`// Inject private key JWT at code → token step (only if JwkJson is provided)`
0	`1331`	`// This will be resolved from DI at runtime`
0	`1332`	`if (!string.IsNullOrWhiteSpace(configureOptions.JwkJson))`
0	`1333`	`{`
0	`1334`	`oidcOpts.EventsType = typeof(OidcEvents);`
0	`1335`	`}`
0	`1336`	`if (host.Logger.IsEnabled(LogEventLevel.Debug))`
0	`1337`	`{`
0	`1338`	`host.Logger.Debug("Configured OpenID Connect with Authority: {Authority}, ClientId: {ClientId},`
0	`1339`	`oidcOpts.Authority, oidcOpts.ClientId, string.Join(", ", oidcOpts.Scope));`
0	`1340`	`}`
0	`1341`	`});`
0	`1342`	`},`
0	`1343`	`configureAuthz: configureOptions.ClaimPolicy?.ToAuthzDelegate()`
0	`1344`	`);`
	`1345`	`}`
	`1346`
	`1347`	`/// <summary>`
	`1348`	`/// Retrieves the supported scopes from the OpenID Connect provider's metadata.`
	`1349`	`/// </summary>`
	`1350`	`/// <param name="authority">The authority URL of the OpenID Connect provider.</param>`
	`1351`	`/// <param name="logger">The logger instance for logging.</param>`
	`1352`	`/// <returns>A ClaimPolicyConfig containing the supported scopes, or null if retrieval fails.</returns>`
	`1353`	`private static ClaimPolicyConfig? GetSupportedScopes(string authority, Serilog.ILogger logger)`
	`1354`	`{`
0	`1355`	`if (logger.IsEnabled(LogEventLevel.Debug))`
	`1356`	`{`
0	`1357`	`logger.Debug("Retrieving OpenID Connect configuration from authority: {Authority}", authority);`
	`1358`	`}`
0	`1359`	`var claimPolicy = new ClaimPolicyBuilder();`
0	`1360`	`if (string.IsNullOrWhiteSpace(authority))`
	`1361`	`{`
0	`1362`	`throw new ArgumentException("Authority must be provided to retrieve OpenID Connect scopes.", nameof(authorit`
	`1363`	`}`
	`1364`
0	`1365`	`var metadataAddress = authority.TrimEnd('/') + "/.well-known/openid-configuration";`
	`1366`
0	`1367`	`var documentRetriever = new HttpDocumentRetriever`
0	`1368`	`{`
0	`1369`	`RequireHttps = metadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase)`
0	`1370`	`};`
	`1371`
0	`1372`	`var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(`
0	`1373`	`metadataAddress,`
0	`1374`	`new OpenIdConnectConfigurationRetriever(),`
0	`1375`	`documentRetriever);`
	`1376`
	`1377`	`try`
	`1378`	`{`
0	`1379`	`var cfg = configManager.GetConfigurationAsync(CancellationToken.None)`
0	`1380`	`.GetAwaiter()`
0	`1381`	`.GetResult();`
	`1382`	`// First try the strongly-typed property`
0	`1383`	`var scopes = cfg.ScopesSupported;`
	`1384`
	`1385`	`// If it's null or empty, fall back to raw JSON`
0	`1386`	`if (scopes == null \|\| scopes.Count == 0)`
	`1387`	`{`
0	`1388`	`var json = documentRetriever.GetDocumentAsync(metadataAddress, CancellationToken.None)`
0	`1389`	`.GetAwaiter()`
0	`1390`	`.GetResult();`
	`1391`
0	`1392`	`using var doc = JsonDocument.Parse(json);`
0	`1393`	`if (doc.RootElement.TryGetProperty("scopes_supported", out var scopesElement) &&`
0	`1394`	`scopesElement.ValueKind == JsonValueKind.Array)`
	`1395`	`{`
0	`1396`	`foreach (var scope in scopesElement.EnumerateArray().Select(item => item.GetString()).Where(s => !st`
	`1397`	`{`
0	`1398`	`if (scope != null)`
	`1399`	`{`
0	`1400`	`_ = claimPolicy.AddPolicy(policyName: scope, claimType: "scope", description: string.Empty,`
	`1401`	`}`
	`1402`	`}`
	`1403`	`}`
	`1404`	`}`
	`1405`	`else`
	`1406`	`{`
	`1407`	`// Normal path: configuration object had scopes`
0	`1408`	`foreach (var scope in scopes)`
	`1409`	`{`
0	`1410`	`_ = claimPolicy.AddPolicy(policyName: scope, claimType: "scope", description: string.Empty, allowedV`
	`1411`	`}`
	`1412`	`}`
0	`1413`	`return claimPolicy.Build();`
	`1414`	`}`
0	`1415`	`catch (Exception ex)`
	`1416`	`{`
0	`1417`	`logger.Warning(ex, "Failed to retrieve OpenID Connect configuration from {MetadataAddress}", metadataAddress`
0	`1418`	`return null;`
	`1419`	`}`
0	`1420`	`}`
	`1421`
	`1422`	`#endregion`
	`1423`	`#region Helper Methods`
	`1424`	`/// <summary>`
	`1425`	`/// Configures OpenAPI security schemes for the given authentication options.`
	`1426`	`/// </summary>`
	`1427`	`/// <param name="host">The Kestrun host instance.</param>`
	`1428`	`/// <param name="scheme">The authentication scheme name.</param>`
	`1429`	`/// <param name="opts">The OpenAPI authentication options.</param>`
	`1430`	`private static void ConfigureOpenApi(KestrunHost host, string scheme, IOpenApiAuthenticationOptions opts)`
	`1431`	`{`
	`1432`	`// Apply to specified documentation IDs or all if none specified`
21	`1433`	`if (opts.DocumentationId == null \|\| opts.DocumentationId.Length == 0)`
	`1434`	`{`
21	`1435`	`opts.DocumentationId = OpenApiDocDescriptor.DefaultDocumentationIds;`
	`1436`	`}`
	`1437`
84	`1438`	`foreach (var docDescriptor in opts.DocumentationId`
21	`1439`	`.Select(host.GetOrCreateOpenApiDocument)`
42	`1440`	`.Where(docDescriptor => docDescriptor != null))`
	`1441`	`{`
21	`1442`	`docDescriptor.ApplySecurityScheme(scheme, opts);`
	`1443`	`}`
21	`1444`	`}`
	`1445`
	`1446`	`#endregion`
	`1447`
	`1448`	`/// <summary>`
	`1449`	`/// Adds authentication and authorization middleware to the Kestrun host.`
	`1450`	`/// </summary>`
	`1451`	`/// <param name="host">The Kestrun host instance.</param>`
	`1452`	`/// <param name="buildSchemes">A delegate to configure authentication schemes.</param>`
	`1453`	`/// <param name="defaultScheme">The default authentication scheme.</param>`
	`1454`	`/// <param name="configureAuthz">Optional authorization policy configuration.</param>`
	`1455`	`/// <param name="defaultChallengeScheme">The default challenge scheme .</param>`
	`1456`	`/// <returns>The configured KestrunHost instance.</returns>`
	`1457`	`internal static KestrunHost AddAuthentication(`
	`1458`	`this KestrunHost host,`
	`1459`	`string defaultScheme,`
	`1460`	`Action<AuthenticationBuilder>? buildSchemes = null, // e.g., ab => ab.AddCookie().AddOpenIdConnect("oidc", ...)`
	`1461`	`Action<AuthorizationOptions>? configureAuthz = null,`
	`1462`	`string? defaultChallengeScheme = null)`
	`1463`	`{`
21	`1464`	`ArgumentNullException.ThrowIfNull(buildSchemes);`
21	`1465`	`if (string.IsNullOrWhiteSpace(defaultScheme))`
	`1466`	`{`
0	`1467`	`throw new ArgumentException("Default scheme is required.", nameof(defaultScheme));`
	`1468`	`}`
	`1469`
21	`1470`	`_ = host.AddService(services =>`
21	`1471`	`{`
21	`1472`	`// CRITICAL: Check if authentication services are already registered`
21	`1473`	`// If they are, we only need to add new schemes, not reconfigure defaults`
2418	`1474`	`var authDescriptor = services.FirstOrDefault(d => d.ServiceType == typeof(IAuthenticationService));`
21	`1475`
21	`1476`	`AuthenticationBuilder authBuilder;`
21	`1477`	`if (authDescriptor != null)`
21	`1478`	`{`
21	`1479`	`// Authentication already registered - only add new schemes without changing defaults`
0	`1480`	`host.Logger.Debug("Authentication services already registered - adding schemes only (default={DefaultSch`
0	`1481`	`authBuilder = new AuthenticationBuilder(services);`
21	`1482`	`}`
21	`1483`	`else`
21	`1484`	`{`
21	`1485`	`// First time registration - configure defaults`
21	`1486`	`host.Logger.Debug(`
21	`1487`	`"Registering authentication services with defaults (default={DefaultScheme}, challenge={ChallengeSch`
21	`1488`	`defaultScheme,`
21	`1489`	`defaultChallengeScheme ?? defaultScheme);`
21	`1490`	`authBuilder = services.AddAuthentication(options =>`
21	`1491`	`{`
14	`1492`	`options.DefaultScheme = defaultScheme;`
14	`1493`	`options.DefaultChallengeScheme = defaultChallengeScheme ?? defaultScheme;`
35	`1494`	`});`
21	`1495`	`}`
21	`1496`
21	`1497`	`// Let caller add handlers/schemes`
21	`1498`	`buildSchemes?.Invoke(authBuilder);`
21	`1499`
21	`1500`	`// Ensure Authorization is available (with optional customization)`
21	`1501`	`// AddAuthorization is idempotent - safe to call multiple times`
21	`1502`	`_ = configureAuthz is not null ?`
21	`1503`	`services.AddAuthorization(configureAuthz) :`
21	`1504`	`services.AddAuthorization();`
24	`1505`	`});`
	`1506`
	`1507`	`// Add middleware once`
21	`1508`	`return host.Use(app =>`
21	`1509`	`{`
21	`1510`	`const string Key = "__kr.authmw";`
21	`1511`	`if (!app.Properties.ContainsKey(Key))`
21	`1512`	`{`
21	`1513`	`_ = app.UseAuthentication();`
21	`1514`	`_ = app.UseAuthorization();`
21	`1515`	`app.Properties[Key] = true;`
21	`1516`	`host.Logger.Information("Kestrun: Authentication & Authorization middleware added.");`
21	`1517`	`}`
42	`1518`	`});`
	`1519`	`}`
	`1520`
	`1521`	`/// <summary>`
	`1522`	`/// Checks if the specified authentication scheme is registered in the Kestrun host.`
	`1523`	`/// </summary>`
	`1524`	`/// <param name="host">The Kestrun host instance.</param>`
	`1525`	`/// <param name="schemeName">The name of the authentication scheme to check.</param>`
	`1526`	`/// <returns>True if the scheme is registered; otherwise, false.</returns>`
	`1527`	`public static bool HasAuthScheme(this KestrunHost host, string schemeName)`
	`1528`	`{`
14	`1529`	`var schemeProvider = host.App.Services.GetRequiredService<IAuthenticationSchemeProvider>();`
14	`1530`	`var scheme = schemeProvider.GetSchemeAsync(schemeName).GetAwaiter().GetResult();`
14	`1531`	`return scheme != null;`
	`1532`	`}`
	`1533`
	`1534`	`/// <summary>`
	`1535`	`/// Adds authorization services to the Kestrun host.`
	`1536`	`/// </summary>`
	`1537`	`/// <param name="host">The Kestrun host instance.</param>`
	`1538`	`/// <param name="cfg">Optional configuration for authorization options.</param>`
	`1539`	`/// <returns>The configured KestrunHost instance.</returns>`
	`1540`	`public static KestrunHost AddAuthorization(this KestrunHost host, Action<AuthorizationOptions>? cfg = null)`
	`1541`	`{`
1	`1542`	`return host.AddService(services =>`
1	`1543`	`{`
1	`1544`	`_ = cfg == null ? services.AddAuthorization() : services.AddAuthorization(cfg);`
2	`1545`	`});`
	`1546`	`}`
	`1547`
	`1548`	`/// <summary>`
	`1549`	`/// Checks if the specified authorization policy is registered in the Kestrun host.`
	`1550`	`/// </summary>`
	`1551`	`/// <param name="host">The Kestrun host instance.</param>`
	`1552`	`/// <param name="policyName">The name of the authorization policy to check.</param>`
	`1553`	`/// <returns>True if the policy is registered; otherwise, false.</returns>`
	`1554`	`public static bool HasAuthPolicy(this KestrunHost host, string policyName)`
	`1555`	`{`
13	`1556`	`var policyProvider = host.App.Services.GetRequiredService<IAuthorizationPolicyProvider>();`
13	`1557`	`var policy = policyProvider.GetPolicyAsync(policyName).GetAwaiter().GetResult();`
13	`1558`	`return policy != null;`
	`1559`	`}`
	`1560`
	`1561`	`/// <summary>`
	`1562`	`/// HTTP message handler that logs all HTTP requests and responses for debugging.`
	`1563`	`/// </summary>`
0	`1564`	`internal class LoggingHttpMessageHandler(HttpMessageHandler innerHandler, Serilog.ILogger logger) : DelegatingHandle`
	`1565`	`{`
0	`1566`	`private readonly Serilog.ILogger _logger = logger ?? throw new ArgumentNullException(nameof(logger));`
	`1567`
	`1568`	`// CRITICAL: Static field to store the last token response body so we can manually parse it`
	`1569`	`// The framework's OpenIdConnectMessage parser fails to populate AccessToken correctly`
0	`1570`	`internal static string? LastTokenResponseBody { get; private set; }`
	`1571`
	`1572`	`protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cance`
	`1573`	`{`
	`1574`	`// Log request`
0	`1575`	`_logger.Warning($"HTTP {request.Method} {request.RequestUri}");`
	`1576`
	`1577`	`// Check if this is a token endpoint request`
0	`1578`	`var isTokenEndpoint = request.RequestUri?.PathAndQuery?.Contains("/connect/token") == true \|\|`
0	`1579`	`request.RequestUri?.PathAndQuery?.Contains("/token") == true;`
	`1580`
0	`1581`	`if (request.Content != null && !isTokenEndpoint)`
	`1582`	`{`
	`1583`	`// Read request body without consuming it (only for non-token requests)`
0	`1584`	`var requestBytes = await request.Content.ReadAsByteArrayAsync(cancellationToken);`
0	`1585`	`var requestBody = System.Text.Encoding.UTF8.GetString(requestBytes);`
0	`1586`	`_logger.Warning($"Request Body: {requestBody}");`
	`1587`
	`1588`	`// Recreate the content so it can be read again`
0	`1589`	`request.Content = new ByteArrayContent(requestBytes);`
0	`1590`	`request.Content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-ww`
	`1591`	`}`
0	`1592`	`else if (request.Content != null && isTokenEndpoint)`
	`1593`	`{`
0	`1594`	`_logger.Warning("Token endpoint request - skipping body logging to preserve stream");`
	`1595`	`}`
	`1596`
	`1597`	`// Send request`
0	`1598`	`var response = await base.SendAsync(request, cancellationToken);`
	`1599`
	`1600`	`// Log response`
0	`1601`	`_logger.Warning($"HTTP Response: {(int)response.StatusCode} {response.StatusCode}");`
	`1602`
	`1603`	`// CRITICAL: For token endpoint responses, capture the body for manual parsing`
	`1604`	`// but then recreate the stream so the framework can also read it`
0	`1605`	`if (response.Content != null && isTokenEndpoint)`
	`1606`	`{`
	`1607`	`// Read the response body`
0	`1608`	`var responseBytes = await response.Content.ReadAsByteArrayAsync(cancellationToken);`
0	`1609`	`var responseBody = System.Text.Encoding.UTF8.GetString(responseBytes);`
	`1610`
	`1611`	`// Store it in static field for later manual parsing`
0	`1612`	`LastTokenResponseBody = responseBody;`
0	`1613`	`_logger.Warning($"Captured token response body ({responseBytes.Length} bytes) for manual parsing");`
	`1614`
	`1615`	`// Recreate the content stream with ALL original headers preserved`
0	`1616`	`var originalHeaders = response.Content.Headers.ToList();`
0	`1617`	`var newContent = new ByteArrayContent(responseBytes);`
	`1618`
0	`1619`	`foreach (var header in originalHeaders)`
	`1620`	`{`
0	`1621`	`_ = newContent.Headers.TryAddWithoutValidation(header.Key, header.Value);`
	`1622`	`}`
	`1623`
0	`1624`	`response.Content = newContent;`
0	`1625`	`_logger.Warning("Recreated token response stream for framework parsing");`
	`1626`	`}`
0	`1627`	`else if (response.Content != null && !isTokenEndpoint)`
	`1628`	`{`
	`1629`	`// Save original headers`
0	`1630`	`var originalHeaders = response.Content.Headers;`
	`1631`
	`1632`	`// Read response body and preserve it for the handler`
0	`1633`	`var responseBytes = await response.Content.ReadAsByteArrayAsync(cancellationToken);`
0	`1634`	`var responseBody = System.Text.Encoding.UTF8.GetString(responseBytes);`
0	`1635`	`_logger.Warning($"Response Body: {responseBody}");`
	`1636`
	`1637`	`// Recreate the content so it can be read again by the OIDC handler`
0	`1638`	`var newContent = new ByteArrayContent(responseBytes);`
	`1639`
	`1640`	`// Copy all original headers to the new content`
0	`1641`	`foreach (var header in originalHeaders)`
	`1642`	`{`
0	`1643`	`_ = newContent.Headers.TryAddWithoutValidation(header.Key, header.Value);`
	`1644`	`}`
	`1645`
0	`1646`	`response.Content = newContent;`
0	`1647`	`}`
0	`1648`	`else if (response.Content != null && isTokenEndpoint)`
	`1649`	`{`
0	`1650`	`_logger.Warning("Token endpoint response - skipping body logging to let framework parse it");`
	`1651`	`}`
	`1652`
0	`1653`	`return response;`
0	`1654`	`}`
	`1655`	`}`
	`1656`	`}`

Methods/Properties