Update Security Samples #301
Conversation
| { | ||
| _httpContextAccessor = httpContextAccessor; |
There was a problem hiding this comment.
This field is never used. Can it be removed (including the constructor parameter)?
| } | ||
| options.AccessDeniedPath = new PathString("/Home/AccessDenied"); | ||
| }) | ||
| // .AddCloudFoundryOAuth(builder.Configuration) |
There was a problem hiding this comment.
Do you think this commented-out code line should be removed? If not, a comment indicating its purpose would help.
|
|
||
| ASP.NET Core sample app illustrating how to make use of the Steeltoe [CloudFoundry External Security Provider](https://docs.steeltoe.io/api/v3/security/) for Authentication and Authorization against a CloudFoundry OAuth2 security service (e.g. [UAA Server](https://github.com/cloudfoundry/uaa) or [Tanzu Single Signon Service](https://docs.pivotal.io/p-identity/)). | ||
|
|
||
| > NOTE: For simplicity, we've moved the [instructions for utilizing the SSO Tile](README.md) with this sample |
There was a problem hiding this comment.
Can you clarify this sentence? To/into/included/copied?
There was a problem hiding this comment.
I'm removing everything related to the direct UAA approach, I don't think that's a real use case
| After authenticating, add a new `user` and `group` to the UAA Server database. Do NOT change the group name: `testgroup` as it is used for policy based authorization in the sample application. Feel free to change the username and password to anything you would like. | ||
|
|
||
| 1. uaac group add testgroup | ||
| 1. uaac user add dave --given_name Dave --family_name Tillman --emails dave@testcloud.com --password Password1! |
There was a problem hiding this comment.
Perhaps replace 'dave' with something else? (multiple places in this file and others)
|
|
||
| ### Add User-Provided Service with OAuth Details | ||
|
|
||
| Last, we will create a user-provide service that includes the appropriate UAA server configuration data. Use the sample below to pass the parameters directly to the `cf cups` command, replacing `<YOUR-CLOUDFOUNDRY-SYSTEM-DOMAIN>` with your domain. |
There was a problem hiding this comment.
| Last, we will create a user-provide service that includes the appropriate UAA server configuration data. Use the sample below to pass the parameters directly to the `cf cups` command, replacing `<YOUR-CLOUDFOUNDRY-SYSTEM-DOMAIN>` with your domain. | |
| Last, we will create a user-provided service that includes the appropriate UAA server configuration data. Use the sample below to pass the parameters directly to the `cf cups` command, replacing `<YOUR-CLOUDFOUNDRY-SYSTEM-DOMAIN>` with your domain. |
| * `dotnet publish -f netcoreapp3.1 -r win10-x64` | ||
| 1. Push the app using the appropriate manifest. | ||
| * `cf push -f manifest.yml -p bin/Debug/netcoreapp3.1/linux-x64/publish` | ||
| * `cf push -f manifest-windows.yml -p bin/Debug/netcoreapp3.1/win10-x64/publish` |
There was a problem hiding this comment.
| * `cf push -f manifest-windows.yml -p bin/Debug/netcoreapp3.1/win10-x64/publish` | |
| * `cf push -f manifest-windows.yml -p bin/Debug/netcoreapp3.1/win-x64/publish` |
| * `cf push -f manifest.yml -p bin/Debug/netcoreapp3.1/linux-x64/publish` | ||
| * `cf push -f manifest-windows.yml -p bin/Debug/netcoreapp3.1/win10-x64/publish` | ||
|
|
||
| > Note: The provided manifest(s) will create an app named `single-signon` and attempt to bind it to the user-provided service `myOAuthService`. |
There was a problem hiding this comment.
It looks like this was renamed to mySSOService in other places. Should this be renamed accordingly?
| > Note: The provided manifest(s) will create an app named `single-signon` and attempt to bind it to the user-provided service `myOAuthService`. | |
| > Note: The provided manifest(s) will create an app named `single-signon` and attempt to bind it to the user-provided service `mySSOService`. |
| var options = serviceProvider.GetService<IOptions<CertificateOptions>>(); | ||
| if (options?.Value.Certificate != null) |
There was a problem hiding this comment.
I don't think GetService for an IOptions<> ever returns null. If there's no configuration, you'll get a default instance.
| var options = serviceProvider.GetService<IOptions<CertificateOptions>>(); | |
| if (options?.Value.Certificate != null) | |
| var options = serviceProvider.GetRequiredService<IOptions<CertificateOptions>>(); | |
| if (options.Value.Certificate != null) |
The same suggestion applies to other places in this PR, which I haven't marked.
| options.AddPolicy("testgroup1", policy => policy.RequireClaim("scope", "testgroup1")); | ||
| }); | ||
|
|
||
| // Add Redis to allow scaling beyond a single instance |
There was a problem hiding this comment.
| // Add Redis to allow scaling beyond a single instance | |
| // Uncomment the code below to add Redis to allow scaling beyond a single instance |
| } | ||
| else | ||
| { | ||
| serviceHostname = serviceName + hostName.Substring(indx); | ||
| serviceHostname = string.Concat(serviceName, hostName.AsSpan(indexOfHost)); |
There was a problem hiding this comment.
Just out of curiosity, did you get this suggestion from an analyzer? Resharper suggests using range indexer syntax.
| serviceHostname = string.Concat(serviceName, hostName.AsSpan(indexOfHost)); | |
| serviceHostname = $"{serviceName}{hostName[indx..]}"; |
There was a problem hiding this comment.
This was probably a Visual Studio suggestion, Resharper's preference is fine with me
TimHess
force-pushed
the
security-refresh
branch
from
5d03e26
to
f605ce4
Compare
Use minimal API, add actuators, only listen over HTTPS, improve usability
TimHess
force-pushed
the
security-refresh
branch
from
f605ce4
to
77ee2e2
Compare
TimHess
force-pushed
the
security-refresh
branch
from
d1db821
to
b1d7f3d
Compare
Use minimal API, add actuators, only listen over HTTPS, improve usability
TODO: update integration test, help users understand how to enable UAA as a user store for the tile