OpenIdConnectOptions Don't Get Set With DelegateStrategy

[goforebroke]

Andrew,

Until you release a patch for the HttpContextStrategy, I took your advise and used the delegate strategy and I also set the OpenIdConnectOptions per tenant.

      services.AddMultiTenant<AppTenantInfo>()
          .WithClaimStrategy()
          .WithDelegateStrategy<DefaultHttpContext, AppTenantInfo>(httpContext =>
          {
              if (httpContext.Request.Query.TryGetValue("tenant", out StringValues tenantIdentifier) &&
                  !StringValues.IsNullOrEmpty(tenantIdentifier))
              {
                  return Task.FromResult<string?>(tenantIdentifier[0]);
              }

              return Task.FromResult<string?>(null);
          })
          // .WithStaticStrategy(defaultTenantIdentifier)
          .WithHttpRemoteStore(httpRemoteStore, clientBuilder =>
          {
              clientBuilder.AddHttpMessageHandler<TenantRemoteStoreDelegatingHandler>();
          })
         // .WithConfigurationStore()
          .WithPerTenantAuthentication();


           services.ConfigureAllPerTenant<OpenIdConnectOptions, AppTenantInfo>((options, tenant) =>
           {
               options.RequireHttpsMetadata = webHostEnvironment.IsProduction();
               options.Authority = $"http://identity.api:80/{tenant.Identifier}";
               options.Events = OpenIdConnectOptionsExtensions.CreateTenantAwareEvents(webHostEnvironment);
           });

Here is the static method

 public static OpenIdConnectEvents CreateTenantAwareEvents(IWebHostEnvironment env)
 {
     return new OpenIdConnectEvents
     {
         OnRedirectToIdentityProvider = context =>
         {
             var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                 .CreateLogger("OpenIdConnectEvents");

             // Read tenant info from the current HttpContext (Finbuckle)
             var multiTenantContext = context.HttpContext.GetMultiTenantContext<AppTenantInfo>();
             var tenant = multiTenantContext?.TenantInfo;

             logger.LogInformation("OnRedirectToIdentityProvider for tenant: {TenantId}", tenant?.Identifier ?? "null");

             if (tenant is not null)
             {
                 //context.Options.Authority = $"{tenant.JwtAuthority}/{tenant.Identifier}";

                 // Use tenant-specific issuer/authority for the redirect
                 context.ProtocolMessage.IssuerAddress = $"{tenant.JwtAuthority}/{tenant.Identifier}/connect/authorize";
                 context.ProtocolMessage.UiLocales = Thread.CurrentThread.CurrentUICulture.Name;

                 if (env.IsDevelopment())
                 {
                     // discovery metadata for dev environment
                     context.Options.RequireHttpsMetadata = false;
                     context.Options.MetadataAddress = $"http://identity.api:80/{tenant.Identifier}/.well-known/openid-configuration";
                 }
             }

             // carry forward any prompt stored in auth properties
             if (context.Properties.Items.TryGetValue("prompt", out var prompt))
             {
                 context.ProtocolMessage.Prompt = prompt;
             }

             return Task.CompletedTask;
         },

         OnRemoteFailure = context =>
         {
             context.Response.Redirect("/StatusCode?statusCode=500");
             context.HandleResponse();
             return Task.CompletedTask;
         },

         OnAccessDenied = context =>
         {
             if (context.Request.QueryString.Value is not null)
             {
                 var requestQuery = HttpUtility.ParseQueryString(context.Request.QueryString.Value);

                 const string descriptionField = "error_description";
                 const string cancelledCode = "user_canceled_login";

                 var descriptionFieldValue = requestQuery[descriptionField];

                 if (!string.IsNullOrEmpty(descriptionFieldValue) &&
                     descriptionFieldValue.Equals(cancelledCode, StringComparison.OrdinalIgnoreCase))
                 {
                     context.Response.Redirect("/");
                     context.HandleResponse();
                     return Task.CompletedTask;
                 }
             }

             context.Response.Redirect("/StatusCode?statusCode=401");
             context.HandleResponse();
             return Task.CompletedTask;
         }
     };
 }

When a tenant is found and resolved using the DelegateStrategy, the OpenIdConnectOptions are NOT set for the resolved tenant. However, if I use the StaticStrategy and ConfigurationStore the options do get set for the tenant when a challenge is made.

[AndrewTriesToCode]

thanks for all the detail, looking into it

[AndrewTriesToCode]

Quick question, if you set up non-per-tenant OpenID connect events and put a breakpoint in them can you tell if they are hitting after the multitenant middleware has been invoked? Also can you comment out the claim strategy and see if it impacts anything? It has some particular behavior that can make auth trickier.

[AndrewTriesToCode]

So far I can't reproduce it. My attempt might be too basic -- I'm just using the web api sample and in my mapped controller pulling IOptionsSnapshot and the option is set correctly. Can you post what your main app configuration looks like?

[goforebroke]

I removed the claim strategy, as you advised, but that strategy is only used after a successful logon with the identity server and a tenant claim is added.

I ran the application and the breakpoint for the OpenId events could not be reached. The open id events were set through the multitenant middleware for this 1st test.

I then commented out the open id events through the finbuckle middleware and enabled them when adding authentication services for this 2nd test. Unfortunately I got the same result and I could not reach the break point.

Each test results in the authority not getting set correctly.

Here is my main configuration Program.cs

using Common.Logging;
using Razor.Portal.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Host.ConfigureSerilogLogging();

var app = builder
    .ConfigureServices()
    .ConfigurePipeline();

app.UseSerilogLogging();

app.Run();

Here are my hosting extensions HostingExtensions.cs

using AspNetCoreHero.ToastNotification;
using AspNetCoreHero.ToastNotification.Extensions;
using Common.AppTenant;
using Duende.AccessTokenManagement.OpenIdConnect;
using Duende.IdentityModel;
using Finbuckle.MultiTenant.AspNetCore.Extensions;
using Finbuckle.MultiTenant.Extensions;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Localization;
using Microsoft.AspNetCore.Mvc.Razor;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Primitives;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Net.Http.Headers;
using Razor.Portal.Abstractions.Identity;
using Razor.Portal.Abstractions.Localization;
using Razor.Portal.Filters;
using Razor.Portal.Infrastructure.Handlers;
using Razor.Portal.Middleware;
using Razor.Portal.Resources;
using Razor.Portal.Services.Gateway;
using Razor.Portal.Services.Identity;
using Razor.Portal.Services.Localization;
using System.Globalization;

namespace Razor.Portal.Extensions;

public static class HostingExtensions
{
    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
    {
        builder.Services.AddRazorPagesAndLocalizationServices();
        builder.Services.AddApplicationServices();
        builder.Services.AddAuthenticationServices(builder.Configuration, builder.Environment);
        builder.Services.AddMultiTenantServices(builder.Configuration, builder.Environment);
        builder.Services.AddApiGatewayClientServices(builder.Configuration);

        return builder.Build();
    }
    public static WebApplication ConfigurePipeline(this WebApplication app)
    {

        if (app.Environment.IsProduction())
        {
            app.UseHttpsRedirection();
            app.UseHsts();
        }

        app.UseExceptionHandler("/Error");
        app.UseStatusCodePagesWithReExecute("/StatusCode", "?statusCode={0}");
        app.UseRouting();
        app.UseMultiTenant();
        app.UseNotyf();
        app.UseStaticFiles();

        app.MapStaticAssets().ExcludeFromMultiTenantResolution();


        app.UseAuthentication();
        app.UseAuthorization();

        var localizationOptions = app.Services.GetRequiredService<IOptions<RequestLocalizationOptions>>().Value;
        app.UseRequestLocalization(localizationOptions);

        // Check if the tenant subscription is valid middleware
        //app.UseCheckTenantSubscriptionStatus();

        app.MapRazorPages();
        
        return app;
    }

    private static void AddRazorPagesAndLocalizationServices(this IServiceCollection services)
    {
        services.AddLocalization(options => options.ResourcesPath = "Resources");

        services.Configure<RequestLocalizationOptions>(options =>
        {
            var supportedCultures = new[]
            {
                    new CultureInfo("en-US"),
                    new CultureInfo("es-MX")
            };
            options.DefaultRequestCulture = new RequestCulture("en-US");
            options.SupportedCultures = supportedCultures;
            options.SupportedUICultures = supportedCultures;
        });

        services.AddRazorPages()
            .AddMvcOptions(options => 
            {
                options.Filters.Add(new ModelStatePageFilter());
            })
            .AddViewLocalization(LanguageViewLocationExpanderFormat.Suffix)
            .AddDataAnnotationsLocalization(options =>
            {
                options.DataAnnotationLocalizerProvider = (type, factory) => 
                    factory.Create(nameof(CommonResources), typeof(CommonResources).Assembly.GetName().FullName);
            });

        services.AddSingleton<ICommonLocalizationService, CommonLocalizationService>();
    }

    private static void AddAuthenticationServices(this IServiceCollection services, 
        IConfiguration configuration, IWebHostEnvironment webHostEnvironment)
    {
        var callBackUrl = configuration["CallBackUrl"] ??
                          throw new ArgumentNullException(nameof(configuration),
                              "Callback url is null or empty");

        var sessionCookieLifetime = configuration.GetValue("SessionCookieLifetimeMinutes", 60);

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(sessionCookieLifetime);
            options.SlidingExpiration = false;
            options.Cookie.Name = "RazorPortalAuthCookie";
            options.Events.OnSigningOut = async e => { await e.HttpContext.RevokeRefreshTokenAsync(); };

        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.NonceCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Unspecified;
            options.CorrelationCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Unspecified;
            options.RequireHttpsMetadata = webHostEnvironment.IsProduction();
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Authority = "https://someauth";
            options.SignedOutRedirectUri = callBackUrl;
            options.ClientId = "razorportal";
            options.ClientSecret = "secret";
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.SaveTokens = true;
            options.MapInboundClaims = false;
            options.DisableTelemetry = true;

            options.Events = OpenIdConnectOptionsExtensions.CreateTenantAwareEvents(webHostEnvironment);

            options.TokenValidationParameters = new TokenValidationParameters()
            {
                RoleClaimType = "role",
                NameClaimType = "name",
            };

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("email");
            options.Scope.Add("offline_access");
            options.Scope.Add("stripedotnetapi");
            options.Scope.Add("tenantportalapi");
            options.Scope.Add("IdentityServerApi");
            options.Scope.Add("core");
            options.Scope.Add("roles");
            options.GetClaimsFromUserInfoEndpoint = true;

            options.ClaimActions.MapUniqueJsonKey("first_name", "first_name");
            options.ClaimActions.MapUniqueJsonKey("last_name", "last_name");
            options.ClaimActions.MapUniqueJsonKey("__tenant__", "__tenant__");
            options.ClaimActions.MapJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role);
        });

        services.AddOpenIdConnectAccessTokenManagement();
    }


    private static void AddApplicationServices(this IServiceCollection services)
    {
        services.AddExceptionHandler<ExceptionHandler>();
        services.AddTransient<IIdentityParser<AppUser>, IdentityParser>();

        // Toast notifications
        services.AddNotyf(config =>
        {
            config.DurationInSeconds = 7;
            config.IsDismissable = true;
            config.Position = NotyfPosition.BottomRight;
        });
    }

    private static void AddApiGatewayClientServices(this IServiceCollection services, 
        IConfiguration configuration)
    {
        var apiGatewayUrl = configuration["ApiGatewayUrl"] ??
                    throw new ArgumentNullException(nameof(configuration),
                "Api gateway url is null or empty");

        services.AddTransient<LocalizationDelegatingHandler>();
        services.AddTransient<HeaderDelegatingHandler>();
        services.AddTransient<ProblemDetailsDelegatingHandler>();

        services.AddHttpClient<MarketingService>((httpClient) =>
        {
            httpClient.BaseAddress = new Uri(apiGatewayUrl);
            httpClient.DefaultRequestHeaders.Clear();
            httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
        })
        .SetHandlerLifetime(TimeSpan.FromMinutes(5))
        .AddUserAccessTokenHandler()
        .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
        .AddHttpMessageHandler<HeaderDelegatingHandler>()
        .AddHttpMessageHandler<LocalizationDelegatingHandler>();

        services.AddHttpClient<SeasonService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(apiGatewayUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();

        services.AddHttpClient<EventService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(apiGatewayUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();

        services.AddHttpClient<RoundService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(apiGatewayUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();

        services.AddHttpClient<TournamentService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(apiGatewayUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();


        services.AddHttpClient<SettingsService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(apiGatewayUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();

        var authorityUrl = configuration["IdentityUrl"] ??
                          throw new ArgumentNullException(nameof(configuration),
                              "Identity url is null or empty");

        services.AddHttpClient<AuthorityService>((httpClient) =>
            {
                httpClient.BaseAddress = new Uri(authorityUrl);
                httpClient.DefaultRequestHeaders.Clear();
                httpClient.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
            })
            .ConfigurePrimaryHttpMessageHandler(() =>
                new HttpClientHandler
                {
                    ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                })
            .SetHandlerLifetime(TimeSpan.FromMinutes(5))
            .AddUserAccessTokenHandler()
            .AddHttpMessageHandler<ProblemDetailsDelegatingHandler>()
            .AddHttpMessageHandler<HeaderDelegatingHandler>()
            .AddHttpMessageHandler<LocalizationDelegatingHandler>();

       
        services.AddHttpContextAccessor();
    }

    private static void AddMultiTenantServices(this IServiceCollection services,
        IConfiguration configuration, IWebHostEnvironment webHostEnvironment)
    {
        var defaultTenantIdentifier = configuration
                                .GetRequiredSection("Finbuckle:MultiTenant:Stores:ConfigurationStore:Tenants")
                                .GetChildren().FirstOrDefault()?.GetValue<string>("Identifier") ??
                            throw new ArgumentNullException(nameof(configuration),
                                "Default tenant identifier is null or empty");

        var httpRemoteStore = configuration.GetRequiredSection("TenantRemoteStore:Url").Value ??
                          throw new ArgumentNullException(nameof(configuration),
            "Tenant remote store is null or empty");

        services.AddTransient<TenantRemoteStoreDelegatingHandler>();

        services.AddMultiTenant<AppTenantInfo>()
            //.WithClaimStrategy()
            .WithDelegateStrategy<DefaultHttpContext, AppTenantInfo>(httpContext =>
            {
                if (httpContext.Request.Query.TryGetValue("tenant", out StringValues tenantIdentifier) &&
                    !StringValues.IsNullOrEmpty(tenantIdentifier))
                {
                    return Task.FromResult(tenantIdentifier[0]);
                }

                return Task.FromResult<string?>(null);
            })
            // .WithStaticStrategy(defaultTenantIdentifier)
            .WithHttpRemoteStore(httpRemoteStore, clientBuilder =>
            {
                clientBuilder.AddHttpMessageHandler<TenantRemoteStoreDelegatingHandler>();
            })
           // .WithConfigurationStore()
            .WithPerTenantAuthentication();

           //services.ConfigureAllPerTenant<OpenIdConnectOptions, AppTenantInfo>((options, tenant) =>
           //{
           //    options.RequireHttpsMetadata = webHostEnvironment.IsProduction();
           //    options.Authority = $"http://identity.api:80/{tenant.Identifier}";
           //    options.Events = OpenIdConnectOptionsExtensions.CreateTenantAwareEvents(webHostEnvironment);
           //});
    }
}

Here are the errors in seq. The authority is never set.

A little background.

I have a page where a user can search for their organization by name, and if found, the tenant identifier is returned. The user is redirected to login (identity server) and ultimately to their dashboard. The identity server uses the identifier that is returned by the search page to set its tenant.

If the organization is not found, the user is redirected to a new customer referral page.

Prior to the upgrade to .NET 10, I had all this working using the ClaimsStrategy and Static Strategy. Changing the Tenant Object from a class to a record (immutable properties) caused me to change a couple of things.

If more information is needed let me know

[goforebroke]

Prior to the upgrade to .NET 10, the tenant object was not a record, and its properties had standard getters and setters.

The project would start up using a default tenant (i.e., StaticStrategy, ConfigurationStore).

When an organization was found on my search page, the default tenant’s properties—such as Id, Identifier, JwtAuthority, and others—were updated to match the organization before initiating the challenge.

Additionally, the OpenID events would fire and set the authority and other OpenID properties based on the updated tenant values.

At that point, the tenant was correctly set for IdentityServer, redirecting the user to the log in page.

After upgrading, the tenant became immutable (a record), so I needed to adopt a different strategy (HttpStrategy) to support users searching for their organization.

However, the HTTP strategy currently has a bug. Until the patch is released, the OpenID events will not be triggered with the delegate strategy, even when the tenant is resolved.

[AndrewTriesToCode]

Do I understand correctly that you would mutate the tenant as a part of your workflow intentionally? You should be able to get similar results by using IMultiTenantContextSetter to assign a new multi tenant context with tenant info as “current”.

[goforebroke]

That is correct. I would mutate the default tenant id and identifier prior to making the challenge. Once the user logged in with Identity server, the client was redirected back with a tenant claim, and the Claim strategy would then resolve the tenant. I will try with IMultiTenantContextSetter tomorrow and report back to you

[goforebroke]

I switched back to my original strategies (Claim and Static) with the default tenant.

A challenge was made, but the tenant did not change. It stayed with the default tenant. Am I doing something wrong with the search page and IMultiTenantContextSetter ?

public async Task<IActionResult> OnPostAsync()
{
    if (!ModelState.IsValid)
    {
        return Page();
    }

    try
    {
        var response = await _settingsService.SearchForOrganizationAsync(Input.Organization);

        var tenantInfo = new AppTenantInfo(response.TenantId, response.TenantIdentifier, string.Empty);

        var multiTenantContext = new MultiTenantContext<AppTenantInfo>(tenantInfo);

        _multiTenantContextSetter.MultiTenantContext = multiTenantContext;

        return RedirectToPage("/Dashboard/Index");
    }
    catch(ProblemDetailsNotFoundException)
    {
        return RedirectToPage("/Refer/Index", new { organization = Input.Organization });
    }
    catch (ProblemDetailsException problemDetailsException)
    {
        problemDetailsException.AddErrorsToModelState(ModelState);
    }

    return Page();
} 

[AndrewTriesToCode]

Hey I have some time this afternoon if you want to jump on a teams call. Shoot me an email if you want to do that. I want to make sure this is resolved for you.

[goforebroke]

sure what time is good for you

[AndrewTriesToCode]

I sent you an email to take coordination offline.