[OIDC] Add basic Entra ID token validation (#10251)

This handles issuer, audience, expiration, and signature validation

Author: joelverhagen

src/NuGetGallery.Services/Authentication/Federated/EntraIdTokenValidator.cs

@@ -0,0 +1,73 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Validators;
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    /// <summary>
+    /// This interface is used to ensure a given token is issued by Entra ID.
+    /// </summary>
+    public interface IEntraIdTokenValidator
+    {
+        /// <summary>
+        /// Perform minimal validation of the token to ensure it was issued by Entra ID. Validations:
+        /// - Expected issuer (Entra ID)
+        /// - Expected audience
+        /// - Valid signature
+        /// - Not expired
+        /// </summary>
+        /// <param name="token">The parsed JWT</param>
+        /// <returns>The token validation result, check the <see cref="TokenValidationResult.IsValid"/> for success or failure.</returns>
+        Task<TokenValidationResult> ValidateAsync(JsonWebToken token);
+    }
+
+    public class EntraIdTokenValidator : IEntraIdTokenValidator
+    {
+        private static string EntraIdAuthority { get; } = "https://login.microsoftonline.com/common/v2.0";
+        public static string MetadataAddress { get; } = $"{EntraIdAuthority}/.well-known/openid-configuration";
+
+        private readonly ConfigurationManager<OpenIdConnectConfiguration> _oidcConfigManager;
+        private readonly JsonWebTokenHandler _jsonWebTokenHandler;
+        private readonly IFederatedCredentialConfiguration _configuration;
+
+        public EntraIdTokenValidator(
+            ConfigurationManager<OpenIdConnectConfiguration> oidcConfigManager,
+            JsonWebTokenHandler jsonWebTokenHandler,
+            IFederatedCredentialConfiguration configuration)
+        {
+            _oidcConfigManager = oidcConfigManager ?? throw new ArgumentNullException(nameof(oidcConfigManager));
+            _jsonWebTokenHandler = jsonWebTokenHandler ?? throw new ArgumentNullException(nameof(jsonWebTokenHandler));
+            _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
+        }
+
+        public async Task<TokenValidationResult> ValidateAsync(JsonWebToken token)
+        {
+            if (string.IsNullOrWhiteSpace(_configuration.EntraIdAudience))
+            {
+                throw new InvalidOperationException("Unable to validate Entra ID token. Entra ID audience is not configured.");
+            }
+
+            var tokenValidationParameters = new TokenValidationParameters
+            {
+                IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(EntraIdAuthority).Validate,
+                ValidAudience = _configuration.EntraIdAudience,
+                ConfigurationManager = _oidcConfigManager,
+            };
+
+            tokenValidationParameters.EnableAadSigningKeyIssuerValidation();
+
+            var result = await _jsonWebTokenHandler.ValidateTokenAsync(token, tokenValidationParameters);
+
+            return result;
+        }
+    }
+}

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs

@@ -0,0 +1,21 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public interface IFederatedCredentialConfiguration
+    {
+        /// <summary>
+        /// The expected audience for the incoming token. This is the "aud" claim and should be specific to the gallery
+        /// service itself (not shared between multiple services). This is used only for Entra ID token validation.
+        /// </summary>
+        string? EntraIdAudience { get; }
+    }
+
+    public class FederatedCredentialConfiguration : IFederatedCredentialConfiguration
+    {
+        public string? EntraIdAudience { get; set; }
+    }
+}

src/NuGetGallery.Services/Configuration/ConfigurationService.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -14,6 +14,7 @@
 using NuGet.Services.Configuration;
 using NuGet.Services.KeyVault;
 using NuGetGallery.Configuration.SecretReader;
+using NuGetGallery.Services.Authentication;
 
 namespace NuGetGallery.Configuration
 {
@@ -23,6 +24,7 @@ public class ConfigurationService : IGalleryConfigurationService, IConfiguration
         protected const string FeaturePrefix = "Feature.";
         protected const string ServiceBusPrefix = "AzureServiceBus.";
         protected const string PackageDeletePrefix = "PackageDelete.";
+        protected const string FederatedCredentialPrefix = "FederatedCredential.";
 
         private readonly Lazy<string> _httpSiteRootThunk;
         private readonly Lazy<string> _httpsSiteRootThunk;
@@ -31,6 +33,7 @@ public class ConfigurationService : IGalleryConfigurationService, IConfiguration
         private readonly Lazy<FeatureConfiguration> _lazyFeatureConfiguration;
         private readonly Lazy<IServiceBusConfiguration> _lazyServiceBusConfiguration;
         private readonly Lazy<IPackageDeleteConfiguration> _lazyPackageDeleteConfiguration;
+        private readonly Lazy<FederatedCredentialConfiguration> _lazyFederatedCredentialConfiguration;
 
         private static readonly HashSet<string> NotInjectedSettingNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
             SettingPrefix + "SqlServer",
@@ -66,6 +69,7 @@ public ConfigurationService()
             _lazyFeatureConfiguration = new Lazy<FeatureConfiguration>(() => ResolveFeatures().Result);
             _lazyServiceBusConfiguration = new Lazy<IServiceBusConfiguration>(() => ResolveServiceBus().Result);
             _lazyPackageDeleteConfiguration = new Lazy<IPackageDeleteConfiguration>(() => ResolvePackageDelete().Result);
+            _lazyFederatedCredentialConfiguration = new Lazy<FederatedCredentialConfiguration>(() => ResolveFederatedCredential().Result);
         }
 
         public static IEnumerable<PropertyDescriptor> GetConfigProperties<T>(T instance)
@@ -81,6 +85,8 @@ public static IEnumerable<PropertyDescriptor> GetConfigProperties<T>(T instance)
 
         public IPackageDeleteConfiguration PackageDelete => _lazyPackageDeleteConfiguration.Value;
 
+        public FederatedCredentialConfiguration FederatedCredential => _lazyFederatedCredentialConfiguration.Value;
+
         /// <summary>
         /// Gets the site root using the specified protocol
         /// </summary>
@@ -206,6 +212,11 @@ private async Task<IPackageDeleteConfiguration> ResolvePackageDelete()
             return await ResolveConfigObject(new PackageDeleteConfiguration(), PackageDeletePrefix);
         }
 
+        private async Task<FederatedCredentialConfiguration> ResolveFederatedCredential()
+        {
+            return await ResolveConfigObject(new FederatedCredentialConfiguration(), FederatedCredentialPrefix);
+        }
+
         protected virtual string GetAppSetting(string settingName)
         {
             return WebConfigurationManager.AppSettings[settingName];
@@ -273,4 +284,4 @@ private void CheckValidSiteRoot(string siteRoot)
             }
         }
     }
-}
+}

src/NuGetGallery/App_Start/DefaultDependenciesModule.cs

@@ -25,6 +25,9 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Http;
 using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Protocols;
 using Microsoft.WindowsAzure.ServiceRuntime;
 using NuGet.Services.Configuration;
 using NuGet.Services.Entities;
@@ -55,6 +58,7 @@
 using NuGetGallery.Infrastructure.Search.Correlation;
 using NuGetGallery.Security;
 using NuGetGallery.Services;
+using NuGetGallery.Services.Authentication;
 using Role = NuGet.Services.Entities.Role;
 
 namespace NuGetGallery
@@ -151,6 +155,8 @@ protected override void Load(ContainerBuilder builder)
             builder.Register(c => configuration.PackageDelete)
                 .As<IPackageDeleteConfiguration>();
 
+            ConfigureFederatedCredentials(builder, configuration);
+
             var telemetryService = new TelemetryService(
                 new TraceDiagnosticsSource(nameof(TelemetryService), telemetryClient),
                 telemetryClient);
@@ -531,6 +537,39 @@ protected override void Load(ContainerBuilder builder)
             builder.Populate(services);
         }
 
+        private static void ConfigureFederatedCredentials(ContainerBuilder builder, ConfigurationService configuration)
+        {
+            builder
+                .Register(c => configuration.FederatedCredential)
+                .As<IFederatedCredentialConfiguration>();
+
+            builder
+                .Register(_ => new OpenIdConnectConfigurationRetriever())
+                .As<IConfigurationRetriever<OpenIdConnectConfiguration>>();
+
+            const string EntraIdKey = "EntraId";
+
+            // this is a singleton to provide caching of the OIDC metadata
+            builder
+                .Register(p => new ConfigurationManager<OpenIdConnectConfiguration>(
+                    metadataAddress: EntraIdTokenValidator.MetadataAddress,
+                    p.Resolve<IConfigurationRetriever<OpenIdConnectConfiguration>>()))
+                .SingleInstance()
+                .Keyed<ConfigurationManager<OpenIdConnectConfiguration>>(EntraIdKey);
+
+            builder
+                .RegisterType<JsonWebTokenHandler>()
+                .InstancePerLifetimeScope();
+
+            builder
+                .Register(p => new EntraIdTokenValidator(
+                    p.ResolveKeyed<ConfigurationManager<OpenIdConnectConfiguration>>(EntraIdKey),
+                    p.Resolve<JsonWebTokenHandler>(),
+                    p.Resolve<IFederatedCredentialConfiguration>()))
+                .As<IEntraIdTokenValidator>()
+                .InstancePerLifetimeScope();
+        }
+
         // Internal for testing purposes
         internal static ApplicationInsightsConfiguration ConfigureApplicationInsights(
             IAppConfiguration configuration,

src/NuGetGallery/Web.config

@@ -203,6 +203,7 @@
     <add key="PackageDelete.MaximumDownloadsForPackageVersion" value=""/>
     <add key="Gallery.BlockLegacyLicenseUrl" value="false"/>
     <add key="Gallery.AllowLicenselessPackages" value="true"/>
+    <add key="FederatedCredential.EntraIdAudience" value=""/>
   </appSettings>
   <connectionStrings>
     <add name="Gallery.SqlServer" connectionString="Data Source=(localdb)\mssqllocaldb; Initial Catalog=NuGetGallery; Integrated Security=True; MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>