Remove the client secret from AAD V2 authenticator (#9340)

joelverhagen · web-flow · commit d18bf1c5ea78 · 2023-01-09T06:25:30.000-08:00
We were only ever using the id_token which contains enough detail for NuGet.org sign in. The code response is not used. Progress on NuGet/Engineering#4099
diff --git a/src/NuGetGallery.Services/Authentication/Providers/AzureActiveDirectoryV2/AzureActiveDirectoryV2Authenticator.cs b/src/NuGetGallery.Services/Authentication/Providers/AzureActiveDirectoryV2/AzureActiveDirectoryV2Authenticator.cs
@@ -101,12 +101,13 @@ protected override void AttachToOwinApp(IGalleryConfigurationService config, IAp
                 RedirectUri = siteRoot + _callbackPath,
                 PostLogoutRedirectUri = siteRoot,
                 Scope = OpenIdConnectScope.OpenIdProfile + " email",
-                ResponseType = OpenIdConnectResponseType.CodeIdToken,
+                ResponseType = OpenIdConnectResponseType.IdToken,
                 TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
                 Notifications = new OpenIdConnectAuthenticationNotifications
                 {
                     AuthenticationFailed = AuthenticationFailed,
-                    RedirectToIdentityProvider = RedirectToIdentityProvider
+                    RedirectToIdentityProvider = RedirectToIdentityProvider,
+                    AuthorizationCodeReceived = AuthorizationCodeReceived,
                 }
             };
 
@@ -257,7 +258,7 @@ private Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<O
             // Set the redirect_uri token for the alternate domains of same gallery instance
             if (_alternateSiteRootList != null && _alternateSiteRootList.Contains(notification.Request.Uri.Host))
             {
-                notification.ProtocolMessage.RedirectUri = "https://" + notification.Request.Uri.Host + "/" + _callbackPath ;
+                notification.ProtocolMessage.RedirectUri = "https://" + notification.Request.Uri.Host + "/" + _callbackPath;
             }
 
             // We always want to show the options to select account when signing in and while changing account.
@@ -271,5 +272,13 @@ private AuthenticationProperties GetAuthenticationPropertiesFromProtocolMessage(
             var authenticationPropertiesEncodedString = message.State.Split('=');
             return options.StateDataFormat.Unprotect(authenticationPropertiesEncodedString[1]);
         }
+
+        private Task AuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
+        {
+            // Explicitly set the access_token to null. The access_token is used for authorized requests to AAD on
+            // behalf of the end user. We do not use this feature. We only use the id_token.
+            context.HandleCodeRedemption(accessToken: null, idToken: context.JwtSecurityToken.RawData);
+            return Task.CompletedTask;
+        }
     }
 }
diff --git a/src/NuGetGallery.Services/Authentication/Providers/AzureActiveDirectoryV2/AzureActiveDirectoryV2AuthenticatorConfiguration.cs b/src/NuGetGallery.Services/Authentication/Providers/AzureActiveDirectoryV2/AzureActiveDirectoryV2AuthenticatorConfiguration.cs
@@ -12,7 +12,6 @@ namespace NuGetGallery.Authentication.Providers.AzureActiveDirectoryV2
     public class AzureActiveDirectoryV2AuthenticatorConfiguration : AuthenticatorConfiguration
     {
         public string ClientId { get; set; }
-        public string ClientSecret { get; set; }
 
         public AzureActiveDirectoryV2AuthenticatorConfiguration()
         {
@@ -31,7 +30,7 @@ public override void ApplyToOwinSecurityOptions(AuthenticationOptions options)
                 // the auth flow.
                 openIdOptions.AuthenticationMode = AuthenticationMode.Passive;
 
-                // Make sure ClientId and ClientSecret is configured
+                // Make sure ClientId is configured
                 if (String.IsNullOrEmpty(ClientId))
                 {
                     throw new ConfigurationErrorsException(String.Format(
@@ -40,16 +39,7 @@ public override void ApplyToOwinSecurityOptions(AuthenticationOptions options)
                         "Auth.CommonAuth.ClientId"));
                 }
 
-                if (String.IsNullOrEmpty(ClientSecret))
-                {
-                    throw new ConfigurationErrorsException(String.Format(
-                        CultureInfo.CurrentCulture,
-                        ServicesStrings.MissingRequiredConfigurationValue,
-                        "Auth.CommonAuth.ClientSecret"));
-                }
-
                 openIdOptions.ClientId = ClientId;
-                openIdOptions.ClientSecret = ClientSecret;
                 openIdOptions.Authority = String.Format(CultureInfo.InvariantCulture, AzureActiveDirectoryV2Authenticator.Authority, AzureActiveDirectoryV2Authenticator.V2CommonTenant);
             }
         }
diff --git a/src/NuGetGallery/Web.config b/src/NuGetGallery/Web.config
@@ -101,7 +101,6 @@
     <add key="Auth.MicrosoftAccount.ClientSecret" value=""/>
     <add key="Auth.AzureActiveDirectoryV2.Enabled" value="false"/>
     <add key="Auth.AzureActiveDirectoryV2.ClientId" value=""/>
-    <add key="Auth.AzureActiveDirectoryV2.ClientSecret" value=""/>
     <add key="Auth.AzureActiveDirectory.Enabled" value="false"/>
     <add key="Auth.AzureActiveDirectory.ClientId" value=""/>
     <add key="Auth.AzureActiveDirectory.Authority" value=""/>

Original file line number	Diff line number	Diff line change
`@@ -101,12 +101,13 @@ protected override void AttachToOwinApp(IGalleryConfigurationService config, IAp`
`101`	`101`	`RedirectUri = siteRoot + _callbackPath,`
`102`	`102`	`PostLogoutRedirectUri = siteRoot,`
`103`	`103`	`Scope = OpenIdConnectScope.OpenIdProfile + " email",`
`104`		`- ResponseType = OpenIdConnectResponseType.CodeIdToken,`
	`104`	`+ ResponseType = OpenIdConnectResponseType.IdToken,`
`105`	`105`	`TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },`
`106`	`106`	`Notifications = new OpenIdConnectAuthenticationNotifications`
`107`	`107`	`{`
`108`	`108`	`AuthenticationFailed = AuthenticationFailed,`
`109`		`- RedirectToIdentityProvider = RedirectToIdentityProvider`
	`109`	`+ RedirectToIdentityProvider = RedirectToIdentityProvider,`
	`110`	`+ AuthorizationCodeReceived = AuthorizationCodeReceived,`
`110`	`111`	`}`
`111`	`112`	`};`
`112`	`113`
`@@ -257,7 +258,7 @@ private Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<O`
`257`	`258`	`// Set the redirect_uri token for the alternate domains of same gallery instance`
`258`	`259`	`if (_alternateSiteRootList != null && _alternateSiteRootList.Contains(notification.Request.Uri.Host))`
`259`	`260`	`{`
`260`		`- notification.ProtocolMessage.RedirectUri = "https://" + notification.Request.Uri.Host + "/" + _callbackPath ;`
	`261`	`+ notification.ProtocolMessage.RedirectUri = "https://" + notification.Request.Uri.Host + "/" + _callbackPath;`
`261`	`262`	`}`
`262`	`263`
`263`	`264`	`// We always want to show the options to select account when signing in and while changing account.`
`@@ -271,5 +272,13 @@ private AuthenticationProperties GetAuthenticationPropertiesFromProtocolMessage(`
`271`	`272`	`var authenticationPropertiesEncodedString = message.State.Split('=');`
`272`	`273`	`return options.StateDataFormat.Unprotect(authenticationPropertiesEncodedString[1]);`
`273`	`274`	`}`
	`275`	`+`
	`276`	`+ private Task AuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)`
	`277`	`+ {`
	`278`	`+ // Explicitly set the access_token to null. The access_token is used for authorized requests to AAD on`
	`279`	`+ // behalf of the end user. We do not use this feature. We only use the id_token.`
	`280`	`+ context.HandleCodeRedemption(accessToken: null, idToken: context.JwtSecurityToken.RawData);`
	`281`	`+ return Task.CompletedTask;`
	`282`	`+ }`
`274`	`283`	`}`
`275`	`284`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ namespace NuGetGallery.Authentication.Providers.AzureActiveDirectoryV2`
`12`	`12`	`public class AzureActiveDirectoryV2AuthenticatorConfiguration : AuthenticatorConfiguration`
`13`	`13`	`{`
`14`	`14`	`public string ClientId { get; set; }`
`15`		`- public string ClientSecret { get; set; }`
`16`	`15`
`17`	`16`	`public AzureActiveDirectoryV2AuthenticatorConfiguration()`
`18`	`17`	`{`
`@@ -31,7 +30,7 @@ public override void ApplyToOwinSecurityOptions(AuthenticationOptions options)`
`31`	`30`	`// the auth flow.`
`32`	`31`	`openIdOptions.AuthenticationMode = AuthenticationMode.Passive;`
`33`	`32`
`34`		`- // Make sure ClientId and ClientSecret is configured`
	`33`	`+ // Make sure ClientId is configured`
`35`	`34`	`if (String.IsNullOrEmpty(ClientId))`
`36`	`35`	`{`
`37`	`36`	`throw new ConfigurationErrorsException(String.Format(`
`@@ -40,16 +39,7 @@ public override void ApplyToOwinSecurityOptions(AuthenticationOptions options)`
`40`	`39`	`"Auth.CommonAuth.ClientId"));`
`41`	`40`	`}`
`42`	`41`
`43`		`- if (String.IsNullOrEmpty(ClientSecret))`
`44`		`- {`
`45`		`- throw new ConfigurationErrorsException(String.Format(`
`46`		`- CultureInfo.CurrentCulture,`
`47`		`- ServicesStrings.MissingRequiredConfigurationValue,`
`48`		`- "Auth.CommonAuth.ClientSecret"));`
`49`		`- }`
`50`		`-`
`51`	`42`	`openIdOptions.ClientId = ClientId;`
`52`		`- openIdOptions.ClientSecret = ClientSecret;`
`53`	`43`	`openIdOptions.Authority = String.Format(CultureInfo.InvariantCulture, AzureActiveDirectoryV2Authenticator.Authority, AzureActiveDirectoryV2Authenticator.V2CommonTenant);`
`54`	`44`	`}`
`55`	`45`	`}`