feat: platform access token handling #433
Pull request overview
This pull request introduces comprehensive platform access token handling functionality to the Altinn authorization framework. The implementation adds JWT-based token validation for platform-to-platform authentication, with support for multiple token issuers, certificate-based signing key validation, and seamless integration with ASP.NET Core authorization policies and Swagger/OpenAPI documentation.
Key Changes
- Platform Access Token Infrastructure: New authorization requirements, handlers, and attributes for validating JWT-based platform access tokens with configurable issuer approval
- Swashbuckle Integration: OpenAPI documentation support for platform access token authentication schemes
- Security Normalization Improvements: Enhanced security requirement deduplication logic using HashSet-based comparisons to handle duplicate requirements more efficiently
Reviewed changes
Copilot reviewed 31 out of 31 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| SecurityInfoTests.cs | Adds test case for duplicate security requirement handling |
| RequirementAuthorizationPolicySecurityProviderTests.cs | Renames method to align with updated interface |
| DefaultPlatformAccessTokenHandlerTests.cs | New comprehensive test suite for platform access token validation |
| ApprovedIssuersCheckTests.cs | Tests for issuer validation logic |
| TestPlatformAccessTokenSigningKeyProvider.cs | Mock implementation for certificate-based signing key provider |
| TestOptionsMonitor.cs | Test helper for IOptionsMonitor implementation |
| TestHybridCache.cs | Test implementation of HybridCache for .NET 9+ |
| SwaggerPlatformAccessTokenRequirementConditionProvider.cs | Maps platform token requirements to OpenAPI security schemes |
| SwaggerAnyOfScopeAuthorizationRequirementConditionProvider.cs | Class renamed for consistency |
| AltinnSecurityOptions.cs | Updates default values for platform token scheme |
| AltinnSwashbuckleServiceCollectionExtensions.cs | Registers platform token condition provider |
| WellKnownPlatformAccessTokenIssuers.cs | Enum for well-known platform token issuers |
| PlatformAccessTokenSigningKeyProvider.cs | Azure Key Vault-based certificate retrieval |
| PlatformAccessTokenSettings.cs | Configuration settings for platform token validation |
| PlatformAccessTokenRequirement.cs | Internal authorization requirement implementation |
| IPlatformAccessTokenRequirement.cs | Interface for platform token authorization requirements |
| PlatformAccessTokenAuthorizeAttribute.cs | Attribute for platform token authorization |
| PlatformAccessTokenOrScopeAnyOfAuthorizeAttribute.cs | Attribute for platform token OR scope authorization |
| PlatformAccessTokenOrScopeAnyOfAuthorizationRequirement.cs | OR-based authorization requirement |
| DefaultPlatformAccessTokenHandler.cs | Core JWT validation handler |
| IPlatformAccessTokenSigningKeyProvider.cs | Interface for certificate key providers |
| BasePlatformAccessTokenSigningKeyProvider.cs | Base implementation with caching support |
| ApprovedIssuersCheck.cs | Issuer validation logic with optimized lookups |
| AltinnServiceDefaultsAuthorizationServiceCollectionExtensions.cs | DI registration for platform token handlers |
| AltinnAuthorizationPolicyBuilderExtensions.cs | Extension methods for policy configuration |
| SecurityInfo.cs | Improved security requirement normalization with HashSet deduplication |
| OpenApiAuthorizationRequirementConditionProvider.cs | Method renamed for clarity |
| Directory.Packages.props | Package version definitions for new dependencies |
| Altinn.Authorization.ServiceDefaults.Authorization.csproj | Project dependencies for platform token support |
| ResourceController.cs | Sample API demonstrating platform token authorization |
| AdminController.cs | Sample API with platform token attribute |
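The review summary above describes the validation pattern this PR adds (a JWT from another platform component, accepted only when its issuer is on an approved list and its signature verifies against that issuer's certificate). The following is an added illustration of that pattern written for this page; it is not code from the PR or from the Altinn repository, and it does not reproduce the project's handler, settings or key-provider types. The class name ApprovedIssuerTokenValidator, the audience "altinn-platform", the issuer strings "platform" and "rogue" and the "urn:altinn:app" claim are all assumptions made for the example. It targets the Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Tokens packages and mints its own self-signed certificates so it runs offline.

```csharp
// Added example (not code from the Altinn PR): validate a platform-to-platform JWT against
// an explicit issuer allow-list, resolving the X.509 signing certificate from the token's
// own "iss" claim. Assumed names: ApprovedIssuerTokenValidator, the "altinn-platform"
// audience, the sample issuers "platform"/"rogue" and the constructed "urn:altinn:app" claim.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public sealed class ApprovedIssuerTokenValidator
{
    // Issuer -> certificate whose public key must have signed that issuer's tokens.
    // Ordinal comparison: RFC 7519 defines "iss" as a case-sensitive StringOrURI.
    private readonly Dictionary<string, X509Certificate2> _issuerCerts;
    private readonly string _audience;

    public ApprovedIssuerTokenValidator(IDictionary<string, X509Certificate2> issuerCerts, string audience)
    {
        _issuerCerts = new Dictionary<string, X509Certificate2>(issuerCerts, StringComparer.Ordinal);
        _audience = audience;
    }

    public Task<TokenValidationResult> ValidateAsync(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = _issuerCerts.Keys,
            ValidateAudience = true,
            ValidAudience = _audience,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            // Pin the algorithm: "none" and HMAC-with-a-public-key tokens are rejected outright.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            // Choose the key from the token's own "iss": an unlisted issuer gets no key at all,
            // so its signature can never verify, whatever else the token claims.
            IssuerSigningKeyResolver = (token, securityToken, kid, p) =>
                _issuerCerts.TryGetValue(securityToken.Issuer ?? string.Empty, out var cert)
                    ? new SecurityKey[] { new X509SecurityKey(cert) }
                    : Array.Empty<SecurityKey>(),
        };
        return new JsonWebTokenHandler().ValidateTokenAsync(jwt, parameters);
    }
}

public static class Demo
{
    // Self-signed certificate standing in for the per-issuer certificate a key provider would fetch.
    private static X509Certificate2 NewSelfSignedCert(string subject)
    {
        var rsa = RSA.Create(2048);
        var request = new CertificateRequest($"CN={subject}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    // Mint a token the way a platform component would; the issuer claim is caller-controlled on purpose.
    private static string Mint(string issuer, X509Certificate2 signingCert, string audience)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            Subject = new ClaimsIdentity(new[] { new Claim("urn:altinn:app", "demo-app") }), // constructed claim
            SigningCredentials = new SigningCredentials(new X509SecurityKey(signingCert), SecurityAlgorithms.RsaSha256),
        };
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    public static async Task Main()
    {
        const string audience = "altinn-platform";
        using var platformCert = NewSelfSignedCert("platform");
        using var rogueCert = NewSelfSignedCert("rogue");
        var validator = new ApprovedIssuerTokenValidator(
            new Dictionary<string, X509Certificate2> { ["platform"] = platformCert }, audience);

        var ok = await validator.ValidateAsync(Mint("platform", platformCert, audience));
        Console.WriteLine($"approved issuer, matching cert: IsValid={ok.IsValid}");

        var unlisted = await validator.ValidateAsync(Mint("rogue", rogueCert, audience));
        Console.WriteLine($"unlisted issuer: IsValid={unlisted.IsValid} ({unlisted.Exception?.GetType().Name})");

        // Claims the approved issuer but is signed with someone else's key: the key is pinned
        // to the issuer, so the signature check fails even though "iss" is on the list.
        var forged = await validator.ValidateAsync(Mint("platform", rogueCert, audience));
        Console.WriteLine($"approved issuer, wrong cert: IsValid={forged.IsValid} ({forged.Exception?.GetType().Name})");
    }
}
```

The point worth checking in any implementation of this pattern is the third case: the issuer allow-list and the signing-key lookup must be bound together, so that a token naming an approved issuer is only trusted when it verifies against that issuer's certificate, not against any certificate the provider happens to know.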
Review threads (all resolved):
- ...zation/Scopes/PlatformAccessToken/PlatformAccessTokenOrScopeAnyOfAuthorizationRequirement.cs (outdated)
- ...thorization/Microsoft.AspNetCore.Authorization/AltinnAuthorizationPolicyBuilderExtensions.cs (2 threads)
- src/Altinn.Swashbuckle/src/Altinn.Swashbuckle.Abstractions/Security/SecurityInfo.cs (2 threads)
- ...erviceDefaults.Authorization/Scopes/PlatformAccessToken/DefaultPlatformAccessTokenHandler.cs
- .../src/ServiceDefaults.Authorization/Scopes/PlatformAccessToken/PlatformAccessTokenSettings.cs
- ...eDefaults/test/ServiceDefaults.Authorization.Tests/DefaultPlatformAccessTokenHandlerTests.cs (3 threads, outdated)
Head updated: 4a48857 to d411151
Head updated: d411151 to a24e642
TheTechArch left a comment: LGTM

This is part 2 of 2 in a stack made with GitButler: