Merge pull request #347 from ITfoxtec/test

Test

FoxIDs.sln

@@ -39,6 +39,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\certificates.md = docs\certificates.md
 		docs\claim-transform.md = docs\claim-transform.md
 		docs\control.md = docs\control.md
+		docs\custom-domain.md = docs\custom-domain.md
 		docs\customization.md = docs\customization.md
 		docs\deployment.md = docs\deployment.md
 		docs\development.md = docs\development.md
@@ -57,6 +58,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\oidc.md = docs\oidc.md
 		docs\parties.md = docs\parties.md
 		docs\README.md = docs\README.md
+		docs\reverse-proxy.md = docs\reverse-proxy.md
 		docs\saml-2.0.md = docs\saml-2.0.md
 		docs\samples.md = docs\samples.md
 		docs\standard-support.md = docs\standard-support.md
@@ -102,11 +104,13 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\configure-parties.png = docs\images\configure-parties.png
 		docs\images\configure-resource-scopes-client.png = docs\images\configure-resource-scopes-client.png
 		docs\images\configure-resource-scopes-resource.png = docs\images\configure-resource-scopes-resource.png
+		docs\images\configure-reverse-proxy-secret.png = docs\images\configure-reverse-proxy-secret.png
 		docs\images\configure-saml-adfs-up-party.png = docs\images\configure-saml-adfs-up-party.png
 		docs\images\configure-saml-down-party.png = docs\images\configure-saml-down-party.png
 		docs\images\configure-saml-manual-up-party.png = docs\images\configure-saml-manual-up-party.png
 		docs\images\configure-saml-up-party.png = docs\images\configure-saml-up-party.png
 		docs\images\configure-tenant-adminuser.png = docs\images\configure-tenant-adminuser.png
+		docs\images\configure-tenant-custom-domain-my-track.png = docs\images\configure-tenant-custom-domain-my-track.png
 		docs\images\configure-tenant-text.png = docs\images\configure-tenant-text.png
 		docs\images\configure-tenant.png = docs\images\configure-tenant.png
 		docs\images\configure-track-setting.png = docs\images\configure-track-setting.png

docs/_sidebar.md

@@ -17,6 +17,8 @@
   - [Samples](samples.md)
 - [Customization](customization.md)
   - [Title, Icon and CSS](title-icon-css.md)
+  - [Custom domain](custom-domain.md)
   - [Languages](language.md)
 - [Deployment](deployment.md)
+  - [Reverse proxy](reverse-proxy.md)
 - [FAQ](faq.md)

docs/control.md

@@ -60,15 +60,19 @@ The track properties can be configured by clicking the top right setting icon.
 ## FoxIDs Control API
 FoxIDs Control API is a REST API. The API expose a Swagger (OpenApi) interface document.
 
-FoxIDs Control API require that the client calling the API is granted the `foxids:master` scope to access master data or the `foxids:tenant` scope access tenant data. Normally only tenant data is accessed.
-The client can be an OAuth 2.0 client granted the administrator role `foxids:tenant.admin` acting as the client itself. Or a OpenID Connect client with an authenticated user granted the administrator role `foxids:tenant.admin`. 
+FoxIDs Control API require that the client calling the API is granted the `foxids:master` scope to access master tenant data or the `foxids:tenant` scope access tenant data in a particular tenant. Normally only tenant data is accessed.
 
-This shows the FoxIDs Control API configuration in the master track with a scope that grants access to tenant data.
+ - The client can be an OAuth 2.0 client. Where the client is granted the administrator role `foxids:tenant.admin` acting as the client itself using client credentials grant.  
+ Her is how the [sample seed tool](https://localhost:44333/docs/samples#configure-the-sample-seed-tool) client is granted access.
+ - Or a OpenID Connect client with an authenticated master track user. Where the user is granted the administrator role `foxids:tenant.admin`. 
+
+This shows the FoxIDs Control API configuration in a tenants master track with a scope that grants access to tenant data.
 
 ![Configure foxids_control_api](images/configure-foxids_control_api.png)
 
-FoxIDs Control API is called with an access token as described in the OAuth 2.0 Bearer Token standard.
+FoxIDs Control API is called with an access token as described in the [OAuth 2.0 Bearer Token (RFC 6750)](https://datatracker.ietf.org/doc/html/rfc6750) standard.
 
 The Swagger (OpenApi) interface document is exposed on `.../api/swagger/v1/swagger.json`.  
-You can also find the Swagger (OpenApi) [interface document](https://control.foxids.com/api/swagger/v1/swagger.json) online.
+
+You can also find the FoxIDs.com Swagger (OpenApi) [interface document](https://control.foxids.com/api/swagger/v1/swagger.json) online.
 

docs/custom-domain.md

@@ -0,0 +1,27 @@
+# Custom domain
+
+Each FoxIDs tenant can be configured with a custom domain. The custom domain can be configured with [Control Client](control.md#foxids-control-client) 
+in your tenants master track under Settings --> Tenant settings. 
+
+![Configure reverse proxy secret](images/configure-tenant-custom-domain-my-track.png)
+
+> When a new custom domain is added it needs to be verified.
+
+## FoxIDs.com
+Configuring a custom domain in a FoxIDs.com tenant:
+
+ 1. In your DNS, add a CNAME with your custom domain and the target `custom-domains.foxids.com`
+ 2. Configure your custom domain in your FoxIDs tenants master track.
+ 3. Write an email to [FoxIDs support ([email protected])](mailto:[email protected]) and ask for a custom domain verification.
+ 4. FoxIDs support will ask you to add one or two TXT records to your DNS for verification.
+ 5. After successfully verification your domain become active.
+
+## Your own private cloud FoxIDs
+Custom domains is only supported if the FoxIDs service is behind a [reverse proxy](reverse-proxy.md) that can do domain rewrite.
+
+A domain is marked as verified in the master tenants master track and is thereafter accepted by FoxIDs.
+
+All custom domains on all tenants can be configured with [Control Client](control.md#foxids-control-client) and [Control API](control.md#foxids-control-api) in the master tenants master track. 
+Where also the domain can be marked as verified at the same time. 
+
+![Configure reverse proxy secret](images/configure-tenant-custom-domain-track.png)

docs/deployment.md

@@ -54,16 +54,17 @@ Download the `SHA-1` pwned passwords `ordered by prevalence` from [haveibeenpwne
 
 It is possible to run the sample applications after they are configured in a FoxIDs track. The sample configuration can be added with the [sample seed tool](samples.md#configure-samples-in-foxids-track).
 
-## Custom domains
+## Custom primary domains
 
-The FoxIDs and FoxIDs Control domains can be customized.  
+The FoxIDs service and FoxIDs Control primary domains can be customized. 
 
 > Important: change the primary domain before adding tenants.
 
-FoxIDs default domain is `https://foxidsxxxx.azurewebsites.net` which can be changed to a custom a domain like e.g., `https://foxidsxxxx.com` or `https://foxids.xxxx.com`  
-FoxIDs Control default domain is `https://foxidscontrolxxxx.azurewebsites.net` which can be changed to a domain like e.g., `https://control.foxidsxxxx.com` or `https://foxidscontrol.xxxx.com`
+FoxIDs service default domain is `https://foxidsxxxx.azurewebsites.net` which can be changed to a custom primary domain like e.g., `https://foxidsxxxx.com` or `https://foxids.xxxx.com`  
+FoxIDs Control default domain is `https://foxidscontrolxxxx.azurewebsites.net` which can be changed to a custom primary domain like e.g., `https://control.foxidsxxxx.com` or `https://foxidscontrol.xxxx.com`
 
-Custom domains are configured in Azure portal on the FoxIDs App Service and the FoxIDs Control App Service production slot under the `Custom domains` tab and by clicking the `Add custom domain` link. The FoxIDs site support one primary domain and multiple secondary domains, where the FoxIDs Control only support one primary domain.
+Custom primary domains are configured in Azure portal on the FoxIDs App Service and the FoxIDs Control App Service production slot under the `Custom domains` tab and by clicking the `Add custom domain` link.
+The FoxIDs site support one primary domain and multiple secondary domains, where the FoxIDs Control only support one primary domain.
 
 Configure new primary custom domain:
 
@@ -79,6 +80,9 @@ Configure new primary custom domain:
 - The setting `Settings:FoxIDsEndpoint` is changed to the FoxIDs sites primary custom domains.
 - The setting `Settings:FoxIDsControlEndpoint` is changed to the FoxIDs Control sites primary custom domains.
 
+## Reverse proxy
+It is recommended to place FoxIDs behind a [reverse proxy](reverse-proxy.md). If optionally using a reverse proxy, the [custom primary domains](#custom-primary-domains) exposed on the proxy need to be the same as on the Azure App services. 
+
 ## Specify default page
 
 An alternative default page can be configured for the FoxIDs site using the `Settings:WebsiteUrl` setting. If configured a full URL is required like e.g., `https://www.foxidsxxxx.com`.

docs/reverse-proxy.md

@@ -0,0 +1,62 @@
+# Reverse proxy
+It is recommended to place FoxIDs behind a reverse proxy. 
+
+The [custom primary domains](deployment.md#custom-primary-domains) exposed on the reverse proxy need to be the same as on the FoxIDs and FoxIDs Control Azure App services.  
+The FoxIDs service support [custom domains](custom-domain.md) which is handled with domain rewrite through the reverse proxy.
+
+> FoxIDs only support [custom domains](custom-domain.md) if it is behind a reverse proxy and the access is restricted by the `X-FoxIDs-Secret` HTTP header.
+
+## Restrict access
+Both the FoxIDs service and FoxIDs Control sites can restrict access based on the `X-FoxIDs-Secret` HTTP header.  
+The access restriction is activated by adding a secret with the name `Settings--ProxySecret` in Key Vault.
+
+![Configure reverse proxy secret](images/configure-reverse-proxy-secret.png)
+
+> The sites needs to be restarted to read the secret.
+
+After the reverse proxy secret has been configured in Key Vault the reverse proxy needs to add the `X-FoxIDs-Secret` HTTP header in all backed calls to FoxIDs to get access.
+
+## Read HTTP headers
+FoxIDs service support reading the client IP address in the following prioritized HTTP headers:
+
+ 1. `CF-Connecting-IP`
+ 2. `X-Azure-ClientIP`
+ 3. `X-Forwarded-For`
+
+FoxIDs service support reading the [custom domain](custom-domain.md) (host name) exposed on the revers proxy in the following prioritized HTTP headers:
+
+ 1. `X-ORIGINAL-HOST`
+ 2. `X-Forwarded-Host`
+
+ > The host header is only read if access is restricted by the `X-FoxIDs-Secret` HTTP header.
+
+## Tested reverse proxies
+FoxIDs is tested with the following reverse proxies.
+
+### Azure Front Door
+Azure Front Door can be configured as a reverse proxy with close to the default setup. Azure Front Door rewrite domains by default. 
+The `X-FoxIDs-Secret` HTTP header can optionally be added but is required to support [custom domain](custom-domain.md).
+
+### Cloudflare
+Cloudflare can be configured as a reverse proxy. But Cloudflare require a Enterprise plan to rewrite domains (host headers). The `X-FoxIDs-Secret` HTTP header should can be added.
+
+### IIS ARR Proxy
+Internet Information Services (IIS) Application Request Routing (ARR) Proxy require a Windows server. ARR Proxy rewrite domains with a rewrite rule. 
+The `X-FoxIDs-Secret` HTTP header can optionally be added (recommended depended on the infrastructure) but is required to support [custom domain](custom-domain.md).
+
+An accept all external exposed domains rule can be configured. This example is a global rule, rules can also be added to websites.  
+Optionally both requiring (`secret1`) and sending (`secret2`) in a `X-FoxIDs-Secret` HTTP header. You could require a `X-FoxIDs-Secret` HTTP header if you have a reverse proxy in front of the ARR Proxy.
+
+    <globalRules>
+        <rule name="my-rule-name" patternSyntax="Wildcard" stopProcessing="true">
+            <match url="*" />
+            <conditions>
+                <add input="{HTTP_X-FoxIDs-Secret}" pattern="... secret1 ..." ignoreCase="false" />
+            </conditions>                                                
+            <action type="Rewrite" url="https://my-foxids-installation.com/{R:1}" />
+            <serverVariables>
+                <set name="HTTP_X-ORIGINAL-HOST" value="{HTTP_HOST}" />
+                <set name="HTTP_X-FoxIDs-Secret" value="... secret2 ..." />
+            </serverVariables>
+        </rule>
+    </globalRules>

docs/standard-support.md

@@ -1,15 +1,20 @@
 # Standard support
 
-- All tokens are [JSON Web Token (JWT) (RFC 7519)](https://tools.ietf.org/html/rfc7519)
+- All tokens are JSON Web Token (JWT)
+  - [RFC 7519](https://tools.ietf.org/html/rfc7519)
 - OpenID Connect 1.0 supported in both down-parties and up-parties
    - [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html)
    - [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
    - [OpenID Connect Session Management 1.0 ](http://openid.net/specs/openid-connect-session-1_0.html)
    - [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html)
    - [OpenID Connect RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
--  [Proof Key for Code Exchange (PKCE) (RFC 7636)](https://tools.ietf.org/html/rfc7636) supported in OpenID Connect down-parties and up-parties
+- Proof Key for Code Exchange (PKCE) supported in OpenID Connect down-parties and up-parties
+  - [RFC 7636](https://tools.ietf.org/html/rfc7636)
 - SAML 2.0 supported in both down-parties and up-parties
   - [SAML 2.0 Core](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
   - [SAML 2.0 bindings](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) limited to POST and redirect binding
   - [SAML 2.0 metadata](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)
-- OAuth 2.0 ([RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)) limited to down-party [Client Credential Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+- OAuth 2.0 limited to down-party [Client Credential Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+  - [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)
+- One-Time Password (OPT) supported by MFA
+  - [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238)

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net6.0</TargetFramework>
-		<Version>1.0.2.8</Version>
+		<Version>1.0.3.2</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -25,9 +25,9 @@
     <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.3.0" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.20.0" />
     <PackageReference Include="Microsoft.Azure.ApplicationInsights.Query" Version="1.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="6.0.4" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.3.0" />
-    <PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="6.3.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="6.0.6" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.3.1" />
+    <PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="6.3.1" />
   </ItemGroup>
 
   <ItemGroup>

src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj

@@ -13,8 +13,8 @@
     <PackageReference Include="Blazored.Toast" Version="3.2.2" />
     <PackageReference Include="BlazorInputFile" Version="0.2.0" />
     <PackageReference Include="ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect" Version="1.6.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="6.0.4" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="6.0.4" PrivateAssets="all" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="6.0.6" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="6.0.6" PrivateAssets="all" />
     <PackageReference Include="Tewr.Blazor.FileReader" Version="3.3.1.21360" />
   </ItemGroup>
 

src/FoxIDs.ControlClient/Shared/MainLayout.razor

@@ -7,7 +7,7 @@
     <div class=container-fluid>
 
         <nav class="navbar navbar-expand navbar-light bg-light navbar-main">
-            <a class="navbar-brand">FoxIDs</a>
+            <a class="navbar-brand">Fox<span class="navbar-subbrand">ID</span>s</a>
             <AuthorizeView>
                 <Authorized>
                     <ul class="navbar-nav mr-auto">

src/FoxIDs.ControlClient/wwwroot/css/app.css

@@ -103,6 +103,11 @@ h4 {
 
 .navbar .navbar-brand {
     font-size: 1.5rem;
+    color: #ef8310 !important;
+}
+
+.navbar .navbar-subbrand {
+    color: #bbbbbb !important;
 }
 
 .navbar .searchDropdown {

src/FoxIDs.Shared/FoxIDs.Shared.csproj

@@ -30,12 +30,12 @@
 	<ItemGroup>
 		<FrameworkReference Include="Microsoft.AspNetCore.App" />
 		<PackageReference Include="Microsoft.ApplicationInsights" Version="2.20.0" />
-		<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.26.1" />
+		<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.28.0" />
 		<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.3.0" />
 		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.3.0" />
 		<PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.2" />
-		<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="6.0.4" />
-		<PackageReference Include="SendGrid" Version="9.27.0" />
+		<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="6.0.6" />
+		<PackageReference Include="SendGrid" Version="9.28.0" />
 		<PackageReference Include="UrlCombine" Version="2.0.0" />
 	</ItemGroup>
 

src/FoxIDs.Shared/Infrastructure/Hosting/ProxyHeadersMiddleware.cs

@@ -19,14 +19,17 @@ public ProxyHeadersMiddleware(RequestDelegate next)
 
         public async Task Invoke(HttpContext context)
         {
-            var hasSecret = Secret(context);
-
             ClientIp(context);
-            var host = Host(context);
 
-            if (hasSecret && !host.IsNullOrWhiteSpace())
+            var hasVerifiedSecret = Secret(context);
+            if (hasVerifiedSecret)
             {
-                context.Items[Constants.Routes.RouteBindingCustomDomainHeader] = host;
+                var host = Host(context);
+
+                if (!host.IsNullOrWhiteSpace())
+                {
+                    context.Items[Constants.Routes.RouteBindingCustomDomainHeader] = host;
+                }
             }
 
             await next.Invoke(context);

src/FoxIDs.Shared/Models/Config/CacheSettings.cs

@@ -1,16 +1,10 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace FoxIDs.Models.Config
+namespace FoxIDs.Models.Config
 {
     public class CacheSettings
     {
         /// <summary>
-        /// Time to cache custom domains in seconds (default 12 hours).
+        /// Time to cache custom domains in seconds (default 24 hours).
         /// </summary>
-        public int CustomDomainCacheLifetime { get; set; } = 43200;
+        public int CustomDomainCacheLifetime { get; set; } = 86400;
     }
 }

src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj

@@ -9,7 +9,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="ITfoxtec.Identity" Version="2.5.6" />
+		<PackageReference Include="ITfoxtec.Identity" Version="2.5.7" />
 		<PackageReference Include="ITfoxtec.Identity.Saml2" Version="4.8.2" />
 		<PackageReference Include="Microsoft.AspNetCore.Components.DataAnnotations.Validation" Version="3.2.0-rc1.20223.4" />
 		<PackageReference Include="System.Net.Http.Json" Version="6.0.0" />