Add authentication in Swagger UI

CHANGELOG.md

@@ -11,6 +11,7 @@
 - Added grid to manage organisations in administration area.
 - Added grid to manage users in administration area.
 - Added local Keycloak server for development.
+- Added authentication in Swagger UI.
 
 ### Changed
 

config/realms/keycloak-geopilot.json

@@ -14,11 +14,29 @@
       "alwaysDisplayInConsole": true,
       "redirectUris": [
         "https://localhost:5173",
-        "http://localhost:5173"
+        "http://localhost:5173",
+        "https://localhost:7188/swagger/oauth2-redirect.html",
+        "http://localhost:5173/swagger/oauth2-redirect.html"
       ],
       "webOrigins": [
         "https://localhost:5173",
-        "http://localhost:5173"
+        "http://localhost:5173",
+        "https://localhost:7188"
+      ],
+      "protocolMappers": [
+        {
+          "name": "geopilot-audience-mapper",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "included.client.audience": "geopilot-client",
+            "id.token.claim": "false",
+            "lightweight.claim": "false",
+            "access.token.claim": "true",
+            "introspection.token.claim": "true"
+          }
+        }
       ]
     }
   ],

docker-compose.yml

@@ -65,6 +65,9 @@ services:
       ReverseProxy__Clusters__stacBrowserCluster__Destinations__stacBrowserDestination__Address: http://stac-browser:8080/
       Auth__Authority: http://localhost:4011/realms/geopilot
       Auth__ClientId: geopilot-client
+      Auth__AuthorizationUrl: http://localhost:4011/realms/geopilot/protocol/openid-connect/auth
+      Auth__TokenUrl: http://localhost:4011/realms/geopilot/protocol/openid-connect/token
+      Auth__ApiOrigin: http://localhost:5173
       Validation__InterlisCheckServiceUrl: http://interlis-check-service/
     volumes:
       - ./src/Geopilot.Api/Uploads:/uploads

src/Geopilot.Api/Program.cs

@@ -102,6 +102,53 @@
 
     // Workaround for STAC API having multiple actions mapped to the "search" route.
     options.ResolveConflictingActions(apiDescriptions => apiDescriptions.First());
+
+    var scopes = new Dictionary<string, string>
+    {
+        { "openid", "Open Id" },
+        { "email", "User Email" },
+        { "profile", "User Profile" },
+    };
+    var apiScope = builder.Configuration["Auth:ApiScope"];
+    if (apiScope != null)
+    {
+        scopes.Add(apiScope, "geopilot API (required)");
+    }
+
+    options.AddSecurityDefinition(JwtBearerDefaults.AuthenticationScheme, new OpenApiSecurityScheme
+    {
+        Name = "Authorization",
+        Scheme = JwtBearerDefaults.AuthenticationScheme,
+        In = ParameterLocation.Header,
+        Type = SecuritySchemeType.OAuth2,
+        Flows = new OpenApiOAuthFlows
+        {
+            AuthorizationCode = new OpenApiOAuthFlow
+            {
+                Scopes = scopes,
+                AuthorizationUrl = new Uri(builder.Configuration["Auth:AuthorizationUrl"] !),
+                TokenUrl = new Uri(builder.Configuration["Auth:TokenUrl"] !),
+                RefreshUrl = new Uri(builder.Configuration["Auth:TokenUrl"] !),
+            },
+        },
+    });
+    options.AddSecurityRequirement(new OpenApiSecurityRequirement
+    {
+        {
+            new OpenApiSecurityScheme
+            {
+                Reference = new OpenApiReference
+                {
+                    Type = ReferenceType.SecurityScheme,
+                    Id = JwtBearerDefaults.AuthenticationScheme,
+                },
+                Scheme = "oauth2",
+                Name = JwtBearerDefaults.AuthenticationScheme,
+                In = ParameterLocation.Header,
+            },
+            Array.Empty<string>()
+        },
+    });
 });
 
 builder.Services
@@ -189,6 +236,10 @@
 app.UseSwaggerUI(options =>
 {
     options.SwaggerEndpoint("/swagger/v1/swagger.json", "geopilot API v1.0");
+
+    options.OAuthClientId(builder.Configuration["Auth:ClientId"]);
+    options.OAuth2RedirectUrl($"{builder.Configuration["Auth:ApiOrigin"]}/swagger/oauth2-redirect.html");
+    options.OAuthUsePkce();
 });
 
 app.UseHttpsRedirection();

src/Geopilot.Api/appsettings.Development.json

@@ -1,7 +1,10 @@
 {
   "Auth": {
     "Authority": "http://localhost:4011/realms/geopilot",
-    "ClientId": "geopilot-client"
+    "ClientId": "geopilot-client",
+    "AuthorizationUrl": "http://localhost:4011/realms/geopilot/protocol/openid-connect/auth",
+    "TokenUrl": "http://localhost:4011/realms/geopilot/protocol/openid-connect/token",
+    "ApiOrigin": "https://localhost:7188"
   },
   "Logging": {
     "LogLevel": {