Add dotnet user-jwts tool and runtime support

[captainsafia]

Part of #39857

❯ dotnet ~/github.com/captainsafia/aspnetcore/artifacts/bin/dotnet-dev-jwts/Debug/net7.0/dotnet-dev-jwts.dll list       
Project: /Users/captainsafia/github.com/AspNetCoreDevJwts/SampleWebApi/SampleWebApi.csproj
User Secrets Id: 17ab27f7-a844-4b14-9f44-a0a363d57fdb
 ---------------------------------------------------------------------------------------------------------------------------- 
 |       Id |         Name |               Audience |                            Issued |                           Expires |
 ---------------------------------------------------------------------------------------------------------------------------- 
 | 394d4cd2 | captainsafia | https://localhost:7157 | 2022-05-05T17:39:23.0000000+00:00 | 2022-11-05T17:39:23.0000000+00:00 |
 ---------------------------------------------------------------------------------------------------------------------------- 
 | 7613954c | captainsafia | https://localhost:7157 | 2022-05-05T22:23:51.0000000+00:00 | 2022-11-05T22:23:50.0000000+00:00 |
 ---------------------------------------------------------------------------------------------------------------------------- 


~/github.com/AspNetCoreDevJwts/SampleWebApi main*
❯ dotnet ~/github.com/captainsafia/aspnetcore/artifacts/bin/dotnet-dev-jwts/Debug/net7.0/dotnet-dev-jwts.dll print --help


Usage: dotnet dev-jwts print [arguments] [options]

Arguments:
  id  The ID of the JWT to print

Options:
  --project    The path of the project to operate on. Defaults to the project in the current directory.
  --show-full  Whether to show the full JWT contents in addition to the compact serialized format
  -h|--help    Show help information


~/github.com/AspNetCoreDevJwts/SampleWebApi main*
❯ dotnet ~/github.com/captainsafia/aspnetcore/artifacts/bin/dotnet-dev-jwts/Debug/net7.0/dotnet-dev-jwts.dll print 7613954c --show-full
Found JWT with ID '7613954c'
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
 |     Name |           Id |               Audience |                           Expires |                            Issued | Scopes | Roles | Custom Claims |                Token Header |                                                                                                                                                                 Token Payload |
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
 | 7613954c | captainsafia | https://localhost:7157 | 2022-11-05T22:23:50.0000000+00:00 | 2022-05-05T22:23:51.0000000+00:00 |        |       |        [none] | {"alg":"HS256","typ":"JWT"} | {"unique_name":"captainsafia","sub":"captainsafia","jti":"7613954c","nbf":1651789430,"exp":1667687030,"iat":1651789431,"iss":"dotnet-dev-jwt","aud":"https://localhost:7157"} |
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 

Compact Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImNhcHRhaW5zYWZpYSIsInN1YiI6ImNhcHRhaW5zYWZpYSIsImp0aSI6Ijc2MTM5NTRjIiwibmJmIjoxNjUxNzg5NDMwLCJleHAiOjE2Njc2ODcwMzAsImlhdCI6MTY1MTc4OTQzMSwiaXNzIjoiZG90bmV0LWRldi1qd3QiLCJhdWQiOiJodHRwczovL2xvY2FsaG9zdDo3MTU3In0.0_XltrGVHvHDJSX6GQEk8FzcPSCFB-l04voIg0fk_fo

~/github.com/AspNetCoreDevJwts/SampleWebApi main*
❯ dotnet ~/github.com/captainsafia/aspnetcore/artifacts/bin/dotnet-dev-jwts/Debug/net7.0/dotnet-dev-jwts.dll create --help             


Usage: dotnet dev-jwts create [options]

Options:
  --project     The path of the project to operate on. Defaults to the project in the current directory.
  --name        The name of the user to create the JWT for. Defaults to the current environment user.
  --audience    The audience to create the JWT for. Defaults to the first HTTPS URL configured in the project's launchSettings.json
  --issuer      The issuer of the JWT. Defaults to the dotnet-dev-jwt
  --scope       The issuer of the JWT. Defaults to the dotnet-dev-jwt
  --role        A role claim to add to the JWT. Specify once for each role
  --claim       Claims to add to the JWT. Specify once for each claim in the format "name=value"
  --not-before  The UTC date & time the JWT should not be valid before in the format 'yyyy-MM-dd [[HH:mm[[:ss]]]]'. Defaults to the date & time the JWT is created
  --expires-on  The UTC date & time the JWT should expire in the format 'yyyy-MM-dd [[[[HH:mm]]:ss]]'. Defaults to 6 months after the --not-before date. Do not use this option in conjunction with the --valid-for option.
  --valid-for   The period the JWT should expire after. Specify using a number followed by a period type like 'd' for days, 'h' for hours, 'm' for minutes, and 's' for seconds, e.g. '365d'. Do not use this option in conjunction with the --expires-on option.
  -h|--help     Show help information

[wtgodbe]

Build bits look good

[captainsafia]

🆙 📅 :

• Addressed feedback from above reviews
• Renamed CLI name to dotnet user-jwts

[DamianEdwards]

Do we need to guard this so that the middleware are only added if they're not already added in the app pipeline (like we do with the call to UseRouting() above)? Otherwise we'll be forcing auth to run earlier than the app wants to, which can cause problems, e.g. CORS.

[halter73]

Suggested change

	if (Authentication is WebApplicationAuthenticationBuilder webAuthBuilder && webAuthBuilder.IsAuthenticationConfigured is true)
	if (_webAuthBuilder.IsAuthenticationConfigured)

[halter73]

Can we add something to WebApplicationTests (or another test class since that's already kinda big) to verify we register services and add middleware when methods are called on the WebApplicationAuthenticationBuilder? And another test verifying that just accessing the Authentication getter doesn't do this?

[captainsafia]

Yep, will add this to verify changes for #41520 (comment)

[davidfowl]

This check shouldn't be there. The user needs to be able to re-run auth if they add this to the pipeline again.

[Tratcher]

Why would you re-run auth? The AuthN middleware is not route aware and only reacts to the default auth scheme setting.

[davidfowl]

That's exactly why you'd want to re-run it later in the pipeline to force setting the User based on the default scheme.

[davidfowl]

I guess your point is that there's never a situation where running UseAuthentication can change based on where it is in the pipeline. Is that right?

[HaoK]

Well a custom IAuthenticationSchemeProvider doesn't have to return the same value every time, so it is valid that rerunning the authentication middleware could result in a different User being set on a second call

[davidfowl]

The performance of auth already sucks, and this doesn't make it better enough to warrant the breaking change.

They can avoid it by not interacting with WebApplicationBuilder.Authentication and instead calling their methods directly on WebApplicationBuilder.

We can still mark that the middleware was added to avoid adding the one in the web application builder.

[captainsafia]

Can we add a flag to let them explicitly turn it off? WebApplicationBuider.Authenticaiton.AutoAddMiddleware = false?

That feels a little strange to me. The WebApplicationBuilder.Authentication pattern is an opt-in to the more simplified approach. It feels weird to have an opt-out to that when the more obvious choice of not using the new Authentication property at all exists.

[captainsafia]

How can someone that wants to manually add the middleware prevent the automatic one?

Our check in the WebApplicationBuilder prevents this from happening. We'll set a flag in UseAuthentication that is read and avoids re-registering automatically in the WAB.

[DamianEdwards]

That feels a little strange to me. The WebApplicationBuilder.Authentication pattern is an opt-in to the more simplified approach. It feels weird to have an opt-out to that when the more obvious choice of not using the new Authentication property at all exists.

It feels strange to me that there'd be scenarios we're consciously aware of where we'd say the workaround is to not use the new property. Can we simply make it so that the WebApplicationBuilder does not add the middlewares if the app pipeline has already added the authentication middleware? Why is any more than that needed?

[captainsafia]

Can we simply make it so that the WebApplicationBuilder does not add the middlewares if the app pipeline has already added the authentication middleware? Why is any more than that needed?

It already does that. To clarify, my point was that we didn't need to do anything additional here.

[captainsafia]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[captainsafia]

/backport release/7.0-preview5