feat(notifications): configurable OAuth2 authority + scope per SMTP configuration (defaults preserve M365) — entity + EF + migration + token service

Claude-Session: https://claude.ai/code/session_01MtdgwpEeCUn6cUA5f1LMPj
This commit is contained in:
Joseph Doherty
2026-07-10 04:07:13 -04:00
parent 178ae35308
commit 9e60347bde
8 changed files with 2201 additions and 5 deletions
@@ -25,6 +25,20 @@ public class SmtpConfiguration
/// <summary>Gets or sets the delay between retry attempts.</summary>
public TimeSpan RetryDelay { get; set; }
/// <summary>
/// Gets or sets the OAuth2 token-endpoint authority template, or null to use the
/// Microsoft 365 default (<c>https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token</c>).
/// The stored value is the full token-endpoint URL with an optional <c>{tenant}</c>
/// placeholder substituted from the credential's tenant id.
/// </summary>
public string? OAuth2Authority { get; set; }
/// <summary>
/// Gets or sets the OAuth2 scope requested from the token endpoint, or null to use the
/// Microsoft 365 default (<c>https://outlook.office365.com/.default</c>).
/// </summary>
public string? OAuth2Scope { get; set; }
/// <summary>
/// Initializes a new <see cref="SmtpConfiguration"/> with required fields.
/// </summary>
@@ -126,5 +126,14 @@ public class SmtpConfigurationConfiguration : IEntityTypeConfiguration<SmtpConfi
builder.Property(s => s.FromAddress)
.IsRequired()
.HasMaxLength(500);
// Optional OAuth2 token-endpoint overrides — null preserves the M365 defaults.
builder.Property(s => s.OAuth2Authority)
.IsRequired(false)
.HasMaxLength(500);
builder.Property(s => s.OAuth2Scope)
.IsRequired(false)
.HasMaxLength(500);
}
}
@@ -0,0 +1,40 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Migrations
{
/// <inheritdoc />
public partial class AddSmtpOAuth2AuthorityScope : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<string>(
name: "OAuth2Authority",
table: "SmtpConfigurations",
type: "nvarchar(500)",
maxLength: 500,
nullable: true);
migrationBuilder.AddColumn<string>(
name: "OAuth2Scope",
table: "SmtpConfigurations",
type: "nvarchar(500)",
maxLength: 500,
nullable: true);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropColumn(
name: "OAuth2Authority",
table: "SmtpConfigurations");
migrationBuilder.DropColumn(
name: "OAuth2Scope",
table: "SmtpConfigurations");
}
}
}
@@ -984,6 +984,14 @@ namespace ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Migrations
b.Property<int>("MaxRetries")
.HasColumnType("int");
b.Property<string>("OAuth2Authority")
.HasMaxLength(500)
.HasColumnType("nvarchar(500)");
b.Property<string>("OAuth2Scope")
.HasMaxLength(500)
.HasColumnType("nvarchar(500)");
b.Property<int>("Port")
.HasColumnType("int");
@@ -185,7 +185,11 @@ public sealed class EmailNotificationDeliveryAdapter : INotificationDeliveryAdap
if (config.AuthType.Equals("oauth2", StringComparison.OrdinalIgnoreCase)
&& _tokenService != null && credentials != null)
{
credentials = await _tokenService.GetTokenAsync(credentials, cancellationToken);
credentials = await _tokenService.GetTokenAsync(
credentials,
config.OAuth2Authority,
config.OAuth2Scope,
cancellationToken);
}
// OAuth2 XOAUTH2 requires the user identity (FromAddress)
@@ -38,11 +38,22 @@ public class OAuth2TokenService
/// Credentials format: "tenantId:clientId:clientSecret"
/// </summary>
/// <param name="credentials">Colon-separated string in the form <c>tenantId:clientId:clientSecret</c>.</param>
/// <param name="authority">
/// Optional token-endpoint authority template (may contain a <c>{tenant}</c> placeholder);
/// null preserves the Microsoft 365 default endpoint.
/// </param>
/// <param name="scope">Optional OAuth2 scope; null preserves the Microsoft 365 default scope.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A valid OAuth2 access token string.</returns>
public async Task<string> GetTokenAsync(string credentials, CancellationToken cancellationToken = default)
public async Task<string> GetTokenAsync(
string credentials,
string? authority = null,
string? scope = null,
CancellationToken cancellationToken = default)
{
var key = CredentialKey(credentials);
// Cache key incorporates authority + scope so two configurations with the same
// credentials but different endpoints/scopes never share a token.
var key = CredentialKey($"{credentials}|{authority}|{scope}");
var entry = _cache.GetOrAdd(key, _ => new CacheEntry());
if (entry.Token != null && DateTimeOffset.UtcNow < entry.Expiry)
@@ -70,14 +81,22 @@ public class OAuth2TokenService
var clientSecret = parts[2];
var client = _httpClientFactory.CreateClient("OAuth2");
var tokenUrl = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
// Authority: null → today's hardcoded M365 endpoint; otherwise the stored
// template with an optional {tenant} placeholder resolved from the credential.
var tokenUrl = authority == null
? $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"
: authority.Replace("{tenant}", tenantId);
// Scope: null → the M365 default.
var tokenScope = scope ?? "https://outlook.office365.com/.default";
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
["grant_type"] = "client_credentials",
["client_id"] = clientId,
["client_secret"] = clientSecret,
["scope"] = "https://outlook.office365.com/.default"
["scope"] = tokenScope
});
var response = await client.PostAsync(tokenUrl, form, cancellationToken);
@@ -169,6 +169,48 @@ public class OAuth2TokenServiceTests
Assert.Equal(1, handler.CallCount);
}
// ── Task 19: configurable OAuth2 authority + scope per SMTP configuration ──
[Fact]
public async Task GetTokenAsync_CustomAuthorityAndScope_PostsToConfiguredEndpoint()
{
// A non-M365 IdP: the stored authority template carries a {tenant} placeholder
// and the scope is provider-specific. Both must flow verbatim into the request.
var handler = new CapturingHttpMessageHandler(
TokenJson("custom-token", expiresIn: 3600));
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);
var token = await service.GetTokenAsync(
"T1:client:secret",
authority: "https://idp.example/{tenant}/token",
scope: "smtp.send");
Assert.Equal("custom-token", token);
Assert.Equal("https://idp.example/T1/token", handler.LastRequestUri!.ToString());
Assert.Equal("smtp.send", handler.LastForm!["scope"]);
}
[Fact]
public async Task GetTokenAsync_DefaultsPreserved_M365()
{
// No authority/scope → today's hardcoded Microsoft 365 endpoint + scope.
var handler = new CapturingHttpMessageHandler(
TokenJson("m365-token", expiresIn: 3600));
var client = new HttpClient(handler);
var factory = CreateMockFactory(client);
var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);
var token = await service.GetTokenAsync("tenant:client:secret");
Assert.Equal("m365-token", token);
Assert.Equal(
"https://login.microsoftonline.com/tenant/oauth2/v2.0/token",
handler.LastRequestUri!.ToString());
Assert.Equal("https://outlook.office365.com/.default", handler.LastForm!["scope"]);
}
private static string TokenJson(string accessToken, int expiresIn) =>
JsonSerializer.Serialize(new
{
@@ -250,6 +292,38 @@ public class OAuth2TokenServiceTests
}
}
/// <summary>
/// HTTP handler that captures the request URI and the posted form fields so a
/// test can assert the token endpoint and scope actually sent.
/// </summary>
private class CapturingHttpMessageHandler : HttpMessageHandler
{
private readonly string _response;
public Uri? LastRequestUri { get; private set; }
public IReadOnlyDictionary<string, string>? LastForm { get; private set; }
public CapturingHttpMessageHandler(string response) => _response = response;
protected override async Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
LastRequestUri = request.RequestUri;
var body = request.Content == null
? string.Empty
: await request.Content.ReadAsStringAsync(cancellationToken);
LastForm = body
.Split('&', StringSplitOptions.RemoveEmptyEntries)
.Select(pair => pair.Split('=', 2))
.ToDictionary(
p => Uri.UnescapeDataString(p[0]),
p => p.Length > 1 ? Uri.UnescapeDataString(p[1]) : string.Empty);
return new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(_response)
};
}
}
/// <summary>
/// Simple mock HTTP handler that returns a fixed response.
/// </summary>