feat(auth): OtOpcUa adopt ZbClaimTypes + ZbCookieDefaults, keep cookie name (Task 1.5)

Add ZB.MOM.WW.Auth.AspNetCore package ref to Security project (version 0.1.1
from central PM). Alias JwtTokenService.UsernameClaimType and DisplayNameClaimType
to ZbClaimTypes.Username ("zb:username") and ZbClaimTypes.DisplayName ("zb:displayname")
so every mint/read site inherits the canonical spelling. AuthEndpoints login path now
emits ZbClaimTypes.Name (= ClaimTypes.Name, populates Identity.Name) instead of
ClaimTypes.NameIdentifier (no other read site used it), and references ZbClaimTypes.Role
(= ClaimTypes.Role) for role claims so [Authorize(Roles=...)] continues to resolve.
Cookie hardening now flows through ZbCookieDefaults.Apply (sets HttpOnly, SameSite=Strict,
SlidingExpiration, SecurePolicy, ExpireTimeSpan) followed by opts.Cookie.Name = v.Name to
preserve the OtOpcUa-specific "ZB.MOM.WW.OtOpcUa.Auth" cookie name. Two new tests added
to AuthEndpointsIntegrationTests assert canonical ZbClaimTypes on the cookie principal and
canonical zb: keys in the JWT payload; all 35 security tests green.
Joseph Doherty
2026-06-02 06:11:00 -04:00
parent c4f315ec90
commit 83856b7c27
5 changed files with 179 additions and 16 deletions
@@ -4,13 +4,29 @@ using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using ZB.MOM.WW.Auth.AspNetCore;
namespace ZB.MOM.WW.OtOpcUa.Security.Jwt;
public sealed class JwtTokenService
{
public const string DisplayNameClaimType = "DisplayName";
public const string UsernameClaimType = "Username";
/// <summary>
/// Alias of <see cref="ZbClaimTypes.DisplayName"/> — the canonical "zb:displayname" claim.
/// All read and mint sites inherit the canonical spelling through this constant.
/// </summary>
public const string DisplayNameClaimType = ZbClaimTypes.DisplayName;
/// <summary>
/// Alias of <see cref="ZbClaimTypes.Username"/> — the canonical "zb:username" claim.
/// All read and mint sites inherit the canonical spelling through this constant.
/// </summary>
public const string UsernameClaimType = ZbClaimTypes.Username;
/// <summary>
/// Role claim type used in the JWT payload. Kept as the short "Role" key for the
/// bearer token payload; the cookie-principal uses <see cref="ZbClaimTypes.Role"/>
/// (= <see cref="ClaimTypes.Role"/>) for framework role resolution.
/// </summary>
public const string RoleClaimType = "Role";
private readonly JwtOptions _options;
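Review bot: the new `RoleClaimType = "Role"` constant at the end of the hunk keeps the bearer-token role key different from the cookie principal's `ZbClaimTypes.Role` (= `ClaimTypes.Role`), so `[Authorize(Roles = ...)]` will only resolve for bearer callers if the JWT validation side maps the short key (for example `TokenValidationParameters.RoleClaimType = JwtTokenService.RoleClaimType`); please either confirm that mapping exists in the bearer setup or switch the payload to `ZbClaimTypes.Role` so there is one spelling, and add a test alongside the two new cookie/JWT payload tests that asserts a bearer-authenticated request passes a role check. Separately, the removed literals `"DisplayName"` and `"Username"` mean any token minted before this change carries keys the updated read sites no longer look for, so its display name and username will silently resolve to null until the token expires; a sentence in the commit message about that cut-over (or a fallback read of the old keys for one expiry window) would help whoever deploys this.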