diff --git a/Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs b/Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs index c51f8f80..8b859d5f 100644 --- a/Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs +++ b/Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs @@ -1,6 +1,21 @@ //------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //------------------------------------------------------------ +// +// ⚠️ DO NOT USE IN PRODUCTION ⚠️ +// +// This controller exists solely to issue self-signed JWTs for the SCIM sample/ +// integration-test flow. It is anonymously reachable and uses a symmetric key +// from configuration with no rotation, no revocation, and no authentication +// of the requester. Combined with the dev-mode JWT validation in Startup.cs +// (guarded by #if DEBUG), it allows any anonymous caller to mint a token that +// the sample host will accept. +// +// Any consumer who copies this sample for a production SCIM endpoint MUST +// either delete this controller entirely or replace it with a properly +// authenticated, audience-scoped token issuer. +// +//------------------------------------------------------------ namespace Microsoft.SCIM.WebHostSample.Controllers { @@ -13,6 +28,7 @@ namespace Microsoft.SCIM.WebHostSample.Controllers // Controller for generating a bearer token for authorization during testing. // This is not meant to replace proper Oauth for authentication purposes. + [Obsolete("Sample only - remove this controller or replace with a properly authenticated OAuth token issuer before deploying to any non-sample environment.", error: true)] [Route("scim/token")] [ApiController] public class TokenController : ControllerBase diff --git a/Microsoft.SCIM.WebHostSample/Startup.cs b/Microsoft.SCIM.WebHostSample/Startup.cs index 11531c3a..3787451e 100644 --- a/Microsoft.SCIM.WebHostSample/Startup.cs +++ b/Microsoft.SCIM.WebHostSample/Startup.cs @@ -50,6 +50,15 @@ void ConfigureAuthenticationOptions(AuthenticationOptions options) void ConfigureJwtBearerOptons( JwtBearerOptions options) { + // The development branch below disables every JWT validation + // (issuer, audience, lifetime, signing-key) and is intended only + // for local end-to-end testing of the sample. Guarding it with + // #if DEBUG ensures that a Release build of this sample cannot + // accidentally ship the bypass to a production environment - the + // preprocessor strips the dev branch (and the surrounding 'if'), + // leaving only the production branch which enforces real + // Authority / Audience checks. +#if DEBUG if (this.environment.IsDevelopment()) { options.TokenValidationParameters = @@ -65,6 +74,8 @@ void ConfigureJwtBearerOptons( JwtBearerOptions options) }; } else +#endif + // Release: always enforce production JWT validation (dev-mode block is stripped by preprocessor). { options.Authority = this.configuration["Token:TokenIssuer"]; options.Audience = this.configuration["Token:TokenAudience"]; diff --git a/README.md b/README.md index c4d3a6a1..09c33f01 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,9 @@ The SCIM standard leaves authentication and authorization relatively open. You c > **[NOTE]** > These authorization methods provided by this repo are solely for testing. When integrating with Azure AD, review the authorization guidance provided [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#authorization-for-provisioning-connectors-in-the-application-gallery). +> **⚠️ [DO NOT USE IN PRODUCTION]** +> The `TokenController` in `Microsoft.SCIM.WebHostSample` is an anonymously reachable JWT issuer intended only for local sample/integration-test flows. The dev-mode `TokenValidationParameters` in `Startup.cs.ConfigureJwtBearerOptons` disables every JWT validation check (issuer, audience, lifetime, signing key) and is guarded by `#if DEBUG` so Release builds physically cannot ship the bypass. **Before deploying any SCIM endpoint derived from this sample to a non-sample environment, delete `TokenController` and the dev-mode branch, and replace them with a properly authenticated, audience-scoped OAuth token issuer.** + ## Contributing to the reference code