Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs
Original file line number Diff line number Diff line change
@@ -1,6 +1,21 @@
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
//
// ⚠️ DO NOT USE IN PRODUCTION ⚠️
//
// This controller exists solely to issue self-signed JWTs for the SCIM sample/
// integration-test flow. It is anonymously reachable and uses a symmetric key
// from configuration with no rotation, no revocation, and no authentication
// of the requester. Combined with the dev-mode JWT validation in Startup.cs
// (guarded by #if DEBUG), it allows any anonymous caller to mint a token that
// the sample host will accept.
//
// Any consumer who copies this sample for a production SCIM endpoint MUST
// either delete this controller entirely or replace it with a properly
// authenticated, audience-scoped token issuer.
//
//------------------------------------------------------------

namespace Microsoft.SCIM.WebHostSample.Controllers
{
Expand All @@ -13,6 +28,7 @@ namespace Microsoft.SCIM.WebHostSample.Controllers

// Controller for generating a bearer token for authorization during testing.
// This is not meant to replace proper Oauth for authentication purposes.
[Obsolete("Sample only - remove this controller or replace with a properly authenticated OAuth token issuer before deploying to any non-sample environment.", error: true)]
[Route("scim/token")]
[ApiController]
public class TokenController : ControllerBase
Expand Down
11 changes: 11 additions & 0 deletions Microsoft.SCIM.WebHostSample/Startup.cs
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,15 @@ void ConfigureAuthenticationOptions(AuthenticationOptions options)

void ConfigureJwtBearerOptons( JwtBearerOptions options)
{
// The development branch below disables every JWT validation
// (issuer, audience, lifetime, signing-key) and is intended only
// for local end-to-end testing of the sample. Guarding it with
// #if DEBUG ensures that a Release build of this sample cannot
// accidentally ship the bypass to a production environment - the
// preprocessor strips the dev branch (and the surrounding 'if'),
// leaving only the production branch which enforces real
// Authority / Audience checks.
#if DEBUG
if (this.environment.IsDevelopment())
{
options.TokenValidationParameters =
Expand All @@ -65,6 +74,8 @@ void ConfigureJwtBearerOptons( JwtBearerOptions options)
};
}
else
Comment thread
himanshusainig marked this conversation as resolved.
#endif
// Release: always enforce production JWT validation (dev-mode block is stripped by preprocessor).
{
options.Authority = this.configuration["Token:TokenIssuer"];
options.Audience = this.configuration["Token:TokenAudience"];
Expand Down
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,9 @@ The SCIM standard leaves authentication and authorization relatively open. You c
> **[NOTE]**
> These authorization methods provided by this repo are solely for testing. When integrating with Azure AD, review the authorization guidance provided [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#authorization-for-provisioning-connectors-in-the-application-gallery).

> **⚠️ [DO NOT USE IN PRODUCTION]**
> The `TokenController` in `Microsoft.SCIM.WebHostSample` is an anonymously reachable JWT issuer intended only for local sample/integration-test flows. The dev-mode `TokenValidationParameters` in `Startup.cs.ConfigureJwtBearerOptons` disables every JWT validation check (issuer, audience, lifetime, signing key) and is guarded by `#if DEBUG` so Release builds physically cannot ship the bypass. **Before deploying any SCIM endpoint derived from this sample to a non-sample environment, delete `TokenController` and the dev-mode branch, and replace them with a properly authenticated, audience-scoped OAuth token issuer.**


## Contributing to the reference code

Expand Down