defining your own identity server

[AhsanSpica]

defining your own identityserver and your own dbstore
resulting in succesfully finding client in db but filing authetnicoation and cause given invalid client

   public virtual void ConfigureServices(IServiceCollection services)
{
    instanceId = $"{Configuration["WEBSITE_ROLE_INSTANCE_ID"]}--{Configuration["WEBSITE_INSTANCE_ID"]}--{Guid.NewGuid()}";
    var smartScopes = GenerateSmartClinicalScopes();
    string apiScope = "fhirUser";
    string rolesClaim = "roles";

   // services.AddDevelopmentIdentityProvider(Configuration);

    // DQ_DEV_AHSAN
    services.AddLogging(logging =>
    {
        logging.SetMinimumLevel(Microsoft.Extensions.Logging.LogLevel.Debug);

        logging.AddConsole();

       // logging.AddFile("logs/app.log"); // Adjust the file path and name as needed
    });

    // DQ_DEV_AHSAN
    // services.AddLogging(loggingBuilder =>
    // {
    // loggingBuilder.AddSerilog(); // Add Serilog as a logging provider
    // });

    var configuration = new ConfigurationBuilder()

.SetBasePath(System.IO.Directory.GetCurrentDirectory())
.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
.Build();
var secretConfig = new ConfigurationBuilder()
.SetBasePath(System.IO.Directory.GetCurrentDirectory())
.AddJsonFile("secrets.json", optional: true, reloadOnChange: true)
.Build();

    var clientId = configuration["AzureAd:ClientId"];
    var clientSecret = configuration["AzureAD:ClientSecret"];
    clientSecret = "RDl8Q~XPKH8tR1owqDef7KuTIrASXfCgWNl3eb1r";
    var tenantId = configuration["AzureAd:TenantId"];
    ImportClientsToDatabase(services, clientId, clientSecret, tenantId);

    services.AddDbContext<PersistedGrantSQLDbContext>(options =>
    {
        options.UseSqlServer(Configuration.GetConnectionString("IdentityServerConnectionString"));
    });
    services.AddScoped<IConfigurationDbContext, PersistedGrantSQLDbContext>();
    services.AddScoped<PersistedGrantSQLDbContext>();

    services.AddIdentity<IdentityUser, IdentityRole>()
        .AddEntityFrameworkStores<PersistedGrantSQLDbContext>()
        .AddDefaultTokenProviders();

    services.AddIdentityServer()
.AddDeveloperSigningCredential()

 .AddConfigurationStore(options =>
 {
     options.ConfigureDbContext = builder =>
     builder.UseSqlServer(
     Configuration.GetConnectionString("IdentityServerConnectionString"),
     sql => sql.MigrationsAssembly(typeof(PersistedGrantSQLDbContext).Assembly.GetName().Name));
 })
 .AddOperationalStore(options =>
 {
     options.ConfigureDbContext = builder =>
     builder.UseSqlServer(
     Configuration.GetConnectionString("IdentityServerConnectionString"),
     sql => sql.MigrationsAssembly(typeof(PersistedGrantSQLDbContext).Assembly.GetName().Name));
 })
 .AddInMemoryApiScopes(new[]
            {
                new IdentityServer4.Models.ApiScope(DevelopmentIdentityProviderConfiguration.Audience),
                new IdentityServer4.Models.ApiScope(WrongAudienceClient),
                new IdentityServer4.Models.ApiScope("fhirUser"),
            }.Concat(smartScopes))
            .AddInMemoryApiResources(new[]
            {
                new IdentityServer4.Models.ApiResource(
                    DevelopmentIdentityProviderConfiguration.Audience,
                    userClaims: new[] { rolesClaim, apiScope })
                {
                    Scopes = new[] { DevelopmentIdentityProviderConfiguration.Audience, "fhirUser" }.Concat(smartScopes.Select(s => s.Name)).ToList(),
                },
                new IdentityServer4.Models.ApiResource(
                WrongAudienceClient,
                userClaims: new[] { rolesClaim })
                {
                    Scopes = { WrongAudienceClient },
                },
            })

// .AddTestUsers(new List
// {
// new TestUser
// {
// Username = "Tulaib.Siddiqui",
// Password = "!Harbinger2024",
// IsActive = true,
// SubjectId = "testuser",
// Claims = new List<System.Security.Claims.Claim>
// {
// new System.Security.Claims.Claim("roles", "FHIRClaim"),
// new System.Security.Claims.Claim("FhirUser", "https://localhost:44348/Patient/testuser"),
// },
// },
// })
// .AddInMemoryClients(new List<IdentityServer4.Models.Client>
// {
// new IdentityServer4.Models.Client
// {
// ClientId = clientId,
// ClientSecrets = { new IdentityServer4.Models.Secret(clientSecret.Sha256()) },
// AllowedGrantTypes = new List { "client_credentials", "password" },
// AllowedScopes = new[] { DevelopmentIdentityProviderConfiguration.Audience, WrongAudienceClient, "fhirUser" }.Concat(smartScopes.Select(s => s.Name)).ToList(),
// Claims = new List<IdentityServer4.Models.ClientClaim>
// {
// new IdentityServer4.Models.ClientClaim("roles", "FHIRClaim"),
// }.Concat(CreateFhirUserClaims(clientId, "https://localhost:44348/")).ToList(),
// ClientClaimsPrefix = string.Empty,
// },
// })

  .AddClientStore<CustomClientStore>()
.AddAspNetIdentity<IdentityUser>();

    Startup.InitializeTestUser(services);

    Core.Registration.IFhirServerBuilder fhirServerBuilder =
        services.AddFhirServer(
            Configuration,
            fhirServerConfiguration =>
            fhirServerConfiguration.Security.AddAuthenticationLibrary = AddAuthenticationLibrary)
        .AddAzureExportDestinationClient()
        .AddAzureExportClientInitializer(Configuration)
        .AddContainerRegistryTokenProvider()
        .AddContainerRegistryAccessValidator()
         .AddAzureIntegrationDataStoreClient(Configuration)
         .AddConvertData()
         .AddMemberMatch()
        ;

    IFhirRuntimeConfiguration runtimeConfiguration = AddRuntimeConfiguration(Configuration, fhirServerBuilder);

    AddDataStore(services, fhirServerBuilder, runtimeConfiguration);

     if (bool.TryParse(Configuration["TaskHosting:Enabled"], out bool taskHostingsOn) && taskHostingsOn)
    {
        AddTaskHostingService(services);
    }

    fhirServerBuilder.AddBackgroundWorkers(runtimeConfiguration);

     fhirServerBuilder.AddBundleOrchestrator(Configuration);

    if (string.Equals(Configuration["ASPNETCORE_FORWARDEDHEADERS_ENABLED"], "true", StringComparison.OrdinalIgnoreCase))
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                ForwardedHeaders.XForwardedProto;

            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });
    }

    if (bool.TryParse(Configuration["PrometheusMetrics:enabled"], out bool prometheusOn) && prometheusOn)
    {
        services.AddPrometheusMetrics(Configuration);
    }

    AddApplicationInsightsTelemetry(services);
    AddAzureMonitorOpenTelemetry(services);
}

  public class CustomClientStore : IClientStore

{
private readonly PersistedGrantSQLDbContext _dbContext;
private readonly ILogger _logger;

  public CustomClientStore(PersistedGrantSQLDbContext dbContext, ILogger<CustomClientStore> logger)
  {
      _dbContext = dbContext ?? throw new ArgumentNullException(nameof(dbContext));
      _logger = logger ?? throw new ArgumentNullException(nameof(logger));
  }

  public virtual async Task<IdentityServer4.Models.Client> FindClientByIdAsync(string clientId)
  {
      IQueryable<IdentityServer4.EntityFramework.Entities.Client> baseQuery = _dbContext.Clients
          .Where(x => x.ClientId == clientId);

      var client = (await baseQuery.ToArrayAsync())
          .SingleOrDefault(x => x.ClientId == clientId);
      if (client == null)
      {
          return null;
      }

      await baseQuery.Include(x => x.AllowedCorsOrigins).SelectMany(c => c.AllowedCorsOrigins).LoadAsync();
      await baseQuery.Include(x => x.AllowedGrantTypes).SelectMany(c => c.AllowedGrantTypes).LoadAsync();
      await baseQuery.Include(x => x.AllowedScopes).SelectMany(c => c.AllowedScopes).LoadAsync();
      await baseQuery.Include(x => x.Claims).SelectMany(c => c.Claims).LoadAsync();
      await baseQuery.Include(x => x.ClientSecrets).SelectMany(c => c.ClientSecrets).LoadAsync();

      await baseQuery.Include(x => x.IdentityProviderRestrictions).SelectMany(c => c.IdentityProviderRestrictions).LoadAsync();
      await baseQuery.Include(x => x.PostLogoutRedirectUris).SelectMany(c => c.PostLogoutRedirectUris).LoadAsync();
      await baseQuery.Include(x => x.Properties).SelectMany(c => c.Properties).LoadAsync();
      await baseQuery.Include(x => x.RedirectUris).SelectMany(c => c.RedirectUris).LoadAsync();
      var model = CustomClientMapper.ToModel(client);

      _logger.LogDebug($"{clientId} found in database: ", clientId, model != null);

      return model;
  }
  
          private static void ImportClientsToDatabase(IServiceCollection services, string clientId, string clientSecret, string tenantId)
    {
        ClientSecret clientSecret1 = new ClientSecret();
        clientSecret1.Value = clientSecret;
        var smartScopes = GenerateSmartClinicalScopes();
        var clientsToAdd = new List<IdentityServer4.EntityFramework.Entities.Client>

{
new IdentityServer4.EntityFramework.Entities.Client
{
ClientId = clientId,
ClientSecrets = new List<IdentityServer4.EntityFramework.Entities.ClientSecret> { clientSecret1 },
AllowedGrantTypes = new List<IdentityServer4.EntityFramework.Entities.ClientGrantType>
{
new IdentityServer4.EntityFramework.Entities.ClientGrantType { GrantType = "client_credentials" },
new IdentityServer4.EntityFramework.Entities.ClientGrantType { GrantType = "password" },
},
AllowedScopes = new List<IdentityServer4.EntityFramework.Entities.ClientScope>
{
new IdentityServer4.EntityFramework.Entities.ClientScope { Scope = DevelopmentIdentityProviderConfiguration.Audience },
new IdentityServer4.EntityFramework.Entities.ClientScope { Scope = WrongAudienceClient },
new IdentityServer4.EntityFramework.Entities.ClientScope { Scope = "fhirUser" },

        // Add smartScopes as ClientScopes here, assuming smartScopes is a collection of strings
       // smartScopes.Select(s => new IdentityServer4.EntityFramework.Entities.ClientScope { Scope = s }).ToList(),
    },

    Claims = new List<IdentityServer4.EntityFramework.Entities.ClientClaim>
     {
     new IdentityServer4.EntityFramework.Entities.ClientClaim { Type = "roles", Value = "FHIRClaim" },
     },

    // .Concat(CreateFhirUserClaims(clientId, "https://localhost:44348/"))
    // .ToList(),

    ClientClaimsPrefix = string.Empty,
},

};

        using (var serviceProvider = services.BuildServiceProvider())
        {
            var dbContext = serviceProvider.GetRequiredService<PersistedGrantSQLDbContext>();

            var existingClient = dbContext.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId).GetAwaiter().GetResult();

            if (existingClient == null)
            {
                dbContext.Clients.AddRangeAsync(clientsToAdd).GetAwaiter().GetResult();
                dbContext.SaveChangesAsync().GetAwaiter().GetResult();
            }
        }
    }

[EXPEkesheth]

@AhsanSpica - can you please provide details on what you are trying to seek help on or would like to discuss with us about?

[AhsanSpica]

HI. So as I detailed above maybe it wasnt clear. What i am trying to do is trying to attach via code a logic for the authentication and authorization to be performed via attached identityServer database. while keeping the access logic described by smart scopes.
For this purpose i defined my dbcontext. inserted into db the client and client secret from connected services appsetting description, one time only, used the dbcontext to fetch the client details, created my own clientstore class to debug and observe client details fetch. defined some of the additional details via in process.
so after I observed the client details are being fetched all correctly from the db the result of this token post request is still returning 'invalid client'. i saw when i defined the client as in process with the same few properties as in the in-process identity Server I was ableto obtain a token as response.
POST {{fhirurl}}/connect/token
this client and client secret correspond to the client application created in azure

[AhsanSpica]

@EXPEkesheth Hi. Any ideas? I provided you details as you requested. Can you let me know if it can be done at all with the current opensource microsft fhir repo? or by some alternate mechanism?

[EXPEkesheth]

@AhsanSpica - Can you please provide information on the use case? There are details on how, we would like to understand the scenario and why you need your own IDP vs EntraID. Curious to know if this is a production use case.

[AhsanSpica]

Respectfully, I personally found the official repo and Microsoft documentation very confusing.

So the Entra id process works is via the authentication and smart turned on so, so the way this open source is built. if the authentication is turned on the authentication flow goes to the dummy in-application clients and roles described in the two json files the roles.json and the authneticaiontest.json (not exact name) .

Why : Naturally as you said production. yes for production I/We/Company wants any of our client applications being able to access this FHIR Server. thus making authentication and authorization possible. for our client applications.
Why : In my humble attempt i was unable to demonstrate with success the authentication and authorization via Entra Id without smart launcher UI Interface. I attempted via postman.
I used the same steps as described below.

I understand what you are talking about is using the ENTRA-ID client applications while they are registered with the Azure resource application and that resource applications tenant id is the authority and the FHIR server path the audience. But from the documentation I understood that the demonstration is only possible via smart launcher usage, and my bosses were less then keen for using Smart.

Question : if I am to suggest to my bosses to use the entra id for authentication and authorization can you kindly provide me the steps here as to;
How to implement authentication and authorization via entra Id and to demonstrate it, both with or without smart launcher. So to make sure i am not doing anything wrong or missing something.

Our requirements :
we want our developed solutions to connect to this FHIR server like a hub so various client applications with various users (azure id) need to be giving individual specified scopes of access to this FHIR SERVER. based on roles. roles also be allowed to be modified.

@EXPEkesheth, thank you very kindly for support. And please let me know soon.

[EXPEkesheth]

@AhsanSpica - please look into the below documentation to help setup auth using EntralD
Register-Resource-Application
Register Client App

Let us know if you have any additional questions and will be happy to help.

[AhsanSpica]

Thank you for your response!
We had tried with these directions. we found that these EntraID instructions were not catering to the open source FHIR repo scenario.
We want to customize the Microsoft FHIR server opensource to our needs.
If you have any ideas and suggestion in this regard that how to modify the instructions provided for EntraID Authentication authorization to match our needs.
Please let me know!
Alternately I will get back to you with exact issues encountered in some time.
Since right now I am focusing on another aspect of the FHIR interoperability for USCDI V3.
That is I don't want this issue to be marked as answered, yet.