Implemented client and updated README

Author: hvalfangst

.gitignore

@@ -1,4 +1,4 @@
-/.env_oauth
+client/.env_oauth
 /infra/terraform.tfvars
 /.idea/.gitignore
 /infra/.terraform.lock.hcl

README.md

@@ -28,12 +28,60 @@ The file structure is as follows:
 ![screenshot](images/terraform_tfvars.png)
 
 
+## Register server on Entra ID
+
+Before deploying our server we need to create an app registration on Entra ID. 
+
+### Create a new app registration
+
+Log into your Azure account on the web. Search for **Microsoft Entra ID**. Navigate to the **App registrations** blade and click on **New registration** button in the top left tab.
+
+![screenshot](images/azuread_app_registrations.png)
+
+Choose a suitable name. Here I have chosen the name "Hvalfangst Server" as the registration will be utilized by an API we are to deploy to Azure Web Apps in the coming sections. The client which is to interact with our server resource will **NOT** be deployed. It will merely run locally. The fact that
+both the newly deployed server and the not-to-be-deployed local client are both Python APIs (using the FastAPI framework) may seem confusing, but this is just for demonstration purposes. We do not need to set up a redirect URI for our server as it merely validates token received in the authentication header of the client request
+and invoke services if the request has the necessary scopes. We will set the redirect URL for our client in later sections.
+
+
+![screenshot](images/azure_entra_id_register_hvalfangst_server_api.png)
+
+Once the app registration has been created, store the application and tenant id for later use. We will make use of these when setting up the CI/CD pipeline - which deploys the server API to Azure Web Apps.
+
+![screenshot](images/hvalfangst_server_api_app_registration.png)
+
+
+### Create Scope
+
+We will now proceed to create scopes. Scopes are in essence fully customizable access right labels, meaning that you may are free to pick any name. It is, however common to conform to the following pattern: **{RESOURCE}.{ACCESS_LEVEL}**. 
+Say that you have implemented a CRUD API in the domain of wines. Since the domain is wine, the prefix would naturally be **Wines**. Access levels **could** be **READ**, **WRITE** and **DELETE**.
+For instance, the scope **Wines.Read** grants you access to **read** wines - which in the API translates to the right to perform any **HTTP GET** requests, which commonly would be actions such as listing metadata of all wines or to get information about a specific wine.
+
+Click on the **Add a scope** button under the **Expose an API** section, which is accessible from the **Expose an API** blade under **Manage**.
+
+![screenshot](images/hvalfangst_server_api_expose_api.png)
+
+Set the scope name to **Heroes.Read**. Clients with this scope may list and view heroes. As for consent, choose **Admins only**.
+For the remainder of fields you are free to choose whatever describes the scope.
+
+![screenshot](images/hvalfangst_server_api_add_scope.png)
+
+Repeat the above for scopes **Heroes.Write** and **Heroes.Delete**.
+
+![screenshot](images/hvalfangst_server_api_all_scopes.png)
+
+It goes without saying that the chosen scopes are just simple examples. Feel free to adapt as you see fit. It is important to mention that the newly created scopes 
+are absolutely junk in and of itself. You **must** reference the scopes names exactly as defined in your [server code](server/security/auth.py) for it to have any effect.
+That is, you must implement logic in your endpoints which verifies the signature associated with the token derived from the auth header, ensure that the
+audience is the client id of the server app registration and that the scopes included in the decoded claims matches that of what is required for that specific endpoint.
+In order to [create heroes](server/services/hero_service.py) one must have the scope **Heroes.Create** as specified in the [router](server/routers/heroes.py).
+
 ## Set up CI/CD via Deployment Center
 
-Now that we have our new Web App resource up and running on Azure, we may proceed to set up our means of deploying our code to the
-aforementioned Web App. We will do so by connecting our Web App to our GitHub repository. Azure Web Apps has the ability
+Now that we have provisioned necessary infrastructure and created an app registration for the server, we may proceed to create the pipeline used to deploy our code to Azure Web Apps.
+We will do so by integrating our Web App to our GitHub repository. Azure Web Apps has the ability
 to create a fully fledged CI/CD pipeline in the form of a GitHub Action Workflows script, which it commits on our behalf. As part of this pipeline a managed identify
-will be created in Azure in order to authenticate requests. Secrets will be automatically created and referenced in the CI/CD script by Azure. 
+will be created in Azure in order to authenticate requests. Secrets will be automatically created and referenced in the CI/CD script by Azure. Once the
+pipeline script has been created, we must adapt it slightly for it to work. More on this later.
 
 Click on the **Deployment Center** section under the **Deployment** blade. Choose GitHub as source and set the appropriate organization, repository and branch.
 For authentication keep it as is (user-assigned identity). Click on the **Save** button in the top left corner.
@@ -56,7 +104,17 @@ For the CI/CD workflow script to actually work, we have to make some adjustments
 which are located in their own directories. The autogenerated script assumes that the files are located in the root folder, which is not the case here.
 Thus, we need to change the script to reference files located under the server directory, as we are to deploy our server. 
 
-The final pipeline definition should look like [this](.github/workflows/main_hvalfangstlinuxwebapp.yml).
+We are storing configuration values for our API in a class named [AzureConfig](server/config/config.py). Notice how the values for fields **TENANT_ID**
+and **SERVER_CLIENT_ID** are retrieved from the runtime environment - which means that these environment variables must be set somehow. When running the
+API locally for sake of testing one should **NOT** hardcode the associated values due to the risk of accidentally committing to SCM. Instead, you should
+either set the environment values on your system or retrieve them from an .env file, which, naturally, **HAS** to be added your .gitignore.
+
+Proceed to add two new GitHub Action secrets. These should be your tenant ID and the client ID associated with your newly created **Hvalfangst Server API** app registration.
+
+![screenshot](images/github_actions_hvalfangst_secrets.png)
+
+We now need to modify our GitHub Actions Workflow script to set the environment variables in our Azure Web App itself. We do so by the use of the az CLI
+command **az webapp config appsettings set** where the associated values are retrieved from our repository secrets we set above.
 
 ## Deploy API 
 
@@ -72,45 +130,115 @@ Navigate to the **Deployment Center** section of your Azure Web App. A new deplo
 
 ![screenshot](images/deployment_center_post_action.png)
 
+Click on the **Environment variables** section of your Web App to ensure that the App setting environment variables **HVALFANGST_TENANT_ID** and **HVALFANGST_SERVER_CLIENT_ID**
+have been set. The environment variable **SCM_DO_BUILD_DURING_DEPLOYMENT** was set by our [Terraform script](infra/terraform.tf) when creating the Azure Web App. It instructs our container to
+build the virtual environment based on our [requirements](server/requirements.txt) file on deploy as opposed to utilizing some pre-built virtual environment that has been transmitted.
+
+![screenshot](images/hvalfangstlinuxwebapp_environment_variables.png)
+
 Now that we know that it deployed successfully it is finally time to access the API. Click on URI associated with **Default Domain**
 
 ![screenshot](images/overview_default_domain.png)
 
-You will be prompted with the following default page, which indicates that the API is up and running.
+You will be prompted with the following index page, which indicates that the API is up and running.
 
 ![screenshot](images/firefox_api_home.png)
 
+The index page is available for all users and as such is not protected by any token validation logic. What is protected by token validation logic is our [heroes route](server/routers/heroes.py).
+This route exposes 4 endpoints: "POST /heroes/", "GET /heroes/", "GET /heroes{hero_id}" and "DELETE /heroes/{hero_id}".
+Notice how one in each endpoint always start by awaiting a function called [authorize](server/security/auth.py), passing in a token and a scope.
+The scope names referenced in aforementioned function call are exactly what was defined earlier. Hence, my little
+rant about scopes in and of itself being useless unless there is logic in place to actually enforce
+required scopes. We will utilize our [local client](client/main.py) to make HTTP calls to the server we deployed in previous sections. But first we must register it on Entra ID
+and assign it the appropriate permissions so that the scopes contained in tokens received from the authorization server matches that of protected in the server code.
+
 
-## Register API on Azure AD
+## Register client on Azure Entra ID
+
+Now that have our server deployed and configured, it is time to talk about the client. As mentioned before, the client is **NOT** deployed to Azure - it is merely a local API which may be spun up via our [run_client](client/run_client.sh) shell script.
 
-Now that we have deployed our API to Azure Web Apps, we need to register it on Microsoft Entra ID.
 
 ### Create a new app registration
 
-Navigate to the **App registrations** blade and click on **New registration** button in the top left tab
+As usual, one must create a new app registration akin to what was done with the server.
 
-![screenshot](images/azuread_app_registrations.png)
+![screenshot](images/hvalfangst_api_client_app_reg.png)
 
-![screenshot](images/azure_entra_id_register_hvalfangst_server_api.png)
+Again, take note of the **Client ID**.
 
-![screenshot](images/hvalfangst_server_api_app_registration.png)
+![screenshot](images/hvalfangst_client.png)
 
+### Create Secret
 
-### Expose API
+Recall earlier when we mentioned that the server does not need secrets? Well, the client does. It is called **Client Secret** for a reason (naturally).
 
+Head over to the **Certificates & secrets** blade. Click on the **New client secret** button.
 
-![screenshot](images/hvalfangst_server_api_expose_api.png)
+![screenshot](images/hvalfangst_client_new_secret.png)
 
+Pick a suitable name.
 
-![screenshot](images/hvalfangst_server_api_add_scope.png)
+![screenshot](images/hvalfangst_client_add_secret.png)
 
-![screenshot](images/hvalfangst_server_api_all_scopes.png)
+Note down the secret (clipboard or otherwise).
+
+![screenshot](images/hvalfangst_client_secrets.png)
+
+### Add Redirect URL
+
+Now it's time for the confusing part... as Bane would say - **FOR YOU**.
+
+![screenshot](images/hvalfangst_client_authentication.png)
+
+![screenshot](images/hvalfangst_client_api_configure_web.png)
+
+When the client application starts, it opens a browser window and directs the user to Azure's authorization endpoint. 
+This prompts the user to log in with their Microsoft account and to authorize specific permissions, which in our case are **openid**, profile, email and User.Read.
+These are mandatory permissions for the Open ID Connect flow to work.
+If the user successfully logs in and consents, Azure redirects the user to a pre-configured URL known as the redirect, or callback URI.
+When the user authorizes the application, Azure needs a secure location to send the authorization code. The redirect URI is this location. 
+The client application must "listen" at this URI to receive the code, which is necessary for exchanging it for tokens.
+In practical terms, this is quite simple as one merely has to expose an HTTP endpoint in the API. In our case we have chosen the redirect URI of **http://localhost:8000/auth/callback**, 
+because our client application runs locally on port 8000, the name of our router is called auth and our designated endpoint to handle the logic is named **callback**. 
+As is evident from peeking at our [callback endpoint](client/routers/auth.py), it extracts a value from the query parameter named **code**. 
+It then proceeds to call the OIDC flow handler function named [handle_openid_connect_flow](client/services/auth_service.py) with the aforementioned code retrieved from the authorization server in the callback endpoint. 
+The OIDC function calls yet another function named **get_access_token**, which attempt to exchange our authorization code for an actual access token by issuing a POST request to the token endpoint exposed by MS Entra ID.
+As may be observed, the request body must be populated with our client id & secret, the authorization code and the grant type. Access and ID tokens will be fetched from the response on success and stored in our
+[token_storage](client/services/token_storage.py) class so that we may utilize the token in the endpoint associated with the [heroes router](client/routers/heroes.py). 
+It goes without saying that this is just a silly example on how to easily store the tokens in-memory. The MSAL library has their own, proper, caching implementation baked in.
+
+### Add API permissions
+
+
+
+![screenshot](images/hvalfangst_client_api_permissions.png)
+
+![screenshot](images/hvalfangst_client_request_permission_graph.png)
+
+![screenshot](images/hvalfangst_client_api_permissions_graph_openid.png)
+
+![screenshot](images/hvalfangst_client_api_permissions_hvalfangst_search.png)
+
+
+![screenshot](images/hvalfangst_client_api_permissions_hvalfangst_server_heroes_read.png)
+
+![screenshot](images/hvalfangst_client_all_permissions_added.png)
+
+![screenshot](images/hvalfangst_client_grant_admin_consent_prompt.png)
+
+![screenshot](images/hvalfangst_client_permissions_granted_admin_consent_for.png)
 
+### Create .env file
 
+For the local client to work, one must create a file named ".env_oauth", which is to hold client and tenant id, secret and callback URI. This information
+may be retrieved from our Client App registration. If you forgot to copy the client secret to your clipboard you may create a new one and use that instead.
+The fields will be mapped to our [OAuthSettings](client/config/oauth.py) on startup and used when making calls to the authorization server in order to obtain tokens. 
 
+The final file should look as follows:
+![screenshot](images/env_oauth.png)
 
 
-## Running API
+## Running local Client API
 ```bash
-python -m uvicorn app.main:app --reload
+sh client/run_client.sh
 ```

client/__init__.py

@@ -1,5 +1,3 @@
-# client/config/__init__.py
-
 from .oauth import oauth_settings
 
 __all__ = ["oauth_settings"]

client/config/__init__.py

@@ -1,17 +1,15 @@
-# client/config/oauth.py
-
 from dotenv import load_dotenv
 from fastapi import HTTPException
 from pydantic_settings import BaseSettings
-from client import logger
+from client.logger import logger
 
 load_dotenv()
 
+
 class OAuthSettings(BaseSettings):
     AZURE_CLIENT_ID: str
     AZURE_CLIENT_SECRET: str
     AZURE_TENANT_ID: str
-    API_SCOPE: str
     REDIRECT_URI: str
 
     class Config:
@@ -21,21 +19,21 @@ class Config:
 def initialize_oauth_settings():
     try:
         # Create an instance of OAuthSettings
-        internal_oauth_settings = OAuthSettings()
+        settings = OAuthSettings()
 
         # Check if the required OAuth fields are set
-        if not internal_oauth_settings.AZURE_CLIENT_ID or not internal_oauth_settings.AZURE_CLIENT_SECRET or not internal_oauth_settings.AZURE_TENANT_ID or not internal_oauth_settings.API_SCOPE:
-            logger.logger.error("One or more required OAuth environment variables are missing.")
+        if not settings.AZURE_CLIENT_ID or not settings.AZURE_CLIENT_SECRET or not settings.AZURE_TENANT_ID:
+            logger.error("One or more required OAuth environment variables are missing.")
             raise HTTPException(status_code=500,
                                 detail="Configuration error: Required OAuth environment variables are missing.")
 
-        logger.logger.info("OAuth settings loaded successfully.")
-        return internal_oauth_settings
+        logger.info("OAuth settings loaded successfully.")
+        return settings
     except FileNotFoundError:
-        logger.logger.critical(".env file not found.")
+        logger.critical(".env file not found.")
         raise HTTPException(status_code=500, detail="Configuration error: .env file not found.")
     except Exception as e:
-        logger.logger.critical(f"Error loading OAuth settings: {e}")
+        logger.critical(f"Error loading OAuth settings: {e}")
         raise HTTPException(status_code=500,
                             detail="Configuration error: An error occurred while loading OAuth settings.")
 

client/config/oauth.py

@@ -0,0 +1,3 @@
+from .logger import logger
+
+__all__ = ["logger"]

client/logger.py

@@ -0,0 +1,8 @@
+import logging
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+)
+
+logger = logging.getLogger("logger")

client/logger/__init__.py

@@ -4,8 +4,8 @@
 from client.routers import auth, heroes
 
 app = FastAPI(
-    title="Hero API",
-    description="An API to manage heroes secure by OAuth 2.0 auth code flow",
+    title="Hvalfangst Client",
+    description="Client accessing our server deployed on Azure Web Apps secured by OAuth 2.0 authorization code flow with OIDC",
     version="1.0.0"
 )
 

client/logger/logger.py

@@ -1,5 +1,3 @@
-# client/models/__init__.py
+from .hero import Hero
 
-from .dnd_hero import DnDHero, AbilityScores, SkillProficiencies, Equipment, Spell
-
-__all__ = ["DnDHero", "AbilityScores", "SkillProficiencies", "Equipment", "Spell"]
+__all__ = ["Hero"]