Post Connect-a-thon catch up #40
Merged
…cilitated-FHIR-Implementation
Item 1: TEFCA Certification JWT
- TefcaCertificationDocument.cs in Udap.Tefca.Model — subclass of UdapCertificationAndEndorsementDocument that:
  - Defaults certification_name to "TEFCA Basic App Certification"
  - Defaults certification_uris to the RCE basic-app-certification URI
  - Adds exchange_purposes and home_community_id properties
  - Overrides SerializeToJson() to include the TEFCA-specific claims
  - Works with existing SignedSoftwareStatementBuilder<T> for signing
Item 2: TEFCA Error Extension
- TEFCAAuthorizationErrorExtension.cs in Udap.Tefca.Model — model with consent_required and consent_form
- Generic plumbing in Udap.Server:
  - AuthorizationExtensionValidationResult.ErrorExtensions — dictionary for carrying custom error data
  - UdapCustomTokenRequestValidator — stores error extensions in HttpContext.Items when validation fails
  - UdapTokenResponseMiddleware — injects extensions JSON object into error responses
A custom IUdapAuthorizationExtensionValidator implementation (which a TEFCA server would register) can now return error extensions like:

```csharp
return AuthorizationExtensionValidationResult.Failure(
    "invalid_grant",
    "Consent policy required",
    new Dictionary<string, object>
    {
        ["hl7-b2b"] = new TEFCAAuthorizationErrorExtension
        {
            ConsentRequired = ["urn:oid:2.16.840.1.113883.3.7204.1.1.1.1.2.1"]
        }
    });
```
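As an added illustration (not code from udap-dotnet), a Python model of the error-extension flow described above: the validator failure carries namespaced extension objects, the OAuth error body gains an `extensions` member only when some were supplied, and a client reads `consent_required` back out. Class and function names are assumptions; the sample values mirror the snippet.

```python
"""Hypothetical model of the TEFCA error-extension flow (not Udap.Server code)."""
import json
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class TefcaAuthorizationErrorExtension:
    consent_required: list[str] = field(default_factory=list)
    consent_form: Optional[str] = None

    def to_json_dict(self) -> dict[str, Any]:
        # Emit the snake_case claim names from the PR; omit members that were not set.
        out: dict[str, Any] = {"consent_required": list(self.consent_required)}
        if self.consent_form is not None:
            out["consent_form"] = self.consent_form
        return out


@dataclass
class ValidationResult:
    error: Optional[str] = None
    error_description: Optional[str] = None
    error_extensions: dict[str, Any] = field(default_factory=dict)

    @staticmethod
    def failure(error: str, description: str, extensions: Optional[dict] = None):
        return ValidationResult(error, description, dict(extensions or {}))


def build_error_response(result: ValidationResult) -> dict[str, Any]:
    """RFC 6749 error body; 'extensions' is added only when the validator supplied any."""
    body: dict[str, Any] = {"error": result.error, "error_description": result.error_description}
    if result.error_extensions:
        body["extensions"] = {ns: ext.to_json_dict() if hasattr(ext, "to_json_dict") else ext
                              for ns, ext in result.error_extensions.items()}
    return body


def error_response_json(result: ValidationResult) -> str:
    return json.dumps(build_error_response(result))


def consent_policies_required(response_json: str) -> list[str]:
    """Client side: OIDs the server says need consent; [] when no hl7-b2b extension."""
    ext = json.loads(response_json).get("extensions", {}).get("hl7-b2b", {})
    return list(ext.get("consent_required", []))


# Constructed sample mirroring the PR's snippet (hypothetical, not a real policy OID assignment)
SAMPLE = ValidationResult.failure("invalid_grant", "Consent policy required", {
    "hl7-b2b": TefcaAuthorizationErrorExtension(
        consent_required=["urn:oid:2.16.840.1.113883.3.7204.1.1.1.1.2.1"])})
```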
…tration and token issuance

Introduces ICommunityRegistrationValidator and ICommunityTokenValidator interfaces in Udap.Server that enable community-specific validation without hardcoding profile logic into core packages. Implementations are registered as DI collections, following the same pattern as IAuthorizationExtensionDeserializer.

New Udap.Tefca.Server project provides TEFCA implementations:
- TefcaRegistrationValidator: validates that the client certificate SAN URI contains a valid TEFCA Exchange Purpose (XP) code per SOP v2.0 Section 6.11 #5a
- TefcaTokenValidator: enforces that the hl7-b2b purpose_of_use matches the exchange purpose from the client's registered SAN URI

Pipeline changes:
- ChainValidationResult now carries CommunityName from the matched trust anchor
- UdapDynamicClientRegistrationEndpoint calls community registration validators after core validation succeeds, before persisting the client
- DefaultUdapAuthorizationExtensionValidator calls community token validators after purpose_of_use validation completes
- UdapAuthorizationExtensionValidationContext gains SanUri and CommunityName properties
- TEFCAIASAuthorizationExtension.GetPurposeOfUse() now returns actual value instead of null

Also:
- Wires AddUdapTefcaExtensions() and AddUdapTefcaValidation() into Udap.Auth.Server
- Adds Udap.Tefca.Server pack and push to release and prerelease CI workflows
- 26 unit tests covering valid/invalid XP codes, matching/mismatching purpose_of_use, edge cases, and non-TEFCA community regression
…edentialsExtensionsRequired, and AuthorizationCodeExtensionsRequired properties. These can no longer be set via appsettings. All this logic is implemented in ICommunityTokenValidators.
Planning what it would take to move to an API that is a free alternative to Duende Identity Server.
…erties so per-community values in JSON config are now deserialized
Created a Claude skill for turning a full zip FHIR IG download into AI-friendly content.
Udap.Model changes:
- AccessTokenRequestForAuthorizationCodeBuilder — changed _certificate to _certificates (list), added Create(clientId, tokenEndpoint, List<X509Certificate2>, redirectUri, code) overload, single-cert Create wraps in a list, BuildClientAssertion passes the list to SignedSoftwareStatementBuilder
- AccessTokenRequestForClientCredentialsBuilder — same pattern

Tests added (AccessTokenTests.cs):
- ClientCredentials_WithCertificateChain_IncludesMultipleX5cEntries — uses real SureFhirLabs_Intermediate.cer, verifies 2 x5c entries
- AuthorizationCode_WithCertificateChain_IncludesMultipleX5cEntries — same with auth code builder
- ClientCredentials_SingleCert_StillWorks — verifies backward compatibility
- AuthorizationCode_SingleCert_StillWorks — same
Using MS Aspire to orchestrate.
Next up KSM experiment.
…re status Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix copy-paste title errors, fill empty placeholder docs, remove stale references to UdapEd (now separate repo), update API names and feature descriptions to match current codebase. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…roviders, project renames
- Add Hangfire with PostgreSQL storage for job scheduling
- Replace custom Job/JobExecution entities with Hangfire's built-in storage
- Add CrlGenerationService with local PFX and remote signing (ISigningProvider) support
- Add CrlAutoRenewalJob (recurring, configurable cron via UI or appsettings)
- Add Jobs page with recurring job management (edit cron, run now) and CRL status grouped by community
- Add IPublishingProvider interface with domain-based URL routing via PublishingCoordinator
- Add Sigil.FileSystem publisher (writes CRL/cert files to disk)
- Add Sigil.Gcp publisher (uploads to GCS bucket)
- Add Sigil.Certificate.Server (static file server for CRLs/certs, modeled after Udap.Certificates.Server)
- Rename Sigil.Vault.Transit -> Sigil.Vault, merge Sigil.Gcp.Kms + Sigil.Gcp.Publisher -> Sigil.Gcp
- Add RevocationReason to IssuedCertificate entity
- Update Dockerfiles for renamed projects

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [dotnet-sdk](https://github.com/dotnet/sdk) from 10.0.104 to 10.0.202.
- [Release notes](https://github.com/dotnet/sdk/releases)
- [Commits](https://github.com/dotnet/sdk/commits)

---
updated-dependencies:
- dependency-name: dotnet-sdk
  dependency-version: 10.0.202
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
- CA certificate revocation with IsRevoked/RevokedAt/RevocationReason fields
- Revoke UI in CertificateExplorer with reason code selection and automatic CRL regeneration
- CRL generation now includes revoked child CAs in parent CRL
- Community BaseUrl for {BaseUrl} token expansion in certificate template URLs
- Communities page edit dialog for Name/Description/BaseUrl
- Fix re-key dialog not pre-filling subject DN for intermediate certificates
- Improve PublishingCoordinator logging when no provider matches a domain
- Update .NET SDK to 10.0.202
Bumps OpenTelemetry from 1.15.0 to 1.15.3
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.0 to 1.15.3

---
updated-dependencies:
- dependency-name: OpenTelemetry
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
…Auth.Server/nuget-02b6c62f1f Bump the nuget group with 2 updates
…otnet-sdk-10.0.202 Bump dotnet-sdk from 10.0.104 to 10.0.202
Bumps OpenTelemetry from 1.15.0 to 1.15.3
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.0 to 1.15.3

---
updated-dependencies:
- dependency-name: OpenTelemetry
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.15.3
  dependency-type: direct:production
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
…mprovements
- Similar button clones cert metadata into issuance dialog for quick reissue
- AutoRenew flag on CA and issued certs to exclude from Hangfire auto-renewal
- Cross-algorithm signing: RSA CA can now sign ECDSA child certs (X509SignatureGenerator)
- ECDSA template UX: curve auto-sets hash algorithm, hides redundant dropdown
- Template clone opens editor instead of saving immediately
- Preserve user-entered data (subject DN, SANs) when switching templates
- Ensure issuing CA cert/CRL published before endpoint URL validation
- Import area close button, template dropdown reflects programmatic selection
- Visual separation for CRL/AIA resolution labels, revocation date in local time
- Roadmap: planned rename of Community to Trust Domain

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…orage
- New TimeDisplayService with event notification for live UI updates
- Settings gear icon in header opens popover with theme and timezone toggles
- All date displays across Dashboard, Certificate Explorer, and Jobs use the service
- Preference persisted to browser localStorage, survives page reloads
- Click-away dismissal for settings popover

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…Identity.Provider.2/nuget-d65c606cf2 Bump the nuget group with 2 updates
The examples/Udap.CA directory was renamed to examples/CA (Sigil) and does not need the host.docker.internal.pfx SSL certificate.
Implement TEFCA authorization extension and community validation features
See PRs in https://github.com/JoeShook/udap-dotnet for history.