oauth2_middleware.h

Go to the documentation of this file.

// BSD 3-Clause License
// Copyright (c) 2021-2025, 🍀☀🌕🌥 🌊
// See the LICENSE file in the project root for full license information.
 
#pragma once
 
#include "kcenon/pacs/web/auth/jwks_provider.h"
#include "kcenon/pacs/web/auth/jwt_validator.h"
#include "kcenon/pacs/web/auth/oauth2_config.h"
 
#include <memory>
#include <optional>
#include <string>
#include <string_view>
#include <vector>
 
// Forward declarations
namespace crow {
struct request;
struct response;
}  // namespace crow
 
namespace kcenon::pacs::security {
class access_control_manager;
}  // namespace kcenon::pacs::security
 
// user_context must be fully defined for std::optional<user_context>
#include "kcenon/pacs/security/user_context.h"
 
namespace kcenon::pacs::web::auth {
 
// =============================================================================
// DICOMweb OAuth Scopes
// =============================================================================
 
namespace dicomweb_scopes {
constexpr std::string_view read = "dicomweb.read";
constexpr std::string_view search = "dicomweb.search";
constexpr std::string_view write = "dicomweb.write";
constexpr std::string_view delete_resource = "dicomweb.delete";
}  // namespace dicomweb_scopes
 
// =============================================================================
// Authentication Result
// =============================================================================
 
struct auth_result {
    security::user_context context;
    jwt_claims claims;
};
 
// =============================================================================
// OAuth 2.0 Middleware
// =============================================================================
 
class oauth2_middleware {
public:
    explicit oauth2_middleware(const oauth2_config& config);
 
    void set_jwks_provider(std::shared_ptr<jwks_provider> provider);
 
    void set_access_control_manager(
        std::shared_ptr<security::access_control_manager> manager);
 
    [[nodiscard]] std::optional<auth_result> authenticate(
        const crow::request& req, crow::response& res) const;
 
    [[nodiscard]] bool require_scope(
        const jwt_claims& claims,
        crow::response& res,
        std::string_view required_scope) const;
 
    [[nodiscard]] bool require_any_scope(
        const jwt_claims& claims,
        crow::response& res,
        const std::vector<std::string>& required_scopes) const;
 
    [[nodiscard]] bool enabled() const noexcept;
 
    [[nodiscard]] const jwt_validator& validator() const noexcept;
 
private:
    oauth2_config config_;
    jwt_validator validator_;
    std::shared_ptr<jwks_provider> jwks_provider_;
    std::shared_ptr<security::access_control_manager> security_manager_;
 
    [[nodiscard]] std::optional<std::string_view> extract_bearer_token(
        const crow::request& req) const;
 
    [[nodiscard]] bool verify_signature(const jwt_token& token) const;
 
    static void set_unauthorized(crow::response& res,
                                 std::string_view message);
 
    static void set_forbidden(crow::response& res,
                              std::string_view message);
};
 
}  // namespace kcenon::pacs::web::auth