Use IHttpMessageHandlerFactory For HTTP Communication

2025-05-02 18:22:19 -05:00 · 2025-04-08 13:28:14 -04:00 · 2025-04-08 13:28:14 -04:00 · 31a758f687
commit 31a758f687
parent 2716d52709
12 changed files with 47 additions and 2 deletions
--- a/bitwarden_license/src/Scim/Startup.cs
+++ b/bitwarden_license/src/Scim/Startup.cs
@ -89,6 +89,9 @@ public class Startup
        services.AddScimGroupQueries();
        services.AddScimUserQueries();
        services.AddScimUserCommands();
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/bitwarden_license/src/Sso/Startup.cs
+++ b/bitwarden_license/src/Sso/Startup.cs
@ -86,6 +86,9 @@ public class Startup
        // TODO: Remove when OrganizationUser methods are moved out of OrganizationService, this noop dependency should
        // TODO: no longer be required - see PM-1880
        services.AddScoped<IServiceAccountRepository, NoopServiceAccountRepository>();
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@ -35,7 +35,7 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
    private readonly Dictionary<string, DynamicAuthenticationScheme> _cachedHandlerSchemes;
    private readonly SemaphoreSlim _semaphore;
    private readonly IServiceProvider _serviceProvider;
-
+    private readonly IHttpMessageHandlerFactory _httpMessageHandlerFactory;
    private DateTime? _lastSchemeLoad;
    private IEnumerable<DynamicAuthenticationScheme> _schemesCopy = Array.Empty<DynamicAuthenticationScheme>();
    private IEnumerable<DynamicAuthenticationScheme> _handlerSchemesCopy = Array.Empty<DynamicAuthenticationScheme>();
@ -50,7 +50,8 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
        ILogger<DynamicAuthenticationSchemeProvider> logger,
        GlobalSettings globalSettings,
        SamlEnvironment samlEnvironment,
-        IServiceProvider serviceProvider)
+        IServiceProvider serviceProvider,
+        IHttpMessageHandlerFactory httpMessageHandlerFactory)
        : base(options)
    {
        _oidcPostConfigureOptions = oidcPostConfigureOptions;
@ -78,6 +79,7 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
        _cachedHandlerSchemes = new Dictionary<string, DynamicAuthenticationScheme>();
        _semaphore = new SemaphoreSlim(1);
        _serviceProvider = serviceProvider ?? throw new ArgumentNullException(nameof(serviceProvider));
+        _httpMessageHandlerFactory = httpMessageHandlerFactory;
    }

    private bool CacheIsValid
@ -310,6 +312,8 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
            // Prevents URLs that go beyond 1024 characters which may break for some servers
            AuthenticationMethod = config.RedirectBehavior,
            GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint,
+            // Make sure all communication goes through the Platform supplied HttpMessageHandler
+            BackchannelHttpHandler = _httpMessageHandlerFactory.CreateHandler(),
        };
        oidcOptions.Scope
            .AddIfNotExists(OpenIdConnectScopes.OpenId)
--- a/src/Admin/Startup.cs
+++ b/src/Admin/Startup.cs
@ -129,6 +129,9 @@ public class Startup
                services.AddHostedService<HostedServices.AzureQueueMailHostedService>();
            }
        }
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -215,6 +215,9 @@ public class Startup
        {
            services.AddHostedService<Core.HostedServices.ApplicationCacheHostedService>();
        }
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@ -121,6 +121,9 @@ public class Startup
        // Swagger
        services.AddEndpointsApiExplorer();
        services.AddSwaggerGen();
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@ -130,6 +130,9 @@ public class Startup
                        globalSettings.EventLogging.RabbitMq.WebhookQueueName));
            }
        }
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/EventsProcessor/Startup.cs
+++ b/src/EventsProcessor/Startup.cs
@ -59,6 +59,9 @@ public class Startup
            }
        }
        services.AddHostedService<AzureQueueHostedService>();
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Icons/Startup.cs
+++ b/src/Icons/Startup.cs
@ -47,6 +47,9 @@ public class Startup

        // Mvc
        services.AddMvc();
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Identity/Startup.cs
+++ b/src/Identity/Startup.cs
@ -163,6 +163,9 @@ public class Startup
        {
            client.BaseAddress = new Uri(globalSettings.BaseServiceUri.InternalSso);
        });
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@ -76,6 +76,9 @@ public class Startup
                services.AddHostedService<AzureQueueHostedService>();
            }
        }
+
+        // This should be registered last because it customizes the primary http message handler and we want it to win.
+        services.AddX509ChainCustomization();
    }

    public void Configure(
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -483,6 +483,8 @@ public static class ServiceCollectionExtensions
        Action<AuthorizationOptions> addAuthorization)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            // If we ever use the overload here with a different authentication scheme name then 
+            // we need to change the AddOptions call below.
            .AddJwtBearer(options =>
            {
                options.MapInboundClaims = false;
@ -502,6 +504,15 @@ public static class ServiceCollectionExtensions
                };
            });

+        // This is done through a Configure method instead of above so that we can avoid
+        // an early creation of services but still use a service that should centrally control how HttpMessageHandlers
+        // are created.
+        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
+            .Configure<IHttpMessageHandlerFactory>((options, httpMessageHandlerFactory) =>
+            {
+                options.BackchannelHttpHandler = httpMessageHandlerFactory.CreateHandler();
+            });
+
        if (addAuthorization != null)
        {
            services.AddAuthorization(config =>