Project-MONAI
diff --git a/‎src/Authentication/Configurations/AuthenticationOptions.cs
Lines changed: 43 additions & 11 deletions b/‎src/Authentication/Configurations/AuthenticationOptions.cs
Lines changed: 43 additions & 11 deletions
diff --git a/‎src/Authentication/Configurations/Claims.cs renamed to ‎src/Authentication/Configurations/ClaimMappings.cs
Lines changed: 12 additions & 9 deletions b/‎src/Authentication/Configurations/Claims.cs renamed to ‎src/Authentication/Configurations/ClaimMappings.cs
Lines changed: 12 additions & 9 deletions
diff --git a/‎src/Authentication/Configurations/OpenIdOptions.cs
Lines changed: 15 additions & 8 deletions b/‎src/Authentication/Configurations/OpenIdOptions.cs
Lines changed: 15 additions & 8 deletions
diff --git a/‎src/Authentication/Extensions/AuthKeys.cs
Lines changed: 0 additions & 1 deletion b/‎src/Authentication/Extensions/AuthKeys.cs
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/Authentication/Extensions/HttpContextExtension.cs
Lines changed: 25 additions & 8 deletions b/‎src/Authentication/Extensions/HttpContextExtension.cs
Lines changed: 25 additions & 8 deletions
diff --git a/‎src/Authentication/Extensions/MonaiAuthenticationExtensions.cs
Lines changed: 27 additions & 41 deletions b/‎src/Authentication/Extensions/MonaiAuthenticationExtensions.cs
Lines changed: 27 additions & 41 deletions
diff --git a/‎src/Authentication/Logging.cs
Lines changed: 13 additions & 1 deletion b/‎src/Authentication/Logging.cs
Lines changed: 13 additions & 1 deletion
@@ -24,10 +24,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations
 {
     public class AuthenticationOptions
     {
-        [ConfigurationKeyName("BypassAuthentication")]
+        [ConfigurationKeyName("bypassAuthentication")]
         public bool? BypassAuthentication { get; set; }
 
-        [ConfigurationKeyName("OpenId")]
+        [ConfigurationKeyName("openId")]
         public OpenIdOptions? OpenId { get; set; }
 
         public bool BypassAuth(ILogger logger)
@@ -42,26 +42,58 @@ public bool BypassAuth(ILogger logger)
 
             if (OpenId is null)
             {
-                throw new InvalidOperationException("OpenId configuration is invalid.");
+                throw new InvalidOperationException("openId configuration is invalid.");
             }
-            if (OpenId.Claims is null || OpenId.Claims.RequiredUserClaims!.IsNullOrEmpty() || OpenId.Claims.RequiredAdminClaims!.IsNullOrEmpty())
+            if (string.IsNullOrWhiteSpace(OpenId.ClientId))
             {
-                throw new InvalidOperationException("No claims defined for OpenId.");
+                throw new InvalidOperationException("No clientId defined for OpenId.");
             }
-            if (string.IsNullOrWhiteSpace(OpenId.ClientId))
+            if (string.IsNullOrWhiteSpace(OpenId.RealmKey))
             {
-                throw new InvalidOperationException("No ClientId defined for OpenId.");
+                throw new InvalidOperationException("No realmKey defined for OpenId.");
             }
-            if (string.IsNullOrWhiteSpace(OpenId.ServerRealmKey))
+            if (string.IsNullOrWhiteSpace(OpenId.Realm))
             {
-                throw new InvalidOperationException("No ServerRealmKey defined for OpenId.");
+                throw new InvalidOperationException("No realm defined for OpenId.");
             }
-            if (string.IsNullOrWhiteSpace(OpenId.ServerRealm))
+            if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty())
             {
-                throw new InvalidOperationException("No ServerRealm defined for OpenId.");
+                throw new InvalidOperationException("No claimMappings defined for OpenId.");
             }
 
+            ValidateClaims(OpenId.Claims.UserClaims!, true);
+            ValidateClaims(OpenId.Claims.AdminClaims!, false);
+
             return false;
         }
+
+        private void ValidateClaims(List<ClaimMapping> claims, bool validateEndpoints)
+        {
+            foreach (var claim in claims)
+            {
+                if (string.IsNullOrWhiteSpace(claim.ClaimType))
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+
+                if (claim.ClaimValues.IsNullOrEmpty())
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+
+                foreach (var claimValue in claim.ClaimValues)
+                {
+                    if (string.IsNullOrWhiteSpace(claimValue))
+                    {
+                        throw new InvalidOperationException($"Invalid claimValue for {claim.ClaimType}.");
+                    }
+                }
+
+                if (validateEndpoints && claim.Endpoints.IsNullOrEmpty())
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+            }
+        }
     }
 }
@@ -18,21 +18,24 @@
 
 namespace Monai.Deploy.Security.Authentication.Configurations
 {
-    public class Claims
+    public class ClaimMappings
     {
-        [ConfigurationKeyName("RequiredUserClaims")]
-        public List<Claim>? RequiredUserClaims { get; set; }
+        [ConfigurationKeyName("userClaims")]
+        public List<ClaimMapping>? UserClaims { get; set; }
 
-        [ConfigurationKeyName("RequiredAdminClaims")]
-        public List<Claim>? RequiredAdminClaims { get; set; }
+        [ConfigurationKeyName("adminClaims")]
+        public List<ClaimMapping>? AdminClaims { get; set; }
     }
 
-    public class Claim
+    public class ClaimMapping
     {
-        [ConfigurationKeyName("user_roles")]
-        public string? UserRoles { get; set; }
+        [ConfigurationKeyName("claimType")]
+        public string ClaimType { get; set; } = string.Empty;
+
+        [ConfigurationKeyName("claimValues")]
+        public List<string> ClaimValues { get; set; } = new List<string>();
 
         [ConfigurationKeyName("endpoints")]
-        public List<string>? Endpoints { get; set; }
+        public List<string>? Endpoints { get; set; } = default;
     }
 }
@@ -14,25 +14,32 @@
  * limitations under the License.
  */
 
+using System.Security.Claims;
 using Microsoft.Extensions.Configuration;
 
 namespace Monai.Deploy.Security.Authentication.Configurations
 {
     public class OpenIdOptions
     {
-        [ConfigurationKeyName("ServerRealm")]
-        public string? ServerRealm { get; set; }
+        [ConfigurationKeyName("realm")]
+        public string? Realm { get; set; }
 
-        [ConfigurationKeyName("ServerRealmKey")]
-        public string? ServerRealmKey { get; set; }
+        [ConfigurationKeyName("realmKey")]
+        public string? RealmKey { get; set; }
 
-        [ConfigurationKeyName("ClientId")]
+        [ConfigurationKeyName("clientId")]
         public string? ClientId { get; set; }
 
-        [ConfigurationKeyName("Claims")]
-        public Claims? Claims { get; set; }
+        [ConfigurationKeyName("claimMappings")]
+        public ClaimMappings? Claims { get; set; }
 
-        [ConfigurationKeyName("Audiences")]
+        [ConfigurationKeyName("audiences")]
         public IList<string>? Audiences { get; set; }
+
+        [ConfigurationKeyName("roleClaimType")]
+        public string RoleClaimType { get; set; } = ClaimTypes.Role;
+
+        [ConfigurationKeyName("clearDefaultRoleMappigns")]
+        public bool ClearDefaultRoleMappigns { get; set; } = true;
     }
 }
@@ -25,6 +25,5 @@ public static class AuthKeys
 
         // Configuration Keys
         public const string OpenId = "OpenId";
-        public const string UserRoles = "user_roles";
     }
 }
@@ -16,6 +16,9 @@
 
 using Ardalis.GuardClauses;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Monai.Deploy.Security.Authentication.Middleware;
+using Monai.Deploy.WorkflowManager.Logging;
 
 namespace Monai.Deploy.Security.Authentication.Extensions
 {
@@ -24,32 +27,46 @@ public static class HttpContextExtension
         /// <summary>
         /// Gets endpoints specified in config for roles in claims.
         /// </summary>
-        /// <param name="httpcontext"></param>
+        /// <param name="httpContext"></param>
         /// <param name="requiredClaims"></param>
         /// <returns></returns>
-        public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.Claim> adminClaims, List<Configurations.Claim> userClaims)
+        public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
         {
             Guard.Against.Null(adminClaims);
             Guard.Against.Null(userClaims);
 
+            foreach (var claim in httpContext.User.Claims)
+            {
+                logger.UserClaimFound(claim.Type, claim.Value);
+
+            }
+
             foreach (var claim in adminClaims!)
             {
-                if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))
+                foreach (var role in claim.ClaimValues)
                 {
-                    return new List<string> { "all" };
+                    logger.CheckingUserClaim(claim.ClaimType, role);
+                    if (httpContext.User.HasClaim(claim.ClaimType, role))
+                    {
+                        return new List<string> { "*" };
+                    }
                 }
             }
 
+            var endpoints = new List<string>();
             foreach (var claim in userClaims!)
             {
-                if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))
+                foreach (var role in claim.ClaimValues)
                 {
-                    return claim.Endpoints!;
+                    logger.CheckingUserClaim(claim.ClaimType, role);
+                    if (httpContext.User.HasClaim(claim.ClaimType, role))
+                    {
+                        endpoints.AddRange(claim.Endpoints!);
+                    }
                 }
-
             }
 
-            return new List<string>();
+            return endpoints.Distinct().ToList();
         }
     }
 }
@@ -14,10 +14,10 @@
  * limitations under the License.
  */
 
+using System.IdentityModel.Tokens.Jwt;
 using System.Text;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -49,53 +49,39 @@ public static IServiceCollection AddMonaiAuthentication(
                 return services;
             }
 
-            services.AddAuthentication(options =>
+            if (configurations.Value.OpenId?.ClearDefaultRoleMappigns ?? false)
             {
-                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
-                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-            })
-            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options =>
-            {
-                options.Authority = configurations.Value.OpenId!.ServerRealm;
-                options.Audience = configurations.Value.OpenId!.ServerRealm;
-                options.RequireHttpsMetadata = false;
+                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role");
+                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("roles");
+            }
 
-                options.TokenValidationParameters = new TokenValidationParameters
+            services
+                .AddAuthentication(options =>
                 {
-                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.ServerRealmKey!)),
-                    ValidIssuer = configurations.Value.OpenId.ServerRealm,
-                    ValidAudiences = configurations.Value.OpenId.Audiences,
-                    ValidateIssuerSigningKey = true,
-                    ValidateIssuer = true,
-                    ValidateLifetime = true,
-                    ValidateAudience = true,
-                };
-            });
-
-            services.AddAuthorization(options =>
-            {
-                if (configurations.Value.OpenId!.Claims!.RequiredAdminClaims!.Any())
+                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                })
+                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options =>
                 {
-                    AddPolicy(options, configurations.Value.OpenId!.Claims!.RequiredAdminClaims!, AuthKeys.AdminPolicyName);
-                }
+                    options.Authority = configurations.Value.OpenId!.Realm;
+                    options.Audience = configurations.Value.OpenId!.Realm;
+                    options.RequireHttpsMetadata = false;
 
-                if (configurations.Value.OpenId!.Claims!.RequiredUserClaims!.Any())
-                {
-                    AddPolicy(options, configurations.Value.OpenId!.Claims!.RequiredUserClaims!, AuthKeys.UserPolicyName);
-                }
-            });
+                    options.TokenValidationParameters = new TokenValidationParameters
+                    {
+                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.RealmKey!)),
+                        RoleClaimType = configurations.Value.OpenId.RoleClaimType,
+                        ValidIssuer = configurations.Value.OpenId.Realm,
+                        ValidAudiences = configurations.Value.OpenId.Audiences,
+                        ValidateIssuerSigningKey = true,
+                        ValidateIssuer = true,
+                        ValidateLifetime = true,
+                        ValidateAudience = true,
+                    };
+                });
 
+            services.AddAuthorization();
             return services;
         }
-
-        private static void AddPolicy(AuthorizationOptions options, List<Configurations.Claim> claims, string policyName)
-        {
-            foreach (var dict in claims)
-            {
-                options.AddPolicy(policyName, policy => policy
-                    .RequireAuthenticatedUser()
-                    .RequireClaim("user_roles", dict.UserRoles!));
-            }
-        }
     }
 }
@@ -20,7 +20,19 @@ namespace Monai.Deploy.WorkflowManager.Logging
 {
     public static partial class Log
     {
-        [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "BYpass authentication.")]
+        [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "Bypass authentication.")]
         public static partial void BypassAuthentication(this ILogger logger);
+
+        [LoggerMessage(EventId = 500001, Level = LogLevel.Debug, Message = "User '{user}' attempting to access controller '{controller}'.")]
+        public static partial void UserAccessingController(this ILogger logger, string? user, string controller);
+
+        [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")]
+        public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions);
+
+        [LoggerMessage(EventId = 500003, Level = LogLevel.Trace, Message = "User claim {claim}={value}.")]
+        public static partial void UserClaimFound(this ILogger logger, string? claim, string? value);
+
+        [LoggerMessage(EventId = 500004, Level = LogLevel.Trace, Message = "Checking user claim {claim}={value}.")]
+        public static partial void CheckingUserClaim(this ILogger logger, string? claim, string? value);
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations`
`24`	`24`	`{`
`25`	`25`	`public class AuthenticationOptions`
`26`	`26`	`{`
`27`		`- [ConfigurationKeyName("BypassAuthentication")]`
	`27`	`+ [ConfigurationKeyName("bypassAuthentication")]`
`28`	`28`	`public bool? BypassAuthentication { get; set; }`
`29`	`29`
`30`		`- [ConfigurationKeyName("OpenId")]`
	`30`	`+ [ConfigurationKeyName("openId")]`
`31`	`31`	`public OpenIdOptions? OpenId { get; set; }`
`32`	`32`
`33`	`33`	`public bool BypassAuth(ILogger logger)`
`@@ -42,26 +42,58 @@ public bool BypassAuth(ILogger logger)`
`42`	`42`
`43`	`43`	`if (OpenId is null)`
`44`	`44`	`{`
`45`		`- throw new InvalidOperationException("OpenId configuration is invalid.");`
	`45`	`+ throw new InvalidOperationException("openId configuration is invalid.");`
`46`	`46`	`}`
`47`		`- if (OpenId.Claims is null \|\| OpenId.Claims.RequiredUserClaims!.IsNullOrEmpty() \|\| OpenId.Claims.RequiredAdminClaims!.IsNullOrEmpty())`
	`47`	`+ if (string.IsNullOrWhiteSpace(OpenId.ClientId))`
`48`	`48`	`{`
`49`		`- throw new InvalidOperationException("No claims defined for OpenId.");`
	`49`	`+ throw new InvalidOperationException("No clientId defined for OpenId.");`
`50`	`50`	`}`
`51`		`- if (string.IsNullOrWhiteSpace(OpenId.ClientId))`
	`51`	`+ if (string.IsNullOrWhiteSpace(OpenId.RealmKey))`
`52`	`52`	`{`
`53`		`- throw new InvalidOperationException("No ClientId defined for OpenId.");`
	`53`	`+ throw new InvalidOperationException("No realmKey defined for OpenId.");`
`54`	`54`	`}`
`55`		`- if (string.IsNullOrWhiteSpace(OpenId.ServerRealmKey))`
	`55`	`+ if (string.IsNullOrWhiteSpace(OpenId.Realm))`
`56`	`56`	`{`
`57`		`- throw new InvalidOperationException("No ServerRealmKey defined for OpenId.");`
	`57`	`+ throw new InvalidOperationException("No realm defined for OpenId.");`
`58`	`58`	`}`
`59`		`- if (string.IsNullOrWhiteSpace(OpenId.ServerRealm))`
	`59`	`+ if (OpenId.Claims is null \|\| OpenId.Claims.UserClaims!.IsNullOrEmpty() \|\| OpenId.Claims.AdminClaims!.IsNullOrEmpty())`
`60`	`60`	`{`
`61`		`- throw new InvalidOperationException("No ServerRealm defined for OpenId.");`
	`61`	`+ throw new InvalidOperationException("No claimMappings defined for OpenId.");`
`62`	`62`	`}`
`63`	`63`
	`64`	`+ ValidateClaims(OpenId.Claims.UserClaims!, true);`
	`65`	`+ ValidateClaims(OpenId.Claims.AdminClaims!, false);`
	`66`	`+`
`64`	`67`	`return false;`
`65`	`68`	`}`
	`69`	`+`
	`70`	`+ private void ValidateClaims(List<ClaimMapping> claims, bool validateEndpoints)`
	`71`	`+ {`
	`72`	`+ foreach (var claim in claims)`
	`73`	`+ {`
	`74`	`+ if (string.IsNullOrWhiteSpace(claim.ClaimType))`
	`75`	`+ {`
	`76`	`+ throw new InvalidOperationException("Value for claimType is invalid.");`
	`77`	`+ }`
	`78`	`+`
	`79`	`+ if (claim.ClaimValues.IsNullOrEmpty())`
	`80`	`+ {`
	`81`	`+ throw new InvalidOperationException("Value for claimType is invalid.");`
	`82`	`+ }`
	`83`	`+`
	`84`	`+ foreach (var claimValue in claim.ClaimValues)`
	`85`	`+ {`
	`86`	`+ if (string.IsNullOrWhiteSpace(claimValue))`
	`87`	`+ {`
	`88`	`+ throw new InvalidOperationException($"Invalid claimValue for {claim.ClaimType}.");`
	`89`	`+ }`
	`90`	`+ }`
	`91`	`+`
	`92`	`+ if (validateEndpoints && claim.Endpoints.IsNullOrEmpty())`
	`93`	`+ {`
	`94`	`+ throw new InvalidOperationException("Value for claimType is invalid.");`
	`95`	`+ }`
	`96`	`+ }`
	`97`	`+ }`
`66`	`98`	`}`
`67`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,21 +18,24 @@`
`18`	`18`
`19`	`19`	`namespace Monai.Deploy.Security.Authentication.Configurations`
`20`	`20`	`{`
`21`		`- public class Claims`
	`21`	`+ public class ClaimMappings`
`22`	`22`	`{`
`23`		`- [ConfigurationKeyName("RequiredUserClaims")]`
`24`		`- public List<Claim>? RequiredUserClaims { get; set; }`
	`23`	`+ [ConfigurationKeyName("userClaims")]`
	`24`	`+ public List<ClaimMapping>? UserClaims { get; set; }`
`25`	`25`
`26`		`- [ConfigurationKeyName("RequiredAdminClaims")]`
`27`		`- public List<Claim>? RequiredAdminClaims { get; set; }`
	`26`	`+ [ConfigurationKeyName("adminClaims")]`
	`27`	`+ public List<ClaimMapping>? AdminClaims { get; set; }`
`28`	`28`	`}`
`29`	`29`
`30`		`- public class Claim`
	`30`	`+ public class ClaimMapping`
`31`	`31`	`{`
`32`		`- [ConfigurationKeyName("user_roles")]`
`33`		`- public string? UserRoles { get; set; }`
	`32`	`+ [ConfigurationKeyName("claimType")]`
	`33`	`+ public string ClaimType { get; set; } = string.Empty;`
	`34`	`+`
	`35`	`+ [ConfigurationKeyName("claimValues")]`
	`36`	`+ public List<string> ClaimValues { get; set; } = new List<string>();`
`34`	`37`
`35`	`38`	`[ConfigurationKeyName("endpoints")]`
`36`		`- public List<string>? Endpoints { get; set; }`
	`39`	`+ public List<string>? Endpoints { get; set; } = default;`
`37`	`40`	`}`
`38`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,5 @@ public static class AuthKeys`
`25`	`25`
`26`	`26`	`// Configuration Keys`
`27`	`27`	`public const string OpenId = "OpenId";`
`28`		`- public const string UserRoles = "user_roles";`
`29`	`28`	`}`
`30`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,9 @@`
`16`	`16`
`17`	`17`	`using Ardalis.GuardClauses;`
`18`	`18`	`using Microsoft.AspNetCore.Http;`
	`19`	`+using Microsoft.Extensions.Logging;`
	`20`	`+using Monai.Deploy.Security.Authentication.Middleware;`
	`21`	`+using Monai.Deploy.WorkflowManager.Logging;`
`19`	`22`
`20`	`23`	`namespace Monai.Deploy.Security.Authentication.Extensions`
`21`	`24`	`{`
`@@ -24,32 +27,46 @@ public static class HttpContextExtension`
`24`	`27`	`/// <summary>`
`25`	`28`	`/// Gets endpoints specified in config for roles in claims.`
`26`	`29`	`/// </summary>`
`27`		`- /// <param name="httpcontext"></param>`
	`30`	`+ /// <param name="httpContext"></param>`
`28`	`31`	`/// <param name="requiredClaims"></param>`
`29`	`32`	`/// <returns></returns>`
`30`		`- public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.Claim> adminClaims, List<Configurations.Claim> userClaims)`
	`33`	`+ public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)`
`31`	`34`	`{`
`32`	`35`	`Guard.Against.Null(adminClaims);`
`33`	`36`	`Guard.Against.Null(userClaims);`
`34`	`37`
	`38`	`+ foreach (var claim in httpContext.User.Claims)`
	`39`	`+ {`
	`40`	`+ logger.UserClaimFound(claim.Type, claim.Value);`
	`41`	`+`
	`42`	`+ }`
	`43`	`+`
`35`	`44`	`foreach (var claim in adminClaims!)`
`36`	`45`	`{`
`37`		`- if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))`
	`46`	`+ foreach (var role in claim.ClaimValues)`
`38`	`47`	`{`
`39`		`- return new List<string> { "all" };`
	`48`	`+ logger.CheckingUserClaim(claim.ClaimType, role);`
	`49`	`+ if (httpContext.User.HasClaim(claim.ClaimType, role))`
	`50`	`+ {`
	`51`	`+ return new List<string> { "*" };`
	`52`	`+ }`
`40`	`53`	`}`
`41`	`54`	`}`
`42`	`55`
	`56`	`+ var endpoints = new List<string>();`
`43`	`57`	`foreach (var claim in userClaims!)`
`44`	`58`	`{`
`45`		`- if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))`
	`59`	`+ foreach (var role in claim.ClaimValues)`
`46`	`60`	`{`
`47`		`- return claim.Endpoints!;`
	`61`	`+ logger.CheckingUserClaim(claim.ClaimType, role);`
	`62`	`+ if (httpContext.User.HasClaim(claim.ClaimType, role))`
	`63`	`+ {`
	`64`	`+ endpoints.AddRange(claim.Endpoints!);`
	`65`	`+ }`
`48`	`66`	`}`
`49`		`-`
`50`	`67`	`}`
`51`	`68`
`52`		`- return new List<string>();`
	`69`	`+ return endpoints.Distinct().ToList();`
`53`	`70`	`}`
`54`	`71`	`}`
`55`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,19 @@ namespace Monai.Deploy.WorkflowManager.Logging`
`20`	`20`	`{`
`21`	`21`	`public static partial class Log`
`22`	`22`	`{`
`23`		`- [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "BYpass authentication.")]`
	`23`	`+ [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "Bypass authentication.")]`
`24`	`24`	`public static partial void BypassAuthentication(this ILogger logger);`
	`25`	`+`
	`26`	`+ [LoggerMessage(EventId = 500001, Level = LogLevel.Debug, Message = "User '{user}' attempting to access controller '{controller}'.")]`
	`27`	`+ public static partial void UserAccessingController(this ILogger logger, string? user, string controller);`
	`28`	`+`
	`29`	`+ [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")]`
	`30`	`+ public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions);`
	`31`	`+`
	`32`	`+ [LoggerMessage(EventId = 500003, Level = LogLevel.Trace, Message = "User claim {claim}={value}.")]`
	`33`	`+ public static partial void UserClaimFound(this ILogger logger, string? claim, string? value);`
	`34`	`+`
	`35`	`+ [LoggerMessage(EventId = 500004, Level = LogLevel.Trace, Message = "Checking user claim {claim}={value}.")]`
	`36`	`+ public static partial void CheckingUserClaim(this ILogger logger, string? claim, string? value);`
`25`	`37`	`}`
`26`	`38`	`}`