Extract IDP configuration to external JSON file

Move all hard-coded identity server settings (API resource, scope, client,
users/roles) from Program.cs into config/idp-config.json and add parsing
logic. The config file is copied to the output directory so it works for
local development and is available at /app/config/idp-config.json in the
Docker image, making it straightforward to override via a volume mount.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Program.cs

@@ -1,9 +1,10 @@
-// Copyright (c) SimpleIdServer. All rights reserved.
+// Copyright (c) SimpleIdServer. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
-using System.Security.Claims;
+using System.Text.Json;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
 using SimpleIdServer.IdServer.Builders;
@@ -14,83 +15,48 @@ using SimpleIdServer.IdServer.Stores;
 
 var corsPolicyName = "AllowAll";
 
+// ── Load configuration ────────────────────────────────────────────────────────
+var configPath = Path.Combine(AppContext.BaseDirectory, "config", "idp-config.json");
+if (!File.Exists(configPath))
+    throw new FileNotFoundException(
+        $"IDP configuration file not found at '{configPath}'. " +
+        "Mount your config file to /app/config/idp-config.json when running in Docker.");
+
+var idpConfig = JsonSerializer.Deserialize<IdpConfig>(
+    File.ReadAllText(configPath),
+    new JsonSerializerOptions { PropertyNameCaseInsensitive = true })
+    ?? throw new InvalidOperationException("Failed to deserialize IDP configuration.");
+
+// ── Build realm ───────────────────────────────────────────────────────────────
 var realm = RealmBuilder.CreateMaster().Build();
 
-//api.Audience = "urn:bighand:api:bi:portal";
+// ── Build API resource ────────────────────────────────────────────────────────
-
-var users = new List<User>
-{
-    UserBuilder
-        .Create("administrator", "password", "Administrator")
-        .SetEmail("adm@mail.com")
-        .SetFirstname("Administrator")
-        .AddRole("BI.PORTAL_ADMIN")
-        .AddRole("BI.TENANT_ADMIN")
-        .AddClaim("tid", "cbaa13c2-e95b-470a-bbcb-18911d5a6025")
-        .AddClaim("aud","urn:bighand:api:bi:portal")
-        .AddConsent("master","212C9DB96C2A4B6DA0AFDB2222F6EEAA.bighand.com","bi.portal")
-        .SetEmailVerified(true)
-        .Build(),
-
-};
-
-var rUser = new RealmUser
-{
-    Realm = realm,
-    User = users[0],
-};
-
-users[0].Realms.Add(rUser);
-
-
 var api = new ApiResource
 {
     Realms = { realm },
-    Name = "BI Portal API",
+    Name = idpConfig.Api.Name,
-    Audience = "urn:bighand:api:bi:portal"
+    Audience = idpConfig.Api.Audience
 };
 
-//var scopes = new List<Scope> { ScopeBuilder.CreateRoleScope(clients[0], "bi.portal", "").Build() };
+// ── Build custom scope with claim mappers ─────────────────────────────────────
-var biScope = new Scope()
+var biScope = new Scope
 {
     Realms = { realm },
     ApiResources = { api },
     Protocol = ScopeProtocols.OAUTH,
     Type = ScopeTypes.APIRESOURCE,
-    Name = "bi.portal",
+    Name = idpConfig.Scope.Name,
-    Description = "BI Portal Scope",
+    Description = idpConfig.Scope.Description,
-    ClaimMappers =
+    ClaimMappers = idpConfig.Scope.ClaimMappers.Select(cm => new ScopeClaimMapper
-    {
-        new ScopeClaimMapper()
     {
         IncludeInAccessToken = true,
-            TokenClaimJsonType = TokenClaimJsonTypes.STRING,
+        TokenClaimJsonType = Enum.Parse<TokenClaimJsonTypes>(cm.TokenClaimJsonType, ignoreCase: true),
-            TargetClaimPath = "roles",
+        TargetClaimPath = cm.TargetClaimPath,
         MapperType = MappingRuleTypes.USERATTRIBUTE,
-            IsMultiValued=true,
+        IsMultiValued = cm.IsMultiValued,
-            SourceUserAttribute = "role",
+        SourceUserAttribute = cm.SourceUserAttribute,
-            SourceUserProperty = "role",
+        SourceUserProperty = cm.SourceUserAttribute,
-        },
+    }).ToList(),
-        new ScopeClaimMapper()
-        {
-            IncludeInAccessToken = true,
-            TokenClaimJsonType = TokenClaimJsonTypes.STRING,
-            TargetClaimPath = "tid",
-            MapperType = MappingRuleTypes.USERATTRIBUTE,
-            SourceUserAttribute = "tid",
-            SourceUserProperty = "tid",
-        },
-         new ScopeClaimMapper()
-        {
-            IncludeInAccessToken = true,
-            TokenClaimJsonType = TokenClaimJsonTypes.STRING,
-            TargetClaimPath = "upn",
-            MapperType = MappingRuleTypes.USERATTRIBUTE,
-            SourceUserAttribute = "email",
-            SourceUserProperty = "email",
-        },
-
-    },
 };
 
 api.Scopes.Add(biScope);
@@ -103,37 +69,65 @@ var scopes = new List<Scope>
     new Scope("offline_access") { Realms = { realm } },
     biScope
 };
-var clients = new List<Client>
+
-{
+// ── Build client ──────────────────────────────────────────────────────────────
-    ClientBuilder
+var client = ClientBuilder
-        .BuildUserAgentClient("212C9DB96C2A4B6DA0AFDB2222F6EEAA.bighand.com", null, realm, new[] { "http://localhost:4200/loggedin" })
+    .BuildUserAgentClient(
-        .SetClientName("BI Portal")
+        idpConfig.Client.ClientId,
+        null,
+        realm,
+        idpConfig.Client.RedirectUris.ToArray())
+    .SetClientName(idpConfig.Client.Name)
     .AddScope(scopes.ToArray())
     .AddRefreshToken()
-        .Build(),
+    .Build();
-};
 
+client.IsPublic = idpConfig.Client.IsPublic;
+client.Realms.Add(realm);
 
-clients[0].IsPublic = true;
+var clients = new List<Client> { client };
-clients[0].Realms.Add(realm);
 
-realm.Clients.Add(clients[0]);
+// ── Build users ───────────────────────────────────────────────────────────────
-realm.ApiResources.Add(api);
+var users = idpConfig.Users.Select(u =>
+{
+    var userBuilder = UserBuilder
+        .Create(u.Login, u.Password, u.Name)
+        .SetEmail(u.Email)
+        .SetFirstname(u.Firstname)
+        .SetEmailVerified(u.EmailVerified);
+
+    foreach (var role in u.Roles)
+        userBuilder = userBuilder.AddRole(role);
+
+    foreach (var claim in u.Claims)
+        userBuilder = userBuilder.AddClaim(claim.Key, claim.Value);
+
+    foreach (var consent in u.Consents)
+        userBuilder = userBuilder.AddConsent(consent.Realm, consent.ClientId, consent.Scope);
+
+    return userBuilder.Build();
+}).ToList();
+
+// ── Wire up realm relationships ───────────────────────────────────────────────
+foreach (var user in users)
+{
+    var rUser = new RealmUser { Realm = realm, User = user };
+    user.Realms.Add(rUser);
     realm.Users.Add(rUser);
+}
+
+realm.Clients.Add(client);
+realm.ApiResources.Add(api);
 scopes.ForEach(s => realm.Scopes.Add(s));
 
-
+// ── Configure services ────────────────────────────────────────────────────────
 var builder = WebApplication.CreateBuilder(args);
 
 builder.Services.AddCors(options =>
 {
     options.AddPolicy(
         name: corsPolicyName,
-        policy =>
+        policy => policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
-        {
-            policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
-        }
-    );
 });
 
 builder
@@ -146,7 +140,6 @@ builder
     .AddInMemoryLanguages(DefaultLanguages.All)
     .AddPwdAuthentication(true);
 
-
 var app = builder.Build();
 
 using (var sc = app.Services.CreateScope())
@@ -160,3 +153,48 @@ app.UseSid();
 app.UseCors(corsPolicyName);
 
 await app.RunAsync();
+
+// ── Configuration model ───────────────────────────────────────────────────────
+
+record IdpConfig(
+    ApiConfig Api,
+    ScopeConfig Scope,
+    ClientConfig Client,
+    List<UserConfig> Users);
+
+record ApiConfig(
+    string Name,
+    string Audience);
+
+record ScopeConfig(
+    string Name,
+    string Description,
+    List<ClaimMapperConfig> ClaimMappers);
+
+record ClaimMapperConfig(
+    string TargetClaimPath,
+    string SourceUserAttribute,
+    string TokenClaimJsonType,
+    bool IsMultiValued = false);
+
+record ClientConfig(
+    string ClientId,
+    string Name,
+    List<string> RedirectUris,
+    bool IsPublic = true);
+
+record UserConfig(
+    string Login,
+    string Password,
+    string Name,
+    string Email,
+    string Firstname,
+    bool EmailVerified,
+    List<string> Roles,
+    Dictionary<string, string> Claims,
+    List<ConsentConfig> Consents);
+
+record ConsentConfig(
+    string Realm,
+    string ClientId,
+    string Scope);

SimpleIdp.csproj

@@ -10,6 +10,11 @@
 		<PackageReference Include="SimpleIdServer.IdServer" Version="6.0.*-*" />
 		<PackageReference Include="Microsoft.Web.LibraryManager.Build" Version="2.1.175" />
 	</ItemGroup>
+	<ItemGroup>
+	  <Content Include="config\idp-config.json">
+	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+	  </Content>
+	</ItemGroup>
 	<ItemGroup>
 	  <Compile Update="Resources\AccountsResource.Designer.cs">
 	    <DependentUpon>AccountsResource.resx</DependentUpon>

config/idp-config.json

@@ -0,0 +1,64 @@
+{
+  "realm": "master",
+  "api": {
+    "name": "BI Portal API",
+    "audience": "urn:bighand:api:bi:portal"
+  },
+  "scope": {
+    "name": "bi.portal",
+    "description": "BI Portal Scope",
+    "claimMappers": [
+      {
+        "targetClaimPath": "roles",
+        "sourceUserAttribute": "role",
+        "tokenClaimJsonType": "STRING",
+        "isMultiValued": true
+      },
+      {
+        "targetClaimPath": "tid",
+        "sourceUserAttribute": "tid",
+        "tokenClaimJsonType": "STRING",
+        "isMultiValued": false
+      },
+      {
+        "targetClaimPath": "upn",
+        "sourceUserAttribute": "email",
+        "tokenClaimJsonType": "STRING",
+        "isMultiValued": false
+      }
+    ]
+  },
+  "client": {
+    "clientId": "212C9DB96C2A4B6DA0AFDB2222F6EEAA.bighand.com",
+    "name": "BI Portal",
+    "redirectUris": [
+      "http://localhost:4200/loggedin"
+    ],
+    "isPublic": true
+  },
+  "users": [
+    {
+      "login": "administrator",
+      "password": "password",
+      "name": "Administrator",
+      "email": "adm@mail.com",
+      "firstname": "Administrator",
+      "emailVerified": true,
+      "roles": [
+        "BI.PORTAL_ADMIN",
+        "BI.TENANT_ADMIN"
+      ],
+      "claims": {
+        "tid": "cbaa13c2-e95b-470a-bbcb-18911d5a6025",
+        "aud": "urn:bighand:api:bi:portal"
+      },
+      "consents": [
+        {
+          "realm": "master",
+          "clientId": "212C9DB96C2A4B6DA0AFDB2222F6EEAA.bighand.com",
+          "scope": "bi.portal"
+        }
+      ]
+    }
+  ]
+}