Beispiel #1
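        /// <summary>
        /// Runs the SSO flow and resolves role credentials. A cached SSO access token for
        /// <c>StartUrl</c> is reused when the cache returns one; otherwise a new token is
        /// requested from the OIDC client, a best-effort attempt is made to cache it, and
        /// it is exchanged for credentials.
        /// </summary>
        /// <remarks>
        /// The SSO access token is a bearer secret: keep it out of logs and exception text.
        /// </remarks>
        /// <param name="oidc">SSO OIDC client used to obtain a new access token</param>
        /// <param name="sso">SSO client used to exchange the access token for credentials</param>
        /// <returns>Resolved credentials</returns>
        /// <exception cref="ArgumentNullException">
        /// A new token has to be requested and <c>Options.ClientName</c> is null or empty,
        /// or <c>Options.SsoVerificationCallback</c> is null.
        /// </exception>
        private ImmutableCredentials GetSsoCredentials(ICoreAmazonSSOOIDC oidc, ICoreAmazonSSO sso)
        {
            var tokenCache = new SsoTokenCache(StartUrl);

            // NOTE(review): whether GetAccessToken() rejects expired entries is not visible
            // here; confirm the cache never hands back a stale token.
            var token = tokenCache.GetAccessToken();

            // Get and cache a SSO token if necessary
            if (string.IsNullOrWhiteSpace(token))
            {
                // Fail fast on incomplete options before a token request is made, so the
                // caller gets a clear error instead of a failure further down the flow.
                // ArgumentNullException(string) treats its single argument as the parameter
                // name, so the name and the message are passed separately.
                if (string.IsNullOrEmpty(Options.ClientName))
                {
                    throw new ArgumentNullException(
                        nameof(Options.ClientName),
                        $"Options property cannot be empty: {nameof(Options.ClientName)}");
                }

                if (Options.SsoVerificationCallback == null)
                {
                    throw new ArgumentNullException(
                        nameof(Options.SsoVerificationCallback),
                        $"Options property cannot be empty: {nameof(Options.SsoVerificationCallback)}");
                }

                var response = oidc.GetSsoToken(new GetSsoTokenRequest()
                {
                    ClientName = GetSsoClientName(),
                    ClientType = SsoClientTypePublic,
                    StartUrl   = StartUrl,
                    SsoVerificationCallback = Options.SsoVerificationCallback,
                });

                // Best effort: if the save fails, the token is simply not cached.
                // NOTE(review): where SsoTokenCache persists the token, and with which
                // permissions, is not visible here; confirm only the current user can read it.
                tokenCache.TrySave(new SsoToken()
                {
                    AccessToken = response.AccessToken,
                    Region      = Region,
                    ExpiresAt   = response.ExpiresAt,
                    StartUrl    = StartUrl,
                });

                token = response.AccessToken;
            }

            // Use SSO token to get credentials
            return GetSsoRoleCredentials(sso, token);
        }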
Beispiel #2
 /// <summary>
 /// Asynchronously exchanges an AWS SSO access token for the credentials of the
 /// configured account and role.
 /// </summary>
 /// <remarks>
 /// The access token is a bearer secret: do not log it or include it in error text.
 /// </remarks>
 /// <param name="sso">AWS SSO client that performs the exchange</param>
 /// <param name="accessToken">AWS SSO access token obtained from a user's authorization</param>
 /// <returns>Resolved credentials</returns>
 private async Task<ImmutableCredentials> GetSsoRoleCredentialsAsync(ICoreAmazonSSO sso, string accessToken)
 {
     // AccountId and RoleName are members of the enclosing type; the trailing null is
     // passed through unchanged (its meaning is defined by the SSO client, not here).
     var credentials = await sso
         .CredentialsFromSsoAccessTokenAsync(AccountId, RoleName, accessToken, null)
         .ConfigureAwait(false);

     return credentials;
 }
Beispiel #3
 /// <summary>
 /// Exchanges an AWS SSO access token for the credentials of the configured
 /// account and role.
 /// </summary>
 /// <remarks>
 /// The access token is a bearer secret: do not log it or include it in error text.
 /// </remarks>
 /// <param name="sso">AWS SSO client that performs the exchange</param>
 /// <param name="accessToken">AWS SSO access token obtained from a user's authorization</param>
 /// <returns>Resolved credentials</returns>
 private ImmutableCredentials GetSsoRoleCredentials(ICoreAmazonSSO sso, string accessToken)
 {
     // AccountId and RoleName are members of the enclosing type; the trailing null is
     // passed through unchanged (its meaning is defined by the SSO client, not here).
     var credentials = sso.CredentialsFromSsoAccessToken(AccountId, RoleName, accessToken, null);

     return credentials;
 }
Beispiel #4
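        /// <summary>
        /// Asynchronously runs the SSO flow and resolves role credentials. A cached SSO
        /// access token for <c>StartUrl</c> is reused when the cache returns one; otherwise
        /// a new token is requested from the OIDC client, a best-effort attempt is made to
        /// cache it, and it is exchanged for credentials.
        /// </summary>
        /// <remarks>
        /// The SSO access token is a bearer secret: keep it out of logs and exception text.
        /// </remarks>
        /// <param name="oidc">SSO OIDC client used to obtain a new access token</param>
        /// <param name="sso">SSO client used to exchange the access token for credentials</param>
        /// <returns>Resolved credentials</returns>
        /// <exception cref="ArgumentNullException">
        /// A new token has to be requested and <c>Options.ClientName</c> is null or empty,
        /// or <c>Options.SsoVerificationCallback</c> is null.
        /// </exception>
        private async Task<ImmutableCredentials> GetSsoCredentialsAsync(ICoreAmazonSSOOIDC oidc, ICoreAmazonSSO sso)
        {
            var tokenCache = new SsoTokenCache(StartUrl);

            // NOTE(review): whether GetAccessToken() rejects expired entries is not visible
            // here; confirm the cache never hands back a stale token.
            var token = tokenCache.GetAccessToken();

            // Get and cache a SSO token if necessary
            if (string.IsNullOrWhiteSpace(token))
            {
                // ArgumentNullException(string) treats its single argument as the parameter
                // name, not the message, so the name and the message are passed separately.
                // NOTE(review): IsNullOrEmpty lets a whitespace-only ClientName through.
                if (string.IsNullOrEmpty(Options.ClientName))
                {
                    throw new ArgumentNullException(
                        nameof(Options.ClientName),
                        $"Options property cannot be empty: {nameof(Options.ClientName)}");
                }

                if (Options.SsoVerificationCallback == null)
                {
                    throw new ArgumentNullException(
                        nameof(Options.SsoVerificationCallback),
                        $"Options property cannot be empty: {nameof(Options.SsoVerificationCallback)}");
                }

                var response = await oidc.GetSsoTokenAsync(new GetSsoTokenRequest()
                {
                    ClientName = GetSsoClientName(),
                    ClientType = SsoClientTypePublic,
                    StartUrl   = StartUrl,
                    SsoVerificationCallback = Options.SsoVerificationCallback,
                }).ConfigureAwait(false);

                // Best effort: if the save fails, the token is simply not cached.
                // NOTE(review): where SsoTokenCache persists the token, and with which
                // permissions, is not visible here; confirm only the current user can read it.
                tokenCache.TrySave(new SsoToken()
                {
                    AccessToken = response.AccessToken,
                    Region      = Region,
                    ExpiresAt   = response.ExpiresAt,
                    StartUrl    = StartUrl,
                });

                token = response.AccessToken;
            }

            // Use SSO token to get credentials
            return await GetSsoRoleCredentialsAsync(sso, token).ConfigureAwait(false);
        }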