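/// <summary>
        /// Requests an access token from <paramref name="accessTokenEndpoint"/>, authenticating
        /// with a short-lived signed JWT (client assertion) instead of a shared client secret.
        /// </summary>
        /// <param name="clientId">Client identifier; written to both the <c>iss</c> and <c>sub</c> claims.</param>
        /// <param name="accessTokenEndpoint">Token endpoint address; also written to the <c>aud</c> claim.</param>
        /// <param name="scope">The scope to request.</param>
        /// <param name="keyVaultKeyString">Passed to <c>GetSigningCredentialsFromKeyVault</c> to obtain the signing credentials.</param>
        /// <returns>
        /// The token response from the endpoint, or the error response produced by
        /// <c>ValidateParameters</c> when it returns a non-null value.
        /// </returns>
        public async Task<TokenResponse> GetAccessTokenAsync(string clientId, string accessTokenEndpoint, string scope, string keyVaultKeyString)
        {
            TokenResponse errorResponse = ValidateParameters(
                (nameof(clientId), clientId),
                (nameof(accessTokenEndpoint), accessTokenEndpoint),
                (nameof(scope), scope),
                (nameof(keyVaultKeyString), keyVaultKeyString));

            if (errorResponse != null)
            {
                return errorResponse;
            }

            // Read the clock once so iat, nbf and exp are derived from the same instant,
            // and format the NumericDate values independently of the thread culture.
            var now       = DateTime.UtcNow;
            var invariant = System.Globalization.CultureInfo.InvariantCulture;

            // Use a signed JWT as client credentials.
            var payload = new JwtPayload();

            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, clientId));
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, clientId));
            // Binding the assertion to the token endpoint keeps it from being accepted by another audience.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, accessTokenEndpoint));
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(now).ToString(invariant), ClaimValueTypes.Integer64));
            // nbf is 5 seconds in the past, presumably to tolerate clock skew with the receiver.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(now.AddSeconds(-5)).ToString(invariant), ClaimValueTypes.Integer64));
            // The assertion is a bearer credential until exp; the 5 minute lifetime bounds its usefulness if captured.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(now.AddMinutes(5)).ToString(invariant), ClaimValueTypes.Integer64));
            // A fresh jti per assertion lets a receiver that tracks token ids reject a replayed assertion.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateUniqueId()));

            var credentials = GetSigningCredentialsFromKeyVault(keyVaultKeyString);
            var token       = new JwtSecurityToken(new JwtHeader(credentials), payload);
            var jwt         = new JwtSecurityTokenHandler().WriteToken(token);

            var request = new JwtClientCredentialsTokenRequest
            {
                Address  = accessTokenEndpoint,
                ClientId = clientId,
                Jwt      = jwt,
                Scope    = scope
            };

            var httpClient = _httpClientFactory.CreateClient(EdnaExternalHttpHandler.Name);

            return await httpClient.RequestClientCredentialsTokenWithJwtAsync(request);
        }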
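        /// <summary>
        /// Get an access token from the platform registered for <paramref name="issuer"/>,
        /// authenticating with a short-lived JWT signed with that platform's private key.
        /// </summary>
        /// <param name="signingIssuer">The value written to the <c>iss</c> claim of the client assertion.</param>
        /// <param name="issuer">The issuer used to look up the platform registration.</param>
        /// <param name="scope">The scope to request.</param>
        /// <returns>
        /// The token response, or an error response wrapping the exception when an argument
        /// is missing or no platform registration is found for <paramref name="issuer"/>.
        /// </returns>
        public async Task<TokenResponse> GetAccessTokenAsync(string signingIssuer, string issuer, string scope)
        {
            // A missing signingIssuer would otherwise surface as an exception from the Claim
            // constructor (null) or produce an assertion with an empty iss claim; report it the
            // same way as the other arguments.
            if (signingIssuer.IsMissing())
            {
                return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(signingIssuer)));
            }

            if (issuer.IsMissing())
            {
                return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(issuer)));
            }

            if (scope.IsMissing())
            {
                return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(scope)));
            }

            var platform = await _context.GetPlatformByIssuerAsync(issuer);

            if (platform == null)
            {
                return TokenResponse.FromException<TokenResponse>(new Exception("Cannot find platform registration."));
            }

            // Read the clock once so iat, nbf and exp are derived from the same instant,
            // and format the NumericDate values independently of the thread culture.
            var now       = DateTime.UtcNow;
            var invariant = System.Globalization.CultureInfo.InvariantCulture;

            // Use a signed JWT as client credentials.
            var payload = new JwtPayload();

            // NOTE(review): iss is the caller-supplied signingIssuer while sub is the registered
            // client id; receivers that require iss to equal the client id will reject this
            // assertion. Confirm against what the platform expects.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, signingIssuer));
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, platform.ClientId));
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, platform.AccessTokenUrl));
            // Integer64 makes the time claims serialize as JSON numbers (NumericDate) rather than
            // strings, matching the four-argument overload; strict receivers reject string values.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(now).ToString(invariant), ClaimValueTypes.Integer64));
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(now.AddSeconds(-5)).ToString(invariant), ClaimValueTypes.Integer64));
            // The assertion is a bearer credential until exp; the 5 minute lifetime bounds its usefulness if captured.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(now.AddMinutes(5)).ToString(invariant), ClaimValueTypes.Integer64));
            // A fresh jti per assertion lets a receiver that tracks token ids reject a replayed assertion.
            payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateUniqueId(32)));

            // NOTE(review): the signing key comes from the platform record as a PEM string, whereas
            // the four-argument overload resolves its key through GetSigningCredentialsFromKeyVault.
            // Confirm how PrivateKey is protected at rest and who can read the platform record.
            var credentials = PemHelper.SigningCredentialsFromPemString(platform.PrivateKey);
            var token       = new JwtSecurityToken(new JwtHeader(credentials), payload);
            var jwt         = new JwtSecurityTokenHandler().WriteToken(token);

            var jwtClientCredentials = new JwtClientCredentialsTokenRequest
            {
                Address         = platform.AccessTokenUrl,
                ClientId        = platform.ClientId,
                Jwt             = jwt,
                Scope           = scope,
                ClientAssertion = new ClientAssertion()
                {
                    Type  = OidcConstants.ClientAssertionTypes.JwtBearer,
                    Value = jwt
                },
                Parameters = !string.IsNullOrWhiteSpace(scope)
                    ? new Dictionary<string, string>()
                    {
                        { OidcConstants.TokenRequest.Scope, scope }
                    }
                    : null,
                GrantType = OidcConstants.GrantTypes.ClientCredentials
            };

            // NOTE(review): this uses the default client, while the four-argument overload uses the
            // named EdnaExternalHttpHandler client; confirm the difference is intentional.
            var httpClient = _httpClientFactory.CreateClient();

            return await httpClient.RequestTokenAsync(jwtClientCredentials, default);
        }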