/// <summary>
/// Get an access token from the issuer.
/// </summary>
/// <param name="issuer">The issuer.</param>
/// <param name="scope">The scope to request.</param>
/// <returns>The token response.</returns>
public async Task <TokenResponse> GetAccessTokenAsync(string signingIssuer, string issuer, string scope)
{
if (issuer.IsMissing())
{
return(TokenResponse.FromException <TokenResponse>(new ArgumentNullException(nameof(issuer))));
}
if (scope.IsMissing())
{
return(TokenResponse.FromException <TokenResponse>(new ArgumentNullException(nameof(scope))));
}
var platform = await _context.GetPlatformByIssuerAsync(issuer);
if (platform == null)
{
return(TokenResponse.FromException <TokenResponse>(new Exception("Cannot find platform registration.")));
}
// Use a signed JWT as client credentials.
var payload = new JwtPayload();
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, signingIssuer));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, platform.ClientId));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, platform.AccessTokenUrl));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(DateTime.UtcNow.AddSeconds(-5)).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow.AddMinutes(5)).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateUniqueId(32)));
var handler = new JwtSecurityTokenHandler();
var credentials = PemHelper.SigningCredentialsFromPemString(platform.PrivateKey);
var jwt = handler.WriteToken(new JwtSecurityToken(new JwtHeader(credentials), payload));
var jwtClientCredentials = new JwtClientCredentialsTokenRequest
{
Address = platform.AccessTokenUrl,
ClientId = platform.ClientId,
Jwt = jwt,
Scope = scope,
ClientAssertion = new ClientAssertion()
{
Type = OidcConstants.ClientAssertionTypes.JwtBearer, Value = jwt
},
Parameters = !string.IsNullOrWhiteSpace(scope) ? new Dictionary <string, string>()
{
{ OidcConstants.TokenRequest.Scope, scope }
} : null,
GrantType = OidcConstants.GrantTypes.ClientCredentials
};
var httpClient = _httpClientFactory.CreateClient();
return(await httpClient.RequestTokenAsync(jwtClientCredentials, default)); //RequestClientCredentialsTokenWithJwtAsync(jwtClientCredentials);
}
/// <summary>
/// Get an access token from the issuer.
/// </summary>
/// <param name="issuer">The issuer.</param>
/// <param name="scope">The scope to request.</param>
/// <returns>The token response.</returns>
public async Task <TokenResponse> GetAccessTokenAsync(string issuer, string scope)
{
if (issuer.IsMissing())
{
return(new TokenResponse(new ArgumentNullException(nameof(issuer))));
}
if (scope.IsMissing())
{
return(new TokenResponse(new ArgumentNullException(nameof(scope))));
}
var platform = await _context.GetPlatformByIssuerAsync(issuer);
if (platform == null)
{
return(new TokenResponse(new Exception("Cannot find platform registration.")));
}
// Use a signed JWT as client credentials.
var payload = new JwtPayload();
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, platform.ClientId));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, platform.ClientId));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, platform.AccessTokenUrl));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(DateTime.UtcNow.AddSeconds(-5)).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow.AddMinutes(5)).ToString()));
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateRandomKeyString(32)));
var handler = new JwtSecurityTokenHandler();
var credentials = PemHelper.SigningCredentialsFromPemString(platform.PrivateKey);
var jwt = handler.WriteToken(new JwtSecurityToken(new JwtHeader(credentials), payload));
var httpClient = _httpClientFactory.CreateClient();
return(await httpClient.RequestClientCredentialsTokenWithJwtAsync(
new JwtClientCredentialsTokenRequest
{
Address = platform.AccessTokenUrl,
ClientId = platform.ClientId,
Jwt = jwt,
Scope = scope
}));
}
