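/// <summary>
/// Create JWT token for access to server. The request token is parsed against the configured
/// request certificates and valid issuers; its subject is resolved to an identity principal, a new
/// API key with the configured lifetime is stored for that principal, and a signed authorization
/// token is returned.
/// </summary>
/// <param name="context">work context; tagged with this service's tag before any logging</param>
/// <param name="requestToken">JWT presented by the caller, expected to be signed with one of the request certificates</param>
/// <returns>
/// signed authorization JWT, or null when the request token does not parse, its subject is empty,
/// the subject is unknown to the identity repository, or the subject is a valid issuer whose stored
/// identity is not a service principal
/// </returns>
public async Task<string> CreateAutorizationToken(IWorkContext context, string requestToken)
{
    Verify.IsNotNull(nameof(context), context);
    Verify.IsNotEmpty(nameof(requestToken), requestToken);

    context = context.WithTag(_tag);

    // A request token may be signed by any of the configured request certificates, so load them all.
    var certificateList = new List<X509Certificate2>();
    foreach (var item in _configuration.TokenAuthorizationRequestCertificateKeys)
    {
        certificateList.Add(await _certificateRepository.GetCertificate(context, item, true));
    }

    JwtTokenParser requestTokenParser = new JwtTokenParserBuilder()
        .AddCertificates(certificateList)
        .AddValidIssuers(_configuration.ValidIssuers)
        .Build();

    // NOTE(review): the subject below is trusted only because Parse is expected to reject tokens that
    // fail signature/issuer validation (returning null) — confirm against JwtTokenParser.
    JwtTokenDetails details = requestTokenParser.Parse(context, requestToken);
    if (details is null || details.JwtSecurityToken.Payload.Sub.IsEmpty())
    {
        NetEventSource.Log.Verbose(context, "Payload.Sub is empty");
        return null;
    }

    string subject = details.JwtSecurityToken.Payload.Sub;
    IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(subject));

    // If JWT subject is a valid issuer, then this should be a service principal
    if (_configuration.ValidIssuers.Any(x => x == subject))
    {
        if (identity is null)
        {
            identity = new IdentityPrincipal(new PrincipalId(subject), IdentityPrincipalType.Service);
        }
        else if (identity.PrincipalType != IdentityPrincipalType.Service)
        {
            NetEventSource.Log.Verbose(context, $"Identity {subject} is not a service principal");
            return null;
        }
    }
    else if (identity is null)
    {
        // Identity principal does not exist
        NetEventSource.Log.Verbose(context, $"Identity {subject} does not exist");
        return null;
    }

    // Take a single UTC timestamp so the token's issued-at and expiry come from the same clock.
    // DateTime.Now is local time and must not be used for JWT claims; mixing it with a UTC expiry
    // can yield an issued-at that is ahead of or behind the expiry clock by the zone offset.
    DateTime issuedAt = DateTime.UtcNow;
    DateTime expires = issuedAt + _configuration.TokenAuthorization.GoodFor;

    // Persist the new API key before signing so the key embedded in the token is the stored one.
    identity = identity.With(ApiKey.CreateApiKey(expires));
    await _identityRepository.SetAsync(context, identity);

    X509Certificate2 certificate = await _certificateRepository.GetCertificate(
        context,
        _configuration.TokenAuthorization.AuthorizationSigningCertificateKey,
        throwOnNotFound: true);

    string token = new JwtTokenBuilder()
        .AddSubject(identity.PrincipalId)
        .SetAudience(_configuration.TokenAuthorization.Audience)
        .SetIssuer(_configuration.TokenAuthorization.Issuer)
        .SetExpires(expires)
        .SetIssuedAt(issuedAt)
        .SetWebKey(identity.ApiKey.Value)
        .SetCertificate(certificate)
        .Build();

    return token;
}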