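/// <summary>
/// Requests an access token from <paramref name="accessTokenEndpoint"/> with the
/// client-credentials grant, authenticating the client with a signed JWT assertion
/// (RFC 7523 style) instead of a shared client secret.
/// </summary>
/// <param name="clientId">The client identifier; used as both the <c>iss</c> and <c>sub</c> claim of the assertion.</param>
/// <param name="accessTokenEndpoint">The token endpoint URL; also used as the <c>aud</c> claim of the assertion.</param>
/// <param name="scope">The scope to request.</param>
/// <param name="keyVaultKeyString">Identifies the signing key; passed unchanged to <c>GetSigningCredentialsFromKeyVault</c>.</param>
/// <returns>
/// The token endpoint's response, or the error response returned by <c>ValidateParameters</c>
/// when one of the parameters is missing.
/// </returns>
public async Task<TokenResponse> GetAccessTokenAsync(string clientId, string accessTokenEndpoint, string scope, string keyVaultKeyString)
{
    TokenResponse errorResponse = ValidateParameters(
        (nameof(clientId), clientId),
        (nameof(accessTokenEndpoint), accessTokenEndpoint),
        (nameof(scope), scope),
        (nameof(keyVaultKeyString), keyVaultKeyString));
    if (errorResponse != null)
    {
        return errorResponse;
    }

    // Use a signed JWT as client credentials. Every time-based claim is derived from
    // one instant so that iat, nbf and exp are mutually consistent.
    var now = DateTime.UtcNow;
    var payload = new JwtPayload();
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, clientId));
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, clientId));
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, accessTokenEndpoint));
    // NumericDate claims must serialize as JSON numbers, hence Integer64 on each of them.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(now).ToString(), ClaimValueTypes.Integer64));
    // nbf is backdated slightly to tolerate clock skew with the token endpoint.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(now.AddSeconds(-5)).ToString(), ClaimValueTypes.Integer64));
    // A short lifetime bounds how long a captured assertion remains usable.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(now.AddMinutes(5)).ToString(), ClaimValueTypes.Integer64));
    // A random jti gives the endpoint a handle to detect a replayed assertion.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateUniqueId()));

    var handler = new JwtSecurityTokenHandler();
    var credentials = GetSigningCredentialsFromKeyVault(keyVaultKeyString);
    var jwt = handler.WriteToken(new JwtSecurityToken(new JwtHeader(credentials), payload));

    var request = new JwtClientCredentialsTokenRequest
    {
        Address = accessTokenEndpoint,
        ClientId = clientId,
        Jwt = jwt,
        Scope = scope
    };

    // The named client carries the outbound handler configured for external calls.
    return await _httpClientFactory
        .CreateClient(EdnaExternalHttpHandler.Name)
        .RequestClientCredentialsTokenWithJwtAsync(request);
}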
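/// <summary>
/// Gets an access token from the platform registered for <paramref name="issuer"/>,
/// authenticating with a JWT client assertion signed by that platform's private key.
/// </summary>
/// <param name="signingIssuer">The value placed in the assertion's <c>iss</c> claim (the tool's own identifier).</param>
/// <param name="issuer">The platform issuer used to look up the platform registration.</param>
/// <param name="scope">The scope to request.</param>
/// <returns>
/// The token response, or an error response wrapping an <see cref="ArgumentNullException"/>
/// when a parameter is missing or an <see cref="InvalidOperationException"/> when no platform
/// registration exists for <paramref name="issuer"/>.
/// </returns>
public async Task<TokenResponse> GetAccessTokenAsync(string signingIssuer, string issuer, string scope)
{
    // An empty iss claim yields an assertion the platform would reject anyway, so
    // validate it up front like the other parameters.
    if (signingIssuer.IsMissing())
    {
        return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(signingIssuer)));
    }
    if (issuer.IsMissing())
    {
        return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(issuer)));
    }
    if (scope.IsMissing())
    {
        return TokenResponse.FromException<TokenResponse>(new ArgumentNullException(nameof(scope)));
    }

    var platform = await _context.GetPlatformByIssuerAsync(issuer);
    if (platform == null)
    {
        return TokenResponse.FromException<TokenResponse>(new InvalidOperationException("Cannot find platform registration."));
    }

    // Use a signed JWT as client credentials. Every time-based claim is derived from
    // one instant so that iat, nbf and exp are mutually consistent.
    var now = DateTime.UtcNow;
    var payload = new JwtPayload();
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, signingIssuer));
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, platform.ClientId));
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, platform.AccessTokenUrl));
    // NumericDate claims must serialize as JSON numbers; without Integer64 they are
    // written as strings, which token endpoints may reject.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(now).ToString(), ClaimValueTypes.Integer64));
    // nbf is backdated slightly to tolerate clock skew with the token endpoint.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(now.AddSeconds(-5)).ToString(), ClaimValueTypes.Integer64));
    // A short lifetime bounds how long a captured assertion remains usable.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(now.AddMinutes(5)).ToString(), ClaimValueTypes.Integer64));
    // A random jti gives the endpoint a handle to detect a replayed assertion.
    payload.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, CryptoRandom.CreateUniqueId(32)));

    var handler = new JwtSecurityTokenHandler();
    var credentials = PemHelper.SigningCredentialsFromPemString(platform.PrivateKey);
    var jwt = handler.WriteToken(new JwtSecurityToken(new JwtHeader(credentials), payload));

    var jwtClientCredentials = new JwtClientCredentialsTokenRequest
    {
        Address = platform.AccessTokenUrl,
        ClientId = platform.ClientId,
        Jwt = jwt,
        Scope = scope,
        ClientAssertion = new ClientAssertion
        {
            Type = OidcConstants.ClientAssertionTypes.JwtBearer,
            Value = jwt
        },
        // NOTE(review): scope was already checked above; this guard presumably mirrors
        // IsMissing and is kept so the request shape is unchanged — confirm.
        Parameters = !string.IsNullOrWhiteSpace(scope)
            ? new Dictionary<string, string> { { OidcConstants.TokenRequest.Scope, scope } }
            : null,
        GrantType = OidcConstants.GrantTypes.ClientCredentials
    };

    var httpClient = _httpClientFactory.CreateClient();
    return await httpClient.RequestTokenAsync(jwtClientCredentials, default);
}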