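/// <summary>
/// Exchanges a third-party identity proof (a Facebook authorization code, or an
/// <c>id_token</c> JWT from another provider) for an application-issued HS256 bearer JWT.
/// Only the <c>client_credentials</c> grant type is accepted.
/// </summary>
/// <param name="request">
/// Model-bound request body. <c>Service</c> names the upstream provider; for
/// <c>facebook</c> with a non-empty <c>Code</c> the code path is taken, otherwise
/// <c>Id_token</c> must carry a JWT whose signature is checked against that provider.
/// </param>
/// <returns>
/// 400 for a missing body or an unsupported grant type; 401 when the upstream proof
/// fails validation or does not resolve to a person; otherwise 200 with an
/// <see cref="OAuthResponse"/> (token, lifetime in seconds, <c>Bearer</c>).
/// </returns>
public async Task<IHttpActionResult> ExchangeToken(OAuthTokenExchangeRequest request)
{
    // Model binding hands us null for an empty or unparseable body; answer 400
    // instead of throwing a NullReferenceException (500) on the first property access.
    if (request is null)
    {
        return BadRequest("request body is required");
    }

    // NOTE(review): the caller-supplied grant_type is echoed back in the error body.
    // Acceptable for a JSON API; do not reuse this message anywhere it renders as HTML.
    if (request.Grant_type != "client_credentials")
    {
        return BadRequest($"grant_type ({request.Grant_type}) not supported");
    }

    // Step 1: verify the upstream proof. Nothing below runs until this passes.
    string accessToken = string.Empty;
    bool proofIsValid;

    if (request.Service == "facebook" && !string.IsNullOrEmpty(request.Code))
    {
        // NOTE(review): ValidateSignatureOther appears to redeem the code for an
        // upstream access token, with empty string meaning "rejected" — confirm in its body.
        accessToken = ValidateSignatureOther(request.Code, request.Service);
        proofIsValid = !string.IsNullOrEmpty(accessToken);
    }
    else
    {
        // Every other provider (and Facebook without a code) must present a JWT;
        // presumably ValidateSignatureJwt selects the keys by `request.Service` — verify.
        proofIsValid = ValidateSignatureJwt(request.Id_token, request.Service);
    }

    // Bare 401 on purpose: do not tell the caller which check failed.
    if (!proofIsValid)
    {
        return Unauthorized();
    }

    // Step 2: resolve the verified proof to a person. The access-token path is only
    // reachable via the Facebook branch above, because accessToken stays empty otherwise.
    PersonIdentityModel person;
    if (!string.IsNullOrEmpty(accessToken))
    {
        person = await GetPersonInformationByService(accessToken, request.Service);
    }
    else
    {
        person = await ValidateJwt(request.Id_token, request.Service);
    }

    if (person is null)
    {
        return Unauthorized();
    }

    // Step 3: mint our own token. HS256 with a shared secret read from configuration.
    // NOTE(review): the IdentityModel libraries reject HMAC keys that are too short —
    // confirm Jwt:Key is a long random secret and not a short passphrase.
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config.GetSetting("Jwt:Key")));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var expiresInMinutes = Convert.ToInt32(_config.GetSetting("Jwt:ExpiresInMinutes"));

    // `exp` is an epoch timestamp: compute it from UtcNow rather than relying on the
    // handler to convert a local-kind DateTime.
    var token = new JwtSecurityToken(
        _config.GetSetting("Jwt:Issuer"),
        _config.GetSetting("Jwt:Audience"),
        expires: DateTime.UtcNow.AddMinutes(expiresInMinutes),
        claims: GetClaims(person),
        signingCredentials: creds);

    // WriteToken is synchronous CPU work; wrapping it in Task.Run only consumed a
    // second thread-pool thread per request, so it is called directly.
    var model = new OAuthResponse
    {
        Access_token = new JwtSecurityTokenHandler().WriteToken(token),
        Expires_in = expiresInMinutes * 60,
        Token_type = "Bearer"
    };

    return Ok(model);
}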