// Arrange
 static void Configure(AppleAuthenticationOptions options)
 {
     options.ClientId = "my-client-id";
     options.ClientSecretExpiresAfter = TimeSpan.FromMinutes(1);
     options.KeyId           = "my-key-id";
     options.TeamId          = "my-team-id";
     options.PrivateKeyBytes = (_) => TestKeys.GetPrivateKeyBytesAsync();
 }
        public static async Task GenerateAsync_Generates_Valid_Signed_Jwt()
        {
            // Arrange
            var options = new AppleAuthenticationOptions()
            {
                ClientId = "my-client-id",
                ClientSecretExpiresAfter = TimeSpan.FromMinutes(1),
                KeyId           = "my-key-id",
                TeamId          = "my-team-id",
                PrivateKeyBytes = (keyId) => TestKeys.GetPrivateKeyBytesAsync(),
            };

            await GenerateTokenAsync(options, async (generator, context) =>
            {
                var utcNow = DateTimeOffset.UtcNow;

                // Act
                string token = await generator.GenerateAsync(context);

                // Assert
                token.ShouldNotBeNullOrWhiteSpace();
                token.Count((c) => c == '.').ShouldBe(2); // Format: "{header}.{body}.{signature}"

                // Act
                var validator     = new JwtSecurityTokenHandler();
                var securityToken = validator.ReadJwtToken(token);

                // Assert - See https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
                securityToken.ShouldNotBeNull();

                securityToken.Header.ShouldNotBeNull();
                securityToken.Header.ShouldContainKeyAndValue("alg", "ES256");
                securityToken.Header.ShouldContainKeyAndValue("kid", "my-key-id");

                securityToken.Payload.ShouldNotBeNull();
                securityToken.Payload.ShouldContainKey("exp");
                securityToken.Payload.ShouldContainKey("iat");
                securityToken.Payload.ShouldContainKeyAndValue("aud", "https://appleid.apple.com");
                securityToken.Payload.ShouldContainKeyAndValue("iss", "my-team-id");
                securityToken.Payload.ShouldContainKeyAndValue("sub", "my-client-id");
                securityToken.Payload.Iat.HasValue.ShouldBeTrue();
                securityToken.Payload.Exp.HasValue.ShouldBeTrue();

                ((long)securityToken.Payload.Iat !.Value).ShouldBeGreaterThanOrEqualTo(utcNow.ToUnixTimeSeconds());
                ((long)securityToken.Payload.Exp !.Value).ShouldBeGreaterThanOrEqualTo(utcNow.AddSeconds(60).ToUnixTimeSeconds());
                ((long)securityToken.Payload.Exp.Value).ShouldBeLessThanOrEqualTo(utcNow.AddSeconds(70).ToUnixTimeSeconds());
            });
        }