/// <summary>
/// Builds the RS256-signed JWT grant (client assertion) that is exchanged for a Maskinporten access token.
/// Audience, resource, scopes and client id are read from <c>_generalSettings</c>; the signing certificate from <c>_certificate</c>.
/// </summary>
/// <returns>The compact-serialized JWT (header.payload.signature).</returns>
private string GetJwtAssertion()
{
    var now = new DateTimeOffset(DateTime.UtcNow);
    long nowSeconds = now.ToUnixTimeSeconds();

    // Only the DER-encoded certificate (public part) is placed in "x5c"; the private key stays inside _certificate.
    var signingKey = new X509SecurityKey(_certificate);
    var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);
    var header = new JwtHeader(credentials);
    header.Add("x5c", new List<string> { Convert.ToBase64String(_certificate.GetRawCertData()) });

    // The library's default "typ" and "kid" header parameters are dropped; "x5c" identifies the signing key instead.
    header.Remove("typ");
    header.Remove("kid");

    var payload = new JwtPayload
    {
        { "aud", _generalSettings.MaskinportenBaseAddress },
        { "resource", _generalSettings.MaskinportenResource },
        { "scope", _generalSettings.MaskinportenScopes },
        { "iss", _generalSettings.MaskinportenClientId },  // Maskinporten uses the client_id as issuer
        { "exp", nowSeconds + 10 },                         // 10-second lifetime; NOTE(review): leaves little room for clock skew — confirm against the token service
        { "iat", nowSeconds },
        { "jti", Guid.NewGuid().ToString() },               // fresh per grant, so a captured assertion cannot be replayed
    };

    var token = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    // WriteToken signs header+payload with the certificate's private key and serializes the result.
    return handler.WriteToken(token);
}
/// <summary>
/// Builds the RS256-signed JWT grant used to request an access token, signing with the
/// certificate found by thumbprint in the LocalMachine/My store.
/// </summary>
/// <returns>The compact-serialized JWT.</returns>
public string GetJwtAssertion()
{
    var now = new DateTimeOffset(DateTime.UtcNow);
    long nowSeconds = now.ToUnixTimeSeconds();

    // NOTE(review): GetCertificateFromKeyStore is defined elsewhere — confirm it never returns null for a missing thumbprint.
    var certificate = GetCertificateFromKeyStore(_certificateThumbPrint, StoreName.My, StoreLocation.LocalMachine);
    var signingKey = new X509SecurityKey(certificate);

    // "x5c" carries only the DER-encoded public certificate, never the private key.
    var header = new JwtHeader(new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    header.Add("x5c", new List<string> { Convert.ToBase64String(certificate.GetRawCertData()) });
    // Strip the library defaults; the receiver identifies the key via "x5c".
    header.Remove("typ");
    header.Remove("kid");

    var payload = new JwtPayload
    {
        { "aud", _audience },
        { "resource", _resource },
        { "scope", _scopes },
        { "iss", _issuer },
        { "exp", nowSeconds + _tokenTtl },      // lifetime in seconds, configured via _tokenTtl
        { "iat", nowSeconds },
        { "jti", Guid.NewGuid().ToString() },   // unique per grant (replay protection)
    };

    var token = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(token);
}
/// <summary>
/// Builds an HS512-signed JWT for the ID4I API from the ID4I_API_KEY / ID4I_API_SECRET environment variables.
/// Exits the process with -1 if either variable is missing.
/// </summary>
/// <returns>The compact-serialized JWT to send as the API credential.</returns>
static string Authorization()
{
    string apiKey = Environment.GetEnvironmentVariable("ID4I_API_KEY");
    string apiSecret = Environment.GetEnvironmentVariable("ID4I_API_SECRET");
    if (apiKey == null || apiSecret == null)
    {
        Console.WriteLine("ID4I_API_KEY or ID4I_API_SECRET not set in environment");
        Environment.Exit(-1);
    }

    // The API secret is the HMAC key; it is read from the environment, never from source.
    var hmacKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(apiSecret));
    // SecurityAlgorithms.HmacSha512 = HS512 | SecurityAlgorithms.RsaSha256 = RS256
    var credentials = new SigningCredentials(hmacKey, SecurityAlgorithms.HmacSha512);

    var header = new JwtHeader(credentials);
    header["typ"] = "API"; // the API expects "typ" to be "API", not the library default "JWT"

    var payload = new JwtPayload
    {
        { "sub", apiKey },
        // NOTE(review): "iat" is added as a DateTime rather than the NumericDate (Unix seconds) RFC 7519 specifies,
        // so it is most likely serialized as a date string — confirm the API accepts that form.
        { "iat", DateTime.UtcNow },
    };

    var token = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(token);
}
// Builds the JWT grant specified at https://docs.digdir.no/maskinporten_protocol_jwtgrant.html
// The JWT grant is the request we send to Maskinporten in order to get an access token.
private string GetJwtAssertion()
{
    var now = new DateTimeOffset(DateTime.UtcNow);
    long nowSeconds = now.ToUnixTimeSeconds();

    // A JWT is header.payload.signature — three base64-encoded JSON parts separated by ".".
    // The header carries the public part of the signing certificate ("x5c") so Maskinporten can verify the signature;
    // the private key in _signingCertificate is only used locally to sign.
    // Maskinporten only supports RSA-SHA256.
    var signingKey = new X509SecurityKey(_signingCertificate);
    var header = new JwtHeader(new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    header.Add("x5c", new List<string> { Convert.ToBase64String(_signingCertificate.GetRawCertData()) });

    // The library adds "typ" and "kid" by default; these confuse Maskinporten, so remove them.
    header.Remove("typ");
    header.Remove("kid");

    var payload = new JwtPayload
    {
        { "aud", _audience },                   // the Maskinporten environment this request is for
        { "scope", _scopes },                   // the scopes we want on the access token
        { "iss", _issuer },                     // "issuer" here is the client_id
        // Generic JWT claims:
        { "exp", nowSeconds + 60 },             // the grant expires 60 seconds after issue
        { "iat", nowSeconds },                  // issued-at
        { "jti", Guid.NewGuid().ToString() },   // unique id for this grant, so it cannot be replayed
    };

    var token = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    // Signs header+payload and returns the compact JWT string.
    return handler.WriteToken(token);
}
/// <summary>
/// Builds an unsigned JWT header advertising RS256 and the certificate chain returned by <c>GetCertificates</c>.
/// The header carries no signing credentials; signing must happen elsewhere.
/// </summary>
/// <returns>A header with "x5c", "alg" and "typ" set.</returns>
private async Task<JwtHeader> BuildJwtHeader()
{
    var header = new JwtHeader();
    header.Remove("alg"); // drop any default "alg" so the value below is the only one
    var certificateChain = await GetCertificates();
    header.Add("x5c", certificateChain);
    header["alg"] = SecurityAlgorithms.RsaSha256;
    header.Add("typ", "JWT");
    return header;
}
/// <summary>
/// Builds an RS256-signed JWT grant for the Maskinporten ver2 test environment, signing with the
/// certificate whose thumbprint is given by the "thumbprint" option and using the "clientid" option as issuer.
/// </summary>
/// <returns>The compact-serialized JWT.</returns>
public string GetJwtAssertion()
{
    var now = new DateTimeOffset(DateTime.UtcNow);
    long nowSeconds = now.ToUnixTimeSeconds();

    string thumbprint = (string)GetOptionValue("thumbprint");
    Guid clientId = (Guid)GetOptionValue("clientid");
    // NOTE(review): GetOptionValue is defined elsewhere — confirm it fails clearly when an option is absent.
    var certificate = GetCertificateFromKeyStore(thumbprint, StoreName.My, StoreLocation.CurrentUser);
    var signingKey = new X509SecurityKey(certificate);

    // "x5c" holds only the DER-encoded public certificate.
    var header = new JwtHeader(new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    header.Add("x5c", new List<string> { Convert.ToBase64String(certificate.GetRawCertData()) });
    header.Remove("typ");
    header.Remove("kid");

    // Audience, resource and scopes are fixed to the tt02/ver2 test environment.
    var payload = new JwtPayload
    {
        { "aud", "https://ver2.maskinporten.no/" },
        { "resource", "https://tt02.altinn.no/maskinporten-api/" },
        { "scope", "altinn:serviceowner/instances.read altinn:serviceowner/instances.write" },
        { "iss", clientId },                    // the client_id acts as issuer
        { "exp", nowSeconds + 10 },             // 10-second lifetime
        { "iat", nowSeconds },
        { "jti", Guid.NewGuid().ToString() },   // unique per grant (replay protection)
    };

    var token = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(token);
}
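/// <summary>
/// Creates a proof-of-possession token from the given payload, signed with the given credentials.
/// The "kid" header parameter is removed; the receiver is expected to obtain the verification key
/// through introspection or the associated access token.
/// </summary>
/// <param name="payload">The claims to place in the token.</param>
/// <param name="signer">The credentials used to sign the token.</param>
/// <returns>The unserialized signed token.</returns>
/// <exception cref="ArgumentNullException"><paramref name="payload"/> or <paramref name="signer"/> is null.</exception>
public JwtSecurityToken CreatePopToken(JwtPayload payload, SigningCredentials signer)
{
    if (payload == null)
    {
        throw new ArgumentNullException("payload");
    }
    if (signer == null)
    {
        throw new ArgumentNullException("signer");
    }

    var header = new JwtHeader(signer);
    // Other implementations omit "kid"; either introspection or the access token carries the key used to validate.
    header.Remove("kid");
    return new JwtSecurityToken(header, payload);
}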