Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

Client Assertions

Dominick Baier edited this page Jul 28, 2022 · 6 revisions

If your token client is using a client assertion instead of a shared secret, you can provide the assertion in two ways

  • use the request parameter mechanism to pass a client assertion to the management
  • implement the IClientAssertionService interface to centralize client assertion creation

Here's a sample client assertion service using the Microsoft JWT library:

public class ClientAssertionService : IClientAssertionService
{
    private readonly IOptionsSnapshot<ClientCredentialsClient> _options;

    public ClientAssertionService(IOptionsSnapshot<ClientCredentialsClient> options)
    {
        _options = options;
    }

    public Task<ClientAssertion?> GetClientAssertionAsync(
      string clientName, ClientCredentialsTokenRequestParameters? parameters = null)
    {
      	// load key
      	var credential = GetSigningCredential();
      
        if (clientName == "invoice")
        {
            var options = _options.Get(clientName);
            
            var descriptor = new SecurityTokenDescriptor
            {
                Issuer = options.ClientId,
                Audience = options.TokenEndpoint,
                Expires = DateTime.UtcNow.AddMinutes(1),
                SigningCredentials = credential,

                Claims = new Dictionary<string, object>
                {
                    { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
                    { JwtClaimTypes.Subject, options.ClientId! },
                    { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
                }
            };

            var handler = new JsonWebTokenHandler();
            var jwt = handler.CreateToken(descriptor);

            return Task.FromResult<ClientAssertion?>(new ClientAssertion
            {
                Type = OidcConstants.ClientAssertionTypes.JwtBearer,
                Value = jwt
            });
        }

        return Task.FromResult<ClientAssertion?>(null);
    }
}