Code samples

Create JWT Client Assertion with X509 certificate signature (C#)

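    public static class JsonWebTokenHandler
    {
        /// <summary>Assertion lifetime used when the caller does not pass one (960 minutes, the sample's original value).</summary>
        private static readonly TimeSpan DefaultLifetime = TimeSpan.FromMinutes(960);

        /// <summary>
        /// Creates a JWT client assertion used for authenticating an OAuth client.
        /// The token is signed with the certificate's private key (RSA-SHA256) and carries
        /// "sub" and "iss" = client id, "aud" = token endpoint and a fresh random "jti".
        /// </summary>
        /// <param name="certificate">Certificate that includes both public and private key.</param>
        /// <param name="clientId">Your OAuth client id, this can be found here: https://beta.oauth.vlaanderen.be/admin/OAuthClients.</param>
        /// <param name="endpoint">e.g. https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/token</param>
        /// <param name="lifetime">
        /// How long the assertion stays valid; defaults to 960 minutes. A shorter lifetime narrows the
        /// window in which a leaked assertion could be replayed.
        /// </param>
        /// <returns>JWT client assertion in compact serialization.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
        /// <exception cref="ArgumentException">The certificate has no private key, or <paramref name="clientId"/> / <paramref name="endpoint"/> is empty.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="lifetime"/> is zero or negative.</exception>
        public static string CreateJwtClientAssertion(X509Certificate2 certificate, string clientId, string endpoint, TimeSpan? lifetime = null)
        {
            if (certificate is null)
            {
                throw new ArgumentNullException(nameof(certificate));
            }

            // Signing needs the private half; a public-only certificate would fail deep inside the signer.
            if (!certificate.HasPrivateKey)
            {
                throw new ArgumentException("Certificate must contain a private key to sign the assertion.", nameof(certificate));
            }

            if (string.IsNullOrWhiteSpace(clientId))
            {
                throw new ArgumentException("Client id must not be empty.", nameof(clientId));
            }

            if (string.IsNullOrWhiteSpace(endpoint))
            {
                throw new ArgumentException("Token endpoint must not be empty.", nameof(endpoint));
            }

            var validFor = lifetime ?? DefaultLifetime;
            if (validFor <= TimeSpan.Zero)
            {
                throw new ArgumentOutOfRangeException(nameof(lifetime), "Lifetime must be positive.");
            }

            var tokenHandler = new JwtSecurityTokenHandler();
            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Expires = DateTime.UtcNow.Add(validFor),
                SigningCredentials = new SigningCredentials(new X509SecurityKey(certificate), SecurityAlgorithms.RsaSha256Signature),
                Subject = new ClaimsIdentity(new List<Claim>
                {
                    new Claim("sub", clientId),
                    new Claim("iss", clientId),
                    // A unique jti per assertion lets the authorization server reject a replayed assertion.
                    new Claim("jti", Guid.NewGuid().ToString()),
                    new Claim("aud", endpoint)
                })
            };

            return tokenHandler.WriteToken(tokenHandler.CreateJwtSecurityToken(tokenDescriptor));
        }
    }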

Create JWT Client Assertion with key pair signature (C#)

using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

namespace GenerateJsonWebKey
{
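    class Program
    {
        // Output paths, relative to the working directory. The private key file is a credential
        // and must be protected like one (restricted permissions, never committed to source control).
        const string privateKeyFileName = "jsonwebkeyprivate.key";
        const string publicKeyFileName = "jsonwebkeypublic.key";

        /// <summary>
        /// Generates a 2048-bit RSA key pair, wraps each half as a JSON Web Key sharing one "kid"
        /// (with "use": "sig" and "alg": "RS512"), prints the public key and writes both keys to files.
        /// </summary>
        public static async Task Main()
        {
            Console.WriteLine("Generating RSA key...");

            RSAParameters parametersPrivate;
            RSAParameters parametersPublic;
            // RSA.Create is the cross-platform factory; RSACryptoServiceProvider is a Windows-only CSP.
            using (var rsa = RSA.Create(2048))
            {
                parametersPrivate = rsa.ExportParameters(true);
                parametersPublic = rsa.ExportParameters(false);
            }

            // Both halves carry the same kid so the registered public key can be matched to signatures.
            var keyId = $"{Guid.NewGuid()}";

            var jsonPrivate = ToSigningJwk(parametersPrivate, keyId);
            var jsonPublic = ToSigningJwk(parametersPublic, keyId);

            Console.WriteLine("Public Key");
            Console.WriteLine(jsonPublic.ToString());

            Console.WriteLine(Environment.NewLine);

            // The private key is deliberately not echoed to the console: terminal scrollback and
            // captured build/CI logs are a common place for key material to leak.
            Console.WriteLine($"Writing public key to file {publicKeyFileName}.");
            await File.WriteAllTextAsync(publicKeyFileName, jsonPublic.ToString());

            Console.WriteLine(Environment.NewLine);

            Console.WriteLine($"Writing private key to file {privateKeyFileName}.");
            await File.WriteAllTextAsync(privateKeyFileName, jsonPrivate.ToString());

            Console.Read();
        }

        /// <summary>
        /// Builds the JWK JSON for one half of the key pair and stamps "kid", "use" and "alg" on it.
        /// </summary>
        /// <param name="parameters">Public or private RSA parameters.</param>
        /// <param name="keyId">Key identifier shared by both halves.</param>
        /// <returns>The JWK as a mutable JSON object.</returns>
        private static JObject ToSigningJwk(RSAParameters parameters, string keyId)
        {
            var jwk = new Microsoft.Azure.KeyVault.WebKey.JsonWebKey(parameters);
            jwk.Kid = keyId;

            var json = JObject.Parse(jwk.ToString());
            json.Add("use", "sig");
            json.Add("alg", "RS512");
            return json;
        }
    }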
}

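/// <summary>
/// Settings needed to build a JWT client assertion for the token endpoint.
/// </summary>
public class OAuthOptions
{
    /// <summary>Numeric OAuth client id; it becomes the "sub" and "iss" claims of the assertion.</summary>
    public int ClientId { get; set; }

    /// <summary>
    /// Scopes to request. Initialized to an empty list so callers can Add() to it without a null check.
    /// </summary>
    public List<string> Scopes { get; set; } = new List<string>();

    /// <summary>Token endpoint of the authorization server; it becomes the "aud" claim.</summary>
    public Uri TokenEndpoint { get; set; }

    /// <summary>
    /// Private JSON Web Key (as JSON) used to sign the assertion. This is a secret: load it from a
    /// protected store rather than embedding it in configuration checked into source control.
    /// </summary>
    public string JsonWebKey { get; set; }
}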

//...

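/// <summary>
/// Creates the JWT client assertion presented to the token endpoint, signed with the private JWK
/// (RSA-SHA512). "sub" and "iss" carry the client id, "aud" the token endpoint and "jti" a fresh random id.
/// </summary>
/// <param name="oAuthOptions">Client id and token endpoint.</param>
/// <param name="jwk">Private JSON Web Key used to sign the assertion.</param>
/// <param name="lifetime">
/// How long the assertion stays valid; defaults to 960 minutes. A shorter lifetime narrows the
/// window in which a leaked assertion could be replayed.
/// </param>
/// <returns>JWT client assertion in compact serialization.</returns>
/// <exception cref="ArgumentNullException"><paramref name="oAuthOptions"/> or <paramref name="jwk"/> is null.</exception>
/// <exception cref="ArgumentException"><see cref="OAuthOptions.TokenEndpoint"/> is not set.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="lifetime"/> is zero or negative.</exception>
private string CreateJwtClientAssertion(OAuthOptions oAuthOptions, Microsoft.IdentityModel.Tokens.JsonWebKey jwk, TimeSpan? lifetime = null)
{
    if (oAuthOptions is null)
    {
        throw new ArgumentNullException(nameof(oAuthOptions));
    }

    if (jwk is null)
    {
        throw new ArgumentNullException(nameof(jwk));
    }

    if (oAuthOptions.TokenEndpoint is null)
    {
        throw new ArgumentException("TokenEndpoint must be set.", nameof(oAuthOptions));
    }

    var validFor = lifetime ?? TimeSpan.FromMinutes(960);
    if (validFor <= TimeSpan.Zero)
    {
        throw new ArgumentOutOfRangeException(nameof(lifetime), "Lifetime must be positive.");
    }

    // Format the numeric id with the invariant culture so the claim value never depends on the host locale.
    var clientId = oAuthOptions.ClientId.ToString(System.Globalization.CultureInfo.InvariantCulture);

    var tokenHandler = new JwtSecurityTokenHandler();
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Expires = DateTime.UtcNow.Add(validFor),
        SigningCredentials = new SigningCredentials(jwk, SecurityAlgorithms.RsaSha512Signature),
        Subject = new ClaimsIdentity(new List<Claim>
        {
            new Claim("sub", clientId),
            new Claim("iss", clientId),
            // A unique jti per assertion lets the authorization server reject a replayed assertion.
            new Claim("jti", Guid.NewGuid().ToString()),
            new Claim("aud", oAuthOptions.TokenEndpoint.ToString())
        })
    };

    return tokenHandler.WriteToken(tokenHandler.CreateJwtSecurityToken(tokenDescriptor));
}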