I'm trying to figure out how to define my AuthorizationCodeTokenRequest for the Code Flow in the JWT scenario, using the IdentityModel framework.
Let's say I have a client defined on my OP server:
new Client
{
    ClientId = "myClientId",
    ClientSecrets =
    {
        new Secret("MyVerySpecialSecret".Sha256())
    }
};
On the client side I would like to get an AuthorizationCode using JWT:
var securityToken = tokenHandler.CreateJwtSecurityToken(
    issuer: clientID,
    audience: opEndPoint.TokenEndpoint,
    subject: new ClaimsIdentity(new List<Claim>()
    {
        new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString()),
        new Claim(JwtClaimTypes.Subject, clientID),
        new Claim(JwtClaimTypes.IssuedAt, new DateTimeOffset(now).ToEpochTime().ToString(),
            ClaimValueTypes.Integer64)
    }),
    expires: now.AddMinutes(5),
    signingCredentials: new SigningCredentials(
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("MyVerySpecialSecret")),
        SecurityAlgorithms.HmacSha256Signature)
);
var clientAuthJwt = tokenHandler.WriteToken(securityToken);

var request = new AuthorizationCodeTokenRequest()
{
    Address = opEndPoint.TokenEndpoint,
    ClientId = clientID,
    Code = code,
    ClientAssertion = new ClientAssertion()
    {
        Type = OidcConstants.ClientAssertionTypes.JwtBearer,
        Value = clientAuthJwt
    },
    RedirectUri = opEndPoint.RedirectUri,
    GrantType = OidcConstants.GrantTypes.AuthorizationCode
};
var response = client.RequestAuthorizationCodeTokenAsync(request).Result;
I'm getting "invalid_client", so clearly the SigningCredentials I am using is not correct. I could not find a working code example anywhere.
First of all, you need to define in the Client definition in IdentityServer what flows you want the client to support.
You do this by setting the following property:
See the details here for how to properly create a client definition.
A sample client can look like this:
SigningCredentials is a separate thing that controls how the keys issued by IdentityServer are issued. In development you don't need to worry about that, because it's all taken care of when you call this method:
builder.AddDeveloperSigningCredential();
You only need to deal with SigningCredentials when you deploy IdentityServer.
Client side, you need to write code in your ASP.NET Core client application that looks like this:
You need to tweak the code to fit your needs.
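The set-up the question is after, as an added example that is not code from the question or from the answer above. IdentityServer4 validates a JWT client assertion (private_key_jwt) against client secrets of type JsonWebKey or X509CertificateBase64, not against a hashed shared secret, so an assertion HMAC-signed with "MyVerySpecialSecret" as in the question is rejected with invalid_client. The example keeps an RSA key pair on the client, registers only the public half on the OP as a JsonWebKey secret next to the AllowedGrantTypes setting the answer refers to, and signs the assertion with RS256. The host names, redirect URI, key id and the single-file layout are assumptions: OpClientDefinition belongs in the IdentityServer project, everything else in the client.

```csharp
// Added example (not from the question or the answer). Assumptions: IdentityServer4 on the OP;
// IdentityModel + System.IdentityModel.Tokens.Jwt on the client; host names, redirect URI
// and key id below are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityModel;
using IdentityModel.Client;
using Microsoft.IdentityModel.Tokens;

public static class PrivateKeyJwtExample
{
    const string ClientId = "myClientId";
    const string KeyId = "client-key-1";                               // placeholder kid
    const string RedirectUri = "https://client.example/signin-oidc";   // placeholder
    const string OpAddress = "https://op.example";                     // placeholder

    // The private key stays on the client; only the public half is given to the OP.
    public static RSA GenerateClientKey() => RSA.Create(2048);

    // Public key as a JWK document: this string is the value of the OP-side secret
    // (IdentityServer4 secret type JsonWebKey) instead of a hashed shared secret.
    public static string PublicJwk(RSA rsa, string kid)
    {
        var p = rsa.ExportParameters(includePrivateParameters: false);
        return "{\"kty\":\"RSA\",\"use\":\"sig\",\"alg\":\"RS256\",\"kid\":\"" + kid + "\"," +
               "\"n\":\"" + Base64UrlEncoder.Encode(p.Modulus) + "\"," +
               "\"e\":\"" + Base64UrlEncoder.Encode(p.Exponent) + "\"}";
    }

    // OP project (IdentityServer4): the matching client definition.
    public static IdentityServer4.Models.Client OpClientDefinition(string publicJwk) =>
        new IdentityServer4.Models.Client
        {
            ClientId = ClientId,
            AllowedGrantTypes = IdentityServer4.Models.GrantTypes.Code,   // authorization code flow
            RedirectUris = { RedirectUri },
            ClientSecrets =
            {
                new IdentityServer4.Models.Secret
                {
                    Type = IdentityServer4.IdentityServerConstants.SecretTypes.JsonWebKey,
                    Value = publicJwk
                }
            }
        };

    // Client project: RS256-signed client assertion (RFC 7523 / OIDC private_key_jwt).
    public static string CreateClientAssertion(RSA rsa, string tokenEndpoint)
    {
        var now = DateTime.UtcNow;
        var credentials = new SigningCredentials(new RsaSecurityKey(rsa) { KeyId = KeyId },
                                                 SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(
            issuer: ClientId,            // iss and sub are both the client_id
            audience: tokenEndpoint,     // aud: token endpoint (IdentityServer4 also accepts its issuer URL)
            claims: new[]
            {
                new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString()),   // unique jti, replay detection
                new Claim(JwtClaimTypes.Subject, ClientId),
                new Claim(JwtClaimTypes.IssuedAt, now.ToEpochTime().ToString(), ClaimValueTypes.Integer64)
            },
            notBefore: now,
            expires: now.AddMinutes(5),  // short-lived: one assertion per token request
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Client project: redeem the authorization code, authenticating with the assertion.
    public static async Task<TokenResponse> RedeemCodeAsync(HttpClient http, RSA rsa, string code)
    {
        var disco = await http.GetDiscoveryDocumentAsync(OpAddress);
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        return await http.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            ClientCredentialStyle = ClientCredentialStyle.PostBody,   // no Basic header with an empty secret
            Code = code,
            RedirectUri = RedirectUri,
            ClientAssertion = new ClientAssertion
            {
                Type = OidcConstants.ClientAssertionTypes.JwtBearer,
                Value = CreateClientAssertion(rsa, disco.TokenEndpoint)
            }
        });
    }

    public static async Task Main()
    {
        var rsa = GenerateClientKey();
        Console.WriteLine("Register on the OP as a JsonWebKey secret:\n" + PublicJwk(rsa, KeyId));
        // The code comes from the authorize callback; placeholder value here.
        var token = await RedeemCodeAsync(new HttpClient(), rsa, "<authorization code from the callback>");
        Console.WriteLine(token.IsError ? token.Error + " " + token.ErrorDescription : token.AccessToken);
    }
}
```

An X.509 certificate works the same way: register the DER-encoded certificate as a secret of type X509CertificateBase64 and sign the assertion with X509SigningCredentials over the certificate's private key. In either case keep the assertion lifetime short and the jti unique, since the OP treats each assertion as a single-use credential.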