diff --git a/Source/ProofOfConcept/Program.cs b/Source/ProofOfConcept/Program.cs
index cbc3d90..0279aeb 100644
--- a/Source/ProofOfConcept/Program.cs
+++ b/Source/ProofOfConcept/Program.cs
@@ -31,66 +31,59 @@ builder.Services.AddHealthChecks()
 .AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag
 builder.Services.AddHttpContextAccessor();
-builder.Services.AddAuthentication(o =>
-{
- o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
- o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
-})
-.AddCookie()
-.AddOpenIdConnect(o =>
-{
- const string TeslaAuthority = "https://auth.tesla.com/oauth2/v3";
- const string TeslaMetadataEndpoint = $"{TeslaAuthority}/.well-known/openid-configuration";
- const string FleetAuthTokenEndpoint = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/token";
- const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com";
-
- // Let the middleware do discovery/JWKS (on demand), but override token endpoint
- o.ConfigurationManager = new TeslaOIDCConfigurationManager(TeslaMetadataEndpoint, FleetAuthTokenEndpoint);
-
- // Standard OIDC settings
- o.Authority = TeslaAuthority; // discovery + /authorize
- o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
- o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
- o.ResponseType = OpenIdConnectResponseType.Code;
- o.UsePkce = true;
- o.SaveTokens = true;
-
- // This must match exactly what you register at Tesla
- o.CallbackPath = new PathString("/token-exchange");
-
- // Scopes you actually need
- o.Scope.Clear();
- o.Scope.Add("openid");
- o.Scope.Add("offline_access");
- o.Scope.Add("vehicle_device_data");
- o.Scope.Add("vehicle_location");
-
- // Optional Tesla parameters
- o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
- o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
- o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
-
- // If keys rotate during runtime, auto-refresh JWKS
- o.RefreshOnIssuerKeyNotFound = true;
-
- // Set token validation parameters
- o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
-
- var signingKeyResolver = new TeslaOIDCConfigurationManager.SigningKeyResolver(o.Backchannel, TimeSpan.FromHours(12));
- o.TokenValidationParameters.IssuerSigningKeyResolver = signingKeyResolver.Resolve;
-
- // Add Tesla's required audience to the token request
- o.Events = new OpenIdConnectEvents
+builder.Services
+ .AddAuthentication(o =>
 {
- OnAuthorizationCodeReceived = ctx =>
+ o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+ o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+ })
+ .AddCookie()
+ .AddOpenIdConnect(o =>
+ {
+ // === Use Fleet-Auth third-party OIDC config ===
+ // Issuer in that doc: https://fleet-auth.tesla.com/oauth2/v3/nts
+ o.Authority = "https://fleet-auth.tesla.com/oauth2/v3/nts";
+
+ // Point directly at the third-party metadata you found:
+ o.MetadataAddress = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/thirdparty/.well-known/openid-configuration";
+
+ // Standard OIDC web app settings
+ o.ResponseType = OpenIdConnectResponseType.Code;
+ o.UsePkce = true;
+ o.SaveTokens = true;
+
+ o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
+ o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
+
+ // Must exactly match what you registered in Tesla portal
+ o.CallbackPath = new PathString("/token-exchange");
+
+ // Set scopes
+ o.Scope.Clear();
+ o.Scope.Add("openid");
+ o.Scope.Add("offline_access");
+ o.Scope.Add("vehicle_device_data");
+ o.Scope.Add("vehicle_location");
+
+ // Optional Tesla flags
+ o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
+ o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
+ o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
+
+ // ✅ Add the Fleet API audience to the token POST
+ const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com"; // set your region base
+ o.Events = new OpenIdConnectEvents
 {
- if (ctx.TokenEndpointRequest is not null)
+ OnAuthorizationCodeReceived = ctx =>
+ {
 ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience;
-
- return Task.CompletedTask;
- }
- };
-});
+ return Task.CompletedTask;
+ }
+ };
+
+ // Auto-refresh keys if Tesla rotates JWKS
+ o.RefreshOnIssuerKeyNotFound = true;
+ });
 // Add own services
 builder.Services.AddSingleton();