Configures Fleet-Auth OIDC authentication

Updates the authentication configuration to utilize Fleet-Auth's third-party OIDC configuration.

This change streamlines the authentication process by pointing directly at the third-party metadata and adds the Fleet API audience to the token request, ensuring proper authorization for accessing Tesla's Fleet API. It also configures Tesla-specific parameters.
2025-08-16 23:13:00 +02:00
parent 31bbc1a99d
commit 96dd0ff99a


@@ -31,66 +31,59 @@ builder.Services.AddHealthChecks()
.AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag .AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag
builder.Services.AddHttpContextAccessor(); builder.Services.AddHttpContextAccessor();
builder.Services.AddAuthentication(o => builder.Services
{ .AddAuthentication(o =>
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
const string TeslaAuthority = "https://auth.tesla.com/oauth2/v3";
const string TeslaMetadataEndpoint = $"{TeslaAuthority}/.well-known/openid-configuration";
const string FleetAuthTokenEndpoint = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/token";
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com";
// Let the middleware do discovery/JWKS (on demand), but override token endpoint
o.ConfigurationManager = new TeslaOIDCConfigurationManager(TeslaMetadataEndpoint, FleetAuthTokenEndpoint);
// Standard OIDC settings
o.Authority = TeslaAuthority; // discovery + /authorize
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
o.ResponseType = OpenIdConnectResponseType.Code;
o.UsePkce = true;
o.SaveTokens = true;
// This must match exactly what you register at Tesla
o.CallbackPath = new PathString("/token-exchange");
// Scopes you actually need
o.Scope.Clear();
o.Scope.Add("openid");
o.Scope.Add("offline_access");
o.Scope.Add("vehicle_device_data");
o.Scope.Add("vehicle_location");
// Optional Tesla parameters
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
// If keys rotate during runtime, auto-refresh JWKS
o.RefreshOnIssuerKeyNotFound = true;
// Set token validation parameters
o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
var signingKeyResolver = new TeslaOIDCConfigurationManager.SigningKeyResolver(o.Backchannel, TimeSpan.FromHours(12));
o.TokenValidationParameters.IssuerSigningKeyResolver = signingKeyResolver.Resolve;
// Add Tesla's required audience to the token request
o.Events = new OpenIdConnectEvents
{ {
OnAuthorizationCodeReceived = ctx => o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
{ o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
if (ctx.TokenEndpointRequest is not null) })
ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience; .AddCookie()
.AddOpenIdConnect(o =>
{
// === Use Fleet-Auth third-party OIDC config ===
// Issuer in that doc: https://fleet-auth.tesla.com/oauth2/v3/nts
o.Authority = "https://fleet-auth.tesla.com/oauth2/v3/nts";
return Task.CompletedTask; // Point directly at the third-party metadata you found:
} o.MetadataAddress = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/thirdparty/.well-known/openid-configuration";
};
}); // Standard OIDC web app settings
o.ResponseType = OpenIdConnectResponseType.Code;
o.UsePkce = true;
o.SaveTokens = true;
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
// Must exactly match what you registered in Tesla portal
o.CallbackPath = new PathString("/token-exchange");
// Set scopes
o.Scope.Clear();
o.Scope.Add("openid");
o.Scope.Add("offline_access");
o.Scope.Add("vehicle_device_data");
o.Scope.Add("vehicle_location");
// Optional Tesla flags
o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
// ✅ Add the Fleet API audience to the token POST
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com"; // set your region base
o.Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = ctx =>
{
ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience;
return Task.CompletedTask;
}
};
// Auto-refresh keys if Tesla rotates JWKS
o.RefreshOnIssuerKeyNotFound = true;
});
// Add own services // Add own services
builder.Services.AddSingleton<IMessageProcessor, MessageProcessor>(); builder.Services.AddSingleton<IMessageProcessor, MessageProcessor>();
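Review bot: The OIDC client secret is still committed in plain text on the new side at `o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";` (beside the hardcoded ClientId); a credential that has landed in git history has to be treated as exposed and rotated, and the replacement should be read from configuration or a secret store rather than source, e.g. `o.ClientSecret = builder.Configuration["Tesla:ClientSecret"];` (key name constructed; assumes `builder` is a WebApplicationBuilder). The rewrite also dropped the guard the old code had around the token request: `ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience;` dereferences `TokenEndpointRequest`, which is nullable on the authorization-code context, so keep `if (ctx.TokenEndpointRequest is not null)` in front of it. Since `o.Authority` (`fleet-auth.tesla.com/oauth2/v3/nts`) and `o.MetadataAddress` (`fleet-auth.prd.vn.cloud.tesla.com/.../thirdparty/...`) now name different hosts and the explicit `ValidIssuers` list is gone, a one-line comment stating which issuer value is actually validated — as far as I recall the handler takes it from the discovery document, not from the Authority string — would save the next reader from re-deriving why the list was removed. The surrounding statement run continues outside the hunk.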