Configures Fleet-Auth OIDC authentication
Updates the authentication configuration to use Fleet-Auth's third-party OIDC configuration. This change streamlines the authentication process by pointing directly at the third-party metadata and adds the Fleet API audience to the token request, ensuring proper authorization for accessing Tesla's Fleet API. It also configures Tesla-specific parameters.
@@ -31,7 +31,8 @@ builder.Services.AddHealthChecks()
|
||||
.AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag
|
||||
builder.Services.AddHttpContextAccessor();
|
||||
|
||||
builder.Services.AddAuthentication(o =>
|
||||
builder.Services
|
||||
.AddAuthentication(o =>
|
||||
{
|
||||
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
|
||||
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
|
||||
@@ -39,57 +40,49 @@ builder.Services.AddAuthentication(o =>
|
||||
.AddCookie()
|
||||
.AddOpenIdConnect(o =>
|
||||
{
|
||||
const string TeslaAuthority = "https://auth.tesla.com/oauth2/v3";
|
||||
const string TeslaMetadataEndpoint = $"{TeslaAuthority}/.well-known/openid-configuration";
|
||||
const string FleetAuthTokenEndpoint = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/token";
|
||||
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com";
|
||||
// === Use Fleet-Auth third-party OIDC config ===
|
||||
// Issuer in that doc: https://fleet-auth.tesla.com/oauth2/v3/nts
|
||||
o.Authority = "https://fleet-auth.tesla.com/oauth2/v3/nts";
|
||||
|
||||
// Let the middleware do discovery/JWKS (on demand), but override token endpoint
|
||||
o.ConfigurationManager = new TeslaOIDCConfigurationManager(TeslaMetadataEndpoint, FleetAuthTokenEndpoint);
|
||||
// Point directly at the third-party metadata you found:
|
||||
o.MetadataAddress = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/thirdparty/.well-known/openid-configuration";
|
||||
|
||||
// Standard OIDC settings
|
||||
o.Authority = TeslaAuthority; // discovery + /authorize
|
||||
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
|
||||
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
|
||||
// Standard OIDC web app settings
|
||||
o.ResponseType = OpenIdConnectResponseType.Code;
|
||||
o.UsePkce = true;
|
||||
o.SaveTokens = true;
|
||||
|
||||
// This must match exactly what you register at Tesla
|
||||
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
|
||||
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
|
||||
|
||||
// Must exactly match what you registered in Tesla portal
|
||||
o.CallbackPath = new PathString("/token-exchange");
|
||||
|
||||
// Scopes you actually need
|
||||
// Set scopes
|
||||
o.Scope.Clear();
|
||||
o.Scope.Add("openid");
|
||||
o.Scope.Add("offline_access");
|
||||
o.Scope.Add("vehicle_device_data");
|
||||
o.Scope.Add("vehicle_location");
|
||||
|
||||
// Optional Tesla parameters
|
||||
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
|
||||
// Optional Tesla flags
|
||||
o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
|
||||
o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
|
||||
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
|
||||
|
||||
// If keys rotate during runtime, auto-refresh JWKS
|
||||
o.RefreshOnIssuerKeyNotFound = true;
|
||||
|
||||
// Set token validation parameters
|
||||
o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
|
||||
|
||||
var signingKeyResolver = new TeslaOIDCConfigurationManager.SigningKeyResolver(o.Backchannel, TimeSpan.FromHours(12));
|
||||
o.TokenValidationParameters.IssuerSigningKeyResolver = signingKeyResolver.Resolve;
|
||||
|
||||
// Add Tesla's required audience to the token request
|
||||
// ✅ Add the Fleet API audience to the token POST
|
||||
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com"; // set your region base
|
||||
o.Events = new OpenIdConnectEvents
|
||||
{
|
||||
OnAuthorizationCodeReceived = ctx =>
|
||||
{
|
||||
if (ctx.TokenEndpointRequest is not null)
|
||||
ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience;
|
||||
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
};
|
||||
|
||||
// Auto-refresh keys if Tesla rotates JWKS
|
||||
o.RefreshOnIssuerKeyNotFound = true;
|
||||
});
|
||||
|
||||
// Add own services
|
||||
|
||||
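Review bot: The OIDC client secret is a string literal in source in the `o.ClientSecret = "ta-secret.…";` assignment inside the `.AddOpenIdConnect` lambda (it appears on both sides of this hunk, so the commit carries it forward rather than introducing it), and the pushed container build means it now lives in repository history. Read it from configuration instead, e.g. `o.ClientSecret = builder.Configuration["Tesla:ClientSecret"] ?? throw new InvalidOperationException("Tesla:ClientSecret is not configured");` (key name illustrative), backed by user secrets or an environment variable, and treat the committed value as exposed and rotate it in the Tesla developer portal; `o.ClientId` can move to configuration the same way. Separately, `o.RefreshOnIssuerKeyNotFound = true;` and `o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");` each appear twice in the hunk, and since the rendered page lost the +/- markers it is not certain which copy survives; if both `Add` calls land on the new side the second throws `ArgumentException` for the duplicate key at startup, so confirm only one remains. Likewise `o.Authority` is assigned twice in the hunk (the nts issuer and `TeslaAuthority`), so it is worth confirming that only the intended value is set alongside `o.MetadataAddress`.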