Enhances Tesla OIDC authentication

Improves authentication by adding a signing key resolver and overriding the token endpoint.

This change ensures proper validation of Tesla's OIDC tokens by fetching the signing keys from the issuer's `certs` endpoint and caching them. It also configures the token endpoint required for Tesla authentication.

Source/ProofOfConcept/Program.cs

@@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
 using ProofOfConcept.Models;
 using ProofOfConcept.Services;
 using ProofOfConcept.Utilities;
@@ -55,9 +56,6 @@ builder.Services.AddAuthentication(o =>
 
     // This must match exactly what you register at Tesla
     o.CallbackPath = new PathString("/token-exchange");
-
-    o.TokenValidationParameters.ValidateIssuer = false;
-    o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
     
     // Scopes you actually need
     o.Scope.Clear();
@@ -74,6 +72,12 @@ builder.Services.AddAuthentication(o =>
     // If keys rotate during runtime, auto-refresh JWKS
     o.RefreshOnIssuerKeyNotFound = true;
 
+    // Set token validation parameters
+    o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
+
+    var signingKeyResolver = new TeslaOIDCConfigurationManager.SigningKeyResolver(o.Backchannel, TimeSpan.FromHours(12));
+    o.TokenValidationParameters.IssuerSigningKeyResolver = signingKeyResolver.Resolve;
+
     // Add Tesla's required audience to the token request
     o.Events = new OpenIdConnectEvents
     {