PDNDClientAssertionGenerator 1.0.4
dotnet add package PDNDClientAssertionGenerator --version 1.0.4
NuGet\Install-Package PDNDClientAssertionGenerator -Version 1.0.4
<PackageReference Include="PDNDClientAssertionGenerator" Version="1.0.4" />
<PackageVersion Include="PDNDClientAssertionGenerator" Version="1.0.4" />
<PackageReference Include="PDNDClientAssertionGenerator" />
paket add PDNDClientAssertionGenerator --version 1.0.4
#r "nuget: PDNDClientAssertionGenerator, 1.0.4"
#:package PDNDClientAssertionGenerator@1.0.4
#addin nuget:?package=PDNDClientAssertionGenerator&version=1.0.4
#tool nuget:?package=PDNDClientAssertionGenerator&version=1.0.4
PDND Client Assertion Generator
A .NET implementation of OAuth 2.0 client authentication for PDND (Piattaforma Digitale Nazionale Dati), including client assertion (JWT) generation and voucher retrieval.
Contents
- What is PDND?
- Voucher
- Requesting a Voucher
- How to Use the Client Assertion Generator
- Voucher Flow for Interoperability APIs
- Security Notes
- License
- Contact
What is PDND?
The Piattaforma Digitale Nazionale Dati (PDND) is an Italian digital infrastructure designed to facilitate data interoperability and exchange between public administrations and private entities. The platform aims to simplify the sharing of public data by providing a secure, standardized, and centralized system for data integration, access, and management. PDND promotes digital transformation within the public sector by ensuring data is accessible, reliable, and reusable, enabling more efficient public services, enhancing transparency, and supporting data-driven decision-making for both government and citizens.
Voucher
A voucher is a JWT used as a Bearer token to access PDND Interoperability APIs.
This library implements the OAuth 2.0 flow with:
To request a voucher, the client must:
- Register at least one public key on the PDND client.
- Create a client assertion (JWT) and sign it with the corresponding private key.
- Exchange the assertion for a voucher at the authorization endpoint.
Requesting a Voucher
To obtain a valid voucher, you must first upload at least one public key to an interop API client. The first step is to create a valid client assertion and sign it with your private key (which must match the public key registered with the client on PDND Interoperabilità). The client assertion consists of a header and a payload.
Voucher Flow for Interoperability APIs
- Your system requests a voucher using a signed client assertion.
- On success, include the returned voucher in the Authorization: Bearer <token> header when calling PDND Interoperability APIs.
How to Use the Client Assertion Generator
To properly set up and use the Client Assertion Generator in your ASP.NET Core application, follow these steps:
- Configure Client Assertion Settings, an example below:
"ClientAssertionConfig": {
"ServerUrl": "https://test-server-url.com",
"KeyId": "ZmYxZGE2YjQtMzY2Yy00NWI5LThjNGItMDJmYmQyZGIyMmZh",
"Algorithm": "RS256",
"Type": "JWT",
"ClientId": "9b361d49-33f4-4f1e-a88b-4e12661f2309",
"Issuer": "interop.pagopa.it",
"Subject": "9b361d49-33f4-4f1e-a88b-4e12661f2309",
"Audience": "https://erogatore.example/ente-example/v1",
"PurposeId": "1b361d49-33f4-4f1e-a88b-4e12661f2300",
"KeyPath": "C:/Keys/private.pem",
"KeyPassword": "", // Only for encrypted PKCS#8 PEM
"Duration": "600" // Duration is expressed in seconds
},
- Register Services:
builder.Services.AddPDNDClientAssertionServices();
Then you can use ClientAssertionGeneratorService, which provides the following methods:
GetClientAssertionAsyncGetTokenAsync(clientAssertion)
Supported Key Formats
The client assertion generator can load private keys from PEM files.
The following formats are supported:
| Format Type | PEM Header / Footer | Notes |
|---|---|---|
| PKCS#1 (RSA) | -----BEGIN RSA PRIVATE KEY-----<br>-----END RSA PRIVATE KEY----- |
Legacy RSA private key format. |
| PKCS#8 (unencrypted) | -----BEGIN PRIVATE KEY-----<br>-----END PRIVATE KEY----- |
Recommended format for new deployments. |
| PKCS#8 (encrypted) | -----BEGIN ENCRYPTED PRIVATE KEY-----<br>-----END ENCRYPTED PRIVATE KEY----- |
Requires the KeyPassword property in configuration. |
❌ Not supported: PFX/P12 containers (.pfx, .p12).
Testing the PDNDClientAssertionGenerator
This project includes a test application, PDNDClientAssertionGenerator.Api, designed to help you test the software with your own configuration. This application acts as a sandbox where you can validate the behavior of the PDNDClientAssertionGenerator components.
How to Use the Test Application:
Configuration: Update the configuration settings in the
appsettings.jsonfile or through environment variables to match your specific use case and environment.Running the Test Application:
- Navigate to the PDNDClientAssertionGenerator.Api folder.
- Use the following command to run the application:
dotnet run --project src/PDNDClientAssertionGenerator.Api/PDNDClientAssertionGenerator.Api.csproj
Testing Scenarios: Once the application is running, you can use various
GetClientAssertionandGetTokento test the functionality of the software in different configurations.
How to Contribute
Thank you for considering to help out with the source code! If you'd like to contribute, please fork, fix, commit and send a pull request for the maintainers to review and merge into the main code base.
- Setting up Git
- Fork the repository
- Open an issue if you encounter a bug or have a suggestion for improvements/features
Security Notes
- Never commit private keys or secrets to the repository.
- Prefer environment variables or secret stores for sensitive values.
- Rotate keys regularly and restrict file permissions on KeyPath.
- Validate token lifetimes appropriate to your risk profile.
License
Repository source code is available under MIT License, see license in the source.
Contact
Please contact at francesco.delre.87[at]gmail.com for any details.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net8.0
- Microsoft.Extensions.Configuration (>= 9.0.9)
- Microsoft.Extensions.Configuration.Abstractions (>= 9.0.9)
- Microsoft.Extensions.Configuration.Binder (>= 9.0.9)
- Microsoft.Extensions.Configuration.EnvironmentVariables (>= 9.0.9)
- Microsoft.Extensions.Configuration.FileExtensions (>= 9.0.9)
- Microsoft.Extensions.Configuration.Json (>= 9.0.9)
- Microsoft.Extensions.Options (>= 9.0.9)
- Microsoft.IdentityModel.Tokens (>= 8.14.0)
- System.IdentityModel.Tokens.Jwt (>= 8.14.0)
- System.Text.Json (>= 9.0.9)
-
net9.0
- Microsoft.Extensions.Configuration (>= 9.0.9)
- Microsoft.Extensions.Configuration.Abstractions (>= 9.0.9)
- Microsoft.Extensions.Configuration.Binder (>= 9.0.9)
- Microsoft.Extensions.Configuration.EnvironmentVariables (>= 9.0.9)
- Microsoft.Extensions.Configuration.FileExtensions (>= 9.0.9)
- Microsoft.Extensions.Configuration.Json (>= 9.0.9)
- Microsoft.Extensions.Options (>= 9.0.9)
- Microsoft.IdentityModel.Tokens (>= 8.14.0)
- System.IdentityModel.Tokens.Jwt (>= 8.14.0)
- System.Text.Json (>= 9.0.9)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.