Smartersoft.Identity.Client.Assertion.Proxy
0.6.0
See the version list below for details.
dotnet tool install --global Smartersoft.Identity.Client.Assertion.Proxy --version 0.6.0
dotnet new tool-manifest # if you are setting up this repo dotnet tool install --local Smartersoft.Identity.Client.Assertion.Proxy --version 0.6.0
#tool dotnet:?package=Smartersoft.Identity.Client.Assertion.Proxy&version=0.6.0
nuke :add-package Smartersoft.Identity.Client.Assertion.Proxy --version 0.6.0
Smartersoft.Identity.Client.Assertion.Proxy
If you are only allowed to use certificates as client credentials, and you're storing those in an Azure Key Vault. Your stuck when you want to use postman to debug your api.
This small api allows you to requests access tokens with those secrets securely stored in the Key Vault. See this post for more details. Or check the live demo.
Development only!
DON'T use this proxy anywhere in production! Having an endpoint where every app can just request tokens without authentication with your developer credentials is a bad idea. This api is meant to be used during development only! For production check out our extensions to ConfidentialClientApplicationBuilder.
Using this proxy
- Install the proxy with
dotnet tool install --global Smartersoft.Identity.Client.Assertion.Proxy - Run the proxy with
az-kv-proxyoraz-kv-proxy --urls http://localhost:5616if you wish to use another port - Open de browser and go to /swagger/index.html
- Try the endpoints
Usage with Insomnia
- Create request called
GetTokento one of the three endpoints. - Edit the original request, change authentication to Bearer.
- Select
TOKENfield and pressCTRL+SPACE, and selectResponse: Body attribute. - Request: Select
GetToken, Filter:$.access_token, Trigger Behavior:When Expiredand Max Age:3000(any number between 300 and 3599)
I like Insomnia over postman, but your millage may vary.
Usage with postman
- Create an environment variable called
token. - Create a request to one of the 3 endpoints to get a token.
- In the Tests tab, save the
access_tokento the environment variabletoken - Change other requests to use environment variable
tokenas the token.
See this post for more details.
Available endpoints
This api had several endpoints all requiring different parameters.
They all respond with the same data (provided it succeeded to get a token).
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIx___0IjoxNTE2MjM5MDIyfQ.SflKxwR___6yJV_adQssw5c",
"lifetime": 3600,
"expires_on": "2022-01-27T11:26:21.0424181+00:00",
"scopes": [
"https://graph.microsoft.com/.default"
]
}
And there also is a Swagger UI running to try it out in the browser, /swagger/index.html.
Using Key Vault Key
This is the most efficient way to use the Key Vault with your secret securely saved. It requires to get info about the key.
- URL
/api/Token/kv-key - Method
POST
{
"clientId": "7e36ca13-5d1e-4c62-95f1-66570bfcec47",
"tenantId": "8cd0791b-341e-40d5-a6de-9a0249c447f2",
"scopes": [
"https://graph.microsoft.com/.default"
],
"keyUri": "https://{kv-domain}.vault.azure.net/keys/{some-certificate-name}/{cert-version}",
"keyThumbprint": "{base64Url-encoded-certificate-hash}"
}
Using Key Vault Certificate
This endpoint still keeps the certificate in the Key Store, but it does requests information about the certificate on each call. Depending on usage, you're better of using the endpoint above this one.
- URL
/api/Token/kv-certificate - Method
POST
{
"clientId": "7e36ca13-5d1e-4c62-95f1-66570bfcec47",
"tenantId": "8cd0791b-341e-40d5-a6de-9a0249c447f2",
"scopes": [
"https://graph.microsoft.com/.default"
],
"keyVaultUri": "https://{kv-domain}.vault.azure.net/",
"certificateName": "{some-certificate-name}"
}
Using Certificate from current user certificate store
This endpoint requires you to generate the certificate in the current user certificate store, but is at least safer than using a plain password as a secret.
- URL
/api/Token/local-certificate - Method
POST
{
"clientId": "7e36ca13-5d1e-4c62-95f1-66570bfcec47",
"tenantId": "8cd0791b-341e-40d5-a6de-9a0249c447f2",
"scopes": [
"https://graph.microsoft.com/.default"
],
"findType": "FindByThumbprint",
"findValue": "{value-to-find-certificate-Thumbprint-in-this-case}"
}
Using Certificate from local computer certificate store
This endpoint requires you to generate the certificate in the current user certificate store, but is at least safer than using a plain password as a secret.
- URL
/api/Token/computer-certificate - Method
POST
{
"clientId": "7e36ca13-5d1e-4c62-95f1-66570bfcec47",
"tenantId": "8cd0791b-341e-40d5-a6de-9a0249c447f2",
"scopes": [
"https://graph.microsoft.com/.default"
],
"findType": "FindByThumbprint",
"findValue": "{value-to-find-certificate-Thumbprint-in-this-case}"
}
License
These packages are licensed under GPL-3.0, if you wish to use this software under a different license. Or you feel that this really helped in your commercial application and wish to support us? You can get in touch and we can talk terms. We are available as consultants.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net7.0 is compatible. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
This package has no dependencies.