Merge pull request #793 from DuendeSoftware/mb/atm

AccessTokenManagement updates

Author: maartenba

src/content/docs/accesstokenmanagement/advanced/_meta.yml

@@ -1,3 +1,3 @@
 label: 'Advanced'
-order: 4
+order: 10
 collapsed: true

src/content/docs/accesstokenmanagement/advanced/client-assertions.md

@@ -0,0 +1,143 @@
+---
+title: Client Assertions
+description: Learn how to use client assertions instead of shared secrets for token client authentication in Duende.AccessTokenManagement.
+sidebar:
+  label: Client Assertions
+  order: 30
+redirect_from:
+  - /foss/accesstokenmanagement/advanced/client_assertions/
+---
+import { Tabs, TabItem } from "@astrojs/starlight/components";
+
+If your token client is using a client assertion instead of a shared secret, you can provide the assertion in two ways:
+
+* Use the request parameter mechanism to pass a client assertion to the management
+* Implement the `IClientAssertionService` interface to centralize client assertion creation
+
+Here's a sample client assertion service using the Microsoft JWT library:
+
+{/* prettier-ignore */}
+<Tabs syncKey="atm">
+  {/* prettier-ignore */}
+  <TabItem label="V4">
+    ```csharp
+    // ClientAssertionService.cs
+    using Duende.AccessTokenManagement;
+    using Duende.IdentityModel;
+    using Duende.IdentityModel.Client;
+    using Microsoft.Extensions.Options;
+    using Microsoft.IdentityModel.JsonWebTokens;
+    using Microsoft.IdentityModel.Tokens;
+
+    public class ClientAssertionService(IOptionsSnapshot<ClientCredentialsClient> options)
+        : IClientAssertionService
+    {
+        public Task<ClientAssertion?> GetClientAssertionAsync(
+        ClientCredentialsClientName? clientName = null, TokenRequestParameters? parameters = null)
+        {
+            if (clientName == "invoice")
+            {
+                var options1 = options.Get(clientName);
+
+                var descriptor = new SecurityTokenDescriptor
+                {
+                    Issuer = options1.ClientId,
+                    Audience = options1.TokenEndpoint,
+                    Expires = DateTime.UtcNow.AddMinutes(1),
+                    SigningCredentials = GetSigningCredential(),
+
+                    Claims = new Dictionary<string, object>
+                    {
+                        { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
+                        { JwtClaimTypes.Subject, options1.ClientId! },
+                        { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
+                    },
+
+                    AdditionalHeaderClaims = new Dictionary<string, object>
+                    {
+                        { JwtClaimTypes.TokenType, "client-authentication+jwt" }
+                    }
+                };
+
+                var handler = new JsonWebTokenHandler();
+                var jwt = handler.CreateToken(descriptor);
+
+                return Task.FromResult<ClientAssertion?>(new ClientAssertion
+                {
+                    Type = OidcConstants.ClientAssertionTypes.JwtBearer,
+                    Value = jwt
+                });
+            }
+
+            return Task.FromResult<ClientAssertion?>(null);
+        }
+
+        private SigningCredentials GetSigningCredential()
+        {
+            throw new NotImplementedException();
+        }
+    }
+    ```  
+  </TabItem>
+  <TabItem label="V3">
+
+    ```csharp
+    // ClientAssertionService.cs
+    using Duende.AccessTokenManagement;
+    using Duende.IdentityModel;
+    using Duende.IdentityModel.Client;
+    using Microsoft.Extensions.Options;
+    using Microsoft.IdentityModel.JsonWebTokens;
+    using Microsoft.IdentityModel.Tokens;
+
+    public class ClientAssertionService(IOptionsSnapshot<ClientCredentialsClient> options)
+        : IClientAssertionService
+    {
+        public Task<ClientAssertion?> GetClientAssertionAsync(
+        string? clientName = null, TokenRequestParameters? parameters = null)
+        {
+            if (clientName == "invoice")
+            {
+                var options1 = options.Get(clientName);
+
+                var descriptor = new SecurityTokenDescriptor
+                {
+                    Issuer = options1.ClientId,
+                    Audience = options1.TokenEndpoint,
+                    Expires = DateTime.UtcNow.AddMinutes(1),
+                    SigningCredentials = GetSigningCredential(),
+
+                    Claims = new Dictionary<string, object>
+                    {
+                        { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
+                        { JwtClaimTypes.Subject, options1.ClientId! },
+                        { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
+                    },
+
+                    AdditionalHeaderClaims = new Dictionary<string, object>
+                    {
+                        { JwtClaimTypes.TokenType, "client-authentication+jwt" }
+                    }
+                };
+
+                var handler = new JsonWebTokenHandler();
+                var jwt = handler.CreateToken(descriptor);
+
+                return Task.FromResult<ClientAssertion?>(new ClientAssertion
+                {
+                    Type = OidcConstants.ClientAssertionTypes.JwtBearer,
+                    Value = jwt
+                });
+            }
+
+            return Task.FromResult<ClientAssertion?>(null);
+        }
+
+        private SigningCredentials GetSigningCredential()
+        {
+            throw new NotImplementedException();
+        }
+    }
+    ```
+    </TabItem>
+</Tabs>