TD-4086 Reworks JWT token generation to add iss and kid to token headers

Author: kevwhitt-hee

DigitalLearningSolutions.Data/Extensions/ConfigurationExtensions.cs

@@ -51,6 +51,7 @@ public static class ConfigurationExtensions
         private const string UserResearchUrlName = "UserResearchUrl";
         private const string TableauSectionKey = "TableauDashboards";
         private const string TableauClientId = "ClientId";
+        private const string TableauClientSecretId = "ClientSecretId";
         private const string TableauClientSecret = "ClientSecret";
         private const string TableauUsername = "Username";
         private const string TableauClientName = "ClientName";
@@ -236,6 +237,10 @@ public static string GetTableauClientSecret(this IConfiguration config)
         {
             return config[$"{TableauSectionKey}:{TableauClientSecret}"]!;
         }
+        public static string GetTableauClientSecretId(this IConfiguration config)
+        {
+            return config[$"{TableauSectionKey}:{TableauClientSecretId}"]!;
+        }
         public static string GetTableauUser(this IConfiguration config)
         {
             return config[$"{TableauSectionKey}:{TableauUsername}"]!;

DigitalLearningSolutions.Web/Helpers/ExternalApis/TableauConnectionHelper.cs

@@ -23,6 +23,7 @@ public class TableauConnectionHelper : ITableauConnectionHelperService
     {
         private readonly string connectedAppClientName;
         private readonly string connectedAppSecretKey;
+        private readonly string connectedAppSecretId;
         private readonly string connectedAppClientId;
         private readonly string tableauUrl;
         private readonly string dashboardUrl;
@@ -31,6 +32,7 @@ public TableauConnectionHelper(IConfiguration config)
         {
             connectedAppClientName = config.GetTableauClientName();
             connectedAppClientId = config.GetTableauClientId();
+            connectedAppSecretId = config.GetTableauClientSecretId();
             connectedAppSecretKey = config.GetTableauClientSecret();
             tableauUrl = config.GetTableauSiteUrl();
             dashboardUrl = config.GetTableauDashboardUrl();
@@ -39,27 +41,32 @@ public TableauConnectionHelper(IConfiguration config)
         public string GetTableauJwt(string email)
         {
             var tokenHandler = new JwtSecurityTokenHandler();
-            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(connectedAppSecretKey));
-            var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
+            var key = Encoding.ASCII.GetBytes(connectedAppSecretKey);
+
             var claims = new[]
             {
                 new Claim(JwtRegisteredClaimNames.Sub, user),
-                new Claim(JwtRegisteredClaimNames.Iss, connectedAppClientId),
-                new Claim("scp", "tableau:views:embed"),
-                new Claim("users.primaryemail", email),
                 new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
-                new Claim(JwtRegisteredClaimNames.Exp,
-                new DateTimeOffset(DateTime.UtcNow.AddMinutes(20)).ToUnixTimeSeconds().ToString())
+                new Claim("users.primaryemail", email),
+                new Claim("scp", "tableau:views:embed")
             };
+            var securityKey = new SymmetricSecurityKey(key);
+            var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
+            var header = new JwtHeader(credentials);
+            header["kid"] = connectedAppSecretId; // Secret ID
+            header["iss"] = connectedAppClientId; // Issuer (iss)
+            var payload = new JwtPayload(
+                connectedAppClientId, // Issuer (iss)
+                "tableau", // Audience (aud)
+                claims,
+                notBefore: DateTime.UtcNow,
+                expires: DateTime.UtcNow.AddMinutes(5)
+            );
 
-            var token = new JwtSecurityToken(
-                issuer: connectedAppClientId,
-                audience: "tableau",
-                claims: claims,
-                expires: DateTime.UtcNow.AddMinutes(20),
-                signingCredentials: credentials);
+            var token = new JwtSecurityToken(header, payload);
+            var tokenString = tokenHandler.WriteToken(token);
 
-            return new JwtSecurityTokenHandler().WriteToken(token);
+            return tokenString;
         }
 
         public async Task<string> AuthenticateUserAsync(string jwtToken)

DigitalLearningSolutions.Web/appsettings.json

@@ -83,9 +83,10 @@
     "CompetencyDashboardUrl": "https://tabuat.data.england.nhs.uk/#/workbooks/7839/views",
     "Username": "SVC_default_TEL",
     "Password": "",
-    "ClientName":  "tel_dls",
+    "ClientName": "tel_dls",
     "ClientId": "a7906ce3-e0c9-403e-a169-8eb78d858f8a",
-    "ClientSecret":  ""
+    "ClientSecretId": "38b99058-a806-4ee2-bf7a-ad1933a81ae5",
+    "ClientSecret": ""
   },
   "UserResearchUrl": "https://forms.office.com/e/nKcK8AdHRX"
 }