Optional token exchange in server

Author: aorzelskiGH

examples/TokenTool/TokenTool.Core/TokenTool.cs

@@ -345,7 +345,8 @@ public async Task RunAsync(MyApp.IOConsole ioConsole)
                 "",
                 "basyx",
                 "assetfox",
-                "factory-x"
+                "factory-x",
+                "fa3st"
             ];
             for (var i = 0; i < configUrlList.Count; i++)
             {

src/AasSecurity/SecurityService.cs

@@ -474,6 +474,57 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
                         valid = true;
                     }
                     if (!valid)
+                    {
+                        var tokenExchange1 = System.Environment.GetEnvironmentVariable("TOKENEXCHANGE1");
+                        var tokenExchange2 = System.Environment.GetEnvironmentVariable("TOKENEXCHANGE2");
+                        if (!string.IsNullOrEmpty(tokenExchange1) && !string.IsNullOrEmpty(tokenExchange2)
+                            && iss == tokenExchange1)
+                        {
+                            var handlerExchange = new HttpClientHandler { DefaultProxyCredentials = CredentialCache.DefaultCredentials };
+                            var client = new HttpClient(handlerExchange);
+
+                            JsonDocument doc;
+                            var parameters = new Dictionary<string, string>
+                            {
+                                { "grant_type", "urn:ietf:params:oauth:grant-type:token-exchange" },
+                                { "subject_token_type", "urn:ietf:params:oauth:token-type:jwt" },
+                                { "requested_token_type", "urn:ietf:params:oauth:token-type:access_token" },
+                                { "subject_token", bearerToken },
+                                { "audience", "fa3st" }
+                            };
+                            var request = new HttpRequestMessage(HttpMethod.Post, $"{tokenExchange2}/token")
+                            {
+                                Content = new FormUrlEncodedContent(parameters)
+                            };
+                            request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
+
+                            var response = client.SendAsync(request);
+                            var content = response.GetAwaiter().GetResult().Content.ContentToString();
+
+                            bearerToken = "";
+                            jwtSecurityToken = null;
+                            doc = JsonDocument.Parse(content);
+                            if (doc.RootElement.TryGetProperty("access_token", out var tokenElement))
+                            {
+                                bearerToken = tokenElement.GetString();
+                                Console.WriteLine("token exchange " + bearerToken);
+                                jwtSecurityToken = handler.ReadJwtToken(bearerToken);
+
+                                iss = "";
+                                issClaim = jwtSecurityToken.Claims.Where(c => c.Type == "iss");
+                                if (issClaim.Any())
+                                {
+                                    iss = issClaim.First().Value;
+                                }
+                            }
+                            if (jwtSecurityToken == null)
+                            {
+                                user = "";
+                                return "";
+                            }
+                        }
+                    }
+                    if (!valid)
                     {
                         if (jwtSecurityToken.Header.TryGetValue("kid", out _))
                         {

src/AasSecurity/SecuritySettingsForServerParser.cs

@@ -217,29 +217,32 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                                     .Select(sp => (string)sp)
                                     .FirstOrDefault()
                             })
-                            .FirstOrDefault()
+                            .ToList()
                     })
                     .ToList();
 
                 foreach (var provider in providers)
                 {
-                    var serverName = provider?.Service?.Name;
-                    Console.WriteLine(" serverName: " + serverName);
+                    foreach (var service in provider?.Service)
+                    {
+                        var serverName = service?.Name;
+                        Console.WriteLine(" serverName: " + serverName);
 
-                    var domain = provider?.Domain;
-                    Console.WriteLine("  domain: " + domain);
+                        var domain = provider?.Domain;
+                        Console.WriteLine("  domain: " + domain);
 
-                    var jwks = provider?.Service?.SupplyPoint;
-                    Console.WriteLine("  jwks: " + jwks);
+                        var jwks = service?.SupplyPoint;
+                        Console.WriteLine("  jwks: " + jwks);
 
-                    var kid = "";
+                        var kid = "";
 
-                    GlobalSecurityVariables.ServerCertificates.Add(null);
-                    GlobalSecurityVariables.ServerCertFileNames.Add("");
-                    GlobalSecurityVariables.ServerCertFileNames.Add(serverName + ".cer");
-                    GlobalSecurityVariables.ServerDomain.Add(domain);
-                    GlobalSecurityVariables.ServerJwksUrl.Add(jwks);
-                    GlobalSecurityVariables.ServerKid.Add(kid);
+                        GlobalSecurityVariables.ServerCertificates.Add(null);
+                        GlobalSecurityVariables.ServerCertFileNames.Add("");
+                        GlobalSecurityVariables.ServerCertFileNames.Add(serverName + ".cer");
+                        GlobalSecurityVariables.ServerDomain.Add(domain);
+                        GlobalSecurityVariables.ServerJwksUrl.Add(jwks);
+                        GlobalSecurityVariables.ServerKid.Add(kid);
+                    }
                 }
             }
             if (authServer == null || authServer.Value == null)

src/AasxServerBlazor/Properties/launchSettings.json

@@ -10,7 +10,7 @@
     },
     "AasxServerBlazor": {
       "commandName": "Project",
-      "commandLineArgs": "--with-db --start-index 0 --secret-string-api 1234 --data-path \"C:\\Users\\ee924l\\Documents\\aas\\mqtt\" --edit --external-blazor http://localhost:5001",
+      "commandLineArgs": "--with-db --start-index 1000 --secret-string-api 1234 --data-path \"C:\\Development\\p5\" --edit --external-blazor http://localhost:5001",
       "launchBrowser": true,
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",
@@ -19,7 +19,8 @@
         "Kestrel__Endpoints__Http__Url": "http://localhost:5001",
         "EVENT2": "http://localhost:5002/submodels/aHR0cHM6Ly9pNGQuZGUvVC8zMjA5NTEwL3N1Ym1vZGVsL05hbWVwbGF0ZS9yZWNlaXZlcg/events/EventElement1",
         "AASX_MQTT": "1",
-        "REGISTRYOFREGISTRY": "https://plugfest3.aas-voyager.com/registry-descriptors"
+        "TOKENEXCHANGE1": "https://iam-security-training.com/consumer/sts",
+        "TOKENEXCHANGE2": "https://iam-security-training.com/provider/sts"
       },
       "applicationUrl": "http://localhost:5001",
       "jsWebView2Debugging": true