szakatsa/Automatic-Parking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Configures Fleet-Auth OIDC authentication
All checks were successful
Build, Push and Run Container / build (push) Successful in 24s
Details

Browse Source 
Updates the authentication configuration to utilize Fleet-Auth's third-party OIDC configuration.

This change streamlines the authentication process by directly pointing to the third-party metadata and adds the Fleet API audience to the token request, ensuring proper authorization for accessing Tesla's Fleet API. It also configures Tesla specific parameters.
This commit is contained in:
Szakáts Alpár
2025-08-16 23:13:00 +02:00
parent 31bbc1a99d
commit 96dd0ff99a
1 changed files with 50 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
Source/ProofOfConcept/Program.cs
View File

@@ -31,66 +31,59 @@ builder.Services.AddHealthChecks()
.AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag .AddAsyncCheck("", cancellationToken => Task.FromResult(HealthCheckResult.Healthy()), ["ready"]); //TODO: Check tag
builder.Services.AddHttpContextAccessor(); builder.Services.AddHttpContextAccessor();
builder.Services.AddAuthentication(o => builder.Services
{ .AddAuthentication(o =>
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
const string TeslaAuthority = "https://auth.tesla.com/oauth2/v3";
const string TeslaMetadataEndpoint = $"{TeslaAuthority}/.well-known/openid-configuration";
const string FleetAuthTokenEndpoint = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/token";
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com";
// Let the middleware do discovery/JWKS (on demand), but override token endpoint
o.ConfigurationManager = new TeslaOIDCConfigurationManager(TeslaMetadataEndpoint, FleetAuthTokenEndpoint);
// Standard OIDC settings
o.Authority = TeslaAuthority; // discovery + /authorize
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
o.ResponseType = OpenIdConnectResponseType.Code;
o.UsePkce = true;
o.SaveTokens = true;
// This must match exactly what you register at Tesla
o.CallbackPath = new PathString("/token-exchange");
// Scopes you actually need
o.Scope.Clear();
o.Scope.Add("openid");
o.Scope.Add("offline_access");
o.Scope.Add("vehicle_device_data");
o.Scope.Add("vehicle_location");
// Optional Tesla parameters
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
// If keys rotate during runtime, auto-refresh JWKS
o.RefreshOnIssuerKeyNotFound = true;
// Set token validation parameters
o.TokenValidationParameters.ValidIssuers = ["https://fleet-auth.tesla.com/oauth2/v3/nts", "https://auth.tesla.com/oauth2/v3", "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/nts"];
var signingKeyResolver = new TeslaOIDCConfigurationManager.SigningKeyResolver(o.Backchannel, TimeSpan.FromHours(12));
o.TokenValidationParameters.IssuerSigningKeyResolver = signingKeyResolver.Resolve;
// Add Tesla's required audience to the token request
o.Events = new OpenIdConnectEvents
{ {
OnAuthorizationCodeReceived = ctx => o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
// === Use Fleet-Auth third-party OIDC config ===
// Issuer in that doc: https://fleet-auth.tesla.com/oauth2/v3/nts
o.Authority = "https://fleet-auth.tesla.com/oauth2/v3/nts";
// Point directly at the third-party metadata you found:
o.MetadataAddress = "https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/thirdparty/.well-known/openid-configuration";
// Standard OIDC web app settings
o.ResponseType = OpenIdConnectResponseType.Code;
o.UsePkce = true;
o.SaveTokens = true;
o.ClientId = "b2240ee4-332a-4252-91aa-bbcc24f78fdb";
o.ClientSecret = "ta-secret.YG+XSdlvr6Lv8U-x";
// Must exactly match what you registered in Tesla portal
o.CallbackPath = new PathString("/token-exchange");
// Set scopes
o.Scope.Clear();
o.Scope.Add("openid");
o.Scope.Add("offline_access");
o.Scope.Add("vehicle_device_data");
o.Scope.Add("vehicle_location");
// Optional Tesla flags
o.AdditionalAuthorizationParameters.Add("require_requested_scopes", "true");
o.AdditionalAuthorizationParameters.Add("show_keypair_step", "true");
o.AdditionalAuthorizationParameters.Add("prompt_missing_scopes", "true");
// ✅ Add the Fleet API audience to the token POST
const string FleetApiAudience = "https://fleet-api.prd.eu.vn.cloud.tesla.com"; // set your region base
o.Events = new OpenIdConnectEvents
{ {
if (ctx.TokenEndpointRequest is not null) OnAuthorizationCodeReceived = ctx =>
{
ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience; ctx.TokenEndpointRequest.Parameters["audience"] = FleetApiAudience;
return Task.CompletedTask;
return Task.CompletedTask; }
} };
};
}); // Auto-refresh keys if Tesla rotates JWKS
o.RefreshOnIssuerKeyNotFound = true;
});
// Add own services // Add own services
builder.Services.AddSingleton<IMessageProcessor, MessageProcessor>(); builder.Services.AddSingleton<IMessageProcessor, MessageProcessor>();