|
- namespace Campaign_Tracker.Server.Authentication;
-
- public sealed class KeycloakOptions
- {
- public const string SectionName = "Keycloak";
-
- public string Authority { get; init; } = "https://kci-app01.ntp.kentcommunications.com/realms/KCI";
- public string? MetadataAddress { get; init; }
- public string? ValidIssuer { get; init; }
- public string PublicAuthority { get; init; } = "https://kci-app01.ntp.kentcommunications.com/realms/KCI";
- public string ClientId { get; init; } = "canopy-web";
- public string? ClientSecret { get; init; }
- public string? Audience { get; init; }
- public string[]? Audiences { get; init; }
- public bool DisableHttpsMetadata { get; init; }
- public string? TestSigningKey { get; init; }
-
- public string TokenAudience => string.IsNullOrWhiteSpace(Audience) ? ClientId : Audience;
-
- // Keycloak's default access token carries aud="account" (the realm's
- // built-in account client). Resource-server audience validation must
- // accept that alongside our own ClientId, otherwise every legitimate
- // token fails validation with SecurityTokenInvalidAudienceException.
- public string[] TokenAudiences =>
- Audiences is { Length: > 0 } configured
- ? configured
- : [TokenAudience, "account"];
-
- public string TokenIssuer =>
- string.IsNullOrWhiteSpace(ValidIssuer) ? PublicAuthority : ValidIssuer;
-
- public string TokenEndpointAuthority =>
- string.IsNullOrWhiteSpace(PublicAuthority) ? Authority : PublicAuthority;
- }
|
