{"id":35253163,"url":"https://github.com/damienbod/oidc-client-assertion","last_synced_at":"2026-03-27T04:08:56.925Z","repository":{"id":280634455,"uuid":"936067986","full_name":"damienbod/oidc-client-assertion","owner":"damienbod","description":"Use client assertions in OpenID Connect and ASP.NET Core","archived":false,"fork":false,"pushed_at":"2026-03-15T13:40:28.000Z","size":1264,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-16T02:58:47.548Z","etag":null,"topics":["aspnetcore","net","oauth","oidc","openid-connect"],"latest_commit_sha":null,"homepage":"https://damienbod.com/2025/02/24/use-client-assertions-in-openid-connect-and-asp-net-core/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/damienbod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-02-20T13:30:44.000Z","updated_at":"2026-03-15T13:40:32.000Z","dependencies_parsed_at":"2025-03-04T13:46:23.436Z","dependency_job_id":"f5127bc4-ccd6-491b-914c-cbbf2d1cb8c1","html_url":"https://github.com/damienbod/oidc-client-assertion","commit_stats":null,"previous_names":["damienbod/oidc-client-assertion"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/damienbod/oidc-client-assertion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/damienbod%2Foidc-client-assertion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/damienbod%2Foidc-client-assertion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/damienbod%2Foidc-client-assertion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/damienbod%2Foidc-client-assertion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/damienbod","download_url":"https://codeload.github.com/damienbod/oidc-client-assertion/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/damienbod%2Foidc-client-assertion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31018555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T03:51:26.850Z","status":"ssl_error","status_checked_at":"2026-03-27T03:51:09.693Z","response_time":164,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aspnetcore","net","oauth","oidc","openid-connect"],"created_at":"2025-12-30T07:08:49.761Z","updated_at":"2026-03-27T04:08:56.911Z","avatar_url":"https://github.com/damienbod.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Use client assertions in OpenID Connect and ASP.NET Core\n\n[![.NET](https://github.com/damienbod/oidc-client-assertion/actions/workflows/dotnet.yml/badge.svg)](https://github.com/damienbod/oidc-client-assertion/actions/workflows/dotnet.yml)\n\nBlog: [Use 
client assertions in OpenID Connect and ASP.NET Core](https://damienbod.com/2025/02/24/use-client-assertions-in-openid-connect-and-asp-net-core/)\n\nClient assertions are a method of client authentication that can be used in OpenID Connect. This provides an alternative to client secrets. This approach enhances security by using signed tokens (JWTs) to authenticate clients during the token request process or the OAuth PAR request. In ASP.NET Core, client assertions are not supported by default; a small implementation is required.\n\n![flow](https://github.com/damienbod/oidc-client-assertion/blob/main/images/oidc-confidential-pkce-code-flow-assertion.drawio.png)\n\n## History\n\n- 2026-03-15 Update packages\n- 2025-09-28 Update packages\n\n## Use an assertion in ASP.NET Core (token request):\n\nWhen using OAuth PAR, the client assertion is set in the OnPushAuthorization event.\n\n```csharp\n\n// single tenant\nvar aud = $\"https://login.microsoftonline.com/{builder.Configuration[\"AzureAd:TenantId\"]!}/oauth2/v2.0/token\";\n\nvar clientAssertion = CertService.GetSignedClientAssertion(\n\tX509CertificateLoader.LoadPkcs12FromFile(\"cert_rsa512.pfx\", \"1234\"),\n\taud,\n\tbuilder.Configuration[\"AzureAd:ClientId\"]!);\n\nbuilder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)\n.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)\n.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, oidcOptions =\u003e\n{\n\toidcOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;\n\toidcOptions.Scope.Add(OpenIdConnectScope.OpenIdProfile);\n\toidcOptions.Scope.Add(\"user.read\");\n\toidcOptions.Scope.Add(OpenIdConnectScope.OfflineAccess);\n\toidcOptions.Authority = $\"https://login.microsoftonline.com/{builder.Configuration[\"AzureAd:TenantId\"]}/v2.0/\";\n\toidcOptions.ClientId = builder.Configuration[\"AzureAd:ClientId\"];\n\t\t\n\toidcOptions.ResponseType = OpenIdConnectResponseType.Code;\n\toidcOptions.MapInboundClaims = 
false;\n\toidcOptions.SaveTokens = true;\n\toidcOptions.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Name;\n\toidcOptions.TokenValidationParameters.RoleClaimType = \"role\";\n\n\t//oidcOptions.ClientSecret = builder.Configuration[\"AzureAd:ClientSecret\"];\n\n\toidcOptions.Events = new OpenIdConnectEvents\n\t{\n\t\t// Add client_assertion            \n\t\tOnAuthorizationCodeReceived = context =\u003e\n\t\t{\n\t\t\tcontext.TokenEndpointRequest!.ClientAssertion = clientAssertion;\n\t\t\tcontext.TokenEndpointRequest.ClientAssertionType = \"urn:ietf:params:oauth:client-assertion-type:jwt-bearer\";\n\t\t\treturn Task.FromResult(0);\n\t\t}\n\t\t//OnPushAuthorization = context =\u003e\n\t\t//{\n\t\t//    context.TokenEndpointRequest.ClientAssertion = clientAssertion;\n\t\t//    context.TokenEndpointRequest.ClientAssertionType = \"urn:ietf:params:oauth:client-assertion-type:jwt-bearer\";\n\t\t//    return Task.FromResult(0);\n\t\t//}\n\t};\n});\n```\n\n## Links\n\nhttps://datatracker.ietf.org/doc/html/rfc7521\n\nhttps://datatracker.ietf.org/doc/html/rfc7523\n\nhttps://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/confidential-client-assertions\n\nhttps://github.com/AzureAD/microsoft-identity-web/blob/2b8fbf0104d820bba8785c41b2ef9e6f801b5e73/src/Microsoft.Identity.Web.TokenAcquisition/MsAuth10AtPop.cs#L48\n\nhttps://curity.io/resources/learn/jwt-assertion/\n\nhttps://oauth.net/private-key-jwt/\n\nhttps://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates\n\nhttps://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-oidc-web-authentication","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamienbod%2Foidc-client-assertion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdamienbod%2Foidc-client-assertion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamienbod%2Foidc-client-assertion/lists"}