public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
var success = Task.FromResult(new SecretValidationResult {
Success = true
});
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogError("ParsedSecret.Credential is not a string.");
return(fail);
}
if (!_genericJwtValidator.IsValid(jwtTokenString, parsedSecret.Id, _partyDetailsOptions.ClientId))
{
_logger.LogError("ParsedSecret.Credential is not a valid JWT.");
return(fail);
}
return(success);
}
public void IsValid_JwtHeaderAlgInvalid_ReturnsFalse(string signingAlgorithm)
{
var jwt = CreateClientAssertionJwt(signingAlgorithm);
var result = _sut.IsValid(jwt, ClientId, TestData.SchemeOwner.ClientId);
result.Should().BeFalse();
}
protected async Task <JwtSecurityToken> ValidateJwtAsync(string jwtTokenString, Client client)
{
if (!_defaultJwtValidator.IsValid(jwtTokenString, client.ClientId, _audience))
{
throw new SecurityTokenException();
}
var validationResult = await _assertionManager.ValidateAsync(jwtTokenString);
if (!validationResult.Success)
{
throw new SecurityTokenException();
}
var securityToken = new JwtSecurityTokenHandler().ReadToken(jwtTokenString);
var jwtToken = (JwtSecurityToken)securityToken;
return(jwtToken);
}
public async Task <IdentityResult> Validate(DelegationMask mask)
{
try
{
if (mask.PreviousSteps != null)
{
foreach (var step in mask.PreviousSteps)
{
var assertion = _assertionParser.Parse(step);
var result = await _assertionParser.ValidateAsync(assertion);
if (!result.Success || !_defaultJwtValidator.IsValid(step,
mask.DelegationRequest.Target.AccessSubject, // client id should be access subject
_context.HttpContext.User.GetRequestingClientId() // audience should be the requester id
))
{
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error"
}));
}
if (mask.DelegationRequest.Target.AccessSubject != assertion.JwtToken.Issuer)
{
return(IdentityResult.Failed(new IdentityError {
Code = "invalid_delegation_assertion_pair"
}));
}
}
}
return(IdentityResult.Success);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Exception while authorizing previous steps");
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error", Description = ex.Message
}));
}
}
