private async Task <bool> IsTokenValid(string token)
{
try
{
using (var scope = await _shellHost.GetScopeAsync(_shellSettingsManager.GetSettings(ShellHelper.DefaultShellName)))
{
var dataProtectionProvider = scope.ServiceProvider.GetService <IDataProtectionProvider>();
ITimeLimitedDataProtector dataProtector = dataProtectionProvider.CreateProtector("Tokens").ToTimeLimitedDataProtector();
var tokenValue = dataProtector.Unprotect(token, out var expiration);
if (_clock.UtcNow < expiration.ToUniversalTime())
{
if (_shellSettings.Secret == tokenValue)
{
return(true);
}
}
}
}
catch (Exception ex)
{
_logger.LogError(ex, "Error in decrypting the token");
}
return(false);
}
public void Configure(string name, OpenIddictValidationOptions options)
{
// Ignore validation handler instances that don't correspond to the instance managed by the OpenID module.
if (!string.Equals(name, OpenIddictValidationDefaults.AuthenticationScheme, StringComparison.Ordinal))
{
return;
}
var settings = GetValidationSettingsAsync().GetAwaiter().GetResult();
if (settings == null)
{
return;
}
// If the tokens are issued by an authorization server located in a separate tenant,
// resolve the isolated data protection provider associated with the specified tenant.
if (!string.IsNullOrEmpty(settings.Tenant) &&
!string.Equals(settings.Tenant, _shellSettings.Name, StringComparison.Ordinal))
{
var shellSettings = _shellSettingsManager.GetSettings(settings.Tenant);
var(scope, shellContext) = _shellHost.GetScopeAndContextAsync(shellSettings).GetAwaiter().GetResult();
using (scope)
{
// If the other tenant is released, ensure the current tenant is also restarted as it
// relies on a data protection provider whose lifetime is managed by the other tenant.
// To make sure the other tenant is not disposed before all the pending requests are
// processed by the current tenant, a tenant dependency is manually added.
shellContext.AddDependentShell(_shellHost.GetOrCreateShellContextAsync(_shellSettings).GetAwaiter().GetResult());
// Note: the data protection provider is always registered as a singleton and thus will
// survive the current scope, which is mainly used to prevent the other tenant from being
// released before we have a chance to declare the current tenant as a dependent tenant.
options.DataProtectionProvider = scope.ServiceProvider.GetDataProtectionProvider();
}
}
// Don't allow the current tenant to choose the valid audiences, as this would
// otherwise allow it to introspect tokens meant to be used with another tenant.
options.Audiences.Add(OpenIdConstants.Prefixes.Tenant + _shellSettings.Name);
}