Beispiel #1
0
    /// <summary>
    /// Validates the JWT token
    /// </summary>
    protected virtual async Task <JsonWebToken> ValidateJwtAsync(JwtRequestValidationContext context, IEnumerable <SecurityKey> keys)
    {
        var tokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKeys        = keys,
            ValidateIssuerSigningKey = true,

            ValidIssuer    = context.Client.ClientId,
            ValidateIssuer = true,

            ValidAudience    = await GetAudienceUri(),
            ValidateAudience = true,

            RequireSignedTokens   = true,
            RequireExpirationTime = true
        };

        var strictJarValidation = context.StrictJarValidation.HasValue ? context.StrictJarValidation.Value : Options.StrictJarValidation;

        if (strictJarValidation)
        {
            tokenValidationParameters.ValidTypes = new[] { JwtClaimTypes.JwtTypes.AuthorizationRequest };
        }

        var result = Handler.ValidateToken(context.JwtTokenString, tokenValidationParameters);

        if (!result.IsValid)
        {
            throw result.Exception;
        }

        return((JsonWebToken)result.SecurityToken);
    }
Beispiel #2
0
    /// <summary>
    /// Processes the JWT contents
    /// </summary>
    /// <param name="context"></param>
    /// <param name="token">The JWT token</param>
    /// <returns></returns>
    protected virtual Task <List <Claim> > ProcessPayloadAsync(JwtRequestValidationContext context, JsonWebToken token)
    {
        // filter JWT validation values
        var filter = Constants.Filters.JwtRequestClaimTypesFilter.ToList();

        if (context.IncludeJti)
        {
            // don't filter out the jti claim
            filter.Remove(JwtClaimTypes.JwtId);
        }

        var filtered = token.Claims.Where(claim => !filter.Contains(claim.Type));

        return(Task.FromResult(filtered.ToList()));
    }
Beispiel #3
0
    /// <inheritdoc/>
    public virtual async Task <JwtRequestValidationResult> ValidateAsync(JwtRequestValidationContext context)
    {
        using var activity = Tracing.BasicActivitySource.StartActivity("JwtRequestValidator.Validate");

        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }
        if (context.Client == null)
        {
            throw new ArgumentNullException(nameof(context.Client));
        }
        if (String.IsNullOrWhiteSpace(context.JwtTokenString))
        {
            throw new ArgumentNullException(nameof(context.JwtTokenString));
        }

        var fail = new JwtRequestValidationResult {
            IsError = true
        };

        List <SecurityKey> trustedKeys;

        try
        {
            trustedKeys = await GetKeysAsync(context.Client);
        }
        catch (Exception e)
        {
            Logger.LogError(e, "Could not parse client secrets");
            return(fail);
        }

        if (!trustedKeys.Any())
        {
            Logger.LogError("There are no keys available to validate JWT.");
            return(fail);
        }

        JsonWebToken jwtSecurityToken;

        try
        {
            jwtSecurityToken = await ValidateJwtAsync(context, trustedKeys);
        }
        catch (Exception e)
        {
            Logger.LogError(e, "JWT token validation error");
            return(fail);
        }

        if (jwtSecurityToken.TryGetPayloadValue <string>(OidcConstants.AuthorizeRequest.Request, out _) ||
            jwtSecurityToken.TryGetPayloadValue <string>(OidcConstants.AuthorizeRequest.RequestUri, out _))
        {
            Logger.LogError("JWT payload must not contain request or request_uri");
            return(fail);
        }

        var payload = await ProcessPayloadAsync(context, jwtSecurityToken);

        var result = new JwtRequestValidationResult
        {
            IsError = false,
            Payload = payload
        };

        Logger.LogDebug("JWT request object validation success.");
        return(result);
    }