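        /// <summary>
        /// Validates a Google-issued ID token (signature against Google's published
        /// certificates, audience, issuer and lifetime) and records the outcome in
        /// <c>_IsTokenValid</c>. Never throws: every validation failure yields <c>false</c>.
        /// </summary>
        /// <param name="idToken">The raw JWT as received from the client; may be null.</param>
        public void VerifyGoogleToken(string idToken)
        {
            // Default to "invalid" first so a null token, a null principal or an exception
            // can never leave a stale true from an earlier call in the field.
            _IsTokenValid = false;

            if (idToken == null)
            {
                return;
            }

            try
            {
                JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

                // Thumbprints are hex strings; the key identifier in the token may differ in case,
                // so the map is case-insensitive rather than upper-casing on every lookup.
                byte[][] certBytes = SOSCodecs.getGoogleCertBytes();
                Dictionary<string, X509Certificate2> certificates =
                    new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);

                foreach (byte[] rawCert in certBytes)
                {
                    X509Certificate2 certificate = new X509Certificate2(rawCert);
                    // Indexer assignment: a duplicate thumbprint must not abort validation.
                    certificates[certificate.Thumbprint] = certificate;
                }

                TokenValidationParameters tvp = new TokenValidationParameters()
                {
                    ValidateActor            = false,
                    ValidAudience            = ConfigProvider.ConfigurationStore.GoogleClientID,
                    ValidateIssuer           = true,
                    // Google emits the issuer both with and without the scheme.
                    ValidIssuers             = new[] { "accounts.google.com", "https://accounts.google.com" },
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens      = true,
                    // Chain building for Google's signing certificates is skipped on purpose;
                    // trust comes from the certificates being fetched from Google directly.
                    CertificateValidator     = X509CertificateValidator.None,
                    IssuerSigningKeyResolver = (s, securityToken, identifier, parameter) =>
                    {
                        // Use the first key identifier clause that maps to a known certificate.
                        if (identifier != null)
                        {
                            foreach (var clause in identifier)
                            {
                                X509Certificate2 match;
                                if (clause.Id != null && certificates.TryGetValue(clause.Id, out match))
                                {
                                    return new X509SecurityKey(match);
                                }
                            }
                        }
                        // No matching certificate: fail the validation (caught below).
                        throw new InvalidOperationException("No Google signing certificate matches the token key identifier.");
                    },
                    // Expiry must be enforced; with lifetime validation off, a leaked token
                    // would keep validating indefinitely.
                    ValidateLifetime      = true,
                    RequireExpirationTime = true,
                    // Tolerance for clock drift between this host and Google. The previous
                    // 12-hour window accepted tokens that had been expired for half a day.
                    ClockSkew             = TimeSpan.FromMinutes(5)
                };

                SecurityToken   validatedToken;
                ClaimsPrincipal principal = handler.ValidateToken(idToken, tvp, out validatedToken);
                _IsTokenValid = principal != null;
            }
            catch (Exception)
            {
                // Malformed token, bad signature, wrong audience/issuer, expired token or a
                // certificate fetch failure all mean the same thing to the caller: not valid.
                _IsTokenValid = false;
            }
        }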
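        /// <summary>
        /// Deserializes the base64-encoded JWT envelope (header) segment of <c>_RawToken</c>
        /// into <c>_Envelope</c>.
        /// </summary>
        /// <exception cref="SerializationException">
        /// The segment could not be decoded, or it did not deserialize to a <c>JWTEnvelope</c>.
        /// </exception>
        private void ExtractEnvelopeInfo()
        {
            string envelopeText = _RawToken.Envelope;
            object parsed;

            try
            {
                parsed = SOSCodecs.Deserialize(envelopeText, typeof(JWTEnvelope));
            }
            catch (Exception ex)
            {
                // The raw segment is echoed into the message for diagnosis.
                throw new SerializationException(string.Format("Failed To Deserialize Base 64 encoded JWT Envelope to JSON Object. Text:{0}", envelopeText),
                                                 ex);
            }

            // A soft cast would silently leave _Envelope null and only surface later as a
            // NullReferenceException in VerifySignatureInfo; fail here with context instead.
            _Envelope = parsed as JWTEnvelope;
            if (_Envelope == null)
            {
                throw new SerializationException(string.Format("Failed To Deserialize Base 64 encoded JWT Envelope to JSON Object. Text:{0}", envelopeText));
            }
        }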
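        /// <summary>
        /// Deserializes the base64-encoded JWT claims (payload) segment of <c>_RawToken</c>
        /// into <c>_Claims</c>.
        /// </summary>
        /// <exception cref="SerializationException">
        /// The segment could not be decoded, or it did not deserialize to a <c>JWTClaims</c>.
        /// </exception>
        private void ExtractClaimsInfo()
        {
            string claimsText = _RawToken.Claims;
            object parsed;

            try
            {
                parsed = SOSCodecs.Deserialize(claimsText, typeof(JWTClaims));
            }
            catch (Exception ex)
            {
                // The raw segment is echoed into the message for diagnosis.
                throw new SerializationException(string.Format("Failed To Deserialize Base 64 encoded JWT Claims to JSON Object. Text:{0}", claimsText),
                                                 ex);
            }

            // A soft cast would silently leave _Claims null for callers that dereference it;
            // report the type mismatch here with the same context as a decode failure.
            _Claims = parsed as JWTClaims;
            if (_Claims == null)
            {
                throw new SerializationException(string.Format("Failed To Deserialize Base 64 encoded JWT Claims to JSON Object. Text:{0}", claimsText));
            }
        }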
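        /// <summary>
        /// Verifies the HMAC-SHA256 signature of <c>_RawToken</c> against the configured
        /// Live Auth secret selected by the envelope's <c>kid</c>, and stores the result
        /// in <c>_IsTokenValid</c>.
        /// </summary>
        /// <exception cref="ArgumentOutOfRangeException">
        /// The <c>kid</c> is not a positive integer, or it exceeds the configured key count.
        /// </exception>
        private void VerifySignatureInfo()
        {
            int ikid;

            // The error text states the contract (> 0), so non-positive values are rejected
            // here as well instead of reaching the key lookup as a negative index.
            if (!int.TryParse(_Envelope.kid, out ikid) || ikid < 1)
            {
                // The single-string constructor treats its argument as the parameter NAME;
                // the explanatory text has to go into the message argument.
                throw new ArgumentOutOfRangeException("kid",
                    "Key ID should be a number more than 0, PassedVal:" + _Envelope.kid);
            }

            if (ikid > ConfigProvider.ConfigurationStore.LiveAuthKeyCount)
            {
                throw new ArgumentOutOfRangeException("kid",
                    string.Format("Key ID: {0}, is not configured properly or not loaded.", ikid));
            }

            // NOTE(review): ikid is in 1..LiveAuthKeyCount after the checks above and is used
            // directly as the index; confirm LiveAuthKeys is not zero-based, otherwise
            // ikid == LiveAuthKeyCount is out of range.
            _CurrentSecretKey = ConfigProvider.ConfigurationStore.LiveAuthKeys[ikid];

            byte[] bKey      = SOSCodecs.UTF8Encoder.GetBytes(_CurrentSecretKey + "JWTSig");
            byte[] bCombined = SOSCodecs.UTF8Encoder.GetBytes(_RawToken.Envelope + "." + _RawToken.Claims);

            // Disposal is scoped so the providers are released even when hashing throws
            // (HashAlgorithm.Clear() is Dispose(), so the explicit Clear() calls are covered).
            // NOTE(review): SHA256CryptoProvider is read off the class; if it hands out a shared
            // instance, disposing it here breaks later calls — confirm it is created per access.
            byte[] bCryptKey;
            using (SHA256Managed shaProvider = SecurityCodecs.SHA256CryptoProvider)
            {
                bCryptKey = shaProvider.ComputeHash(bKey);
            }

            string computedSignature;
            SecurityCodecs codec = new SecurityCodecs();
            try
            {
                using (HMACSHA256 hmacProvider = codec.HMACSHA256Provider(bCryptKey))
                {
                    computedSignature = SOSCodecs.UrlEncode(hmacProvider.ComputeHash(bCombined));
                }
            }
            finally
            {
                codec.Dispose();
            }

            // The comparison must not stop at the first differing character, otherwise its
            // duration reveals how much of a forged signature already matched.
            _IsTokenValid = FixedTimeEquals(computedSignature, _RawToken.Signature);
        }

        /// <summary>
        /// Compares two strings in time that depends only on their length, not on where
        /// they first differ. Null or length mismatch yields <c>false</c>.
        /// </summary>
        /// <param name="a">First string; may be null.</param>
        /// <param name="b">Second string; may be null.</param>
        /// <returns><c>true</c> when both are non-null and ordinally equal.</returns>
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a == null || b == null || a.Length != b.Length)
            {
                return false;
            }

            int diff = 0;
            for (int i = 0; i < a.Length; i++)
            {
                // Accumulate every position; no early exit on mismatch.
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }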