/// <summary>
/// Gets token, verifies, and adds claims to OWIN context.
/// </summary>
/// <param name="headers"></param>
/// <param name="context"></param>
public void ProcessToken(IDictionary <string, string[]> headers, ref IOwinContext context)
{
try
{
// verify token and set principal
if (!headers.ContainsKey("Authorization"))
{
return;
}
var token = GetTokenFromAuthorizationHeader(headers["Authorization"]);
if (token == "")
{
return;
}
var jwtConfig = new JwtConfig(true, context.Request.Uri.GetLeftPart(UriPartial.Authority));
var claimsPrincipal = JsonWebToken.VerifyToken(jwtConfig, token);
AddClaimsToContext(claimsPrincipal, ref context);
// set the context user to trigger Auth Attribute
context.Request.User = claimsPrincipal;
}
catch (Exception e)
{
// ignored
Logger.Error("Failed Token", e);
}
}
/// <summary>
/// Creates a token
/// </summary>
/// <param name="config"></param>
/// <param name="start"></param>
/// <param name="payload"></param>
/// <param name="isRefresh"></param>
/// <returns></returns>
private static string CreateToken(JwtConfig config, DateTime start, IDictionary <string, string[]> payload,
bool isRefresh)
{
var claimsIdentity = CreateClaimsIdentity(payload);
var descriptor = CreateDescriptor(start, config, claimsIdentity, isRefresh);
return(CreateToken(descriptor));
}
/// <summary>
/// Verifies token and returns claims.
/// Throws exception if invalid or unverified.
/// </summary>
/// <param name="config"></param>
/// <param name="tokenStr"></param>
/// <returns></returns>
public static ClaimsPrincipal VerifyToken(JwtConfig config, string tokenStr)
{
var validationParams = GetValidationParams(config);
SecurityToken jwt;
var tokenHandler = new JwtSecurityTokenHandler();
var principal = tokenHandler.ValidateToken(tokenStr, validationParams, out jwt);
return(principal);
}
/// <summary>
/// This verifies a refresh token.
/// If valid, we return a new access token
/// and a new refresh token with the necessary info to save it.
/// </summary>
/// <param name="config"></param>
/// <param name="refreshToken"></param>
/// <returns></returns>
public static bool GrantNewAccess(JwtConfig config, string refreshToken)
{
try
{
// remember, this will throw if invalid / expired
VerifyToken(config, refreshToken);
return(true);
}
catch (Exception)
{
return(false);
}
}
/// <summary>
/// Creates validation parameters from config settings.
/// </summary>
/// <param name="config"></param>
/// <returns></returns>
private static TokenValidationParameters GetValidationParams(JwtConfig config)
{
return(new TokenValidationParameters
{
ValidAudience = config.AppliesToAddress,
ValidateAudience = true,
IssuerSigningKey = new InMemorySymmetricSecurityKey(GetSymKey(config.SecretKey)),
ValidateIssuerSigningKey = true,
ValidIssuer = config.Issuer,
ValidateIssuer = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(1.5)
});
}
/// <summary>
/// Creates the Security Token Descriptor from the config
/// settings and Claims Identity.
/// </summary>
/// <param name="date"></param>
/// <param name="config"></param>
/// <param name="ci"></param>
/// <param name="isRefresh"></param>
/// <returns></returns>
private static SecurityTokenDescriptor CreateDescriptor(DateTime date, JwtConfig config, ClaimsIdentity ci,
bool isRefresh)
{
var symKey = GetSymKey(config.SecretKey);
var minutes = isRefresh ? config.RefreshMinutes : config.AccessMinutes;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = ci,
TokenIssuerName = config.Issuer,
AppliesToAddress = config.AppliesToAddress,
Lifetime = new Lifetime(date, date.AddMinutes(minutes)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(symKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256")
};
return(tokenDescriptor);
}
/// <summary>
/// Creates a refresh token.
/// Uses the refreshMinutes from the JWTConfig.
/// See JWTConfig for more info.
/// </summary>
/// <param name="config"></param>
/// <param name="start"></param>
/// <param name="payload"></param>
/// <returns></returns>
public static string CreateRefreshToken(JwtConfig config, DateTime start, IDictionary <string, string[]> payload)
{
return(CreateToken(config, start, payload, true));
}
/// <summary>
/// Creates an access token from info.
/// Basically, just uses the accessMinutes from the JWTConfig.
/// See JWTConfig for more info.
/// </summary>
/// <param name="config"></param>
/// <param name="start"></param>
/// <param name="payload"></param>
/// <returns></returns>
public static string CreateAccessToken(JwtConfig config, DateTime start, IDictionary <string, string[]> payload)
{
return(CreateToken(config, start, payload, false));
}