 /// <summary>
 /// Wraps the given claims in a <see cref="System.Security.Claims.ClaimsPrincipal"/> holding a single
 /// identity built by <c>ToClaimsIdentity</c>.
 /// </summary>
 /// <param name="claims">The claims to convert.</param>
 /// <param name="authenticationType">Authentication type recorded on the identity; defaults to <c>"internal"</c>.</param>
 /// <returns>A principal with exactly one identity containing the given claims.</returns>
 public static System.Security.Claims.ClaimsPrincipal ToClaimsPrincipal(this Claims claims, string authenticationType = "internal")
 {
     var identity = claims.ToClaimsIdentity(authenticationType);
     var principal = new System.Security.Claims.ClaimsPrincipal(identity);
     return(principal);
 }
 /// <summary>
 /// Projects each entry of <paramref name="claims"/> into a <see cref="System.Security.Claims.Claim"/>,
 /// carrying over only the claim type and value.
 /// </summary>
 /// <param name="claims">The claims to convert.</param>
 /// <returns>A new, mutable list of framework claims in the original order.</returns>
 public static IList <System.Security.Claims.Claim> ToClaimsList(this Claims claims)
 {
     // Only Type and Value are copied; any other information on the source entries is dropped.
     var converted = claims
         .Select(entry => new System.Security.Claims.Claim(entry.Type, entry.Value))
         .ToList();

     return(converted);
 }
 /// <summary>
 /// Builds a <see cref="System.Security.Claims.ClaimsIdentity"/> from the given claims.
 /// </summary>
 /// <param name="claims">The claims to convert; they are first mapped via <c>ToClaimsList</c>.</param>
 /// <param name="authenticationType">
 /// Authentication type passed to the identity; defaults to <c>"internal"</c>. A non-null value makes the
 /// resulting identity report <c>IsAuthenticated == true</c>.
 /// </param>
 /// <returns>An identity containing the converted claims.</returns>
 public static System.Security.Claims.ClaimsIdentity ToClaimsIdentity(this Claims claims, string authenticationType = "internal")
 {
     var frameworkClaims = claims.ToClaimsList();
     return(new System.Security.Claims.ClaimsIdentity(frameworkClaims, authenticationType));
 }
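        /// <summary>
        /// Validates the <c>at_hash</c> claim of an identity token against the access token that was
        /// issued alongside it (left half of the token's hash, base64url-encoded, must equal the claim).
        /// </summary>
        /// <param name="accessToken">The access token to hash. Required only when an <c>at_hash</c> claim is present.</param>
        /// <param name="signingAlgorithmBits">
        /// Bit length of the identity token's signing algorithm. Passed to <c>GetHashAlgorithm</c> and used to
        /// size the compared left half (<c>signingAlgorithmBits / 16</c> bytes).
        /// </param>
        /// <param name="claims">Claims of the identity token; read for <see cref="JwtClaimTypes.AccessTokenHash"/>.</param>
        /// <returns>
        /// <c>true</c> when no <c>at_hash</c> claim is present or the computed hash matches it;
        /// <c>false</c> on mismatch, when no hash algorithm is available for the given bit length,
        /// or when the claim is present but no access token was supplied.
        /// </returns>
        private bool ValidateAccessTokenHash(string accessToken, int signingAlgorithmBits, Claims claims)
        {
            Logger.Debug("validate access token hash");

            var atHash = claims.FindFirst(JwtClaimTypes.AccessTokenHash)?.Value ?? "";

            // at_hash is optional; nothing to check when it is absent.
            if (atHash.IsMissing())
            {
                return(true);
            }

            // The claim is present, so there must be an access token to check it against;
            // Encoding.GetBytes would otherwise throw on null.
            if (string.IsNullOrEmpty(accessToken))
            {
                Logger.Error("at_hash claim present but no access token to validate.");
                return(false);
            }

            var hashAlgorithm = GetHashAlgorithm(signingAlgorithmBits);

            // A missing algorithm must fail validation instead of falling through to a null dereference.
            if (hashAlgorithm == null)
            {
                Logger.Error("No appropriate hashing algorithm found.");
                return(false);
            }

            var tokenHash = hashAlgorithm.HashData(
                CryptographicBuffer.CreateFromByteArray(
                    Encoding.UTF8.GetBytes(accessToken)));

            byte[] tokenHashArray;
            CryptographicBuffer.CopyToByteArray(tokenHash, out tokenHashArray);

            // Assumes GetHashAlgorithm yields a digest of signingAlgorithmBits / 8 bytes, so the
            // left half is signingAlgorithmBits / 16 bytes (same arithmetic as before). Guard the copy
            // so an unexpected digest length produces a clean failure rather than an ArgumentException.
            var leftPartLength = signingAlgorithmBits / 16;
            if (leftPartLength <= 0 || tokenHashArray.Length < leftPartLength)
            {
                Logger.Error($"hash output ({tokenHashArray.Length} bytes) is too short for a {signingAlgorithmBits}-bit signing algorithm.");
                return(false);
            }

            byte[] leftPart = new byte[leftPartLength];
            Array.Copy(tokenHashArray, leftPart, leftPartLength);

            var leftPartB64 = Base64Url.Encode(leftPart);

            // Ordinal comparison: the encoded hash is an opaque identifier, not linguistic text.
            var match = string.Equals(leftPartB64, atHash, StringComparison.Ordinal);

            if (!match)
            {
                Logger.Error($"access token hash ({leftPartB64}) does not match at_hash from token ({atHash})");
            }
            else
            {
                Logger.Debug("success");
            }

            return(match);
        }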