/// <summary>Configure the signature behavior for a specific <paramref name="issuer"/>.</summary>
public TokenValidationPolicyBuilder RequireSignatureByDefault(string issuer, IKeyProvider keyProvider, SignatureAlgorithm defaultAlgorithm)
{
if (issuer is null)
{
throw new ArgumentNullException(nameof(issuer));
}
if (keyProvider is null)
{
throw new ArgumentNullException(nameof(keyProvider));
}
if (defaultAlgorithm is null)
{
throw new ArgumentNullException(nameof(defaultAlgorithm));
}
if (defaultAlgorithm == SignatureAlgorithm.None)
{
throw new ArgumentException($"The algorithm 'none' is not valid with the method {nameof(RequireSignature)}. Use the method {nameof(AcceptUnsecureToken)} instead.", nameof(defaultAlgorithm));
}
_hasSignatureValidation = true;
var policy = SignatureValidationPolicy.Create(keyProvider, defaultAlgorithm);
_signaturePolicies[issuer] = policy;
return(this);
}
/// <summary>Clear the defined policies.</summary>
public TokenValidationPolicyBuilder Clear()
{
_validators.Clear();
_criticalHeaderHandlers.Clear();
_defaultSignaturePolicy = SignatureValidationPolicy.InvalidSignature;
_signaturePolicies.Clear();
_maximumTokenSizeInBytes = DefaultMaximumTokenSizeInBytes;
_hasSignatureValidation = false;
_ignoreNestedToken = false;
return(this);
}
/// <summary>Builds the <see cref="TokenValidationPolicy"/>.</summary>
public TokenValidationPolicy Build()
{
Validate();
SignatureValidationPolicy signaturePolicy;
if (_signaturePolicies.Count == 0)
{
signaturePolicy = _defaultSignaturePolicy;
}
else if (_signaturePolicies.Count == 1)
{
var first = _signaturePolicies.First();
signaturePolicy = SignatureValidationPolicy.Create(first.Key, first.Value);
}
else
{
signaturePolicy = SignatureValidationPolicy.Create(_signaturePolicies, _defaultSignaturePolicy);
}
var policy = new TokenValidationPolicy(
validators: _validators.ToArray(),
criticalHandlers: _criticalHeaderHandlers,
maximumTokenSizeInBytes: _maximumTokenSizeInBytes,
ignoreCriticalHeader: _ignoreCriticalHeader,
ignoreNestedToken: _ignoreNestedToken,
headerCacheDisabled: _headerCacheDisabled,
signaturePolicy: signaturePolicy,
encryptionKeyProviders: _decryptionKeysProviders,
issuers: _issuers.ToArray(),
audiences: _audiences.ToArray(),
clockSkew: _clockSkew,
control: _control);
return(policy);
}
public bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error)
{
return(SignatureValidationPolicy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error));
}
/// <summary>
/// Try to validate the token signature.
/// </summary>
/// <param name="header"></param>
/// <param name="contentBytes"></param>
/// <param name="signatureSegment"></param>
/// <returns></returns>
public SignatureValidationResult TryValidateSignature(JwtHeader header, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment)
{
return(SignatureValidationPolicy.TryValidateSignature(header, contentBytes, signatureSegment));
}
public MultiIssuersSignatureValidationPolicy(Dictionary <string, SignatureValidationPolicy> policies, SignatureValidationPolicy defaultPolicy)
{
_policies = policies.ToDictionary(issuer => Utf8.GetBytes(issuer.Key), v => v.Value).ToArray();
_defaultPolicy = defaultPolicy;
}
/// <summary>Creates a new <see cref="SignatureValidationPolicy"/> instance.</summary>
internal static SignatureValidationPolicy Create(Dictionary <string, SignatureValidationPolicy> policies, SignatureValidationPolicy defaultPolicy)
{
return(new MultiIssuersSignatureValidationPolicy(policies, defaultPolicy));
}
/// <summary>Creates a new <see cref="SignatureValidationPolicy"/> instance.</summary>
internal static SignatureValidationPolicy Create(string issuer, SignatureValidationPolicy policy)
{
return(new SingleIssuerSignatureValidationPolicy(issuer, policy));
}
public SingleIssuerSignatureValidationPolicy(string issuer, SignatureValidationPolicy policy)
{
_issuer = Utf8.GetBytes(issuer);
_policy = policy;
}
/// <summary>
/// Defines the default signature validation when there is no issuer configuration.
/// Use the method <see cref="RequireSignatureByDefault(string, IKeyProvider, SignatureAlgorithm?)"/> for linking the issuer with the signature.
/// </summary>
public TokenValidationPolicyBuilder RequireSignatureByDefault(IKeyProvider keyProvider, SignatureAlgorithm?algorithm)
{
_hasSignatureValidation = true;
_defaultSignaturePolicy = SignatureValidationPolicy.Create(keyProvider, algorithm);
return(this);
}
/// <summary>Accepts secure token with the 'none' algorithm. You should use this very carefully.</summary>
public TokenValidationPolicyBuilder AcceptUnsecureTokenByDefault()
{
_hasSignatureValidation = true;
_defaultSignaturePolicy = SignatureValidationPolicy.NoSignature;
return(this);
}
/// <summary>Ignores the signature validation if no configuration is found for a specific issuer. You should use this very carefully.</summary>
public TokenValidationPolicyBuilder IgnoreSignatureByDefault()
{
_hasSignatureValidation = true;
_defaultSignaturePolicy = SignatureValidationPolicy.IgnoreSignature;
return(this);
}