        /// <summary>
        /// Extracts the bearer JWT from <paramref name="request"/>, validates it against the configured
        /// audience, issuer and tenant signing certificate, and installs the resulting principal on both
        /// Thread.CurrentPrincipal and HttpContext.Current.User.
        /// </summary>
        /// <param name="request">Incoming request that is expected to carry the token.</param>
        /// <returns>
        /// OK when the token validated; Unauthorized when no token was found or validation failed;
        /// InternalServerError for any other failure (e.g. the signing certificate could not be fetched).
        /// </returns>
        public HttpStatusCode ValidatePrincipal(HttpRequest request)
        {
            string rawToken;

            // No token at all is treated the same as an invalid one: 401, nothing installed on the thread.
            if (!JWTTokenHandler.tryRetrieveToken(request, out rawToken))
            {
                return HttpStatusCode.Unauthorized;
            }

            HttpStatusCode result;
            try
            {
                // NOTE(review): the signing certificate is resolved from the federation metadata endpoint on
                // every call; whether signingCertificate() caches it internally is not visible here - confirm,
                // otherwise each request costs a metadata round trip.
                X509Certificate2 signingCert = new X509Certificate2(JWTTokenHandler.signingCertificate(federationMetadataEndpoint));
                TokenValidationParameters validation = new TokenValidationParameters();
                validation.AllowedAudience = allowedAudience;
                validation.ValidIssuer     = tenant;
                validation.SigningToken    = new X509SecurityToken(signingCert);

                JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
                ClaimsPrincipal principal = handler.ValidateToken(rawToken, validation);

                // Make the validated identity visible to the rest of the request pipeline.
                Thread.CurrentPrincipal    = principal;
                HttpContext.Current.User   = principal;
                result = HttpStatusCode.OK;
            }
            catch (SecurityTokenValidationException)
            {
                // Bad signature, wrong audience/issuer, expired, ... - the caller only sees a 401.
                result = HttpStatusCode.Unauthorized;
            }
            catch (Exception)
            {
                // Anything else (metadata fetch, certificate parsing, ...) is an infrastructure failure,
                // reported as 500 so it is not mistaken for a client-side credential problem.
                result = HttpStatusCode.InternalServerError;
            }
            return result;
        }
        // Unclear what happened here, other than that the standard for which claim counts as the 'name' changed at some point.
        //protected override string NameIdentifierClaimType(JWTSecurityToken jwt) { return ClaimTypes.GivenName; }
        //protected override string NameIdentifierClaimType(JwtSecurityToken jwt) { return ClaimTypes.Name; }

//		public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt, TokenValidationParameters validationParameters) {
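        /// <summary>
        /// Validates <paramref name="jwt"/> against the configured audience, issuer and tenant signing
        /// certificate (lazily read from configuration) and returns the resulting principal with an
        /// additional "raw" claim that carries the original token text.
        /// </summary>
        /// <param name="jwt">The parsed token to validate.</param>
        /// <returns>The validated principal, with a "raw" claim added to its identity.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="jwt"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The base handler returned a principal whose identity is not a <see cref="ClaimsIdentity"/>,
        /// so the "raw" claim could not be attached.
        /// </exception>
        public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt)
        {
            if (jwt == null)
            {
                throw new ArgumentNullException("jwt");
            }

            // Settings are read on first use. NOTE(review): if these are shared (static) fields the
            // initialisation is unsynchronised; harmless as long as GetSetting is idempotent - confirm.
            if (string.IsNullOrEmpty(allowedAudience))
            {
                allowedAudience = ConfigurationManager.GetSetting("AllowedAudience");
            }
            if (string.IsNullOrEmpty(tenant))
            {
                tenant = ConfigurationManager.GetSetting("Tenant");
            }
            if (string.IsNullOrEmpty(federationMetadataEndpoint))
            {
                federationMetadataEndpoint = ConfigurationManager.GetSetting("FedMetadataEndpoint");
            }

            TokenValidationParameters validationParameters = new TokenValidationParameters();
            validationParameters.AllowedAudience = allowedAudience;
            validationParameters.ValidIssuer     = tenant;
            // Signing certificate comes from the tenant's federation metadata document.
            validationParameters.SigningToken    = new X509SecurityToken(new X509Certificate2(JWTTokenHandler.signingCertificate(federationMetadataEndpoint)));

            ClaimsPrincipal cp = base.ValidateToken(jwt, validationParameters);

            // The original code used an unchecked `as` cast here, which would surface as a
            // NullReferenceException if the identity were not a ClaimsIdentity; fail explicitly instead.
            ClaimsIdentity identity = cp.Identity as ClaimsIdentity;
            if (identity == null)
            {
                throw new InvalidOperationException("Validated principal does not carry a ClaimsIdentity; cannot attach the raw token claim.");
            }

            // Makes the raw token available to the web page, which in turn can hand it to
            // JavaScript for subsequent AJAX calls.
            // NOTE(review): this places the complete signed bearer token in the claim set; anything that
            // serialises the principal's claims to the browser therefore exposes a replayable credential.
            // Confirm this is intended and that only pages which need it render this claim.
            identity.AddClaim(new Claim("raw", jwt.RawData));
            return cp;
        }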