async Task <AccessTokenResult> ValidateUsingJWKs(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default)
{
// Replace with your authorization server URL:
var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(
_issuerUrl + "/.well-known/oauth-authorization-server",
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever());
var discoveryDocument = await configurationManager.GetConfigurationAsync(cancellationToken);
var signingKeys = discoveryDocument.SigningKeys;
var validationParameters = new TokenValidationParameters
{
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateIssuer = true,
ValidIssuer = _issuerUrl,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = signingKeys,
ValidateAudience = false,
ValidateLifetime = true,
// Allow for some drift in server time
// (a lower value is better; we recommend two minutes or less)
ClockSkew = TimeSpan.FromMinutes(2),
// See additional validation for aud below
};
try
{
var principal = new JwtSecurityTokenHandler()
.ValidateToken(token, validationParameters, out var rawValidatedToken);
var securityToken = (JwtSecurityToken)rawValidatedToken;
return(AccessTokenResult.Success(principal));
}
catch (SecurityTokenValidationException ex)
{
// Logging, etc.
return(AccessTokenResult.Expired());
}
//var claimsColl = instrospectResponse.Claims;
//var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc");
//var principal = new ClaimsPrincipal(claimsIdentity);
//return AccessTokenResult.Success(principal);
}
async Task <AccessTokenResult> ValidateUsingUserInfo(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default)
{
var response = await client.GetUserInfoAsync(new UserInfoRequest
{
Address = disco.UserInfoEndpoint,
Token = token
});
var claimsColl = response.Claims;
var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc");
var principal = new ClaimsPrincipal(claimsIdentity);
return(AccessTokenResult.Success(principal));
}
async Task <AccessTokenResult> ValidateUsingInstrospect(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default)
{
var instrospectResponse = await client.IntrospectTokenAsync(new TokenIntrospectionRequest()
{
Address = disco.IntrospectionEndpoint,
ClientId = Environment.GetEnvironmentVariable("ClientId"),
Token = token,
TokenTypeHint = "access_token"
}, CancellationToken.None);
var claimsColl = instrospectResponse.Claims;
var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc");
var principal = new ClaimsPrincipal(claimsIdentity);
return(AccessTokenResult.Success(principal));
}
public Task <AccessTokenResult> ValidateToken(HttpRequest request, CancellationToken cancellationToken = default)
{
try
{
if (request != null &&
request.Headers.ContainsKey(AUTH_HEADER_NAME) &&
request.Headers[AUTH_HEADER_NAME].ToString().StartsWith(BEARER_PREFIX))
{
var token = request.Headers[AUTH_HEADER_NAME].ToString().Substring(BEARER_PREFIX.Length);
var tokenParams = new TokenValidationParameters()
{
RequireSignedTokens = true,
ValidAudience = _audience,
ValidateAudience = true,
ValidIssuer = _issuer,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
IssuerSigningKey = new SymmetricSecurityKey(Token)
};
var handler = new JwtSecurityTokenHandler();
var result = handler.ValidateToken(token, tokenParams, out var securityToken);
return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Success(result)));
}
else
{
return(Task.FromResult <AccessTokenResult>(AccessTokenResult.NoToken()));
}
}
catch (SecurityTokenExpiredException)
{
return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Expired()));
}
catch (Exception ex)
{
return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Error(ex)));
}
}
