internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
var tokenFormat = new JwtFormat(valParams, issuerProvider);
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider()
};
return(bearerOptions);
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
// IdSrv3 hard-codes the value when issuing a token using the pattern below
var audience = options.IssuerName.EnsureTrailingSlash() + "resources";
// Use the configured values if present, otherwise fallback to the defaulted value
List <string> validAudiences;
if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0)
{
validAudiences = new List <string>(options.ValidAudiences);
}
else
{
validAudiences = new List <string>()
{
audience
}
};
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudiences = validAudiences,
ValidateAudience = true,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
// Use the configured values if present, otherwise fallback to the discovery document's value
// (which is actually hard-coded to _issuer + "/resources")
List <string> validAudiences;
if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0)
{
validAudiences = new List <string>(options.ValidAudiences);
}
else
{
validAudiences = new List <string>()
{
issuerProvider.Audience
}
};
var valParams = new TokenValidationParameters
{
ValidAudiences = validAudiences,
ValidateAudience = true,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
var audience = options.IssuerName.EnsureTrailingSlash();
audience += "resources";
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = ResolveRsaKeys;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
internal static Lazy<OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return new Lazy<OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
var audience = options.IssuerName.EnsureTrailingSlash();
audience += "resources";
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
IssuerSigningToken = new X509SecurityToken(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, true);
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
string audience = null;
bool validateAudience = true;
// if API name is set, do a strict audience check for
//https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192
if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation)
{
audience = options.ApiName;
}
else if (options.LegacyAudienceValidation)
{
audience = options.IssuerName.EnsureTrailingSlash() + "resources";
}
else
{
// no audience validation, rely on scope checks only
validateAudience = false;
}
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
ValidateAudience = validateAudience,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
string audience = issuerProvider.Audience;
bool validateAudience = true;
// if API name is set, do a strict audience check for
//https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192
if (string.IsNullOrWhiteSpace(audience) && !options.LegacyAudienceValidation)
{
// no audience validation, rely on scope checks only
validateAudience = false;
}
var valParams = new TokenValidationParameters
{
ValidAudience = audience,
ValidateAudience = validateAudience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
