public static string EncodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
return jwtOnTheWire;
}
public void AuthenticateUsingMsftJwt(string token)
{
try
{
// Use JWTSecurityTokenHandler to validate the JWT token
JWTSecurityTokenHandler tokenHandler = new JWTSecurityTokenHandler();
TokenValidationParameters parms = new TokenValidationParameters()
{
AllowedAudience = "MyRelyingPartApp",
ValidIssuers = new List <string>()
{
"TokenIssuer"
},
SigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(this.secretKey))
};
var config = new IdentityConfiguration();
Thread.CurrentPrincipal = config
.ClaimsAuthenticationManager
.Authenticate("TheMethodRequiringAuthZ",
tokenHandler.ValidateToken(token, parms));
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
public static string EncodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
return(jwtOnTheWire);
}
/// <summary>
///
/// </summary>
/// <param name="token">= Token</param>
/// <param name="allowedAudience">= Azure ACS Namespace</param>
/// <param name="issuers">= RPs in ACS</param>
/// <returns></returns>
public static ClaimsPrincipal RetrieveClaims(string token, string issuer, List <string> allowedAudiences)
{
JWTSecurityTokenHandler tokenHandler = new JWTSecurityTokenHandler();
// Set the expected properties of the JWT token in the TokenValidationParameters
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudiences = allowedAudiences,
ValidIssuer = issuer,
SigningToken = new X509SecurityToken(new X509Certificate2(GetSigningCertificate(issuer + "FederationMetadata/2007-06/FederationMetadata.xml")))
};
return(tokenHandler.ValidateToken(token, validationParameters));
}
/// <summary>
///
/// </summary>
/// <param name="token">= Token</param>
/// <param name="allowedAudience">= Azure ACS Namespace</param>
/// <param name="issuers">= RPs in ACS</param>
/// <returns></returns>
public static ClaimsPrincipal RetrieveClaims(string token, string issuer, List<string> allowedAudiences)
{
JWTSecurityTokenHandler tokenHandler = new JWTSecurityTokenHandler();
// Set the expected properties of the JWT token in the TokenValidationParameters
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudiences = allowedAudiences,
ValidIssuer = issuer,
SigningToken = new X509SecurityToken(new X509Certificate2(GetSigningCertificate(issuer + "FederationMetadata/2007-06/FederationMetadata.xml")))
};
return tokenHandler.ValidateToken(token, validationParameters);
}
public static string DecodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;
return(parsedJwt.ToString());
}
public static string DecodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;
return parsedJwt.ToString();
}
public ClaimsIdentity ValidateJwtToken(string jwt)
{
var handler = new JWTSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
AudienceUriMode = AudienceUriMode.Never,
SigningToken = new X509SecurityToken(_configuration.Keys.SigningCertificate),
ValidIssuer = _configuration.Global.IssuerUri,
ValidateExpiration = true
};
var principal = handler.ValidateToken(jwt, validationParameters);
return(principal.Identities.First());
}
/// <summary>
/// Returns the OpenID token already serialized to be sent to the client
/// </summary>
/// <param name="tokenRequest"></param>
/// <returns></returns>
public static OpenIdConnectTokenRequestResponse GenerateOpenIdConnectToken(string issuer, string audience, string subject, string code, string scopes, int expiresIn=0)
{
if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(audience) || string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(scopes) || expiresIn<0)
{
throw new ApplicationException("The parameters provided are not valid");
}
DateTime issuedAt = DateTime.UtcNow;
DateTime expires = DateTime.UtcNow.AddMinutes(2);
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Create a simple JWT claim set
IList<Claim> claims = new List<Claim>() {
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString()) };
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires);
OpenIdConnectTokenRequestResponse tokenResponse = new OpenIdConnectTokenRequestResponse();
string newAccessToken = GenerateOpenIdConnectToken();
string newRefreshToken = GenerateOpenIdConnectToken();
string jwtReadyToBeSent = jwtHandler.WriteToken(jwt);
tokenResponse.access_token = newAccessToken;
tokenResponse.expires_in = expiresIn.ToString();
if (scopes.Contains("offline_access"))
{
tokenResponse.refresh_token = newRefreshToken.ToString();
}
else
{
tokenResponse.refresh_token = null;
}
tokenResponse.id_token = jwtReadyToBeSent;
tokenResponse.token_type = "Bearer";
//string serializedResponse = JsonConvert.SerializeObject(tokenResponse);
return tokenResponse;
}
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
{
bool result = false;
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
AllowedAudience = audience,
ValidIssuer = issuer,
ValidateExpiration = true,
ValidateNotBefore = false,
ValidateIssuer = true,
ValidateSignature = true,
//SigningToken = null
SigningToken = new BinarySecretSecurityToken(signature)
};
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
try
{
// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
// jwtHandler.ValidateToken(jwtOnTheWire, validationParams);
jwtHandler.ValidateToken(jwt, validationParams);
result = true;
}
catch
{
result = false;
}
return(result);
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
if (!HasAuthorizationHeaderValue(request.Headers.Authorization))
return base.SendAsync(request, cancellationToken);
HttpStatusCode statusCode;
string token;
if (!TryRetrieveToken(request, out token))
{
statusCode = HttpStatusCode.Unauthorized;
return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode));
}
try
{
JWTSecurityTokenHandler tokenHandler = new JWTSecurityTokenHandler();
var secret = this.SymmetricKey.Replace('-', '+').Replace('_', '/');
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudience = this.Audience,
ValidateIssuer = this.Issuer != null ? true : false,
ValidIssuer = this.Issuer,
SigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(secret))
};
Thread.CurrentPrincipal =
tokenHandler.ValidateToken(token, validationParameters);
return base.SendAsync(request, cancellationToken);
}
catch (SecurityTokenValidationException)
{
statusCode = HttpStatusCode.Unauthorized;
}
catch (Exception)
{
statusCode = HttpStatusCode.InternalServerError;
}
return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode));
}
private static void ValidateJwt(string jwt)
{
var handler = new JWTSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = realm,
SigningToken = new X509SecurityToken(signingCert),
ValidIssuer = "http://idsrv.local/trust",
ValidateExpiration = true
};
var principal = handler.ValidateToken(jwt, validationParameters);
Console.WriteLine("Token validated. Claims from token:");
foreach (var claim in principal.Claims)
{
Console.WriteLine("{0}\n {1}", claim.Type, claim.Value);
}
Console.WriteLine();
}
public TokenResponse ConvertSamlToJwt(SecurityToken securityToken, string scope)
{
var subject = ValidateSamlToken(securityToken);
var descriptor = new SecurityTokenDescriptor
{
Subject = subject,
AppliesToAddress = scope,
SigningCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate),
TokenIssuerName = _configuration.Global.IssuerUri,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(_configuration.AdfsIntegration.AuthenticationTokenLifetime))
};
var jwtHandler = new JWTSecurityTokenHandler();
var jwt = jwtHandler.CreateToken(descriptor);
return(new TokenResponse
{
AccessToken = jwtHandler.WriteToken(jwt),
ExpiresIn = _configuration.AdfsIntegration.AuthenticationTokenLifetime
});
}
protected override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
HttpStatusCode statusCode;
string token;
var authorisationHeader = request.Headers.Authorization;
if (!TryRetrieveToken(request, out token))
{
statusCode = HttpStatusCode.Unauthorized;
return(Task <HttpResponseMessage> .Factory.StartNew(() => new HttpResponseMessage(statusCode)));
}
try
{
X509SecurityToken cert = new X509SecurityToken(new X509Certificate2(
GetSigningCertificate(ConfigurationManager.AppSettings["ida:FederationMetadataLocation"])));
JWTSecurityTokenHandler tokenHandler = new JWTSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudience = ConfigurationManager.AppSettings["fa:AllowedAudience"],
ValidIssuer = "https://fairlieauthentic.accesscontrol.windows.net/",
SigningToken = cert
};
ClaimsPrincipal cp = tokenHandler.ValidateToken(token, validationParameters);
Thread.CurrentPrincipal = cp;
return(base.SendAsync(request, cancellationToken));
}
catch (SecurityTokenValidationException e)
{
statusCode = HttpStatusCode.Unauthorized;
}
catch (Exception)
{
statusCode = HttpStatusCode.InternalServerError;
}
return(Task <HttpResponseMessage> .Factory.StartNew(() => new HttpResponseMessage(statusCode)));
}
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
{
bool result = false;
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
AllowedAudience = audience,
ValidIssuer = issuer,
ValidateExpiration = true,
ValidateNotBefore = false,
ValidateIssuer = true,
ValidateSignature = true,
//SigningToken = null
SigningToken = new BinarySecretSecurityToken(signature)
};
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
try
{
// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
// jwtHandler.ValidateToken(jwtOnTheWire, validationParams);
jwtHandler.ValidateToken(jwt, validationParams);
result = true;
}
catch
{
result = false;
}
return result;
}
public TokenResponse ConvertSamlToJwt(SecurityToken securityToken, string scope)
{
var subject = ValidateSamlToken(securityToken);
var descriptor = new SecurityTokenDescriptor
{
Subject = subject,
AppliesToAddress = scope,
SigningCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate),
TokenIssuerName = _configuration.Global.IssuerUri,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(_configuration.AdfsIntegration.AuthenticationTokenLifetime))
};
var jwtHandler = new JWTSecurityTokenHandler();
var jwt = jwtHandler.CreateToken(descriptor);
return new TokenResponse
{
AccessToken = jwtHandler.WriteToken(jwt),
ExpiresIn = _configuration.AdfsIntegration.AuthenticationTokenLifetime
};
}
public ClaimsIdentity ValidateJwtToken(string jwt)
{
var handler = new JWTSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
AudienceUriMode = AudienceUriMode.Never,
SigningToken = new X509SecurityToken(_configuration.Keys.SigningCertificate),
ValidIssuer = _configuration.Global.IssuerUri,
ValidateExpiration = true
};
var principal = handler.ValidateToken(jwt, validationParameters);
return principal.Identities.First();
}
/// <summary>
/// Processes the request based on the path.
/// </summary>
/// <param name="context">Contains the request and response.</param>
public async Task <WebApplication.Api.Controllers.AccountController.GoogleUserViewModel> VerifyGoogleAccessToken(string accessToken, string idToken)
{
// Validate the ID token
if (idToken != null)
{
JWTSecurityToken token = new JWTSecurityToken(idToken);
JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler();
// Configure validation
Byte[][] certBytes = getCertBytes();
for (int i = 0; i < certBytes.Length; i++)
{
X509Certificate2 certificate = new X509Certificate2(certBytes[i]);
X509SecurityToken certToken = new X509SecurityToken(certificate);
// Set up token validation
TokenValidationParameters tvp = new TokenValidationParameters();
tvp.AllowedAudience = CLIENT_ID;
tvp.SigningToken = certToken;
tvp.ValidIssuer = "accounts.google.com";
// Enable / disable tests
tvp.ValidateNotBefore = false;
tvp.ValidateExpiration = true;
tvp.ValidateSignature = true;
tvp.ValidateIssuer = true;
// Account for clock skew. Look at current time when getting the message
// "The token is expired" in try/catch block.
// This is relative to GMT, for example, GMT-8 is:
tvp.ClockSkewInSeconds = 3600 * 13;
try
{
// Validate using the provider
ClaimsPrincipal cp = jwt.ValidateToken(token, tvp);
if (cp != null)
{
its.valid = true;
its.message = "Valid ID Token.";
its.aud = cp.FindFirst("aud").Value;
its.azp = cp.FindFirst("azp").Value;
its.email = cp.FindFirst("email").Value;
its.sub = cp.FindFirst("sub").Value;
}
}
catch (Exception e)
{
// Multiple certificates are tested.
if (its.valid != true)
{
its.message = "Invalid ID Token.";
}
if (e.Message.IndexOf("The token is expired") > 0)
{
// TODO: Check current time in the exception for clock skew.
}
}
}
// Get the Google+ id for this user from the "gplus_id" claim.
Claim[] claims = token.Claims.ToArray <Claim>();
for (int i = 0; i < claims.Length; i++)
{
if (claims[i].Type.Equals("gplus_id"))
{
its.gplus_id = claims[i].Value;
}
}
}
// Use the wrapper to return JSON
token_status_wrapper tsr = new token_status_wrapper();
tsr.id_token_status = its;
tsr.access_token_status = ats;
if (its.valid)
{
WebApplication.Api.Controllers.AccountController.GoogleUserViewModel fbUser = new Api.Controllers.AccountController.GoogleUserViewModel();
fbUser.Email = its.email;
fbUser.aud = its.aud;
fbUser.azp = its.azp;
fbUser.gplus_id = its.gplus_id;
fbUser.sub = its.sub;
return(fbUser);
}
return(null);
}
private static void ValidateJwt(string jwt)
{
var handler = new JWTSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = realm,
SigningToken = new X509SecurityToken(signingCert),
ValidIssuer = "http://idsrv.local/trust",
ValidateExpiration = true
};
var principal = handler.ValidateToken(jwt, validationParameters);
Console.WriteLine("Token validated. Claims from token:");
foreach (var claim in principal.Claims)
{
Console.WriteLine("{0}\n {1}", claim.Type, claim.Value);
}
Console.WriteLine();
}
/// <summary>
/// Processes the request based on the path.
/// </summary>
/// <param name="context">Contains the request and response.</param>
public void ProcessRequest(HttpContext context)
{
// Get the code from the request POST body.
string accessToken = context.Request.Params["access_token"];
string idToken = context.Request.Params["id_token"];
// Validate the ID token
if (idToken != null)
{
JWTSecurityToken token = new JWTSecurityToken(idToken);
JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler();
// Configure validation
Byte[][] certBytes = getCertBytes();
for (int i = 0; i < certBytes.Length; i++)
{
X509Certificate2 certificate = new X509Certificate2(certBytes[i]);
X509SecurityToken certToken = new X509SecurityToken(certificate);
// Set up token validation
TokenValidationParameters tvp = new TokenValidationParameters();
tvp.AllowedAudience = CLIENT_ID;
tvp.SigningToken = certToken;
tvp.ValidIssuer = "accounts.google.com";
// Enable / disable tests
tvp.ValidateNotBefore = false;
tvp.ValidateExpiration = true;
tvp.ValidateSignature = true;
tvp.ValidateIssuer = true;
// Account for clock skew. Look at current time when getting the message
// "The token is expired" in try/catch block.
// This is relative to GMT, for example, GMT-8 is:
tvp.ClockSkewInSeconds = 3600 * 13;
try
{
// Validate using the provider
ClaimsPrincipal cp = jwt.ValidateToken(token, tvp);
if (cp != null)
{
its.valid = true;
its.message = "Valid ID Token.";
}
}
catch (Exception e)
{
// Multiple certificates are tested.
if (its.valid != true)
{
its.message = "Invalid ID Token.";
}
if (e.Message.IndexOf("The token is expired") > 0)
{
// TODO: Check current time in the exception for clock skew.
}
}
}
// Get the Google+ id for this user from the "sub" claim.
Claim[] claims = token.Claims.ToArray<Claim>();
for (int i = 0; i < claims.Length; i++)
{
if (claims[i].Type.Equals("sub"))
{
its.gplus_id = claims[i].Value;
}
}
}
// Use Tokeninfo to validate the user and the client.
var tokeninfo_request = new Oauth2Service().Tokeninfo();
tokeninfo_request.Access_token = accessToken;
// Use Google as a trusted provider to validate the token.
// Invalid values, including expired tokens, return 400
Tokeninfo tokeninfo = null;
try
{
tokeninfo = tokeninfo_request.Fetch();
if (tokeninfo.Issued_to != CLIENT_ID){
ats.message = "Access Token not meant for this app.";
}else{
ats.valid = true;
ats.message = "Valid Access Token.";
ats.gplus_id = tokeninfo.User_id;
}
}
catch (Exception stve)
{
ats.message = "Invalid Access Token.";
}
// Use the wrapper to return JSON
token_status_wrapper tsr = new token_status_wrapper();
tsr.id_token_status = its;
tsr.access_token_status = ats;
context.Response.StatusCode = 200;
context.Response.ContentType = "text/json";
context.Response.Write(JsonConvert.SerializeObject(tsr));
}
