/// <summary>
/// Serializes a JWT object into its compact wire form.
/// </summary>
/// <param name="jwt">The token object to serialize.</param>
/// <returns>The string <c>&lt;Base64Url header&gt;.&lt;Base64Url body&gt;.&lt;signature&gt;</c>.</returns>
/// <remarks>
/// The header and body are only Base64Url-encoded, not encrypted: anyone holding the
/// returned string can read the claims, so secrets do not belong in them.
/// </remarks>
public static string EncodeJWT(JWTSecurityToken jwt)
        {
            // One handler per call; it is the object that writes/signs/decodes/validates JWTs.
            var handler = new JWTSecurityTokenHandler();

            // NOTE(review): whether the third segment carries a real signature depends on how
            // `jwt` was constructed by the caller; this method does not add a key itself.
            return handler.WriteToken(jwt);
        }
Ejemplo n.º 2
        /// <summary>
        /// Returns the wire representation of <paramref name="jwt"/>.
        /// </summary>
        /// <param name="jwt">Token to write out.</param>
        /// <returns>
        /// Three dot-separated segments: Base64Url-encoded header, Base64Url-encoded body, signature.
        /// </returns>
        public static string EncodeJWT(JWTSecurityToken jwt)
        {
            // Base64Url is an encoding, so the header and body remain readable by any recipient;
            // confidentiality has to come from the transport, not from this string.
            return new JWTSecurityTokenHandler().WriteToken(jwt);
        }
Ejemplo n.º 3
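        /// <summary>
        /// Round-trips a token through its wire form and returns the string representation
        /// of the token that was parsed back.
        /// </summary>
        /// <param name="jwt">The token object to serialize and re-read.</param>
        /// <returns>The result of <c>ToString()</c> on the re-parsed token.</returns>
        /// <exception cref="InvalidOperationException">
        /// The handler did not return a <c>JWTSecurityToken</c> when reading the wire form.
        /// </exception>
        /// <remarks>
        /// Only <c>ReadToken</c> is called here; no validation call is made. The returned text is
        /// suitable for display or debugging and must not be treated as verified claims.
        /// </remarks>
        public static string DecodeJWT(JWTSecurityToken jwt)
        {
            // Create JWT handler
            // This object is used to write/sign/decode/validate JWTs
            JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();

            // Serialize the JWT
            // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
            string jwtOnTheWire = jwtHandler.WriteToken(jwt);

            // Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
            JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;

            // `as` yields null on a type mismatch; fail with a clear message instead of a
            // NullReferenceException on the ToString() call below.
            if (parsedJwt == null)
            {
                throw new InvalidOperationException("The serialized token could not be read back as a JWT");
            }

            return parsedJwt.ToString();
        }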
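        /// <summary>
        /// Writes <paramref name="jwt"/> to its wire form, reads it back, and returns the
        /// parsed token as text.
        /// </summary>
        /// <param name="jwt">Token to serialize and parse again.</param>
        /// <returns><c>ToString()</c> of the token produced by <c>ReadToken</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// <c>ReadToken</c> returned an object that is not a <c>JWTSecurityToken</c>.
        /// </exception>
        public static string DecodeJWT(JWTSecurityToken jwt)
        {
            // The handler both serializes and parses.
            var handler = new JWTSecurityTokenHandler();

            // Wire form: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
            string wireForm = handler.WriteToken(jwt);

            // Parsing is not verification: this method never calls ValidateToken, so the
            // output says nothing about signature, issuer, audience or expiry.
            var parsed = handler.ReadToken(wireForm) as JWTSecurityToken;
            if (parsed == null)
            {
                // Guard the `as` cast so a type mismatch surfaces as a descriptive error
                // rather than a NullReferenceException.
                throw new InvalidOperationException("ReadToken did not return a JWTSecurityToken");
            }

            return parsed.ToString();
        }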
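        /// <summary>
        /// Builds the token response (access token, optional refresh token and id_token)
        /// to be returned to the client.
        /// </summary>
        /// <param name="issuer">Issuer passed to the id_token; must be non-empty.</param>
        /// <param name="audience">Audience passed to the id_token; must be non-empty.</param>
        /// <param name="subject">Value of the "sub" claim; must be non-empty.</param>
        /// <param name="code">Must be non-empty; not otherwise used by this method.</param>
        /// <param name="scopes">
        /// Delimited scope list. A refresh token is included only when one of the entries is
        /// exactly "offline_access".
        /// </param>
        /// <param name="expiresIn">Value echoed as <c>expires_in</c>; must not be negative.</param>
        /// <returns>The populated response object (not yet serialized to JSON).</returns>
        /// <exception cref="ApplicationException">Any argument fails the checks above.</exception>
        public static OpenIdConnectTokenRequestResponse GenerateOpenIdConnectToken(string issuer, string audience, string subject, string code, string scopes, int expiresIn=0)
        {
            if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(audience) || string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(scopes) || expiresIn<0)
            {
                throw new ApplicationException("The parameters provided are not valid");
            }

            // Read the clock once so the validity window is exactly two minutes wide.
            // The id_token lifetime is fixed here and is independent of `expiresIn`.
            DateTime issuedAt = DateTime.UtcNow;
            DateTime expires = issuedAt.AddMinutes(2);

            JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();

            // Create a simple JWT claim set
            IList<Claim> claims = new List<Claim>() {
                                            new Claim("sub", subject),
                                            new Claim("iat", ToUnixTime(issuedAt).ToString()) };

            // NOTE(review): the fourth constructor argument is null. If that slot is the signing
            // credentials, the id_token is written without a signature and a relying party cannot
            // verify it; confirm against the constructor and supply real credentials.
            JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires);

            OpenIdConnectTokenRequestResponse tokenResponse = new OpenIdConnectTokenRequestResponse();

            // NOTE(review): both values come from the parameterless overload defined elsewhere;
            // presumably it returns an unguessable random string. Verify it uses a cryptographic RNG.
            // The refresh token is still generated unconditionally, as before, in case the helper
            // has side effects.
            string newAccessToken = GenerateOpenIdConnectToken();
            string newRefreshToken = GenerateOpenIdConnectToken();

            string jwtReadyToBeSent = jwtHandler.WriteToken(jwt);

            tokenResponse.access_token = newAccessToken;

            tokenResponse.expires_in = expiresIn.ToString();

            // Compare whole scope entries. A substring test on the raw string would also match
            // values such as "no_offline_access" and hand out a refresh token that was never
            // requested. Space is the OAuth delimiter; comma is accepted as well so callers that
            // passed comma-separated lists keep working.
            string[] requestedScopes = scopes.Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries);
            bool offlineAccessRequested = Array.IndexOf(requestedScopes, "offline_access") >= 0;

            tokenResponse.refresh_token = offlineAccessRequested ? newRefreshToken : null;

            tokenResponse.id_token = jwtReadyToBeSent;
            tokenResponse.token_type = "Bearer";

            return tokenResponse;
        }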
Ejemplo n.º 6
        /// <summary>
        /// Reports whether the handler accepts <paramref name="jwt"/> for the given audience and issuer.
        /// </summary>
        /// <param name="jwt">Token to check.</param>
        /// <param name="audience">The only audience that is allowed.</param>
        /// <param name="issuer">The only issuer that is accepted.</param>
        /// <param name="signature">
        /// Despite the name, these bytes are wrapped in a <c>BinarySecretSecurityToken</c> and used
        /// as the signing token (the shared symmetric key) for signature verification.
        /// </param>
        /// <returns>
        /// <c>true</c> when <c>ValidateToken</c> completes without throwing; <c>false</c> when it throws.
        /// </returns>
        public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
        {
            // Signature, issuer and expiry are enforced; the not-before check is switched off,
            // so a token whose validity window has not started yet is not rejected on that ground.
            var checks = new TokenValidationParameters
            {
                AllowedAudience    = audience,
                ValidIssuer        = issuer,
                ValidateExpiration = true,
                ValidateNotBefore  = false,
                ValidateIssuer     = true,
                ValidateSignature  = true,
                SigningToken       = new BinarySecretSecurityToken(signature)
            };

            var handler = new JWTSecurityTokenHandler();

            // The wire form is produced but not used afterwards; the call is kept so that any
            // exception it raises still reaches the caller exactly as before.
            handler.WriteToken(jwt);

            try
            {
                // Throws when the token does not satisfy `checks`.
                handler.ValidateToken(jwt, checks);
                return true;
            }
            catch
            {
                // Every exception is reported as "invalid"; the reason is not surfaced or logged.
                return false;
            }
        }
Ejemplo n.º 7
        /// <summary>
        /// Issues a JWT for the subject obtained from <c>ValidateSamlToken</c>.
        /// </summary>
        /// <param name="securityToken">Incoming token; handed to <c>ValidateSamlToken</c> before anything is issued.</param>
        /// <param name="scope">Used as the <c>AppliesToAddress</c> of the issued token.</param>
        /// <returns>A response holding the serialized JWT and the configured lifetime value.</returns>
        public TokenResponse ConvertSamlToJwt(SecurityToken securityToken, string scope)
        {
            // NOTE(review): presumably throws when the SAML token is not acceptable; confirm,
            // because everything below trusts its result.
            var validatedSubject = ValidateSamlToken(securityToken);

            var tokenDescriptor = new SecurityTokenDescriptor();
            tokenDescriptor.Subject = validatedSubject;
            tokenDescriptor.AppliesToAddress = scope;
            // The issued token is signed with the configured X.509 signing certificate.
            tokenDescriptor.SigningCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate);
            tokenDescriptor.TokenIssuerName = _configuration.Global.IssuerUri;
            tokenDescriptor.Lifetime = new Lifetime(
                DateTime.UtcNow,
                DateTime.UtcNow.AddMinutes(_configuration.AdfsIntegration.AuthenticationTokenLifetime));

            var handler = new JWTSecurityTokenHandler();
            var issuedToken = handler.CreateToken(tokenDescriptor);

            var response = new TokenResponse();
            response.AccessToken = handler.WriteToken(issuedToken);
            // NOTE(review): this is the same number that is applied as minutes in the lifetime
            // above; confirm which unit consumers of ExpiresIn expect.
            response.ExpiresIn = _configuration.AdfsIntegration.AuthenticationTokenLifetime;
            return response;
        }
        /// <summary>
        /// Validates a JWT against an expected audience and issuer using a shared symmetric key.
        /// </summary>
        /// <param name="jwt">Token under test.</param>
        /// <param name="audience">Audience the token must be intended for.</param>
        /// <param name="issuer">Issuer the token must come from.</param>
        /// <param name="signature">Key bytes used to build the signing token for verification.</param>
        /// <returns><c>true</c> if validation raised no exception, otherwise <c>false</c>.</returns>
        public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
        {
            // Describe what the handler has to verify.
            var validation = new TokenValidationParameters();
            validation.AllowedAudience = audience;
            validation.ValidIssuer = issuer;
            validation.ValidateExpiration = true;
            // Not-before is deliberately not enforced by this configuration.
            validation.ValidateNotBefore = false;
            validation.ValidateIssuer = true;
            validation.ValidateSignature = true;
            validation.SigningToken = new BinarySecretSecurityToken(signature);

            // The handler writes/signs/decodes/validates JWTs.
            var tokenHandler = new JWTSecurityTokenHandler();

            // Wire form: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>.
            // It is not consumed below; validation runs on the token object itself.
            string unusedWireForm = tokenHandler.WriteToken(jwt);

            bool accepted;
            try
            {
                // Throws if the token fails any enabled check.
                tokenHandler.ValidateToken(jwt, validation);
                accepted = true;
            }
            catch
            {
                // Catch-all: failures of any kind collapse into a plain "not valid" answer,
                // so callers cannot tell a bad signature from an unrelated error.
                accepted = false;
            }

            return accepted;
        }
        /// <summary>
        /// Exchanges a SAML security token for a signed JWT access token.
        /// </summary>
        /// <param name="securityToken">The SAML token; validated through <c>ValidateSamlToken</c> first.</param>
        /// <param name="scope">Address the new token applies to.</param>
        /// <returns>The serialized JWT together with the configured token lifetime.</returns>
        public TokenResponse ConvertSamlToJwt(SecurityToken securityToken, string scope)
        {
            // The subject of the new token is whatever validation of the incoming token yields.
            var samlSubject = ValidateSamlToken(securityToken);

            // Gather the configured pieces in the same order the descriptor uses them.
            var signingCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate);
            var issuerName = _configuration.Global.IssuerUri;
            var validity = new Lifetime(
                DateTime.UtcNow,
                DateTime.UtcNow.AddMinutes(_configuration.AdfsIntegration.AuthenticationTokenLifetime));

            var jwtDescriptor = new SecurityTokenDescriptor
            {
                Subject = samlSubject,
                AppliesToAddress = scope,
                SigningCredentials = signingCredentials,
                TokenIssuerName = issuerName,
                Lifetime = validity
            };

            var jwtHandler = new JWTSecurityTokenHandler();
            var createdToken = jwtHandler.CreateToken(jwtDescriptor);
            string serializedToken = jwtHandler.WriteToken(createdToken);

            // NOTE(review): ExpiresIn receives the raw configured number, which the lifetime
            // above interprets as minutes; verify the unit the response contract calls for.
            return new TokenResponse
            {
                AccessToken = serializedToken,
                ExpiresIn = _configuration.AdfsIntegration.AuthenticationTokenLifetime
            };
        }