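/// <summary>
/// Serializes an authentication ticket into a compact, HMAC-signed JWT.
/// </summary>
/// <param name="data">Ticket whose identity claims and issued/expiry timestamps become the token's claims.</param>
/// <returns>The compact-serialized JWT.</returns>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The "audienceSecret" app setting is missing, or the ticket has no IssuedUtc/ExpiresUtc.
/// </exception>
public string Protect(AuthenticationTicket data)
{
    if (data == null)
    {
        throw new ArgumentNullException(nameof(data));
    }

    string audienceId = ConfigurationManager.AppSettings["audienceId"];
    string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["audienceSecret"];

    // Fail with a clear configuration error instead of letting Base64Url.Decode throw on a null key.
    if (string.IsNullOrEmpty(symmetricKeyAsBase64))
    {
        throw new InvalidOperationException("The 'audienceSecret' app setting must be configured.");
    }

    var issued = data.Properties.IssuedUtc;
    var expires = data.Properties.ExpiresUtc;

    // Both timestamps feed the token's nbf/exp values; the original `.Value` access would throw the
    // same exception type here but with a generic "Nullable object must have a value" message.
    if (!issued.HasValue || !expires.HasValue)
    {
        throw new InvalidOperationException("The ticket must have both IssuedUtc and ExpiresUtc set.");
    }

    var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
    var signingKey = new HmacSigningCredentials(keyByteArray);

    var token = new System.IdentityModel.Tokens.JwtSecurityToken(
        _issuer,
        audienceId,
        data.Identity.Claims,
        issued.Value.UtcDateTime,
        expires.Value.UtcDateTime,
        signingKey);

    var handler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
    return handler.WriteToken(token);
}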
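/// <summary>
/// Creates an HMAC-SHA256 signed JWT carrying a "user" claim and a random "nonce" claim,
/// valid for one hour from creation.
/// </summary>
/// <param name="secret">Shared secret from which the symmetric signing key is derived.</param>
/// <param name="user">Value written to the "user" claim.</param>
/// <returns>The compact-serialized JWT.</returns>
/// <exception cref="ArgumentNullException"><paramref name="secret"/> or <paramref name="user"/> is null.</exception>
public static string MakeToken(string secret, string user)
{
    if (secret == null)
    {
        throw new ArgumentNullException(nameof(secret));
    }

    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // NOTE(review): Encoding.Default is the system ANSI code page on .NET Framework, so the same
    // secret can produce different key bytes on different machines. It is kept here because
    // ValidateToken derives its key the same way; if this is changed to Encoding.UTF8, change both.
    var securityKey = new System.IdentityModel.Tokens.InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));
    var signingCredentials = new System.IdentityModel.Tokens.SigningCredentials(
        securityKey,
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
        "http://www.w3.org/2001/04/xmlenc#sha256");

    // A fresh random nonce makes every issued token distinct even for identical user and timestamps.
    // The generator is disposable; the original leaked it.
    byte[] randomNonce = new byte[32];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(randomNonce);
    }

    var claims = new List<Claim>
    {
        new Claim("user", user),
        new Claim("nonce", Convert.ToBase64String(randomNonce)),
    };

    // A single UTC timestamp keeps nbf and exp exactly one hour apart and independent of the
    // machine's local time zone (the original read DateTime.Now twice).
    DateTime now = DateTime.UtcNow;
    var jwtSecurityToken = new System.IdentityModel.Tokens.JwtSecurityToken(
        issuer,
        audience,
        claims,
        now,
        now.AddHours(1),
        signingCredentials);

    var handler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
    return handler.WriteToken(jwtSecurityToken);
}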
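/// <summary>
/// Validates the signature, issuer, audience and lifetime of a JWT issued by <see cref="MakeToken"/>.
/// Returns normally when the token is acceptable and throws otherwise.
/// </summary>
/// <param name="tokenString">Compact-serialized JWT to validate.</param>
/// <param name="secret">Shared secret the token is expected to be signed with.</param>
/// <exception cref="ArgumentNullException"><paramref name="tokenString"/> or <paramref name="secret"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="tokenString"/> is not a readable JWT.</exception>
/// <exception cref="System.IdentityModel.Tokens.SecurityTokenException">The token fails validation.</exception>
public static void ValidateToken(string tokenString, string secret)
{
    if (tokenString == null)
    {
        throw new ArgumentNullException(nameof(tokenString));
    }

    if (secret == null)
    {
        throw new ArgumentNullException(nameof(secret));
    }

    // Key derivation must mirror MakeToken exactly, including its use of Encoding.Default.
    var securityKey = new System.IdentityModel.Tokens.InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));

    var tokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
    {
        ValidAudiences = new[] { audience },
        ValidIssuers = new[] { issuer },
        IssuerSigningKey = securityKey,
        // Both are the library defaults; stated explicitly so a future default change or a copy
        // of these parameters cannot silently accept unsigned or expired tokens.
        RequireSignedTokens = true,
        ValidateLifetime = true,
    };

    // The original also parsed the string into an unused JwtSecurityToken; ValidateToken parses it itself.
    var handler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
    System.IdentityModel.Tokens.SecurityToken validatedToken;
    handler.ValidateToken(tokenString, tokenValidationParameters, out validatedToken);
}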
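/// <inheritdoc />
/// <remarks>
/// Every validation failure is reported through <see cref="ActionableMessageTokenValidationResult.Exception"/>
/// on a non-null result; the only exceptions thrown are for invalid arguments. The original returned
/// null from two failure paths (missing identity, app ID mismatch), which callers could not distinguish
/// from the documented result object without a null check.
/// </remarks>
/// <param name="token">Compact-serialized JWT received with the actionable message.</param>
/// <param name="targetServiceBaseUrl">Expected audience of the token.</param>
/// <exception cref="ArgumentException"><paramref name="token"/> or <paramref name="targetServiceBaseUrl"/> is null or empty.</exception>
public async Task<ActionableMessageTokenValidationResult> ValidateTokenAsync(
    string token,
    string targetServiceBaseUrl)
{
    if (string.IsNullOrEmpty(token))
    {
        throw new ArgumentException("token is null or empty.", nameof(token));
    }

    if (string.IsNullOrEmpty(targetServiceBaseUrl))
    {
        throw new ArgumentException("url is null or empty.", nameof(targetServiceBaseUrl));
    }

    // This signature takes no caller token, so the metadata fetch is not cancellable.
    OpenIdConnectConfiguration o365OpenIdConfig = await OpenIdConnectConfigurationRetriever.GetAsync(
        O365OpenIdConfiguration.MetadataUrl,
        CancellationToken.None);

    var result = new ActionableMessageTokenValidationResult();

    var parameters = new System.IdentityModel.Tokens.TokenValidationParameters()
    {
        ValidateIssuer = true,
        ValidIssuers = new[] { O365OpenIdConfiguration.TokenIssuer },
        ValidateAudience = true,
        ValidAudiences = new[] { targetServiceBaseUrl },
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(TokenTimeValidationClockSkewBufferInMinutes),
        RequireSignedTokens = true,
        IssuerSigningKeys = o365OpenIdConfig.SigningTokens.SelectMany(st => st.SecurityKeys),
    };

    var tokenHandler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
    ClaimsPrincipal claimsPrincipal;

    try
    {
        // Validates the signature and lifetime plus the iss and aud claims against the parameters above.
        claimsPrincipal = tokenHandler.ValidateToken(token, parameters, out System.IdentityModel.Tokens.SecurityToken validatedToken);
    }
    catch (SecurityTokenSignatureKeyNotFoundException ex)
    {
        Trace.TraceError("Token signature key not found.");
        result.Exception = ex;
        return result;
    }
    catch (SecurityTokenExpiredException ex)
    {
        Trace.TraceError("Token expired.");
        result.Exception = ex;
        return result;
    }
    catch (SecurityTokenInvalidSignatureException ex)
    {
        Trace.TraceError("Invalid signature.");
        result.Exception = ex;
        return result;
    }
    catch (Exception ex)
    {
        // Any other failure (malformed token, other validation errors) is surfaced the same way so
        // that validation itself never throws to the caller.
        Trace.TraceError(ex.Message);
        result.Exception = ex;
        return result;
    }

    if (claimsPrincipal == null)
    {
        Trace.TraceError("Identity not found in the token.");
        result.Exception = new InvalidOperationException("Identity not found in the token");
        return result;
    }

    ClaimsIdentity identity = claimsPrincipal.Identities.OfType<ClaimsIdentity>().FirstOrDefault();
    if (identity == null)
    {
        Trace.TraceError("Claims not found in the token.");
        result.Exception = new InvalidOperationException("Claims not found in the token.");
        // Was `return null`, which discarded the exception just recorded.
        return result;
    }

    // The appid claim ties the token to the expected issuing application; read it once for both the
    // comparison and the log line. GetClaimValue presumably returns null for an absent claim — verify.
    string actualAppId = GetClaimValue(identity, "appid");
    if (!string.Equals(actualAppId, O365OpenIdConfiguration.AppId, StringComparison.OrdinalIgnoreCase))
    {
        Trace.TraceError(
            "App ID does not match. Expected: {0} Actual: {1}",
            O365OpenIdConfiguration.AppId,
            actualAppId);
        // Was `return null` with no exception recorded; report it like every other failure.
        result.Exception = new InvalidOperationException("App ID does not match.");
        return result;
    }

    result.ValidationSucceeded = true;
    result.Sender = GetClaimValue(identity, "sender");

    // Get the value of the "sub" claim. Passing in "sub" will not return a value because the TokenHandler
    // maps "sub" to ClaimTypes.NameIdentifier. More info here
    // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/415.
    result.ActionPerformer = GetClaimValue(identity, ClaimTypes.NameIdentifier);
    return result;
}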