/// <summary>
/// The default parameters produced by the factory copy the configured issuer and audience
/// through, leave issuer/audience validation switched off, and keep lifetime and
/// signature requirements switched on.
/// </summary>
public void ShouldCreateParameters()
{
    var options = new AuthOptions { JwtIssuer = "jwtIssuer" };
    var devPermissions = new DevPermissionsOptions();
    var keyResolver = new Mock<IJwtSigningKeyResolver>();
    var hostingEnvironment = new Mock<IHostingEnvironment>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(options),
        keyResolver.Object,
        Options.Create(devPermissions),
        hostingEnvironment.Object);

    var parameters = factory.Create();

    // NOTE(review): issuer and audience validation are disabled in this configuration; the test
    // pins that behaviour, so tightening the factory requires updating these assertions too.
    Assert.False(parameters.ValidateIssuer);
    Assert.Equal(options.JwtIssuer, parameters.ValidIssuer);
    Assert.False(parameters.ValidateAudience);
    Assert.Equal(options.JwtAudience, parameters.ValidAudience);

    // Expiry and signature checks are the ones that must stay on regardless of configuration.
    Assert.True(parameters.ValidateLifetime);
    Assert.True(parameters.RequireSignedTokens);
}
/// <summary>
/// Builds the delegate that configures <see cref="JwtBearerOptions"/> for the supplied
/// <paramref name="jwtConfig"/>.
/// </summary>
/// <param name="jwtConfig">Settings handed to <c>TokenValidationParametersFactory.Create</c>.</param>
/// <returns>An <see cref="Action{T}"/> that can be passed to the JWT bearer registration.</returns>
public static Action<JwtBearerOptions> ConfigureJwtOptions(JwtConfig jwtConfig)
{
    void Configure(JwtBearerOptions bearerOptions)
    {
        // Process-wide side effect: empties the handler's static inbound claim-type map, so JWT
        // claim names are no longer translated to the long ClaimTypes URIs and arrive as issued.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        // NOTE(review): allows the authority metadata to be fetched over plain HTTP. That is a
        // development-only relaxation; a production configuration should leave the default (true).
        bearerOptions.RequireHttpsMetadata = false;

        // Keep the received token so it can be read back from the authentication properties later.
        bearerOptions.SaveToken = true;

        bearerOptions.TokenValidationParameters = TokenValidationParametersFactory.Create(jwtConfig);
    }

    return Configure;
}
/// <summary>
/// Validates a client-assertion JWT: the handler checks it against the keys extracted for the
/// token, then the assertion-specific claim rules (alg, sub/iss, jti, iat, exp) are applied in order.
/// </summary>
/// <param name="jwtTokenString">Compact-serialized client assertion.</param>
/// <param name="clientId">Expected client_id, forwarded to the validation parameters.</param>
/// <param name="audience">Expected audience, forwarded to the validation parameters.</param>
/// <returns>
/// <c>true</c> when every check passes; otherwise whatever <c>FromError</c> yields for the first
/// failed rule (presumably <c>false</c>), or <c>false</c> when the handler throws.
/// </returns>
private bool IsJwtValid(string jwtTokenString, string clientId, string audience)
{
    var keys = _keysExtractor.ExtractSecurityKeys(jwtTokenString);
    if (!keys.Any())
    {
        return FromError("Trusted keys not found.");
    }

    var validationParameters = TokenValidationParametersFactory.Create(clientId, audience, keys);

    try
    {
        var handler = new JwtSecurityTokenHandler();
        handler.ValidateToken(jwtTokenString, validationParameters, out var validated);
        var assertion = (JwtSecurityToken)validated;

        // Rules are evaluated lazily in this order; the first failing one supplies the message.
        // The alg check runs only after the handler has already accepted the signature, so
        // restricting the accepted algorithms in the validation parameters (if the factory does
        // not already) is the earlier place to enforce the RS256 requirement.
        var failure =
            IsHeaderAlgInvalid(assertion.Header.Alg) ? "Header alg value must be RS256." :
            IsSubInvalid(assertion) ? "Both 'sub' and 'iss' in the client assertion token must have a value of client_id." :
            string.IsNullOrEmpty(assertion.Payload.Jti) ? "The 'jti' claim is missing from the client assertion." :
            IsUnixTimestampGreaterThanUtcNow(assertion.Payload.Iat) ? "The 'iat' claim cannot have higher value than UtcNow." :
            IsExpired(assertion.Payload.Exp) ? "The 'exp' claim states that token is expired." :
            null;

        if (failure is null)
        {
            return true;
        }

        return FromError(failure);
    }
    catch (Exception e)
    {
        // Fail closed: any parsing or validation exception is logged and treated as an invalid assertion.
        _logger.LogError(e, "JWT token validation error.");
        return false;
    }
}
/// <summary>
/// Pipeline-facing constructor. ASP.NET Core hands middleware the next <see cref="RequestDelegate"/>
/// by convention; it is not used here (discarded), and construction is forwarded to the
/// dependency-only overload.
/// </summary>
public FinishSsoEndpointMiddleware(
    Saml2SecurityTokenHandler handler,
    TokenValidationParametersFactory parametersFactory,
    ISystemClock clock,
    Saml2pSerializer serializer,
    Saml2pCache cache,
    Saml2pPartnerProvider partners,
    Saml2pEncodingService encoder,
    IOptionsMonitor<Saml2pOptions> monitor,
    ILoggerFactory factory,
    RequestDelegate _)
    : this(handler, parametersFactory, clock, serializer, cache, partners, encoder, monitor, factory)
{
}
/// <summary>
/// Core constructor: hands the shared SAML2p collaborators to the base class and keeps the
/// token handler, the validation-parameter factory and the clock for this endpoint's own use.
/// </summary>
public FinishSsoEndpointMiddleware(
    Saml2SecurityTokenHandler handler,
    TokenValidationParametersFactory parametersFactory,
    ISystemClock clock,
    Saml2pSerializer serializer,
    Saml2pCache cache,
    Saml2pPartnerProvider partners,
    Saml2pEncodingService encoder,
    IOptionsMonitor<Saml2pOptions> monitor,
    ILoggerFactory factory)
    : base(serializer, cache, partners, encoder, monitor, factory)
{
    _clock = clock;
    _factory = parametersFactory;
    _handler = handler;
}
/// <summary>
/// With service-account authorization disabled and a token that carries no claims at all, the
/// name-claim resolver falls back to <c>Claims.Sub</c>.
/// </summary>
public void NameClaimTypeRetrieverShouldUseSubIfSubNotPresent()
{
    var options = new AuthOptions { EnableServiceAccountAuthorization = false };
    var keyResolver = new Mock<IJwtSigningKeyResolver>();
    var hostingEnvironment = new Mock<IHostingEnvironment>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(options),
        keyResolver.Object,
        Options.Create(new DevPermissionsOptions()),
        hostingEnvironment.Object);

    // An empty token: no sub, no gateway headers.
    SecurityToken emptyToken = new JwtSecurityToken();

    var claimType = factory.NameClaimTypeRetriever(emptyToken, string.Empty);

    Assert.Equal(Claims.Sub, claimType);
}
/// <summary>
/// With service-account authorization disabled, a gateway-issued token that carries an
/// X-Authenticated-Userid claim makes the resolver pick <c>Claims.XAuthenticatedUserId</c>.
/// </summary>
public void NameClaimTypeRetriever_Should_Use_XAuthenticatedUserId_If_Present()
{
    var options = new AuthOptions { EnableServiceAccountAuthorization = false };
    var keyResolver = new Mock<IJwtSigningKeyResolver>();
    var hostingEnvironment = new Mock<IHostingEnvironment>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(options),
        keyResolver.Object,
        Options.Create(new DevPermissionsOptions()),
        hostingEnvironment.Object);

    // Test fixture: an expired, gateway-issued token. Only its claim set matters here; the
    // signature is never verified by this test.
    const string gatewayToken =
        "eyJ4NXUiOiJodHRwczpcL1wvYXBpLWd3LW8uYW50d2VycGVuLmJlXC9rZXlzXC9wdWIiLCJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTE5MTA5ODMsIlgtQ3JlZGVudGlhbC1Vc2VybmFtZSI6Im5vbmUiLCJYLUNvbnN1bWVyLUdyb3VwcyI6InBla2UubW9ja2Jpbi52MSIsImlzcyI6IjcwOTU5NGMyYjAwZDRkMjA5MDJlZTc3YWZkMDJiYjBjIiwiYXVkIjoibW9ja2Jpbi5vcmciLCJYLUpXVC1Jc3N1ZXIiOiJodHRwczpcL1wvYXBpLWd3LW8uYW50d2VycGVuLmJlIiwiWC1Db25zdW1lci1Vc2VybmFtZSI6ImludC1wZWtlLm1vY2tiaW4udjEiLCJYLUNvbnN1bWVyLUN1c3RvbS1JRCI6ImludC1wZWtlLm1vY2tiaW4udjEiLCJYLUF1dGhlbnRpY2F0ZWQtVXNlcmlkIjoicmMwMDExNUBkaWdhbnQuYW50d2VycGVuLmxvY2FsIiwiWC1BdXRoZW50aWNhdGVkLVNjb3BlIjoibm9uZSIsIlgtSG9zdC1PdmVycmlkZSI6Im5vbmUiLCJpYXQiOjE0OTE5MTEyODMsImp0aSI6IjhiNGJjNTIxNWJmODQ5NmJiOTM1ZjNiMzA1Yzg3NzEzIiwiWC1Db25zdW1lci1JRCI6IjU0ODkwNWU0LWM0OTUtNGUxOS1hOGQ5LTY0NGMwMmJkY2ExYiIsImV4cCI6MTQ5MjEyNzI4M30.MlSg19vT0zi3Vh8k283FzsHaseggezSWFuWN2-n4r-VsOXNuN1mxge95EFz2v_fJ__YN_b2w5CYJ0GKFXSDjD7kxctc3h8m3pI55GyHsDePn66qXipS0ayShaWKAkeg0xGWBV3KuHuGFVmEwcUJbi5yAYhfRqUdNbSSCMS1SuFA-jyOmr_jT7NSJGehjGzby20perBGnVnQhULv0mf3mX1Li3IX4jKHVMOB3dJKnhgazaOhS0pDhiERbTqop1e3H-g6hKttRSkOJNPyLbzw76fJfq9eLLQEGE8_XtU_W8iXy_1Wb6B6Qbao8IMFx65T1xGIALqR556TgWdXjNsAROQCBFNv0aCdbExvxYUjpu_w56JlYqMCRfEcxr1d2h8axxQDJrosu5T2YjjS61k0MXgFpbQqEj5N9Y47kvmp0qN9SQU9bKMsP3Pvw9oixgLNa-TaHvtTjovWl9iw4s4krQtaTlQvtXU5S99ZnQMLPdhZl_2VR3vVS75yoy-UXKENBAEoQRZ2FQfAV_cEBM8q5DGOR-SD17faNaRjIrTqLTRjr4RdXZbmYhQziEmKfG2vVQYjUIjBXINJS7KmiGLn4ZFpqM7jBXn-bmN" +
        "BRRsmSEAMF4qIExhYavY2gwQ6MeQg4ZfwW7Oto9ce_Oy2fnxOanMPgAyG3GKfLRrm8Brg7i6w";

    SecurityToken parsedToken = new JwtSecurityToken(gatewayToken);

    var claimType = factory.NameClaimTypeRetriever(parsedToken, string.Empty);

    Assert.Equal(Claims.XAuthenticatedUserId, claimType);
}
/// <summary>
/// With service-account authorization enabled, a gateway-issued token without a <c>sub</c> claim
/// makes the resolver pick <c>Claims.XConsumerUsername</c>.
/// </summary>
public void NameClaimTypeRetrieverShouldUseXConsumerUsernameClaimIfSubNotPresent()
{
    var options = new AuthOptions { EnableServiceAccountAuthorization = true };
    var keyResolver = new Mock<IJwtSigningKeyResolver>();
    var hostingEnvironment = new Mock<IHostingEnvironment>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(options),
        keyResolver.Object,
        Options.Create(new DevPermissionsOptions()),
        hostingEnvironment.Object);

    // Test fixture: an expired, gateway-issued service-account token. Only its claim set matters
    // here; the signature is never verified by this test.
    const string serviceAccountToken =
        "eyJ4NXUiOiJodHRwczpcL1wvYXBpLWd3LWEuYW50d2VycGVuLmJlXC9rZXlzXC9wdWIiLCJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1MjA1MTI1MTEsIlgtQ3JlZGVudGlhbC1Vc2VybmFtZSI6Im5vbmUiLCJYLUNvbnN1bWVyLUdyb3VwcyI6ImFzdGFkLmFwcm9maWVsLnYxLCBhYnMuYWJzYmlqbGFnZWFwaS52MSwgYWJzLmFic2Rvc3NpZXJhcGkudjEsIGFjcGFhcy53Y21jb250ZW50bWFuYWdlci52MywgamltbXloYW5ub24udGVzdC52MSwgYWJzLmFic3Byb2Nlc3NhcGkudjEsIGFjcGFhcy53Y21wcm94eS52MyIsImlzcyI6Imh0dHBzOlwvXC9hcGktZ3ctYS5hbnR3ZXJwZW4uYmUiLCJhdWQiOiJyYXN1MTE1NS5ydGUuYW50d2VycGVuLmxvY2FsOjUwMTAyIiwiWC1KV1QtSXNzdWVyIjoiaHR0cHM6XC9cL2FwaS1ndy1hLmFudHdlcnBlbi5iZSIsIlgtQ29uc3VtZXItVXNlcm5hbWUiOiJpbnQtYWJzaW9kLmZvcm1pb2Rsb2NhbC52MSIsIlgtQ29uc3VtZXItQ3VzdG9tLUlEIjoiaW50LWFic2lvZC5mb3JtaW9kbG9jYWwudjEiLCJYLUF1dGhlbnRpY2F0ZWQtVXNlcmlkIjoibm9uZSIsIlgtQXV0aGVudGljYXRlZC1TY29wZSI6Im5vbmUiLCJYLUhvc3QtT3ZlcnJpZGUiOiJub25lIiwiaWF0IjoxNTIwNTEyODExLCJqdGkiOiI2ODBkZmEyNzgxMGU0MDhhYWE3YjcyOGUxMTdlYjk5ZSIsIlgtQ29uc3VtZXItSUQiOiI3OGM5ZDA0Mi03NTNhLTRkNWUtOGMzNS1hYTg2Yjk4OTI2OTIiLCJleHAiOjE1MjA3Mjg4MTF9.XeGnL6a_NDHYl7WHPL3tmrXP1Ga483ZePFD6x-LoJP8znTmYVfbYtQcajADgtZu2x65detsSBb0Z_MnVK7mod3Eec7niyz67UMu2Be86CmTbl-wTtf6i4UZKVcCk6alS-d2ZC6g9Hk66njOecXES998xij4CiKoikGUJ5AdY6FWxhpnOKRFg5FbhiIpHt294Hf2QSHjuV2476xbYTWCSOr8A61LibPzhR9hOHaopOivnCOkPeJEZtn98Lyoa6CqcM44gdppZdO9rqQ1pxhLrycdsc2dSZ0yxHXwmZ5XwOfmCqbQRIl4WbmMpuMVfUEetHhuZ95pI_oUxZsIqxyMLRwOv6z1K184MVgRzFB6ziZY495a2zXoOMXwqhk7C-Zih_8mgPvYbsoR6Rv7jp95c7xfMTMU" +
        "Duj0HelIr3FVlff-J7XZEuWeTDdp6Hvk4JkxMnkMiYkeuzmsiJKaCcirUlelSftcebr2AL_-jVQ9jtnfmXt7NUWKrYEd9Ohn7qyxaDWb2M-JzL_FhONt1H81zpzwq45SSC21YjjxNpo9basMtiYzRTtRNMusUbkEHxgwkfLcBNywse0vygWWnehWkD3rwryJAjL5ifrCWEKbC9Bk2BVf1i_kzdCI_iCixy5HXQcQ6bsTtUB_6k1XowsDj9kL7PLAe2nPCErxd7SYA2dg";

    SecurityToken parsedToken = new JwtSecurityToken(serviceAccountToken);

    var claimType = factory.NameClaimTypeRetriever(parsedToken, string.Empty);

    Assert.Equal(Claims.XConsumerUsername, claimType);
}
/// <summary>
/// With service-account authorization enabled, a token that carries a <c>sub</c> claim makes the
/// resolver pick <c>Claims.Sub</c> rather than any gateway header claim.
/// </summary>
public void NameClaimTypeRetrieverShouldUseSubClaimIfPresent()
{
    var options = new AuthOptions { EnableServiceAccountAuthorization = true };
    var keyResolver = new Mock<IJwtSigningKeyResolver>();
    var hostingEnvironment = new Mock<IHostingEnvironment>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(options),
        keyResolver.Object,
        Options.Create(new DevPermissionsOptions()),
        hostingEnvironment.Object);

    // Test fixture: an expired, generated token whose payload includes "sub". Only its claim set
    // matters here; the signature is never verified by this test.
    const string tokenWithSub =
        "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIng1dSI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC94NXUifQ.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NzI1NDk1NDgsImV4cCI6MTUwNDA4NTU0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.jKg9l0cuTapEFcx9v1pLtBiigK_7EXlCqvKZBoS24XE";

    SecurityToken parsedToken = new JwtSecurityToken(tokenWithSub);

    var claimType = factory.NameClaimTypeRetriever(parsedToken, string.Empty);

    Assert.Equal(Claims.Sub, claimType);
}
/// <summary>
/// Even when the hosting environment name matches the dev-permissions environment, the created
/// parameters must still validate token lifetime.
/// </summary>
public void ValidateTokenLifetimeShouldBeTrue()
{
    var devPermissions = new DevPermissionsOptions { Environment = "Testing" };

    var hostingEnvironment = new Mock<IHostingEnvironment>();
    // Make the host report the same environment the dev-permissions options target.
    hostingEnvironment.SetupGet(h => h.EnvironmentName).Returns(devPermissions.Environment);

    var keyResolver = new Mock<IJwtSigningKeyResolver>();

    var factory = new TokenValidationParametersFactory(
        Options.Create(new AuthOptions()),
        keyResolver.Object,
        Options.Create(devPermissions),
        hostingEnvironment.Object);

    // Lifetime checks must not be relaxed, not even for the development environment.
    Assert.True(factory.Create().ValidateLifetime);
}
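/// <summary>
/// Reads the connection string and the issuer signing key from environment variables and builds
/// the token-validation parameters and identity options from them.
/// </summary>
/// <exception cref="NullReferenceException">Thrown when one of the environment variables was not found. This results in an empty or null string variable which is not allowed.</exception>
private DbConfigurations()
{
    string connectionString = Environment.GetEnvironmentVariable("MSSConnectionString");
    if (String.IsNullOrEmpty(connectionString))
    {
        throw new NullReferenceException("connstring = null or empty");
    }
    _sqlConnectionString = connectionString;

    string issuerSigningKey = Environment.GetEnvironmentVariable("MSSValidateIssuerSigningKey");
    // Check the key itself, not the connection string again: an empty signing key must never
    // reach TokenValidationParametersFactory.Build.
    if (String.IsNullOrEmpty(issuerSigningKey))
    {
        throw new NullReferenceException("key = null or empty");
    }
    _issuerSigningKey = issuerSigningKey;

    _tokenValidationParameters = TokenValidationParametersFactory.Build(_issuerSigningKey);
    _identityOptions = IdentityOptionsFactory.Build();
}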