public void X509SecurityKey_Constructor()
{
X509SecurityKey x509SecurityKey;
ExpectedException expectedException = new ExpectedException(typeExpected: typeof(ArgumentNullException), substringExpected: "certificate");
try
{
x509SecurityKey = new X509SecurityKey(null);
expectedException.ProcessNoException();
}
catch(Exception exception)
{
expectedException.ProcessException(exception);
}
X509Certificate2 x509Certificate2 = KeyingMaterial.DefaultCert_2048;
expectedException = ExpectedException.NoExceptionExpected;
try
{
x509SecurityKey = new X509SecurityKey(x509Certificate2);
Assert.ReferenceEquals(x509Certificate2, x509SecurityKey.Certificate);
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
}
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
Logger.Info("Start identity token validation");
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
Logger.Error("No clientId supplied, can't find id in identity token.");
return Invalid(Constants.ProtectedResourceErrors.InvalidToken);
}
}
_log.ClientId = clientId;
_log.ValidateLifetime = validateLifetime;
var client = await _clients.FindClientByIdAsync(clientId);
if (client == null)
{
LogError("Unknown or diabled client.");
return Invalid(Constants.ProtectedResourceErrors.InvalidToken);
}
_log.ClientName = client.ClientName;
var signingKey = new X509SecurityKey(_options.SigningCertificate);
var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime);
result.Client = client;
if (result.IsError)
{
LogError("Error validating JWT");
return result;
}
if (_options.DiagnosticsOptions.IncludeSensitiveDataInLogs)
{
_log.Claims = result.Claims.ToClaimsDictionary();
}
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
LogError("Custom validator failed: " + customResult.Error ?? "unknown");
return customResult;
}
if (_options.DiagnosticsOptions.IncludeSensitiveDataInLogs)
{
_log.Claims = customResult.Claims.ToClaimsDictionary();
}
LogSuccess();
return customResult;
}
/// <summary>
/// Signs the token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A protected and serialized security token
/// </returns>
public virtual async Task<string> SignTokenAsync(Token token)
{
var key = new X509SecurityKey(await _keyService.GetSigningKeyAsync());
var header = await CreateHeaderAsync(token, key);
var payload = await CreatePayloadAsync(token);
return await SignAsync(new JwtSecurityToken(header, payload));
}
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
return Invalid(Constants.ProtectedResourceErrors.InvalidToken);
}
}
var client = await _clients.FindClientByIdAsync(clientId);
if (client == null)
{
return Invalid(Constants.ProtectedResourceErrors.InvalidToken);
}
SecurityKey signingKey;
if (client.IdentityTokenSigningKeyType == SigningKeyTypes.ClientSecret)
{
signingKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(client.ClientSecret));
}
else
{
signingKey = new X509SecurityKey(_options.SigningCertificate);
}
var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime);
result.Client = client;
if (result.IsError)
{
return result;
}
Logger.Debug("Calling custom token validator");
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
Logger.Error("Custom validator failed: " + customResult.Error ?? "unknown");
}
return customResult;
}
/// <summary>
/// Validates the <see cref="SecurityKey"/> that signed a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="securityKey">The <see cref="SecurityKey"/> that signed the <see cref="SecurityToken"/>.</param>
/// <param name="securityToken">The <see cref="SecurityToken"/> being validated.</param>
/// <param name="validationParameters"><see cref="TokenValidationParameters"/> required for validation.</param>
/// <exception cref="ArgumentNullException"> if 'vaidationParameters' is null.</exception>
public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
{
if (validationParameters == null)
{
throw new ArgumentNullException("validationParameters");
}
if (!validationParameters.ValidateIssuerSigningKey)
{
return;
}
X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
if (x509SecurityKey != null)
{
//validationParameters.CertificateValidator.Validate(x509SecurityKey.Certificate);
}
}
public static TokenValidationParameters GetParameters()
{
var tvp = new TokenValidationParameters();
tvp.ValidAudience = ApplicationConfiguration.Get("audience");
tvp.ValidIssuer = ApplicationConfiguration.Get("issuer");
tvp.ValidateIssuer = true;
tvp.ValidateAudience = true;
tvp.ValidateIssuerSigningKey = true;
tvp.ValidateLifetime = true;
var keys = new List<X509SecurityKey>();
var certs = GetCertificates();
foreach (var certificate in certs)
{
var key = new X509SecurityKey(certificate);
keys.Add(key);
}
tvp.IssuerSigningKeyResolver = (a, b, c, d) => keys;
return tvp;
}
public static IEnumerable<Claim> ValidateIdentityToken(string token, string issuer, string audience, X509Certificate2 signingCertificate)
{
ClaimsPrincipal cp = null;
if (token != null)
{
JwtSecurityToken idToken = new JwtSecurityToken(token);
JwtSecurityTokenHandler jwt = new JwtSecurityTokenHandler();
// Configure validation
Byte[][] certBytes = getCertBytes();
for (int i = 0; i < certBytes.Length; i++)
{
X509Certificate2 certificate = new X509Certificate2(certBytes[i]);
X509SecurityToken certToken = new X509SecurityToken(certificate);
var key = new X509SecurityKey(certificate);
// Set up token validation
TokenValidationParameters tvp = new TokenValidationParameters();
tvp.ValidAudience = audience;
tvp.IssuerSigningToken = certToken;
tvp.ValidIssuer = "accounts.google.com";
tvp.IssuerSigningKeyResolver = (a, b, c, d) => key;
// Enable / disable tests
//tvp.ValidateNotBefore = false;
//tvp.ValidateExpiration = true;
//tvp.ValidateSignature = true;
tvp.ValidateIssuer = true;
tvp.ValidateAudience = true;
tvp.ValidateIssuerSigningKey = true;
tvp.ValidateLifetime = true;
// Account for clock skew. Look at current time when getting the message
// "The token is expired" in try/catch block.
// This is relative to GMT, for example, GMT-8 is:
//tvp.ClockSkew = TimeSpan.FromMinutes(3600 * 13);
try
{
SecurityToken securityToken;
// Validate using the provider
cp = jwt.ValidateToken(token, tvp, out securityToken);
}
catch (Exception)
{
if (i == certBytes.Length)
throw;
}
}
}
return cp.Claims;
}
