protected IEnumerable <Claim> GetClaimsFromAccount(TAccount account) { var claims = new List <Claim> { new Claim(Constants.ClaimTypes.Subject, GetSubjectForAccount(account)), new Claim(Constants.ClaimTypes.UpdatedAt, EpochTimeExtensions.ToEpochTime(account.LastUpdated).ToString(), ClaimValueTypes.Integer), new Claim("tenant", account.Tenant), new Claim(Constants.ClaimTypes.PreferredUserName, account.Username), }; if (!String.IsNullOrWhiteSpace(account.Email)) { claims.Add(new Claim(Constants.ClaimTypes.Email, account.Email)); claims.Add(new Claim(Constants.ClaimTypes.EmailVerified, account.IsAccountVerified ? "true" : "false")); } if (!String.IsNullOrWhiteSpace(account.MobilePhoneNumber)) { claims.Add(new Claim(Constants.ClaimTypes.PhoneNumber, account.MobilePhoneNumber)); claims.Add(new Claim(Constants.ClaimTypes.PhoneNumberVerified, !String.IsNullOrWhiteSpace(account.MobilePhoneNumber) ? "true" : "false")); } claims.AddRange(account.Claims.Select(x => new Claim(x.Type, x.Value))); claims.AddRange(userAccountService.MapClaims(account)); return(claims); }
private bool ValidateToken(string identityToken) { if (AppController.keys != null) { //IdentityToken if (identityToken != null) { //Split the identityToken to get Header and Payload string[] splitValues = identityToken.Split('.'); if (splitValues[0] != null) { //Decode header var headerJson = Encoding.UTF8.GetString(Base64Url.Decode(splitValues[0].ToString())); //Deserilaize headerData IdTokenHeader headerData = JsonConvert.DeserializeObject <IdTokenHeader>(headerJson); //Verify if the key id of the key used to sign the payload is not null if (headerData.Kid == null) { return(false); } //Verify if the hashing alg used to sign the payload is not null if (headerData.Alg == null) { return(false); } } if (splitValues[1] != null) { //Decode payload var payloadJson = Encoding.UTF8.GetString(Base64Url.Decode(splitValues[1].ToString())); payloadData = JsonConvert.DeserializeObject <IdTokenJWTClaimTypes>(payloadJson); //Verify Aud matches ClientId if (payloadData.Aud != null) { if (payloadData.Aud[0].ToString() != AppController.clientid) { return(false); } } else { return(false); } //Verify Authtime matches the time the ID token was authorized. if (payloadData.Auth_time == null) { return(false); } //Verify exp matches the time the ID token expires, represented in Unix time (integer seconds). if (payloadData.Exp != null) { long expiration = Convert.ToInt64(payloadData.Exp); long currentEpochTime = EpochTimeExtensions.ToEpochTime(DateTime.UtcNow); //Verify the ID expiration time with what expiry time you have calculated and saved in your application //If they are equal then it means IdToken has expired if ((expiration - currentEpochTime) <= 0) { return(false); } } //Verify Iat matches the time the ID token was issued, represented in Unix time (integer seconds). if (payloadData.Iat == null) { return(false); } //verify Iss matches the issuer identifier for the issuer of the response. if (payloadData.Iss != null) { if (payloadData.Iss.ToString() != AppController.issuerEndpoint) { return(false); } } else { return(false); } //Verify sub. Sub is an identifier for the user, unique among all Intuit accounts and never reused. //An Intuit account can have multiple emails at different points in time, but the sub value is never changed. //Use sub within your application as the unique-identifier key for the user. if (payloadData.Sub == null) { return(false); } } //Use external lib to decode mod and expo value and generte hashes RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); //Read values of n and e from discovery document. rsa.ImportParameters( new RSAParameters() { //Read values from discovery document Modulus = Base64Url.Decode(AppController.mod), Exponent = Base64Url.Decode(AppController.expo) }); //Verify Siganture hash matches the signed concatenation of the encoded header and the encoded payload with the specified algorithm SHA256 sha256 = SHA256.Create(); byte[] hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(splitValues[0] + '.' + splitValues[1])); RSAPKCS1SignatureDeformatter rsaDeformatter = new RSAPKCS1SignatureDeformatter(rsa); rsaDeformatter.SetHashAlgorithm("SHA256"); if (rsaDeformatter.VerifySignature(hash, Base64Url.Decode(splitValues[2]))) { //identityToken is valid return(true); } else { //identityToken is not valid return(false); } } else { //identityToken is not valid return(false); } } else { //Missing mod and expo values return(false); } }