private async Task <AuthorizationRequest> GetAuthorizationRequestFromJwt(string token, string clientId)
{
var jwsToken = token;
if (_jwtParser.IsJweToken(token))
{
jwsToken = await _jwtParser.DecryptAsync(token, clientId);
}
var jwsPayload = await _jwtParser.UnSignAsync(jwsToken, clientId);
return(jwsPayload == null ? null : jwsPayload.ToAuthorizationRequest());
}
public async Task <JwsPayload> GetPayload(Client client, string jwsToken)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (string.IsNullOrWhiteSpace(jwsToken))
{
throw new ArgumentNullException(nameof(jwsToken));
}
var signedResponseAlg = client.GetIdTokenSignedResponseAlg();
var encryptResponseAlg = client.GetIdTokenEncryptedResponseAlg();
if (encryptResponseAlg != null) // Decrypt the token.
{
jwsToken = await _jwtParser.DecryptAsync(jwsToken, client.ClientId);
}
return(await _jwtParser.UnSignAsync(jwsToken, client.ClientId));
}
private async Task ProcessIdTokenHint(
ActionResult actionResult,
AuthorizationParameter authorizationParameter,
ICollection <PromptParameter> prompts,
ClaimsPrincipal claimsPrincipal,
string issuerName)
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) &&
prompts.Contains(PromptParameter.none) &&
actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var token = authorizationParameter.IdTokenHint;
if (!_jwtParser.IsJweToken(token) &&
!_jwtParser.IsJwsToken(token))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken,
authorizationParameter.State);
}
string jwsToken;
if (_jwtParser.IsJweToken(token))
{
jwsToken = await _jwtParser.DecryptAsync(token);
if (string.IsNullOrWhiteSpace(jwsToken))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted,
authorizationParameter.State);
}
}
else
{
jwsToken = token;
}
var jwsPayload = await _jwtParser.UnSignAsync(jwsToken);
if (jwsPayload == null)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked,
authorizationParameter.State);
}
if (jwsPayload.Audiences == null ||
!jwsPayload.Audiences.Any() ||
!jwsPayload.Audiences.Contains(issuerName))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience,
authorizationParameter.State);
}
var currentSubject = string.Empty;
var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated())
{
currentSubject = claimsPrincipal.GetSubject();
}
if (currentSubject != expectedSubject)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken,
authorizationParameter.State);
}
}
}