/// <summary> /// Finds a named collection of <see cref="SecurityKey"/>(s) that match the <see cref="SecurityKeyIdentifierClause"/> and returns a <see cref="NamedKeySecurityToken"/> that contains the <see cref="SecurityKey"/>(s). /// </summary> /// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifier"/> to resolve to a <see cref="SecurityToken"/></param> /// <param name="token">The resolved <see cref="SecurityToken"/>.</param> /// <remarks>If there is no match, then <see cref="IssuerTokenResolver"/> and 'base' are called in order.</remarks> /// <returns>true if token was resolved.</returns> /// <exception cref="ArgumentNullException">if 'keyIdentifierClause' is null.</exception> protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { if (keyIdentifierClause == null) { throw new ArgumentNullException("keyIdentifierClause"); } token = null; NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause; if (namedKeyIdentifierClause != null) { IList <SecurityKey> resolvedKeys = null; if (this.keys.TryGetValue(namedKeyIdentifierClause.Name, out resolvedKeys)) { token = new NamedKeySecurityToken(namedKeyIdentifierClause.Name, namedKeyIdentifierClause.Id, resolvedKeys); return(true); } } if (IssuerTokenResolver != null && IssuerTokenResolver.TryResolveToken(keyIdentifierClause, out token)) { return(true); } return(base.TryResolveTokenCore(keyIdentifierClause, out token)); }
/// <summary> /// Initializes a new instance of the <see cref="NamedKeyIssuerTokenResolver"/> class. /// Populates this instance with a named collection of <see cref="SecurityKey"/>(s) and an optional <see cref="SecurityTokenResolver"/> that will be called when a /// <see cref="SecurityKeyIdentifier"/> or <see cref="SecurityKeyIdentifierClause"/> cannot be resolved. /// </summary> /// <param name="keys"> /// A named collection of <see cref="SecurityKey"/>(s). /// </param> /// <param name="innerTokenResolver"> /// A <see cref="IssuerTokenResolver"/> to call when resolving fails, before calling base. /// </param> /// <remarks> /// if 'keys' is null an empty collection will be created. A named collection of <see cref="SecurityKey"/>(s) can be added by accessing the property <see cref="SecurityKeys"/>. /// </remarks> public NamedKeyIssuerTokenResolver(IDictionary <string, IList <SecurityKey> > keys = null, IssuerTokenResolver innerTokenResolver = null) { if (keys == null) { this.keys = new Dictionary <string, IList <SecurityKey> >(); } else { this.keys = keys; } this.issuerTokenResolver = innerTokenResolver; }
public SecurityTokenHandlerConfiguration GetConfiguration() { var inner = new X509CertificateStoreTokenResolver("testCertStore", StoreLocation.LocalMachine); var tokenResolver = new IssuerTokenResolver(inner); var configuration = new SecurityTokenHandlerConfiguration { IssuerTokenResolver = tokenResolver, ServiceTokenResolver = inner, AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always), CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom, }; return(configuration); }
public SecurityTokenHandlerConfiguration GetConfiguration(string partnerId) { this._certificateValidator.SetFederationPartyId(partnerId); var partnerContex = this._federationPartyContextBuilder.BuildContext(partnerId); var descriptor = partnerContex.MetadataContext.EntityDesriptorConfiguration.SPSSODescriptors.First(); var cert = descriptor.KeyDescriptors.First(x => x.IsDefault && x.Use == Kernel.Federation.MetaData.Configuration.Cryptography.KeyUsage.Encryption); if (cert.CertificateContext == null) { throw new ArgumentNullException("certificate context"); } var x509CertificateContext = cert.CertificateContext as X509CertificateContext; if (x509CertificateContext == null) { throw new InvalidOperationException(String.Format("Expected certificate context of type: {0} but it was:{1}", typeof(X509CertificateContext).Name, cert.CertificateContext.GetType())); } var inner = this.certificateManager.GetX509CertificateStoreTokenResolver(x509CertificateContext); var tokenResolver = new IssuerTokenResolver(inner); var issuerNameRegistry = IdentityConfigurationHelper.IssuerNameRegistry; var configuration = new SecurityTokenHandlerConfiguration { IssuerNameRegistry = issuerNameRegistry, IssuerTokenResolver = tokenResolver, ServiceTokenResolver = inner, AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always), CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom, CertificateValidator = (X509CertificateValidator)this._certificateValidator }; configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(partnerContex.MetadataContext.EntityId)); return(configuration); }