/// <summary>
/// Finds a named collection of <see cref="SecurityKey"/>(s) that match the <see cref="SecurityKeyIdentifierClause"/> and returns a <see cref="NamedKeySecurityToken"/> that contains the <see cref="SecurityKey"/>(s).
/// </summary>
/// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifier"/> to resolve to a <see cref="SecurityToken"/></param>
/// <param name="token">The resolved <see cref="SecurityToken"/>.</param>
/// <remarks>If there is no match, then <see cref="IssuerTokenResolver"/> and 'base' are called in order.</remarks>
/// <returns>true if token was resolved.</returns>
/// <exception cref="ArgumentNullException">if 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
token = null;
NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause;
if (namedKeyIdentifierClause != null)
{
IList <SecurityKey> resolvedKeys = null;
if (this.keys.TryGetValue(namedKeyIdentifierClause.Name, out resolvedKeys))
{
token = new NamedKeySecurityToken(namedKeyIdentifierClause.Name, namedKeyIdentifierClause.Id, resolvedKeys);
return(true);
}
}
if (IssuerTokenResolver != null && IssuerTokenResolver.TryResolveToken(keyIdentifierClause, out token))
{
return(true);
}
return(base.TryResolveTokenCore(keyIdentifierClause, out token));
}
/// <summary>
/// Initializes a new instance of the <see cref="NamedKeyIssuerTokenResolver"/> class.
/// Populates this instance with a named collection of <see cref="SecurityKey"/>(s) and an optional <see cref="SecurityTokenResolver"/> that will be called when a
/// <see cref="SecurityKeyIdentifier"/> or <see cref="SecurityKeyIdentifierClause"/> cannot be resolved.
/// </summary>
/// <param name="keys">
/// A named collection of <see cref="SecurityKey"/>(s).
/// </param>
/// <param name="innerTokenResolver">
/// A <see cref="IssuerTokenResolver"/> to call when resolving fails, before calling base.
/// </param>
/// <remarks>
/// if 'keys' is null an empty collection will be created. A named collection of <see cref="SecurityKey"/>(s) can be added by accessing the property <see cref="SecurityKeys"/>.
/// </remarks>
public NamedKeyIssuerTokenResolver(IDictionary <string, IList <SecurityKey> > keys = null, IssuerTokenResolver innerTokenResolver = null)
{
if (keys == null)
{
this.keys = new Dictionary <string, IList <SecurityKey> >();
}
else
{
this.keys = keys;
}
this.issuerTokenResolver = innerTokenResolver;
}
public SecurityTokenHandlerConfiguration GetConfiguration()
{
var inner = new X509CertificateStoreTokenResolver("testCertStore", StoreLocation.LocalMachine);
var tokenResolver = new IssuerTokenResolver(inner);
var configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = tokenResolver,
ServiceTokenResolver = inner,
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom,
};
return(configuration);
}
public SecurityTokenHandlerConfiguration GetConfiguration(string partnerId)
{
this._certificateValidator.SetFederationPartyId(partnerId);
var partnerContex = this._federationPartyContextBuilder.BuildContext(partnerId);
var descriptor = partnerContex.MetadataContext.EntityDesriptorConfiguration.SPSSODescriptors.First();
var cert = descriptor.KeyDescriptors.First(x => x.IsDefault && x.Use == Kernel.Federation.MetaData.Configuration.Cryptography.KeyUsage.Encryption);
if (cert.CertificateContext == null)
{
throw new ArgumentNullException("certificate context");
}
var x509CertificateContext = cert.CertificateContext as X509CertificateContext;
if (x509CertificateContext == null)
{
throw new InvalidOperationException(String.Format("Expected certificate context of type: {0} but it was:{1}", typeof(X509CertificateContext).Name, cert.CertificateContext.GetType()));
}
var inner = this.certificateManager.GetX509CertificateStoreTokenResolver(x509CertificateContext);
var tokenResolver = new IssuerTokenResolver(inner);
var issuerNameRegistry = IdentityConfigurationHelper.IssuerNameRegistry;
var configuration = new SecurityTokenHandlerConfiguration
{
IssuerNameRegistry = issuerNameRegistry,
IssuerTokenResolver = tokenResolver,
ServiceTokenResolver = inner,
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom,
CertificateValidator = (X509CertificateValidator)this._certificateValidator
};
configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(partnerContex.MetadataContext.EntityId));
return(configuration);
}
