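/// <summary>
        /// Internal method to validate the credentials included in the request,
        /// returning an IPrincipal for the resulting authenticated entity.
        /// </summary>
        /// <param name="credentials">The raw bearer token string taken from the request (untrusted input).</param>
        /// <param name="request">The incoming request; not read by this method.</param>
        /// <param name="cancellationToken">Cancellation token; not observed by this method.</param>
        /// <returns>
        /// The validated <see cref="ClaimsPrincipal"/>, or <c>null</c> when the credentials are
        /// empty, are not a readable JWT, carry no "Id" claim, or name a user that has no signing key.
        /// </returns>
        /// <remarks>
        /// Exceptions thrown by <c>JwtSecurityTokenHandler.ValidateToken</c> (bad signature, expired
        /// token, ...) are not caught here and propagate to the caller.
        /// </remarks>
        private async Task<IPrincipal> ValidateCredentialsAsync(string credentials,
                                                                HttpRequestMessage request,
                                                                CancellationToken cancellationToken)
        {
            // Fail closed on anything that is not even shaped like a JWT *before* any claim is
            // parsed out of it; previously the "Id" claim was extracted from unchecked input first.
            if (string.IsNullOrWhiteSpace(credentials))
            {
                return null;
            }

            var jwtHandler = new JwtSecurityTokenHandler();
            if (!jwtHandler.CanReadToken(credentials))
            {
                return null;
            }

            // The "Id" claim is read from the token before its signature has been checked, so it is
            // attacker-controlled at this point. It is used only to select which user's key the
            // signature is verified against; nothing else may trust it until ValidateToken succeeds.
            var claimsUserManager = new ClaimsUserManager();
            string userId = claimsUserManager.getClaimValue("Id", credentials);
            if (string.IsNullOrEmpty(userId))
            {
                return null;
            }

            var manageUser = new ManageUser();
            var user = manageUser.GetUserById(userId);

            // Unknown user or a user without key material: treat as an authentication failure
            // instead of dereferencing null or building a key from an empty secret.
            if (user == null || string.IsNullOrEmpty(user.PublicToken))
            {
                return null;
            }

            // NOTE(review): PublicToken is used as an HMAC (symmetric) secret. Whoever knows it can
            // mint tokens for this user, so despite the name it must be stored and handled as a
            // secret - confirm it is never returned to other clients.
            // The key bytes are the UTF-16LE encoding of the string (Encoding.Unicode); this has to
            // match what the token issuer uses.
            byte[] secretBytes = Encoding.Unicode.GetBytes(user.PublicToken);
            var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(secretBytes);

            // NOTE(review): _audience is not declared in this method, so it is state on the
            // enclosing type that is overwritten on every request. If this instance is shared
            // between concurrent requests the value can change mid-request, which is why the
            // validation parameters below use the local copy. The assignment is kept for any other
            // code that reads it.
            string expectedAudience = user.UserName;
            _audience = expectedAudience;

            // at this point you would want to validate the JWT internals --
            //   minimally signing key and lifetime, but probably issuer and
            //   audience as well. Note some profiles of JWT require validating
            //   certain features (ex. OAuth).
            TokenValidationParameters validationParameters = new TokenValidationParameters
            {
                // NOTE(review): audience and issuer checks are switched off although the expected
                //   values are supplied. With these flags false the ValidAudiences / ValidIssuers
                //   lists are not enforced. Enable both once it is confirmed that issued tokens
                //   carry matching "aud" and "iss" claims.
                ValidateAudience = false,
                ValidAudiences   = new[] { expectedAudience },

                ValidateIssuer = false,
                ValidIssuers   = new[] { _validIssuer },

                RequireSignedTokens      = true,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys        = new[] { securityKey },

                // Lifetime settings are left at the library defaults. If the overrides below are
                //   ever re-enabled, keep ClockSkew small: 500 hours of padding would effectively
                //   disable token expiry.
                //RequireExpirationTime = true,
                //ValidateLifetime = true,
                //ClockSkew = TimeSpan.FromHours(500),  // limit the lifetime padding

                //NameClaimType = ClaimTypes.NameIdentifier,
                //AuthenticationType = SupportedTokenScheme
            };

            // Throws when the token fails validation; only a successfully validated token
            // reaches the code below.
            SecurityToken   validatedToken;
            ClaimsPrincipal principal = jwtHandler.ValidateToken(credentials, validationParameters, out validatedToken);

            // Add any other locally-generated claims you might want downstream code
            //   to have access to.
            // In this example we set a few claim names we might re-use across a
            //   number of token handlers
            var identity = (ClaimsIdentity)principal.Identity;
            identity.AddClaim(new Claim("urn:Issuer", validatedToken.Issuer));
            identity.AddClaim(new Claim("urn:TokenScheme", SupportedTokenScheme));

            // if you think any downstream code might want the original token string -
            // perhaps because they need it to make downstream calls -
            // store it in a standard claim name or the bootstrap context
            // for later retrieval by the other filters/action methods.
            // The stored string is a live bearer credential: downstream code must not log
            // or echo it.
            identity.BootstrapContext = credentials;

            return await Task.FromResult(principal);
        }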