/// <summary> /// Validate Token /// </summary> /// <param name="jwt"></param> /// <param name="validationParameters"></param> /// <returns></returns> public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt, TokenValidationParameters validationParameters) { // set up valid issuers if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { validationParameters.ValidIssuers = new List <string> { validIssuerString }; } // and signing token. if (validationParameters.SigningToken == null) { var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver; if (resolver.SecurityKeys != null) { IList <SecurityKey> skeys; if (resolver.SecurityKeys.TryGetValue(audience, out skeys)) { var tok = new NamedKeySecurityToken(audience, skeys); validationParameters.SigningToken = tok; } } } return(base.ValidateToken(jwt, validationParameters)); }
public void JwtSecurityKeyIdentifyier_Extensibility() { string clauseName = "kid"; string keyId = Issuers.GotJwt; NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId); SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause); SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.SymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier); JwtHeader jwtHeader = new JwtHeader(signingCredentials); SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier; Assert.IsFalse(ski.Count != 1, "ski.Count != 1 "); NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>(); Assert.IsFalse(clauseOut == null, "NamedKeySecurityKeyIdentifierClause not found"); Assert.IsFalse(clauseOut.Name != clauseName, "clauseOut.Id != clauseId"); Assert.IsFalse(clauseOut.KeyIdentifier != keyId, "clauseOut.KeyIdentifier != keyId"); NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, new SecurityKey[] { KeyingMaterial.SymmetricSecurityKey_256 }); Assert.IsFalse(!NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed"); List <SecurityKey> list = new List <SecurityKey>() { KeyingMaterial.SymmetricSecurityKey_256 }; Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >() { { "kid", list }, }; NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys); SecurityKey sk = nkitr.ResolveSecurityKey(clause); Assert.IsFalse(sk == null, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed"); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); JwtSecurityToken jwt = handler.CreateToken(issuer: Issuers.GotJwt, signingCredentials: signingCredentials) as JwtSecurityToken; handler.Configuration = new SecurityTokenHandlerConfiguration() { IssuerTokenResolver = new NamedKeyIssuerTokenResolver(keys: keys), AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never), IssuerNameRegistry = new SetNameIssuerNameRegistry("http://GotJwt.com"), }; handler.ValidateToken(jwt); }
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) { Check.IsNotNull(jwt, "jwt"); Check.IsNotNull(validationParameters, "validationParameters"); diagnostics.WriteInformationTrace(TraceEventId.InboundParameters, "JWT token details from ACS: {0}, {1}, {2}, {3}", jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData); string audienceUrl; if (this.Configuration != null) { audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString(); } else { audienceUrl = validationParameters.AllowedAudience; } // set up valid issuers if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { List <string> issuers = new List <string>(); issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' })); validationParameters.ValidIssuers = issuers; } // setup signing token. if (validationParameters.SigningToken == null) { var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver; if (resolver.SecurityKeys != null) { List <SecurityKey> skeys; if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys)) { var tok = new NamedKeySecurityToken(audienceUrl, skeys); validationParameters.SigningToken = tok; } } } diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS"); return(base.ValidateToken(jwt, validationParameters)); }
public override System.Collections.ObjectModel.ReadOnlyCollection <System.Security.Claims.ClaimsIdentity> ValidateToken(SecurityToken token) { var idConfig = System.IdentityModel.Configuration.SystemIdentityModelSection.Current.IdentityConfigurationElements.GetElement(""); var validationParameters = new TokenValidationParameters() { ValidAudience = (idConfig.AudienceUris.Cast <AudienceUriElement>().First()).Value }; // set up valid issuers if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { validationParameters.ValidIssuers = new List <string> { ValidIssuerString }; } // and signing token. if (validationParameters.IssuerSigningToken == null) { var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver; if (resolver.SecurityKeys != null) { IList <SecurityKey> skeys; if (resolver.SecurityKeys.TryGetValue(KeyName, out skeys)) { var tok = new NamedKeySecurityToken(KeyName, "id", skeys); validationParameters.IssuerSigningToken = tok; } } } var tokenString = (token as JwtSecurityToken); ClaimsPrincipal validated = base.ValidateToken(tokenString.RawData, validationParameters, out token); var result = new ReadOnlyCollection <ClaimsIdentity>(validated.Identities.ToList()); return(result); }
public void NamedKeySecurityKeyIdentifierClause_Extensibility() { string clauseName = "kid"; string keyId = Issuers.GotJwt; NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId); SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause); SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.DefaultSymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier); JwtHeader jwtHeader = new JwtHeader(signingCredentials); SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier; Assert.AreEqual(ski.Count, 1, "ski.Count != 1 "); NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>(); Assert.IsNotNull(clauseOut, "NamedKeySecurityKeyIdentifierClause not found"); Assert.AreEqual(clauseOut.Name, clauseName, "clauseOut.Id != clauseId"); Assert.AreEqual(clauseOut.Id, keyId, "clauseOut.KeyIdentifier != keyId"); NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, keyId, new SecurityKey[] { KeyingMaterial.DefaultSymmetricSecurityKey_256 }); Assert.IsTrue(NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed"); List <SecurityKey> list = new List <SecurityKey>() { KeyingMaterial.DefaultSymmetricSecurityKey_256 }; Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >() { { "kid", list }, }; NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys); SecurityKey sk = nkitr.ResolveSecurityKey(clause); Assert.IsNotNull(sk, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed"); }
protected override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { Check.IsNotNull(request, "request"); HttpStatusCode statusCode; string token; if (request.RequestUri.AbsolutePath.Contains("/authenticate")) { return(base.SendAsync(request, cancellationToken)); } if (request.RequestUri.AbsolutePath.Contains("/signout")) { return(base.SendAsync(request, cancellationToken)); } if (request.RequestUri.AbsolutePath.Contains("/SignOutCallback")) { return(base.SendAsync(request, cancellationToken)); } if (request.RequestUri.AbsolutePath.Contains("/windowsLiveAuthorization")) { return(base.SendAsync(request, cancellationToken)); } if (request.RequestUri.AbsolutePath.Contains("api/GetSupportedIdentityProviders")) { return(base.SendAsync(request, cancellationToken)); } if (request.RequestUri.AbsolutePath.Contains("api/SignInCallBack")) { return(base.SendAsync(request, cancellationToken)); } if (!TryRetrieveToken(request, out token)) { statusCode = HttpStatusCode.Unauthorized; return(Task <HttpResponseMessage> .Factory.StartNew(() => new HttpResponseMessage(statusCode))); } try { diagnostics.WriteInformationTrace(TraceEventId.Flow, "Validating bearer token: {0}", token); string issuersValue = ConfigurationManager.AppSettings["Issuers"]; string signingSymmetricKey = ConfigurationManager.AppSettings["SigningSymmetricKey"]; string allowedAudience = ConfigurationManager.AppSettings["AllowedAudience"]; // Use JWTSecurityTokenHandler to validate the JWT token ApiJWTSecurityTokenHandler tokenHandler = new ApiJWTSecurityTokenHandler(); List <string> issuers = new List <string>(); issuers.AddRange(issuersValue.Split(new[] { ',' })); InMemorySymmetricSecurityKey securityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingSymmetricKey)); NamedKeySecurityToken namedToken = new NamedKeySecurityToken(allowedAudience, new List <SecurityKey>() { securityKey }); // Set the expected properties of the JWT token in the TokenValidationParameters TokenValidationParameters validationParameters = new TokenValidationParameters() { AllowedAudience = allowedAudience, ValidIssuers = issuers, SigningToken = namedToken }; ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters); ClaimsIdentity claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity; try { IUserService userService = (IUserService)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(IUserService)); User user = IdentityHelper.GetCurrentUser(userService, claimsPrincipal); foreach (var role in user.UserRoles) { if (!claimsIdentity.HasClaim(ClaimTypes.Role, role.Role.Name)) { claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Role.Name)); } } } catch (UserNotFoundException) { // No need to do anything here because GetUsersByNameIdentifier action in UsersController will take care of sending appropriate http response. } Thread.CurrentPrincipal = claimsPrincipal; if (HttpContext.Current != null) { HttpContext.Current.User = claimsPrincipal; } diagnostics.WriteInformationTrace(TraceEventId.Flow, "Authorization token validated successfully"); return(base.SendAsync(request, cancellationToken)); } catch (SecurityTokenValidationException secutiryTokenValidationException) { FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true); HttpResponseMessage response = request.CreateErrorResponse(HttpStatusCode.Unauthorized, secutiryTokenValidationException); return(Task <HttpResponseMessage> .Factory.StartNew(() => response)); } }