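protected virtual IClaimsPrincipal GetUserPrincipal()
        {
            //
            // Builds the principal for the current request from the Simple Web Token (SWT)
            // carried in the Authorization header.
            //
            // Returns null when no usable token is present, so callers can treat the request
            // as anonymous. A token that is present but fails validation is rejected with
            // InvalidSecurityException rather than being downgraded to anonymous.
            //
            // Validation order matters: the signature is checked first, so no field of an
            // unauthenticated token (audience, expiry, claims) is trusted before the token is
            // known to come from the holder of the signing key.
            //
            string authorizationHeader = HttpContext.Current.Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(authorizationHeader))
            {
                return null;
            }

            string rawToken = GetTokenFromHeader(authorizationHeader);
            if (string.IsNullOrEmpty(rawToken))
            {
                return null;
            }

            //
            // Fail loudly on a missing key instead of letting Convert.FromBase64String raise an
            // opaque ArgumentNullException: an unconfigured key means no token can ever be verified.
            //
            string signingKeySetting = ConfigurationManager.AppSettings.Get("SigningKey");
            if (string.IsNullOrEmpty(signingKeySetting))
            {
                throw new InvalidSecurityException("No signing key is configured. Ensure that the 'SigningKey' app setting is present in Web.config.");
            }

            byte[] signingKey = Convert.FromBase64String(signingKeySetting);

            SimpleWebToken swt = SimpleWebToken.FromString(rawToken);

            if (!swt.SignVerify(signingKey))
            {
                throw new InvalidSecurityException("Token signature is invalid. Ensure that the correct signing key is configured in Web.config.");
            }

            if (!StringComparer.OrdinalIgnoreCase.Equals(swt.Audience, "https://oauth2RelyingParty/"))
            {
                throw new InvalidSecurityException("Token is not issued for this relying party.");
            }

            //
            // NOTE(review): compared against local time, as in the original. DateTime.Compare
            // ignores DateTimeKind, so if SimpleWebToken.ExpiresOn is a UTC value this check is
            // off by the server's UTC offset -- confirm ExpiresOn's kind and switch to
            // DateTime.UtcNow if it is UTC.
            //
            if (DateTime.Compare(swt.ExpiresOn, DateTime.Now) < 0)
            {
                throw new InvalidSecurityException("Token is expired.");
            }

            //
            // Additional checks omitted for brevity.
            // In a real-world application, the issuer and claims would likely be verified as well.
            //

            return ClaimsPrincipal.CreateFromIdentity(new ClaimsIdentity(swt.Claims));
        }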