/// <summary> /// This method validates the Simple Web Token. /// </summary> /// <param name="token">A simple web token.</param> /// <returns>A Claims Collection which contains all the claims from the token.</returns> public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token) { if (token == null) { throw new ArgumentNullException("token"); } CustomToken CustomToken = token as CustomToken; if (CustomToken == null) { throw new ArgumentException("The token provided must be of type CustomToken."); } if (DateTime.Compare(CustomToken.ValidTo.Add(Configuration.MaxClockSkew), DateTime.UtcNow) <= 0) { throw new SecurityTokenExpiredException("The incoming token has expired. Get a new access token from the Authorization Server."); } ValidateSignature(CustomToken); ValidateAudience(CustomToken.Audience); ClaimsIdentity claimsIdentity = CreateClaims(CustomToken); if (this.Configuration.SaveBootstrapContext) { claimsIdentity.BootstrapContext = new BootstrapContext(CustomToken.SerializedToken); } List <ClaimsIdentity> claimCollection = new List <ClaimsIdentity>(new ClaimsIdentity[] { claimsIdentity }); return(claimCollection.AsReadOnly()); }
/// <summary> /// Parses the string token and generates a <see cref="SecurityToken"/>. /// </summary> /// <param name="serializedToken">The serialized form of the token received.</param> /// <returns>The parsed form of the token.</returns> protected SecurityToken ReadSecurityTokenFromString(string serializedToken) { if (String.IsNullOrEmpty(serializedToken)) { throw new ArgumentException("The parameter 'serializedToken' cannot be null or empty string."); } // Create a collection of SWT name value pairs NameValueCollection properties = ParseToken(serializedToken); CustomToken swt = new CustomToken(properties, serializedToken); return(swt); }
/// <summary> /// Validates the signature on the incoming token. /// </summary> /// <param name="CustomToken">The incoming <see cref="CustomToken"/>.</param> protected virtual void ValidateSignature(CustomToken CustomToken) { if (CustomToken == null) { throw new ArgumentNullException("CustomToken"); } if (String.IsNullOrEmpty(CustomToken.SerializedToken) || String.IsNullOrEmpty(CustomToken.Signature)) { throw new SecurityTokenValidationException("The token does not have a signature to verify"); } string serializedToken = CustomToken.SerializedToken; string unsignedToken = null; // Find the last parameter. The signature must be last per SWT specification. int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator); // Check whether the last parameter is an hmac. if (lastSeparator > 0) { string lastParamStart = ParameterSeparator + CustomTokenConstants.Signature + "="; string lastParam = serializedToken.Substring(lastSeparator); // Strip the trailing hmac to obtain the original unsigned string for later hmac verification. if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal)) { unsignedToken = serializedToken.Substring(0, lastSeparator); } } CustomTokenKeyIdentifierClause clause = new CustomTokenKeyIdentifierClause(CustomToken.Audience); InMemorySymmetricSecurityKey securityKey = null; try { securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause); } catch (InvalidOperationException) { throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause."); } string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey()); if (string.CompareOrdinal(HttpUtility.UrlDecode(generatedSignature), HttpUtility.UrlDecode(CustomToken.Signature)) != 0) { throw new SecurityTokenValidationException("The signature on the incoming token is invalid."); } }
/// <summary>Creates <see cref="Claim"/>'s from the incoming token. /// </summary> /// <param name="CustomToken">The incoming <see cref="CustomToken"/>.</param> /// <returns>A <see cref="ClaimsIdentity"/> created from the token.</returns> protected virtual ClaimsIdentity CreateClaims(CustomToken CustomToken) { if (CustomToken == null) { throw new ArgumentNullException("CustomToken"); } NameValueCollection tokenProperties = CustomToken.GetAllProperties(); if (tokenProperties == null) { throw new SecurityTokenValidationException("No claims can be created from this Simple Web Token."); } if (Configuration.IssuerNameRegistry == null) { throw new InvalidOperationException("The Configuration.IssuerNameRegistry property of this SecurityTokenHandler is set to null. Tokens cannot be validated in this state."); } string normalizedIssuer = Configuration.IssuerNameRegistry.GetIssuerName(CustomToken); ClaimsIdentity identity = new ClaimsIdentity(AuthenticationTypes.Federation); foreach (string key in tokenProperties.Keys) { if (!IsReservedKeyName(key) && !string.IsNullOrEmpty(tokenProperties[key])) { identity.AddClaim(new Claim(key, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer)); if (key == AcsNameClaimType) { // add a default name claim from the Name identifier claim. identity.AddClaim(new Claim(DefaultNameClaimType, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer)); } } } return(identity); }
public override SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor) { if (tokenDescriptor == null) { throw new ArgumentNullException("tokenDescriptor"); } NameValueCollection properties = new NameValueCollection(); properties.Add(CustomTokenConstants.Id, Guid.NewGuid().ToString()); properties.Add(CustomTokenConstants.Issuer, tokenDescriptor.TokenIssuerName); properties.Add(CustomTokenConstants.Audience, tokenDescriptor.AppliesToAddress); properties.Add(CustomTokenConstants.ExpiresOn, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Expires)); properties.Add(CustomTokenConstants.ValidFrom, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Created)); foreach (Claim claim in tokenDescriptor.Subject.Claims) { properties.Add(claim.Type, claim.Value); } CustomToken token = new CustomToken(properties); return(token); }
/// <summary> /// Serializes the given SecurityToken to the XmlWriter. /// </summary> /// <param name="writer">XmlWriter into which the token is serialized.</param> /// <param name="token">SecurityToken to be serialized.</param> public override void WriteToken(XmlWriter writer, SecurityToken token) { CustomToken CustomToken = token as CustomToken; if (CustomToken == null) { throw new SecurityTokenException("The given token is not of the expected type 'CustomToken'."); } string signedToken = null; if (String.IsNullOrEmpty(CustomToken.SerializedToken)) { StringBuilder strBuilder = new StringBuilder(); bool skipDelimiter = true; NameValueCollection tokenProperties = CustomToken.GetAllProperties(); // Remove the signature if present if (String.IsNullOrEmpty(tokenProperties[CustomTokenConstants.Signature])) { tokenProperties.Remove(CustomTokenConstants.Signature); } foreach (string key in tokenProperties.Keys) { if (tokenProperties[key] != null) { if (!skipDelimiter) { strBuilder.Append(ParameterSeparator); } strBuilder.Append(String.Format( CultureInfo.InvariantCulture, "{0}={1}", HttpUtility.UrlEncode(key), HttpUtility.UrlEncode(tokenProperties[key]))); skipDelimiter = false; } } string serializedToken = strBuilder.ToString(); CustomTokenKeyIdentifierClause clause = new CustomTokenKeyIdentifierClause(CustomToken.Audience); InMemorySymmetricSecurityKey securityKey = null; try { securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause); } catch (InvalidOperationException) { throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause."); } // append the signature string signature = GenerateSignature(serializedToken, securityKey.GetSymmetricKey()); strBuilder.Append(String.Format( CultureInfo.InvariantCulture, "{0}{1}={2}", ParameterSeparator, HttpUtility.UrlEncode(CustomTokenConstants.Signature), HttpUtility.UrlEncode(signature))); signedToken = strBuilder.ToString(); } else { // Reuse the stored serialized token if present signedToken = CustomToken.SerializedToken; } string encodedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedToken)); writer.WriteStartElement(BinarySecurityToken); writer.WriteAttributeString("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", token.Id); writer.WriteAttributeString(ValueType, CustomTokenConstants.ValueTypeUri); writer.WriteAttributeString(EncodingType, Base64EncodingType); writer.WriteString(encodedToken); writer.WriteEndElement(); }