/// <summary>
/// Finds a named collection of <see cref="SecurityKey"/>(s) that match the <see cref="SecurityKeyIdentifierClause"/> and returns a <see cref="NamedKeySecurityToken"/> that contains the <see cref="SecurityKey"/>(s).
/// </summary>
/// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifier"/> to resolve to a <see cref="SecurityToken"/></param>
/// <param name="token">The resolved <see cref="SecurityToken"/>.</param>
/// <remarks>If there is no match, then <see cref="IssuerTokenResolver"/> and 'base' are called in order.</remarks>
/// <returns>true if token was resolved.</returns>
/// <exception cref="ArgumentNullException">if 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
token = null;
NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause;
if (namedKeyIdentifierClause != null)
{
IList <SecurityKey> resolvedKeys = null;
if (this.keys.TryGetValue(namedKeyIdentifierClause.Name, out resolvedKeys))
{
token = new NamedKeySecurityToken(namedKeyIdentifierClause.Name, namedKeyIdentifierClause.Id, resolvedKeys);
return(true);
}
}
if (IssuerTokenResolver != null && IssuerTokenResolver.TryResolveToken(keyIdentifierClause, out token))
{
return(true);
}
return(base.TryResolveTokenCore(keyIdentifierClause, out token));
}
/// <summary>
/// Gets the first<see cref="SecurityKey"/> that matches a <see cref="SecurityKeyIdentifierClause"/>
/// </summary>
/// <param name="keyIdentifierClause">the <see cref="SecurityKeyIdentifierClause"/> to match.</param>
/// <returns>The first <see cref="SecurityKey"/> that matches the <see cref="SecurityKeyIdentifierClause"/>.
/// <para>null if there is no match.</para></returns>
/// <para>Only <see cref="NamedKeySecurityKeyIdentifierClause"/> are matched.</para>
/// <exception cref="ArgumentNullException">'keyIdentifierClause' is null.</exception>
public override SecurityKey ResolveKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
// if name matches, return first non null
NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause;
if (namedKeyIdentifierClause != null)
{
if (string.Equals(namedKeyIdentifierClause.Name, this.name, StringComparison.Ordinal))
{
foreach (SecurityKey securityKey in this.securityKeys)
{
if (securityKey == null)
{
continue;
}
return(securityKey);
}
}
}
return(null);
}
/// <summary>
/// Answers if the <see cref="SecurityKeyIdentifierClause"/> is a match.
/// </summary>
/// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifierClause"/></param>
/// <returns>true if matched.</returns>
/// <remarks><para>A successful match occurs when <see cref="NamedKeySecurityKeyIdentifierClause.Name"/> == <see cref="Id"/>.</para>
/// <para>Only <see cref="NamedKeySecurityKeyIdentifierClause"/> are matched.</para></remarks>
/// <exception cref="ArgumentNullException">'keyIdentifierClause' is null.</exception>
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause;
if (namedKeyIdentifierClause != null)
{
if (string.Equals(namedKeyIdentifierClause.Id, this.id, StringComparison.Ordinal) &&
string.Equals(namedKeyIdentifierClause.Name, this.name, StringComparison.Ordinal))
{
return(true);
}
}
return(false);
}
/// <summary>
/// Initializes a new instance of the <see cref="JwtHeader"/> class. With the Header Parameters as follows:
/// <para>{ { typ, JWT }, { alg, Mapped( <see cref="System.IdentityModel.Tokens.SigningCredentials.SignatureAlgorithm"/> } }
/// See: Algorithm Mapping below.</para>
/// </summary>
/// <param name="signingCredentials">The <see cref="SigningCredentials"/> that will be or were used to sign the <see cref="JwtSecurityToken"/>.</param>
/// <remarks>
/// <para>For each <see cref="SecurityKeyIdentifierClause"/> in signingCredentials.SigningKeyIdentifier</para>
/// <para>if the clause is a <see cref="NamedKeySecurityKeyIdentifierClause"/> Header Parameter { clause.Name, clause.Id } will be added.</para>
/// <para>For example, if clause.Name == 'kid' and clause.Id == 'SecretKey99'. The JSON object { kid, SecretKey99 } would be added.</para>
/// <para>In addition, if the <see cref="SigningCredentials"/> is a <see cref="X509SigningCredentials"/> the JSON object { x5t, Base64UrlEncoded( <see cref="X509Certificate.GetCertHashString()"/> } will be added.</para>
/// <para>This simplifies the common case where a X509Certificate is used.</para>
/// <para>================= </para>
/// <para>Algorithm Mapping</para>
/// <para>================= </para>
/// <para><see cref="System.IdentityModel.Tokens.SigningCredentials.SignatureAlgorithm"/> describes the algorithm that is discoverable by the CLR runtime.</para>
/// <para>The { alg, 'value' } placed in the header reflects the JWT specification.</para>
/// <see cref="JwtSecurityTokenHandler.OutboundAlgorithmMap"/> contains a signature mapping where the 'value' above will be translated according to this mapping.
/// <para>Current mapping is:</para>
/// <para>    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'RS256'</para>
/// <para>    'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' => 'HS256'</para>
/// </remarks>
public JwtHeader(SigningCredentials signingCredentials = null)
: base(StringComparer.Ordinal)
{
this[JwtHeaderParameterNames.Typ] = JwtConstants.HeaderType;
if (signingCredentials != null)
{
this.signingCredentials = signingCredentials;
string algorithm = signingCredentials.SignatureAlgorithm;
if (JwtSecurityTokenHandler.OutboundAlgorithmMap.ContainsKey(signingCredentials.SignatureAlgorithm))
{
algorithm = JwtSecurityTokenHandler.OutboundAlgorithmMap[algorithm];
}
this[JwtHeaderParameterNames.Alg] = algorithm;
if (signingCredentials.SigningKeyIdentifier != null)
{
foreach (SecurityKeyIdentifierClause clause in signingCredentials.SigningKeyIdentifier)
{
NamedKeySecurityKeyIdentifierClause namedKeyClause = clause as NamedKeySecurityKeyIdentifierClause;
if (namedKeyClause != null)
{
this[namedKeyClause.Name] = namedKeyClause.Id;
}
}
}
X509SigningCredentials x509SigningCredentials = signingCredentials as X509SigningCredentials;
if (x509SigningCredentials != null && x509SigningCredentials.Certificate != null)
{
this[JwtHeaderParameterNames.X5t] = Base64UrlEncoder.Encode(x509SigningCredentials.Certificate.GetCertHash());
}
}
else
{
this[JwtHeaderParameterNames.Alg] = JwtAlgorithms.NONE;
}
}
