public virtual string WriteTokenAsString(System.IdentityModel.Tokens.SecurityToken token)
{
Utility.VerifyNonNullArgument("token", token);
JsonWebSecurityToken jsonWebSecurityToken = token as JsonWebSecurityToken;
if (jsonWebSecurityToken == null)
{
throw new System.ArgumentException("Unsupported token type", "token");
}
if (jsonWebSecurityToken.CanWriteSourceData)
{
return(jsonWebSecurityToken.WriteSourceData());
}
System.Collections.Generic.IDictionary <string, string> self = jsonWebSecurityToken.CreateHeaderClaims();
System.Collections.Generic.IDictionary <string, string> self2 = jsonWebSecurityToken.CreatePayloadClaims();
string text = string.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}.{1}", new object[]
{
Base64UrlEncoder.Encode(self.EncodeToJson()),
Base64UrlEncoder.Encode(self2.EncodeToJson())
});
string text2 = this.Sign(text, jsonWebSecurityToken.SigningCredentials);
return(string.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}.{1}", new object[]
{
text,
text2
}));
}
private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.SecurityToken token, bool isActorToken)
{
JsonWebSecurityToken jsonWebSecurityToken = token as JsonWebSecurityToken;
if (jsonWebSecurityToken == null)
{
return(base.ValidateToken(token));
}
if (base.Configuration == null)
{
throw new System.InvalidOperationException("No configuration.");
}
if (base.Configuration.IssuerNameRegistry == null)
{
throw new System.InvalidOperationException("No issuername registry configured.");
}
this.ValidateLifetime(jsonWebSecurityToken);
this.ValidateAudience(jsonWebSecurityToken);
System.IdentityModel.Tokens.X509SecurityToken x509SecurityToken = jsonWebSecurityToken.IssuerToken as System.IdentityModel.Tokens.X509SecurityToken;
if (x509SecurityToken != null)
{
base.Configuration.CertificateValidator.Validate(x509SecurityToken.Certificate);
}
ClaimsIdentityCollection claimsIdentityCollection = new ClaimsIdentityCollection();
ClaimsIdentity claimsIdentity = new ClaimsIdentity("Federation");
if (!isActorToken && jsonWebSecurityToken.ActorToken != null)
{
ValidateActorTokenForAppOnly(jsonWebSecurityToken.ActorToken);
ClaimsIdentityCollection claimsIdentityCollection2 = this.ValidateActorToken(jsonWebSecurityToken.ActorToken);
if (claimsIdentityCollection2.Count > 1)
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Invalid JWT token. Actor has multiple identities.");
}
claimsIdentity.Actor = claimsIdentityCollection2[0];
}
string issuerName = this.GetIssuerName(jsonWebSecurityToken);
foreach (JsonWebTokenClaim current in jsonWebSecurityToken.Claims)
{
if (claimsIdentity.Actor == null || !System.StringComparer.Ordinal.Equals("actortoken", current.ClaimType))
{
string text = current.Value;
if (text == null)
{
text = "NULL";
}
claimsIdentity.Claims.Add(new Claim(current.ClaimType, text, "http://www.w3.org/2001/XMLSchema#string", issuerName));
}
}
if (!isActorToken && base.Configuration.SaveBootstrapTokens)
{
claimsIdentity.BootstrapToken = token;
}
claimsIdentityCollection.Add(claimsIdentity);
return(claimsIdentityCollection);
}
/// <summary>
///Validates that the actor token is an app token by checking for the lack of user claims
/// </summary>
/// <param name="actorToken"></param>
private static void ValidateActorTokenForAppOnly(JsonWebSecurityToken actorToken)
{
if (actorToken != null)
{
if (actorToken.Claims.FirstOrDefault <JsonWebTokenClaim>(x => x.ClaimType.Equals("scp")) != null ||
actorToken.Claims.FirstOrDefault <JsonWebTokenClaim>(x => x.ClaimType.Equals("upn")) != null ||
actorToken.Claims.FirstOrDefault <JsonWebTokenClaim>(x => x.ClaimType.Equals("unique_name")) != null ||
actorToken.Claims.FirstOrDefault <JsonWebTokenClaim>(x => x.ClaimType.Equals("altsecid")) != null)
{
throw new UnauthorizedAccessException("Invalid actor token.");
}
}
}
protected virtual string GetIssuerName(JsonWebSecurityToken token)
{
if (token.IssuerToken == null)
{
throw new System.IdentityModel.Tokens.SecurityTokenException("JWT tokens must be signed.");
}
string issuerName = base.Configuration.IssuerNameRegistry.GetIssuerName(token.IssuerToken, token.Issuer);
if (string.IsNullOrEmpty(issuerName))
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Invalid issuer or signature.");
}
return(issuerName);
}
protected virtual void ValidateAudience(JsonWebSecurityToken token)
{
if (base.Configuration.AudienceRestriction.AudienceMode == System.IdentityModel.Selectors.AudienceUriMode.Always || base.Configuration.AudienceRestriction.AudienceMode == System.IdentityModel.Selectors.AudienceUriMode.BearerKeyOnly)
{
if (string.IsNullOrEmpty(token.Audience))
{
throw new Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException("Audience URI validation failed. Token audience must be specified.");
}
AudienceValidator.ValidateAudiences(base.Configuration.AudienceRestriction.AllowedAudienceUris, new System.Uri[]
{
new System.Uri(token.Audience, System.UriKind.RelativeOrAbsolute)
});
}
}
public override System.IdentityModel.Tokens.SecurityToken ReadToken(System.Xml.XmlReader reader)
{
if (!this.CanReadToken(reader))
{
throw new System.Xml.XmlException("Unsupported security token.");
}
string id = null;
string jsonTokenString = this.GetJsonTokenString(reader, out id);
JsonWebSecurityToken jsonWebSecurityToken = this.ReadToken(jsonTokenString) as JsonWebSecurityToken;
if (jsonWebSecurityToken != null)
{
jsonWebSecurityToken.SetId(id);
}
return(jsonWebSecurityToken);
}
private JsonWebSecurityToken ReadActor(System.Collections.Generic.IDictionary <string, string> payload)
{
if (!this.JsonWebSecurityTokenRequirement.AllowActorToken)
{
return(null);
}
JsonWebSecurityToken result = null;
string text;
payload.TryGetValue("actortoken", out text);
if (!string.IsNullOrEmpty(text))
{
result = (this.ReadTokenCore(text, true) as JsonWebSecurityToken);
payload.Remove("actortoken");
}
return(result);
}
protected virtual void ValidateLifetime(JsonWebSecurityToken token)
{
System.TimeSpan maxClockSkew = base.Configuration.MaxClockSkew;
System.DateTime utcNow = System.DateTime.UtcNow;
if (maxClockSkew < System.TimeSpan.Zero)
{
throw new System.InvalidOperationException("No valid ClockSkew configured.");
}
if (token.ValidTo < utcNow - maxClockSkew)
{
throw new Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException("Invalid JWT token. The token is expired.");
}
if (token.ValidFrom > utcNow + maxClockSkew)
{
throw new Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException(string.Concat(new object[]
{
"Invalid JWT token. The token is not yet valid. Current time is ",
utcNow,
" and the token is Valid from ",
token.ValidFrom,
"."
}));
}
}
protected virtual ClaimsIdentityCollection ValidateActorToken(JsonWebSecurityToken actorToken)
{
return(this.ValidateTokenCore(actorToken, true));
}
private System.IdentityModel.Tokens.SecurityToken ReadTokenCore(string token, bool isActorToken)
{
Utility.VerifyNonNullOrEmptyStringArgument("token", token);
if (base.Configuration == null)
{
throw new System.InvalidOperationException("No configuration");
}
if (base.Configuration.IssuerTokenResolver == null)
{
throw new System.InvalidOperationException("No configured IssuerTokenResolver");
}
if (!this.CanReadToken(token))
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Unsupported security token.");
}
string[] array = token.Split(new char[]
{
'.'
});
string text = array[0];
string text2 = array[1];
string text3 = array[2];
System.Collections.Generic.Dictionary <string, string> dictionary = new System.Collections.Generic.Dictionary <string, string>(System.StringComparer.Ordinal);
dictionary.DecodeFromJson(Base64UrlEncoder.Decode(text));
System.Collections.Generic.Dictionary <string, string> dictionary2 = new System.Collections.Generic.Dictionary <string, string>(System.StringComparer.Ordinal);
dictionary2.DecodeFromJson(Base64UrlEncoder.Decode(text2));
string text4;
dictionary.TryGetValue("alg", out text4);
System.IdentityModel.Tokens.SecurityToken issuerToken = null;
if (!System.StringComparer.Ordinal.Equals(text4, "none"))
{
if (string.IsNullOrEmpty(text3))
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Missing signature.");
}
System.IdentityModel.Tokens.SecurityKeyIdentifier signingKeyIdentifier = this.GetSigningKeyIdentifier(dictionary, dictionary2);
System.IdentityModel.Tokens.SecurityToken securityToken;
base.Configuration.IssuerTokenResolver.TryResolveToken(signingKeyIdentifier, out securityToken);
if (securityToken == null)
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Invalid JWT token. Could not resolve issuer token.");
}
issuerToken = this.VerifySignature(string.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}.{1}", new object[]
{
text,
text2
}), text3, text4, securityToken);
}
JsonWebSecurityToken actorToken = null;
if (!isActorToken)
{
actorToken = this.ReadActor(dictionary2);
}
string text5;
dictionary2.TryGetValue("iss", out text5);
if (string.IsNullOrEmpty(text5))
{
throw new System.IdentityModel.Tokens.SecurityTokenValidationException("The token being parsed does not have an issuer.");
}
string text6;
dictionary2.TryGetValue("aud", out text6);
if (string.IsNullOrEmpty(text6))
{
throw new System.IdentityModel.Tokens.SecurityTokenValidationException("The token being parsed does not have an audience.");
}
string text7;
dictionary2.TryGetValue("nbf", out text7);
if (string.IsNullOrEmpty(text7))
{
throw new System.IdentityModel.Tokens.SecurityTokenValidationException("The token being parsed does not have an 'not before' claim.");
}
System.DateTime dateTimeFromSeconds = this.GetDateTimeFromSeconds(text7);
text7 = "";
dictionary2.TryGetValue("exp", out text7);
if (string.IsNullOrEmpty(text7))
{
throw new System.IdentityModel.Tokens.SecurityTokenValidationException("The token being parsed does not have an 'expires at' claim.");
}
System.DateTime dateTimeFromSeconds2 = this.GetDateTimeFromSeconds(text7);
JsonWebSecurityToken jsonWebSecurityToken = new JsonWebSecurityToken(text5, text6, dateTimeFromSeconds, dateTimeFromSeconds2, this.CreateClaims(dictionary2), issuerToken, actorToken);
jsonWebSecurityToken.CaptureSourceData(token);
return(jsonWebSecurityToken);
}
public JsonWebSecurityToken(string issuer, string audience, System.DateTime validFrom, System.DateTime validTo, System.Collections.Generic.IEnumerable <JsonWebTokenClaim> claims, System.IdentityModel.Tokens.SecurityToken issuerToken, JsonWebSecurityToken actorToken) : this(issuer, audience, validFrom, validTo, claims)
{
this._issuerToken = issuerToken;
this._actorToken = actorToken;
}
