private static void CreateClaims(SimpleWebToken swt, StringBuilder sb)
{
var claims = new Dictionary<string, string>();
foreach (var claim in swt.Claims)
{
claims.Add(claim.ClaimType, claim.Value);
}
foreach (var kv in claims)
{
sb.AppendFormat("{0}={1}&", HttpUtility.UrlEncode(kv.Key), HttpUtility.UrlEncode(kv.Value));
}
}
/// <summary>
/// Reads a serialized token and converts it into a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="rawToken">The token in serialized form.</param>
/// <returns>The parsed form of the token.</returns>
public SecurityToken ReadToken(string rawToken)
{
char parameterSeparator = '&';
Uri audienceUri = null;
string issuer = null;
string signature = null;
string unsignedString = null;
string expires = null;
if (string.IsNullOrEmpty(rawToken))
{
throw new ArgumentNullException("rawToken");
}
//
// Find the last parameter. The signature must be last per SWT specification.
//
int lastSeparator = rawToken.LastIndexOf(parameterSeparator);
// Check whether the last parameter is an hmac.
//
if (lastSeparator > 0)
{
string lastParamStart = parameterSeparator + Digest256Label + "=";
string lastParam = rawToken.Substring(lastSeparator);
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
// e.g. name1=value1&name2=value2&HMACSHA256=XXX123 -> name1=value1&name2=value2
//
if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedString = rawToken.Substring(0, lastSeparator);
}
}
else
{
throw new SecurityTokenValidationException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Signature is a mandatory parameter, and it must be the last one.
// If there's no trailing hmac, Return error.
//
if (unsignedString == null)
{
throw new SecurityTokenValidationException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Create a collection of SWT claims
//
NameValueCollection rawClaims = ParseToken(rawToken);
audienceUri = new Uri(rawClaims[AudienceLabel]);
if (audienceUri != null)
{
rawClaims.Remove(AudienceLabel);
}
else
{
throw new SecurityTokenValidationException("Then incoming token does not have an AudienceUri.");
}
expires = rawClaims[ExpiresOnLabel];
if (expires != null)
{
rawClaims.Remove(ExpiresOnLabel);
}
else
{
throw new SecurityTokenValidationException("Then incoming token does not have an expiry time.");
}
issuer = rawClaims[IssuerLabel];
if (issuer != null)
{
rawClaims.Remove(IssuerLabel);
}
else
{
throw new SecurityTokenValidationException("Then incoming token does not have an Issuer");
}
signature = rawClaims[Digest256Label];
if (signature != null)
{
rawClaims.Remove(Digest256Label);
}
else
{
throw new SecurityTokenValidationException("Then incoming token does not have a signature");
}
List<Claim> claims = DecodeClaims(issuer, rawClaims);
SimpleWebToken swt = new SimpleWebToken(audienceUri, issuer, DecodeExpiry(expires), claims, signature, unsignedString, rawToken);
return swt;
}
/// <summary>
/// Requests an SWT Token using an input SWT token.
/// </summary>
/// <param name="token">The input SWT token.</param>
/// <param name="scope">The requested scope.</param>
/// <returns>The requested SWT token</returns>
public SimpleWebToken Issue(SimpleWebToken token, Uri scope)
{
return IssueAssertion(token.ToString(), "SWT", scope);
}
