public static ClaimsPrincipal ValidateToken(this SecurityTokenHandlerCollection tokenHandlers, string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
if (tokenHandlers == null)
{
throw new ArgumentNullException("tokenHandlers");
}
if (securityToken == null)
{
throw new ArgumentNullException("securityToken");
}
if (validationParameters == null)
{
throw new ArgumentNullException("validationParameters");
}
bool iSecurityTokenValidatorFound = false;
foreach (SecurityTokenHandler tokenHandler in tokenHandlers)
{
ISecurityTokenValidator securityTokenValidator = tokenHandler as ISecurityTokenValidator;
if (securityTokenValidator != null && securityTokenValidator.CanReadToken(securityToken))
{
iSecurityTokenValidatorFound = true;
return(securityTokenValidator.ValidateToken(securityToken, validationParameters, out validatedToken));
}
}
if (iSecurityTokenValidatorFound)
{
throw new SecurityTokenValidationException(ErrorMessages.IDX10201);
}
else
{
throw new SecurityTokenValidationException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10201, securityToken));
}
}
public async Task <ClaimsPrincipal> ValidateTokenAsync(string token)
{
if (!securityTokenValidator.CanReadToken(token))
{
logger.LogError(AuthenticationResources.TokenInvalid);
return(null);
}
if (ValidationParameters == null)
{
var openIdConnectConfiguration = await configurationManager.GetConfigurationAsync(CancellationToken.None);
ValidationParameters = new TokenValidationParameters()
{
IssuerSigningKeys = openIdConnectConfiguration.SigningKeys,
RequireSignedTokens = true,
ValidAudiences = tokenValidatorConfiguration.ValidAudiences,
ValidateAudience = true,
ValidIssuers = tokenValidatorConfiguration.ValidIssuers,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
};
}
ClaimsPrincipal claimsPrincipal = null;
try
{
claimsPrincipal = securityTokenValidator.ValidateToken(token, ValidationParameters, out _);
}
catch (SecurityTokenException ex)
{
logger.LogError(ex.Message);
}
return(claimsPrincipal);
}
public bool CanReadToken(string securityToken)
{
return(_underlyingValidator.CanReadToken(securityToken));
}
public async Task Invoke(HttpContext context,
ISecurityTokenValidator tokenValidator,
IOptions <DelegationOptions> options,
ITokenValidationParametersFactory tokenValidationParametersFactory)
{
if (tokenValidator == null)
{
throw new ArgumentNullException(nameof(tokenValidator), $"{nameof(tokenValidator)} cannot be null.");
}
if (tokenValidationParametersFactory == null)
{
throw new ArgumentNullException(nameof(tokenValidationParametersFactory), $"{nameof(tokenValidationParametersFactory)} cannot be null.");
}
var validationParameters = tokenValidationParametersFactory.Create();
// get DelegationUser added as scoped service
var delegationUser = context.RequestServices.GetService(typeof(IDelegationUser)) as DelegationUser;
bool delegationUserParsed = false;
var token = string.Empty;
try
{
token = GetDelegationJwtToken(context, options.Value.DelegationHeader);
if (!string.IsNullOrWhiteSpace(token))
{
if (tokenValidator.CanReadToken(token))
{
ClaimsPrincipal principal = null;
SecurityToken validatedToken = null;
try
{
principal = tokenValidator.ValidateToken(token, validationParameters, out validatedToken);
_logger.LogInformation($"Jwt delegation token validation succeeded");
}
catch (Exception ex)
{
_logger.LogInformation($"Jwt delegation token validation failed. Exception: {ex.ToString()}");
throw;
}
ClaimsIdentity claimsIdentity = principal.Identities?.FirstOrDefault();
if (claimsIdentity != null && delegationUser.TrySetValues(claimsIdentity, token))
{
delegationUserParsed = true;
}
}
}
}
catch (Exception ex)
{
_logger.LogInformation($"Processing delegation user failed. Exception: {ex.ToString()}");
throw;
}
if (delegationUserParsed)
{
delegationUser.SetValid(true);
_logger.LogInformation($"Request for delegated user: { delegationUser.Sub} ({delegationUser.GivenName} {delegationUser.SurName})");
}
else
{
delegationUser.SetValid(false);
var info = $"No delegated user detected for request { (string.IsNullOrWhiteSpace(token) ? "(no delegation token found)" : $"(delegation token: {token})") }.";
_logger.LogInformation(info);
}
await _next.Invoke(context);
}