public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
Logger.Info("Start identity token validation");
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
Logger.Error("No clientId supplied, can't find id in identity token.");
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
}
_log.ClientId = clientId;
_log.ValidateLifetime = validateLifetime;
var client = await _clients.FindClientByIdAsync(clientId);
if (client == null)
{
LogError("Unknown or diabled client.");
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
_log.ClientName = client.ClientName;
var signingKey = new X509SecurityKey(_options.SigningCertificate);
var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime);
result.Client = client;
if (result.IsError)
{
LogError("Error validating JWT");
return(result);
}
if (_options.LoggingOptions.IncludeSensitiveDataInLogs)
{
_log.Claims = result.Claims.ToClaimsDictionary();
}
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
LogError("Custom validator failed: " + customResult.Error ?? "unknown");
return(customResult);
}
if (_options.LoggingOptions.IncludeSensitiveDataInLogs)
{
_log.Claims = customResult.Claims.ToClaimsDictionary();
}
LogSuccess();
return(customResult);
}
public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
}
var client = await _clients.FindClientByIdAsync(clientId);
if (client == null)
{
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
SecurityKey signingKey;
if (client.IdentityTokenSigningKeyType == SigningKeyTypes.ClientSecret)
{
signingKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(client.ClientSecret));
}
else
{
signingKey = new X509SecurityKey(_options.SigningCertificate);
}
var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime);
result.Client = client;
if (result.IsError)
{
return(result);
}
Logger.Debug("Calling custom token validator");
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
Logger.Error("Custom validator failed: " + customResult.Error ?? "unknown");
}
return(customResult);
}
public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
_logger.LogDebug("Start identity token validation");
if (token.Length > _options.InputLengthRestrictions.Jwt)
{
_logger.LogError("JWT too long");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
_logger.LogError("No clientId supplied, can't find id in identity token.");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
}
_log.ClientId = clientId;
_log.ValidateLifetime = validateLifetime;
var client = await _clients.FindEnabledClientByIdAsync(clientId);
if (client == null)
{
_logger.LogError("Unknown or diabled client: {clientId}.", clientId);
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
_log.ClientName = client.ClientName;
_logger.LogDebug("Client found: {clientId} / {clientName}", client.ClientId, client.ClientName);
var keys = await _keys.GetValidationKeysAsync();
var result = await ValidateJwtAsync(token, clientId, keys, validateLifetime);
result.Client = client;
if (result.IsError)
{
LogError("Error validating JWT");
return(result);
}
_log.Claims = result.Claims.ToClaimsDictionary();
_logger.LogDebug("Calling into custom token validator: {type}", _customValidator.GetType().FullName);
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
LogError("Custom validator failed: " + (customResult.Error ?? "unknown"));
return(customResult);
}
_log.Claims = customResult.Claims.ToClaimsDictionary();
LogSuccess();
return(customResult);
}
public async Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
_logger.LogDebug("Start identity token validation");
if (token.Length > _options.InputLengthRestrictions.Jwt)
{
_logger.LogError("JWT too long");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
_logger.LogError("No clientId supplied, can't find id in identity token.");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
}
_log.ClientId = clientId;
_log.ValidateLifetime = validateLifetime;
var client = await _clients.FindEnabledClientByIdAsync(clientId);
if (client == null)
{
_logger.LogError("Unknown or disabled client: {clientId}.", clientId);
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
_log.ClientName = client.ClientName;
_logger.LogDebug("Client found: {clientId} / {clientName}", client.ClientId, client.ClientName);
var keys = await _keys.GetValidationKeysAsync();
var result = await ValidateJwtAsync(token, clientId, keys, validateLifetime);
result.Client = client;
if (result.IsError)
{
LogError("Error validating JWT");
return(result);
}
_log.Claims = result.Claims.ToClaimsDictionary();
// make sure user is still active (if sub claim is present)
var subClaim = result.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject);
if (subClaim != null)
{
var principal = Principal.Create("tokenvalidator", result.Claims.ToArray());
var isActiveCtx = new IsActiveContext(principal, result.Client, IdentityServerConstants.ProfileIsActiveCallers.IdentityTokenValidation);
await _profile.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
_logger.LogError("User marked as not active: {subject}", subClaim.Value);
result.IsError = true;
result.Error = OidcConstants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return(result);
}
}
_logger.LogDebug("Calling into custom token validator: {type}", _customValidator.GetType().FullName);
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
LogError("Custom validator failed: " + (customResult.Error ?? "unknown"));
return(customResult);
}
_log.Claims = customResult.Claims.ToClaimsDictionary();
LogSuccess();
return(customResult);
}
public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
Logger.Info("Start identity token validation");
if (token.Length > _options.InputLengthRestrictions.Jwt)
{
Logger.Error("JWT too long");
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
if (clientId.IsMissing())
{
clientId = GetClientIdFromJwt(token);
if (clientId.IsMissing())
{
Logger.Error("No clientId supplied, can't find id in identity token.");
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
}
_log.ClientId = clientId;
_log.ValidateLifetime = validateLifetime;
var client = await _clients.FindClientByIdAsync(clientId);
if (client == null)
{
LogError("Unknown or disabled client.");
return(Invalid(Constants.ProtectedResourceErrors.InvalidToken));
}
_log.ClientName = client.ClientName;
var certs = await _keyService.GetPublicKeysAsync();
var result = await ValidateJwtAsync(token, clientId, certs, validateLifetime);
result.Client = client;
if (result.IsError)
{
LogError("Error validating JWT");
return(result);
}
_log.Claims = result.Claims.ToClaimsDictionary();
var customResult = await _customValidator.ValidateIdentityTokenAsync(result);
if (customResult.IsError)
{
LogError("Custom validator failed: " + (customResult.Error ?? "unknown"));
return(customResult);
}
_log.Claims = customResult.Claims.ToClaimsDictionary();
LogSuccess();
return(customResult);
}