private static string GetSignedClientAssertionUsingWilson( string issuer, string aud, X509Certificate2 cert) { // no need to add exp, nbf as JsonWebTokenHandler will add them by default. var claims = new Dictionary <string, object>() { { "aud", aud }, { "iss", issuer }, { "jti", Guid.NewGuid().ToString() }, { "sub", issuer } }; var securityTokenDescriptor = new SecurityTokenDescriptor { Claims = claims, SigningCredentials = new X509SigningCredentials(cert) }; var handler = new JsonWebTokenHandler(); var signedClientAssertion = handler.CreateToken(securityTokenDescriptor); return(signedClientAssertion); }
public static void Run() { var key = new RsaSecurityKey(RSA.Create(2048)) { KeyId = Guid.NewGuid().ToString() }; var jweKey = new EncryptingCredentials(key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256); var payloadRepresentation = new List <Claim>() { new("claim1", "10"), new("claim2", "claim2-value"), new ("name", "Bruno Brito"), new ("given_name", "Bruno"), new ("logins", "brunohbrito"), new ("logins", "bhdebrito"), new ("logins", "bruno_hbrito"), }; var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(payloadRepresentation), EncryptingCredentials = jweKey }; var jwe = handler.CreateToken(jwt); Console.ResetColor(); Console.ForegroundColor = ConsoleColor.Yellow; Console.Write("JWE: "); Console.ForegroundColor = ConsoleColor.Cyan; Console.WriteLine(jwe); Console.ResetColor(); var result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = jweKey.Key }); var claims = JsonSerializer.Serialize(result.Claims, new JsonSerializerOptions() { WriteIndented = true }); Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine("Claims: "); Console.ForegroundColor = ConsoleColor.Cyan; Console.WriteLine(claims); Console.ResetColor(); }
public IActionResult GetJwtForChat() { Account account = _accountService.GetAccount(Guid.Parse(HttpContext.User.Identity.Name)); var iat = new DateTimeOffset(DateTime.UtcNow).ToUnixTimeSeconds(); var exp = new DateTimeOffset(DateTime.UtcNow.AddMinutes(5)).ToUnixTimeSeconds(); var payload = "{" + "\"iat\":" + iat.ToString() + ", " + "\"exp\":" + exp.ToString() + ", " + "\"external_id\":\"" + account.Id.ToString() + "\", " + "\"name\":\"" + account.FirstName + "\", " + "\"email\":\"" + account.Email + "\"" + "}"; var jsonWebTokenHandler = new JsonWebTokenHandler(); //var jsonWebToken = new JsonWebToken("{\"typ\":\"JWT\", \"alg\":\"HS256\"}", payload); var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["ZendeskSharedKey"])); var signingCredentials = new SigningCredentials(key, "HS256"); var token = jsonWebTokenHandler.CreateToken(payload, signingCredentials); return(Ok(token)); }
public static void Authorize() { var txtreader = new StringReader(Authorization.privateKey); var rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters) new PemReader(txtreader).ReadObject()); var jwtsigner = new JsonWebTokenHandler(); var now = DateTime.UtcNow; var descriptor = new SecurityTokenDescriptor { Issuer = Authorization.clientId, Audience = "https://xenqu.com", Expires = now.AddMinutes(5), Claims = new Dictionary <string, object> { { "sub", Authorization.subscriber } }, SigningCredentials = new SigningCredentials(new RsaSecurityKey(rsaParams), "RS256") }; var data = "grant_type=" + Uri.EscapeDataString("urn:ietf:params:oauth:grant-type:jwt-bearer") + "&assertion=" + Uri.EscapeDataString(jwtsigner.CreateToken(descriptor)); var provider = ServiceProvider.Instance; var results = JObject.Parse(provider.PostData("/oauth2/token", "application/x-www-form-urlencoded", data)); Authorization.tokenKey = (string)results["token"]; Authorization.tokenSecret = (string)results["token_secret"]; Authorization.tokenExpires = Convert.ToDouble((string)results["expires"]); }
/// <summary> /// Generate JWT /// </summary> /// <returns></returns> internal string GenerateToken() { try { // ... Build ClaimSet var claims = new ClaimsIdentity(new Claim[] { new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), new Claim(JwtRegisteredClaimNames.Sub, AppId) }); // ... Build Token Descriptor var securityTokenDescriptor = new SecurityTokenDescriptor { Subject = claims, Audience = EndPoint, Issuer = AppId, NotBefore = DateTime.Now, Expires = DateTime.Now.AddMinutes(ExpiryMinutes), SigningCredentials = new X509SigningCredentials(X509Cert) }; // ... Build JWT Token var handler = new JsonWebTokenHandler(); return(handler.CreateToken(securityTokenDescriptor)); } catch (Exception ex) { throw new Exception("Failed in Generate JWT, error " + ex.Message); } }
private void CreateTokenButton_Click(object sender, RoutedEventArgs e) { var principal = Principal.Create("InMemory", new Claim(ClaimTypes.Name, UserName.Text)); var tokenType = GetTokenType(); var sts = new STS(); SecurityToken token; var success = sts.TryIssueToken( new EndpointReference(Realm.Text), principal, tokenType, out token); if (success) { if (tokenType == TokenTypes.Saml2TokenProfile11 || tokenType == TokenTypes.Saml11TokenProfile11) { var xml = token.ToTokenXmlString(); Output.Text = XElement.Parse(xml).ToString(); } if (tokenType == TokenTypes.JsonWebToken) { var tokenString = new JsonWebTokenHandler().WriteToken(token); Output.Text = tokenString; } } else { throw new Exception("Error"); } }
public void ShouldGetCurrentToSignAndValidateJws(string algorithm, KeyType keyType) { var options = new JwksOptions() { Jws = JwsAlgorithm.Create(algorithm, keyType), KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_" }; _jwksService.GenerateSigningCredentials(options); var signingCredentials = _jwksService.GetCurrentSigningCredentials(); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var descriptor = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), SigningCredentials = signingCredentials }; var jwt = handler.CreateToken(descriptor); var result = handler.ValidateToken(jwt, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", IssuerSigningKey = signingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public static async Task <IActionResult> Run([HttpTrigger(Microsoft.Azure.WebJobs.Extensions.Http.AuthorizationLevel.Anonymous)] HttpRequest req, ILogger log) { log.LogInformation("C# HTTP trigger function processed a request."); JsonWebTokenHandler handler = new JsonWebTokenHandler(); string tokenString = req.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].ToString(); var token = handler.ReadJsonWebToken(tokenString); StringBuilder sb = new StringBuilder(); token.Claims.ToList().ForEach(a => { sb.Append($"{a.Type} :: {a.Value}"); sb.Append(System.Environment.NewLine); }); var claimString = sb.ToString(); var nameClaim = token.Claims.Where(c => c.Type == "given_name").FirstOrDefault(); var name = string.Empty; if (nameClaim != null) { name = nameClaim.Value; } return(new OkObjectResult($"Hello, {name}.{System.Environment.NewLine}{System.Environment.NewLine}CLAIMS:{System.Environment.NewLine}{claimString}")); }
/// <summary> /// Creates the authorization token for requests made by users who have logged in. /// </summary> /// <param name="email">The email/username of the user which will be embedded in the token, and later retrieved for validation</param> /// <returns></returns> private string CreateJsonWebToken(string email) { try { JsonWebToken token = new JsonWebToken(); token.Header = new Thinktecture.IdentityModel.Tokens.JwtHeader { SignatureAlgorithm = Thinktecture.IdentityModel.Constants.JwtConstants.SignatureAlgorithms.HMACSHA256, SigningCredentials = new HmacSigningCredentials("Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvk8IUZbg=") }; token.Issuer = "https://chatapiidsvr3/embedded"; token.Audience = new Uri("https://chatapi"); token.Claims = new Dictionary <string, string> { { ClaimTypes.NameIdentifier, email }, { ClaimTypes.Expiration, DateTime.UtcNow.AddDays(2).ToString() } }; JsonWebTokenHandler handler = new JsonWebTokenHandler(); string result = handler.WriteToken(token); return(result); } catch (Exception ex) { throw ex; } }
public void ShouldValidateJwe(string algorithm, KeyType keyType, string encryption) { var options = new JwksOptions() { KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_", Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption) }; var encryptingCredentials = _jwksService.GenerateEncryptingCredentials(options); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), EncryptingCredentials = encryptingCredentials }; var jwe = handler.CreateToken(jwt); var result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = encryptingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public void CanValidateES256() { const string token = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"; var x = Base64Url.DeserializeBytes("f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "ECDSA key X value"); var y = Base64Url.DeserializeBytes("x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "ECDSA key Y value"); var key = new ECDsaSecurityKey(ECDsa.Create(new ECParameters { Q = new ECPoint { X = x, Y = y }, Curve = ECCurve.NamedCurves.nistP384 })); IdentityModelEventSource.ShowPII = true; var result = new JsonWebTokenHandler().ValidateToken(token, new TokenValidationParameters { IssuerSigningKey = key, ClockSkew = TimeSpan.FromDays(4000), ValidIssuer = "joe", ValidateAudience = false }); result.IsValid.ShouldBeTrue(); }
public static bool Validate(string jwtToValidate, string jwks, out IDictionary <string, object>?claims) { JsonWebKeySet jwksObject = new(jwks); var tokenValidationResult = new JsonWebTokenHandler().ValidateToken( jwtToValidate, new() { IssuerSigningKey = jwksObject.GetSigningKeys().First(), CryptoProviderFactory = new() { CacheSignatureProviders = false }, ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false }); if (!tokenValidationResult.IsValid) { claims = null; return(false); } claims = tokenValidationResult.Claims; return(true); }
public string GenerateUserToken(User user) { byte[] key = Encoding.ASCII.GetBytes(_configuration["Auth:TokenSecret"]); var tokenHandle = new JsonWebTokenHandler(); int tokenDurHours = _configuration.GetValue <int>("Auth:TokenDuration"); string[] userRoles = user.Roles.Select(u => u.Role.Name).ToArray(); var claims = new Dictionary <string, object> { { nameof(User.Id), user.Id }, { nameof(User.Name), user.Name }, { nameof(User.Group), user.Group }, { "Roles", userRoles } }; var tokenDescriptor = new SecurityTokenDescriptor { Claims = claims, Expires = DateTime.UtcNow.AddHours(tokenDurHours), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature) }; string token = tokenHandle.CreateToken(tokenDescriptor); Console.WriteLine(token); return(token); }
public static void Run() { var tokenHandler = new JsonWebTokenHandler(); var key = new RsaSecurityKey(RSA.Create(2048)) { KeyId = Guid.NewGuid().ToString() }; Jwt.SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256); var lastJws = tokenHandler.CreateToken(Jwt); Console.WriteLine($"{lastJws}{Environment.NewLine}"); // Store in filesystem // Store HMAC os Filesystem, recover and test if it's valid var jwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(key); File.WriteAllText("current-rsa.key", JsonConvert.SerializeObject(jwk)); var storedJwk = JsonConvert.DeserializeObject <JsonWebKey>(File.ReadAllText("current-rsa.key")); TokenValidationParams.IssuerSigningKey = storedJwk; var validationResult = tokenHandler.ValidateToken(lastJws, TokenValidationParams); Console.WriteLine(validationResult.IsValid); }
private static string GetSignedClientAssertion(string tenantId, string confidentialClientID, string certificatePath, string certPass) { var cert = new X509Certificate2(certificatePath, certPass, X509KeyStorageFlags.EphemeralKeySet); // JsonWebTokenHandler will add defaults var claims = new Dictionary <string, object>() { { "aud", $"https://login.microsoftonline.com/{tenantId}/oauth2/token" }, { "iss", confidentialClientID }, { "jti", Guid.NewGuid().ToString() }, { "sub", confidentialClientID } }; var securityTokenDescriptor = new SecurityTokenDescriptor { Claims = claims, SigningCredentials = new X509SigningCredentials(cert) }; var handler = new JsonWebTokenHandler(); var signedClientAssertion = handler.CreateToken(securityTokenDescriptor); return(signedClientAssertion); }
/// <summary> /// 验证 Token /// </summary> /// <param name="accessToken"></param> /// <param name="jwtSettings"></param> /// <returns></returns> public static (bool IsValid, JsonWebToken Token) Validate(string accessToken, JWTSettingsOptions jwtSettings) { var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.IssuerSigningKey)); var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); var tokenValidationParameters = CreateTokenValidationParameters(jwtSettings); if (tokenValidationParameters.IssuerSigningKey == null) { tokenValidationParameters.IssuerSigningKey = creds.Key; } var tokenHandler = new JsonWebTokenHandler(); try { var tokenValidationResult = tokenHandler.ValidateToken(accessToken, tokenValidationParameters); if (!tokenValidationResult.IsValid) { return(false, null); } var jsonWebToken = tokenValidationResult.SecurityToken as JsonWebToken; return(true, jsonWebToken); } catch { return(false, default);
public async Task <IActionResult> Post([FromBody] UserRequestModel credentials) { ApiUser apiUser = new ApiUser(credentials.UserName); var result = await _userManager.CreateAsync(apiUser, credentials.Password); if (!result.Succeeded) { _logger.LogError($"User creation error: {String.Join(" | ", result.Errors.Select(x => x.Description).ToArray())}"); throw new ApplicationException("Could not create user."); } var now = DateTime.Now; var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(_options.SecretKey)); var tokenHandler = new JsonWebTokenHandler(); var descriptor = new SecurityTokenDescriptor { Issuer = _options.Issuer, IssuedAt = now, NotBefore = now, Expires = now.AddHours(1), Claims = new Dictionary <string, object> { { JwtRegisteredClaimNames.Sub, apiUser.UserName } }, SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256) }; TegetgramUserDTO user = await _userService.GetUser(apiUser.UserName, apiUser.UserName); return(Ok(new { access_token = tokenHandler.CreateToken(descriptor), user = user })); }
public void ManualWriteNoSig() { var jwt = new JsonWebToken { Header = new JwtHeader { SignatureAlgorithm = JwtConstants.SignatureAlgorithms.None }, Audience = new Uri("http://foo.com"), Issuer = "dominick", ExpirationTime = 500000, Claims = new Dictionary <string, string> { { ClaimTypes.Name, "dominick" }, { ClaimTypes.Email, "*****@*****.**" } } }; var handler = new JsonWebTokenHandler(); var token = handler.WriteToken(jwt); Trace.WriteLine(token); Assert.IsTrue(!string.IsNullOrWhiteSpace(token)); var parts = token.Split('.'); Assert.IsTrue(parts.Length == 2, "JWT should have excactly 2 parts"); }
private static TokenValidationResult ValidateSignedToken(string serviceJwt, JsonWebKeySet jwksTrustedSigningKeys, bool includeDetails) { // Now validate the JWT using the signing keys we just discovered TokenValidationParameters tokenValidationParams = new TokenValidationParameters { ValidateAudience = false, ValidateIssuer = false, IssuerSigningKeys = jwksTrustedSigningKeys.GetSigningKeys() }; var jwtHandler = new JsonWebTokenHandler(); var validatedToken = jwtHandler.ValidateToken(serviceJwt, tokenValidationParams); if (!validatedToken.IsValid) { throw new ArgumentException("JWT is not valid (signature verification failed)"); } Logger.WriteLine($"JWT signature validation : True"); if (includeDetails) { X509SecurityKey signingKey = (X509SecurityKey)validatedToken.SecurityToken.SigningKey; if (signingKey.PublicKey is RSA publicKey) { var modulus = publicKey.ExportParameters(false).Modulus; var exponent = publicKey.ExportParameters(false).Exponent; Logger.WriteLine(37, 80, " RSA signing key modulus : ", BitConverter.ToString(modulus).Replace("-", "")); Logger.WriteLine(37, 80, " RSA signing key exponent : ", BitConverter.ToString(exponent).Replace("-", "")); } else { Logger.WriteLine($"Unexpected signing key type. Signing Key Type: {signingKey.PublicKey.GetType()}"); } } return(validatedToken); }
private static TlsFederationMetadata Validate(JwsBody body) { foreach (var signature in body.Signatures) { var key = JsonWebKey.Create(File.ReadAllText("Skolverket.jwk")); var handler = new JsonWebTokenHandler(); var jwsCompact = signature.Protected + "." + body.Payload + "." + signature.Signature; var validation = new TokenValidationParameters() { IssuerSigningKey = key, ValidateAudience = false, ValidateLifetime = false, ValidateIssuer = false }; var tokenValidation = handler.ValidateToken(jwsCompact, validation); if (tokenValidation.IsValid) { var base64 = body.Payload.PadRight(body.Payload.Length + (4 - body.Payload.Length % 4) % 4, '='); var content = Encoding.UTF8.GetString(Convert.FromBase64String(base64)); return(JsonConvert.DeserializeObject <TlsFederationMetadata>(content)); } else { return(null); } } return(null); }
/// <summary> /// Instantiates an instance of private_key_jwt secret validator (used for testing) /// </summary> internal JwtRequestValidator(string audience, ILogger <JwtRequestValidator> logger) { _audienceUri = audience; Logger = logger; Handler = new JsonWebTokenHandler(); }
public async Task <JsonWebToken> ValidateTokenAsync(string accessToken) { var tokenHandler = new JsonWebTokenHandler(); var tokenValidationParameters = new TokenValidationParameters() { ValidAudience = ".Api", IssuerSigningKey = SecurityKey, RequireExpirationTime = false, ValidateLifetime = false, ValidateIssuer = false }; var tokenValidationResult = tokenHandler.ValidateToken(accessToken, tokenValidationParameters); var jwt = tokenValidationResult.SecurityToken as JsonWebToken; if (jwt == null) { throw new Exception("Invalid token format."); } await _tokenRepository.GetAsync(new Guid(jwt.Id)); return(jwt); }
/// <summary> /// Validates token and reads the token payload. /// </summary> /// <param name="encodedToken">Raw, encoded ID Token, as received from the server.</param> /// <param name="verifyWithKey">RSA public key to use for verifying OpenID Connect ID token signature, if an ID token is present in the response. /// If <c>null</c>, no verification is done.</param> /// <returns>The token payload as a JSON string.</returns> /// <exception cref="SecurityTokenInvalidSignatureException">Thrown if token signature verification fails.</exception> public static string ReadPayload(string encodedToken, RSA verifyWithKey) { JsonWebToken token; if (verifyWithKey == null) { token = new JsonWebTokenHandler().ReadJsonWebToken(encodedToken); } else { var key = new RsaSecurityKey(verifyWithKey); var validationParams = new TokenValidationParameters() { IssuerSigningKey = key, ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; var validationResult = new JsonWebTokenHandler().ValidateToken(encodedToken, validationParams); if (!validationResult.IsValid) { if (validationResult.Exception != null) { throw validationResult.Exception; } throw new SecurityTokenInvalidSignatureException("Invalid ID token signature"); } token = validationResult.SecurityToken as JsonWebToken; } return(Base64Url.DecodeString(token.EncodedPayload)); }
public static string GetToken(IEnumerable <string>?roles = null, IEnumerable <string>?scopes = null) { roles ??= Array.Empty <string>(); scopes = new[] { "user_impersonation" }.Concat(scopes ?? Array.Empty <string>()); var tokenHandler = new JsonWebTokenHandler(); var tokenDescriptor = new SecurityTokenDescriptor { Audience = "tests", Issuer = "tests", Claims = new Dictionary <string, object> { ["name"] = "Testy McTesterson", ["given_name"] = "Testy", ["family_name"] = "McTesterson", ["unique_name"] = "*****@*****.**", ["upn"] = "*****@*****.**", ["acr"] = "1", ["amr"] = new[] { "pwd", "mfa" }, ["roles"] = roles.ToArray(), ["oid"] = PrincipalId.ToString(), ["appid"] = Guid.NewGuid().ToString(), ["deviceid"] = Guid.NewGuid().ToString(), ["sub"] = "Xwq2sQJEYUbxkwV_0V9Gg_nIAW2mWX9tJnt_Gqrkdbm", ["tid"] = Guid.NewGuid().ToString(), ["scp"] = string.Join(" ", scopes), ["ver"] = "1.0", }, Expires = DateTime.UtcNow.AddDays(1), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey)), SecurityAlgorithms.HmacSha256Signature), }; return(tokenHandler.CreateToken(tokenDescriptor)); }
public void ShouldValidateJwe(string algorithm, string encryption) { var key = new CryptographicKey(Algorithm.Create(algorithm).WithContentEncryption(encryption)); var encryptingCredentials = new EncryptingCredentials(key, algorithm, encryption); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), EncryptingCredentials = encryptingCredentials }; var jwe = handler.CreateToken(jwt); var result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = encryptingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public void AddJsonWebToken(string issuer, string audience, string signingKey, AuthenticationOptions options) { var config = new SecurityTokenHandlerConfiguration(); var registry = new WebTokenIssuerNameRegistry(); registry.AddTrustedIssuer(issuer, issuer); config.IssuerNameRegistry = registry; var issuerResolver = new WebTokenIssuerTokenResolver(); issuerResolver.AddSigningKey(issuer, signingKey); config.IssuerTokenResolver = issuerResolver; config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience)); var handler = new JsonWebTokenHandler(); handler.Configuration = config; AddMapping(new AuthenticationOptionMapping { TokenHandler = new SecurityTokenHandlerCollection { handler }, Options = options }); }
public void ShouldValidateJws(string algorithm) { var signingCredentials = new SigningCredentials(new CryptographicKey(algorithm), algorithm); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), SigningCredentials = signingCredentials }; var jws = handler.CreateToken(jwt); var result = handler.ValidateToken(jws, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", IssuerSigningKey = signingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public T GetClaim <T>(string jwt, JwtClaim claim) { if (jwt == null) { throw new UnprocessableException(); } string key = Enum.GetName(typeof(JwtClaim), claim); var handler = new JsonWebTokenHandler(); JsonWebToken jwtToken = handler.ReadJsonWebToken(jwt); string foundClaim = jwtToken.Claims? .FirstOrDefault(c => c.Type.Equals(key, StringComparison.OrdinalIgnoreCase))? .Value; if (typeof(T) == typeof(Guid)) { return((T)Convert.ChangeType(Guid.Parse(foundClaim), typeof(T), CultureInfo.InvariantCulture)); } if (typeof(T) == typeof(AccountRole)) { return((T)Convert.ChangeType(Enum.Parse <AccountRole>(foundClaim), typeof(T), CultureInfo.InvariantCulture)); } return(default);
private void ValidateAttestationClaims(EnclaveType enclaveType, string attestationToken, EnclavePublicKey enclavePublicKey, byte[] nonce) { // Read the json token JsonWebToken token = null; try { JsonWebTokenHandler tokenHandler = new JsonWebTokenHandler(); token = tokenHandler.ReadJsonWebToken(attestationToken); } catch (ArgumentException argumentException) { throw new AlwaysEncryptedAttestationException(String.Format(Strings.FailToParseAttestationToken, argumentException.Message)); } // Get all the claims from the token Dictionary <string, string> claims = new Dictionary <string, string>(); foreach (Claim claim in token.Claims.ToList()) { claims.Add(claim.Type, claim.Value); } // Get Enclave held data claim and validate it with the Base64UrlEncode(enclave public key) ValidateClaim(claims, "aas-ehd", enclavePublicKey.PublicKey); if (enclaveType == EnclaveType.Vbs) { // Get rp_data claim and validate it with the Base64UrlEncode(nonce) ValidateClaim(claims, "rp_data", nonce); } }
/// <summary> /// Create a new client secret (per request). /// </summary> /// <param name="issuer">Your account's team ID found in the dev portal.</param> /// <param name="audience">Apple authority.</param> /// <param name="subject">The service id (client_id).</param> /// <param name="privateKey">Base64 encoded private key.</param> /// <param name="privateKeyId">The key id.</param> /// <param name="duration">Expiry can be a maximum of 6 months - generate one per request or re-use until expiration. Defaults to 5 minutes.</param> public static string CreateNewToken(string issuer, string audience, string subject, string privateKey, string privateKeyId, TimeSpan?duration = null) { duration ??= TimeSpan.FromMinutes(5); var now = DateTime.UtcNow; var ecdsa = ECDsa.Create(); if (privateKey.StartsWith('-')) { var lines = privateKey.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries); privateKey = string.Join("", lines.Skip(1).Take(lines.Length - 2)); } //#if NETCOREAPP3_1 ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); //#else //ecdsa?.ImportFromPem(privateKey); //#endif var handler = new JsonWebTokenHandler(); var key = new ECDsaSecurityKey(ecdsa) { KeyId = privateKeyId }; return(handler.CreateToken(new SecurityTokenDescriptor { Issuer = issuer, Audience = audience, Claims = new Dictionary <string, object> { { "sub", subject } }, Expires = now.Add(duration.Value), IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256) })); }
public static void AddJsonWebToken(this AuthenticationConfiguration configuration, string issuer, string audience, string signingKey, AuthenticationOptions options) { var config = new SecurityTokenHandlerConfiguration(); var registry = new WebTokenIssuerNameRegistry(); registry.AddTrustedIssuer(issuer, issuer); config.IssuerNameRegistry = registry; var issuerResolver = new WebTokenIssuerTokenResolver(); issuerResolver.AddSigningKey(issuer, signingKey); config.IssuerTokenResolver = issuerResolver; config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience)); var handler = new JsonWebTokenHandler(); handler.Configuration = config; configuration.AddMapping(new AuthenticationOptionMapping { TokenHandler = new SecurityTokenHandlerCollection { handler }, Options = options }); }