public bool Validate(string expectedClientId, string expectedAlgorithm, string expectedIssuer, string accessToken = null)
{
// verify signature
if (!Algorithm.Equals(expectedAlgorithm, StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentOutOfRangeException(nameof(Algorithm), $"The id_token 'alg' does not match the expected algorithm value. Expected '{expectedAlgorithm}' but found '{Algorithm}'.");
}
//TODO: Validate signature
// Verify expiration claim
if (Expiration < DateTime.UtcNow)
{
throw new ArgumentOutOfRangeException(nameof(Expiration), $"The id_token is expired");
}
// Verify issuer claim
if (!Issuer.Equals(expectedIssuer, StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentOutOfRangeException(nameof(Issuer), $"The id_token 'iss' claim does not match expected issuer value. Expected '{expectedIssuer}' but fond '{Issuer}'.");
}
// Verify audience claim
if (!Audience.Equals(expectedClientId, StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentOutOfRangeException(nameof(Audience), $"The id_token 'aud' claim does not match the provided clientId value.")
;
}
// Verify Access Token Hash claim (if provided)
if (!string.IsNullOrEmpty(accessToken) && !string.IsNullOrEmpty(AccessTokenHash))
{
var atHash = Util.Sha256AtHash(accessToken);
if (!AccessTokenHash.Equals(atHash, StringComparison.Ordinal))
{
throw new ArgumentOutOfRangeException(nameof(AccessTokenHash), $"The id_token 'at_hash' claim does not match the expected hash of the given token. Expected {atHash} but found {AccessTokenHash}");
}
}
return(true);
}
