/// <summary>
/// Builds the WS-Federation <see cref="EntityDescriptor"/> for this issuer: identified by the
/// configured issuer URI, signed with the configured signing certificate, and carrying the
/// token-service role descriptor for <paramref name="wsfedEndpoint"/>.
/// </summary>
/// <param name="wsfedEndpoint">Endpoint address handed to <c>GetTokenServiceDescriptor</c>.</param>
/// <returns>The populated entity descriptor.</returns>
public EntityDescriptor Generate(string wsfedEndpoint)
{
    var roleDescriptor = GetTokenServiceDescriptor(wsfedEndpoint);
    var issuerId = new EntityId(_settings.GetIssuerUri());

    var descriptor = new EntityDescriptor(issuerId)
    {
        SigningCredentials = new X509SigningCredentials(_settings.GetSigningCertificate())
    };
    descriptor.RoleDescriptors.Add(roleDescriptor);

    return descriptor;
}
/// <summary>
/// Validates a JWT access token issued by this server (issuer, audience and signature against
/// the server's own signing certificate) and maps the outcome to a <see cref="TokenValidationResult"/>.
/// </summary>
/// <param name="jwt">The compact-serialized JWT presented by the caller.</param>
/// <returns>
/// A completed task holding the token's claims on success; on any failure a result with
/// <c>IsError</c> set and <c>Error</c> = <c>Constants.ProtectedResourceErrors.InvalidToken</c>.
/// The underlying exception is written to the log only, never returned to the caller.
/// </returns>
protected virtual Task<TokenValidationResult> ValidateJwtAccessTokenAsync(string jwt)
{
    // Chain/revocation validation of the signing certificate is switched off here. The
    // signature is verified against the pinned certificate supplied as SigningToken below,
    // so this setting only skips X.509 chain checks on that already-known certificate
    // (presumably; confirm the handler consults no other key source).
    var tokenHandler = new JwtSecurityTokenHandler
    {
        Configuration = new SecurityTokenHandlerConfiguration
        {
            CertificateValidationMode = X509CertificateValidationMode.None,
            CertificateValidator = X509CertificateValidator.None
        }
    };

    var validationParameters = new TokenValidationParameters
    {
        ValidIssuer = _settings.GetIssuerUri(),
        SigningToken = new X509SecurityToken(_settings.GetSigningCertificate()),
        AllowedAudience = string.Format(Constants.AccessTokenAudience, _settings.GetIssuerUri())
    };

    TokenValidationResult outcome;
    try
    {
        var principal = tokenHandler.ValidateToken(jwt, validationParameters);
        outcome = new TokenValidationResult { Claims = principal.Claims };
    }
    catch (Exception ex)
    {
        // Malformed, expired, wrong-audience and bad-signature tokens all surface here; the
        // caller sees one generic invalid-token error regardless of the cause.
        _logger.ErrorFormat("JWT token validation error: {0}", ex.ToString());
        outcome = new TokenValidationResult
        {
            IsError = true,
            Error = Constants.ProtectedResourceErrors.InvalidToken
        };
    }

    return Task.FromResult(outcome);
}
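/// <summary>
/// Builds the outgoing security token for a validated WS-Federation sign-in, scoped to the
/// relying party's realm, reply URL, configured lifetime and token type, and signed with this
/// server's signing certificate.
/// </summary>
/// <param name="validationResult">The validated sign-in request; supplies the relying party and reply URL.</param>
/// <param name="outgoingSubject">The claims identity to embed as the token subject.</param>
/// <returns>The token produced by the handler from <c>CreateSupportedSecurityTokenHandler</c>.</returns>
private SecurityToken CreateSecurityToken(SignInValidationResult validationResult, ClaimsIdentity outgoingSubject)
{
    // Read the clock once so Created and Expires share the same origin; the original read
    // DateTime.UtcNow twice, which makes the lifetime slightly longer than configured.
    var issuedAt = DateTime.UtcNow;
    var relyingParty = validationResult.RelyingParty;

    var descriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = relyingParty.Realm,
        Lifetime = new Lifetime(issuedAt, issuedAt.AddMinutes(relyingParty.TokenLifeTime)),
        ReplyToAddress = validationResult.ReplyUrl,
        SigningCredentials = new X509SigningCredentials(_settings.GetSigningCertificate()),
        Subject = outgoingSubject,
        TokenIssuerName = _settings.GetIssuerUri(),
        TokenType = relyingParty.TokenType
    };

    return CreateSupportedSecurityTokenHandler().CreateToken(descriptor);
}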
/// <summary>
/// Produces the wire form of a token. Access tokens become either a JWT (client configured
/// for <c>AccessTokenType.JWT</c>) or an opaque handle persisted via <c>_tokenHandles</c>;
/// identity tokens are always JWTs, signed with the client secret (HMAC) when the client's
/// <c>IdentityTokenSigningKeyType</c> is <c>ClientSecret</c>, otherwise with the server's
/// X.509 signing certificate.
/// </summary>
/// <param name="token">The token to serialize; its type and client settings select the format.</param>
/// <returns>The JWT string, or the generated handle for reference access tokens.</returns>
/// <exception cref="InvalidOperationException">The token type is neither access nor identity token.</exception>
public virtual async Task<string> CreateSecurityTokenAsync(Token token)
{
    if (token.Type == Constants.TokenTypes.AccessToken)
    {
        if (token.Client.AccessTokenType != AccessTokenType.JWT)
        {
            // Reference token: the client receives only an opaque handle and the token
            // itself stays server-side.
            var referenceHandle = Guid.NewGuid().ToString("N");
            await _tokenHandles.StoreAsync(referenceHandle, token);
            return referenceHandle;
        }

        var certificateCredentials = new X509SigningCredentials(_settings.GetSigningCertificate());
        return CreateJsonWebToken(token, certificateCredentials);
    }

    if (token.Type == Constants.TokenTypes.IdentityToken)
    {
        SigningCredentials signingCredentials;
        if (token.Client.IdentityTokenSigningKeyType != SigningKeyTypes.ClientSecret)
        {
            signingCredentials = new X509SigningCredentials(_settings.GetSigningCertificate());
        }
        else
        {
            // Symmetric signing keyed on the shared client secret.
            signingCredentials = new HmacSigningCredentials(token.Client.ClientSecret);
        }

        return CreateJsonWebToken(token, signingCredentials);
    }

    throw new InvalidOperationException("Invalid token type.");
}
/// <summary>
/// Exposes the signing certificate as a JSON Web Key Set containing a single RSA signing key:
/// the key id and <c>x5t</c> are the base64url certificate hash, and <c>x5c</c> holds the
/// DER certificate as plain base64.
/// </summary>
/// <returns>An anonymous object shaped as <c>{ keys: [ { kty, use, kid, x5t, x5c } ] }</c>.</returns>
public dynamic GetKeyData()
{
    var signingCert = _settings.GetSigningCertificate();

    // x5c uses standard base64 of the raw DER bytes (not base64url).
    var derBase64 = Convert.ToBase64String(signingCert.RawData);
    // The certificate hash, base64url-encoded, serves both as x5t and as the key id.
    var thumbprintB64Url = Base64Url.Encode(signingCert.GetCertHash());

    // NOTE(review): the key advertises kty "RSA" but carries no "n"/"e" members, so consumers
    // must take the public key from x5c — confirm every client of this endpoint does.
    var jwk = new
    {
        kty = "RSA",
        use = "sig",
        kid = thumbprintB64Url,
        x5t = thumbprintB64Url,
        x5c = new[] { derBase64 }
    };

    return new { keys = new[] { jwk } };
}