internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; var tokenFormat = new JwtFormat(valParams, issuerProvider); var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider() }; return(bearerOptions); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { // IdSrv3 hard-codes the value when issuing a token using the pattern below var audience = options.IssuerName.EnsureTrailingSlash() + "resources"; // Use the configured values if present, otherwise fallback to the defaulted value List <string> validAudiences; if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0) { validAudiences = new List <string>(options.ValidAudiences); } else { validAudiences = new List <string>() { audience } }; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudiences = validAudiences, ValidateAudience = true, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); // Use the configured values if present, otherwise fallback to the discovery document's value // (which is actually hard-coded to _issuer + "/resources") List <string> validAudiences; if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0) { validAudiences = new List <string>(options.ValidAudiences); } else { validAudiences = new List <string>() { issuerProvider.Audience } }; var valParams = new TokenValidationParameters { ValidAudiences = validAudiences, ValidateAudience = true, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { var audience = options.IssuerName.EnsureTrailingSlash(); audience += "resources"; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = ResolveRsaKeys; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
internal static Lazy<OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return new Lazy<OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { var audience = options.IssuerName.EnsureTrailingSlash(); audience += "resources"; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, IssuerSigningToken = new X509SecurityToken(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, true); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { string audience = null; bool validateAudience = true; // if API name is set, do a strict audience check for //https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192 if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation) { audience = options.ApiName; } else if (options.LegacyAudienceValidation) { audience = options.IssuerName.EnsureTrailingSlash() + "resources"; } else { // no audience validation, rely on scope checks only validateAudience = false; } var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, ValidateAudience = validateAudience, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); string audience = issuerProvider.Audience; bool validateAudience = true; // if API name is set, do a strict audience check for //https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192 if (string.IsNullOrWhiteSpace(audience) && !options.LegacyAudienceValidation) { // no audience validation, rely on scope checks only validateAudience = false; } var valParams = new TokenValidationParameters { ValidAudience = audience, ValidateAudience = validateAudience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }