public string GenerateToken()
{
var signingCredentials = new SigningCredentials(appSettings.TokenSigningKey, SecurityAlgorithms.HmacSha256);
var ec = new EncryptingCredentials(appSettings.TokenEncryptionKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);
var handler = new JwtSecurityTokenHandler();
IList <Claim> claims = new List <Claim>();
claims.Add(new Claim(Constants.Claims.ObjectId, ObjectId, ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.TransactionReference, TransactionReference, ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.IsVerified, IsVerified.ToString(), ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.Message, Message ?? string.Empty, ClaimValueTypes.String, appSettings.IdTokenIssuer));
var jwt = handler.CreateEncodedJwt(
appSettings.IdTokenIssuer,
appSettings.IdTokenAudience,
new ClaimsIdentity(claims),
DateTime.Now,
DateTime.Now.AddDays(1),
DateTime.Now,
signingCredentials,
ec);
return(jwt);
}
private (string Token, DateTimeOffset Expires) CreateToken(IEnumerable <Claim> claims, int expirationMinutes)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration.Value.SigningKey));
var signingCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
EncryptingCredentials encryptCredentials = null;
if (!string.IsNullOrEmpty(_configuration.Value.EncrtyptKey))
{
var encryptionkey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration.Value.EncrtyptKey));
encryptCredentials = new EncryptingCredentials(encryptionkey, SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
}
var now = DateTime.UtcNow;
var expires = now.AddMinutes(expirationMinutes);
var descriptor = new SecurityTokenDescriptor
{
Issuer = _configuration.Value.Issuer,
Audience = _configuration.Value.Audience,
IssuedAt = now,
NotBefore = now,
Expires = expires,
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(descriptor);
var encryptedJwt = tokenHandler.WriteToken(securityToken);
return(encryptedJwt, expires);
}
public string Generate(User user)
{
var secretKey = Encoding.UTF8.GetBytes(_configuration["Jwt:SecretKey"]); // longer that 16 character
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(_configuration["Jwt:Encryptkey"]); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = _getClaims(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = _configuration["Jwt:Issuer"],
Audience = _configuration["Jwt:Audience"],
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(0),
Expires = DateTime.Now.AddDays(7),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(descriptor);
var encryptedJwt = tokenHandler.WriteToken(securityToken);
return(encryptedJwt);
}
public async Task <string> GenerateAccessTokenAsync(AppUser user)
{
var secretKey = Encoding.UTF8.GetBytes(_siteSettings.JwtSettings.SecretKey);
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionKey = Encoding.UTF8.GetBytes(_siteSettings.JwtSettings.EncryptKey);
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionKey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var tokenDescriptor = new SecurityTokenDescriptor()
{
Issuer = _siteSettings.JwtSettings.Issuer,
Audience = _siteSettings.JwtSettings.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(_siteSettings.JwtSettings.NotBeforeMinutes),
Expires = DateTime.Now.AddMinutes(_siteSettings.JwtSettings.ExpirationMinutes),
SigningCredentials = signingCredentials,
Subject = new ClaimsIdentity(GetClaimsAsync(user)),
EncryptingCredentials = encryptingCredentials,
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
return(tokenHandler.WriteToken(securityToken));
}
public ActionResult GetAdminToken()
{
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, "sub"),
new Claim(JwtRegisteredClaimNames.Jti, "jti"),
new Claim(ClaimTypes.Role, "admin")
};
string securityKey = "super_secrete_222super_secrete_222super_secrete_222super_secrete_222super_secrete_222super_secrete_222super_secrete_222super_secrete_222";
var symmetricSecKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
var singInCredentials = new SigningCredentials(symmetricSecKey, SecurityAlgorithms.HmacSha256Signature);
var encryptingCredentials = new EncryptingCredentials(symmetricSecKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);
var token = new JwtSecurityTokenHandler().CreateJwtSecurityToken(
"kevin.broit",
"readers",
new ClaimsIdentity(claims),
null,
DateTime.Now.AddHours(1),
null,
singInCredentials,
encryptingCredentials);
return(Ok(new JwtSecurityTokenHandler().WriteToken(token)));
}
public async Task <string> Generate(User user)
{
var secretKey = Encoding.UTF8.GetBytes(settings.Value.JWTSettings.SecretKey); // longer than 16 characters
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionKey = Encoding.UTF8.GetBytes(settings.Value.JWTSettings.EncryptKey);
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionKey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = await _getClaims(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = settings.Value.JWTSettings.Issuer,
Audience = settings.Value.JWTSettings.Audience,
IssuedAt = DateTime.Now,
//NotBefore = DateTime.Now.AddMinutes(settings.Value.JWTSettings.NotBeforeMinutes),
Expires = DateTime.Now.AddMinutes(settings.Value.JWTSettings.ExpirationTime),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(descriptor);
var encryptedJwt = tokenHandler.WriteToken(securityToken);
return(encryptedJwt);
}
private UserToken BuildToken(UserInfo data, string rol)
{
var claimsData = new List <Claim> {
new Claim(JwtRegisteredClaimNames.UniqueName, data.User),
new Claim("Custom", "CustomData"),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(ClaimTypes.Role, rol)
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("LLAVE-DE-SEGURIDAD123456789012345679012lsklsksiwkwkwkisksksiwlwlodckd34569874525241252524414525215655000"));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var encryptingCredentials = new EncryptingCredentials(key, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);
var tiempoExpiracion = DateTime.UtcNow.AddMinutes(30);
var token = new JwtSecurityTokenHandler().CreateJwtSecurityToken(
issuer: null,
audience: null,
subject: new ClaimsIdentity(claimsData),
notBefore: null,
expires: tiempoExpiracion,
issuedAt: null,
signingCredentials: creds,
encryptingCredentials: encryptingCredentials
);
return(new UserToken()
{
ExpirationToken = tiempoExpiracion,
Token = new JwtSecurityTokenHandler().WriteToken(token)
});
}
public SecurityTokenDescriptor CreateDescriptor(string name = "user", string nameIdentifier = "user-id", SecurityKey encryptionKey = null, SecurityKey signingKey = null, SecurityKey proofKey = null, bool encryptProofKey = true)
{
if (encryptionKey == null)
encryptionKey = DefaultEncryptionKey;
if (signingKey == null)
signingKey = DefaultSigningKey;
var claims = new List<Claim>();
if (name != null)
claims.Add(new Claim(ClaimTypes.Name, name));
if (nameIdentifier != null)
claims.Add(new Claim(ClaimTypes.NameIdentifier, nameIdentifier));
var identity = new ClaimsIdentity(claims, "Test", ClaimTypes.NameIdentifier, ClaimTypes.Role);
var encryptingCredentials = new EncryptingCredentials(encryptionKey, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128Encryption);
var descriptor = new RequestedSecurityTokenDescriptor
{
Issuer = "urn:tests",
Audience = "urn:unittests",
EncryptingCredentials = encryptingCredentials,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest),
IssuedAt = DateTime.UtcNow,
Expires = DateTime.UtcNow.AddMinutes(5),
NotBefore = DateTime.UtcNow,
Subject = identity,
ProofKey = proofKey,
ProofKeyEncryptingCredentials = encryptProofKey ? encryptingCredentials : null
};
return descriptor;
}
public string GenerateToken(IAuthContainerModel model)
{
if (model == null || model.Claims == null || model.Claims.Count == 0)
{
throw new ArgumentException("Arguments to create token are not valid");
}
var ep = new EncryptingCredentials(
GetSymmetricSecurityKey2(),
JwtConstants.DirectKeyUseAlg, // SecurityAlgorithms.Aes128KW,
SecurityAlgorithms.Aes128CbcHmacSha256);
SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(GetClaims(model.Claims)),
Expires = DateTime.UtcNow.AddMinutes(Convert.ToInt32(model.ExpireMinutes)),
SigningCredentials = new SigningCredentials(GetSymmetricSecurityKey(), model.SecurityAlgorithm),
EncryptingCredentials = ep//new EncryptingCredentials(GetSymmetricSecurityKey2(), model.SecurityAlgorithm),
};
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
SecurityToken securityToken = handler.CreateToken(securityTokenDescriptor);
string token = handler.WriteToken(securityToken);
return(token);
}
public void ShouldValidateJwe(string algorithm, string encryption)
{
var key = new CryptographicKey(Algorithm.Create(algorithm).WithContentEncryption(encryption));
var encryptingCredentials = new EncryptingCredentials(key, algorithm, encryption);
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
var jwt = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = new ClaimsIdentity(GenerateClaim().Generate(5)),
EncryptingCredentials = encryptingCredentials
};
var jwe = handler.CreateToken(jwt);
var result = handler.ValidateToken(jwe,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = encryptingCredentials.Key
});
result.IsValid.Should().BeTrue();
}
public static void Run()
{
var key = new RsaSecurityKey(RSA.Create(2048))
{
KeyId = Guid.NewGuid().ToString()
};
var jweKey = new EncryptingCredentials(key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);
var payloadRepresentation = new List <Claim>()
{
new("claim1", "10"),
new("claim2", "claim2-value"),
new ("name", "Bruno Brito"),
new ("given_name", "Bruno"),
new ("logins", "brunohbrito"),
new ("logins", "bhdebrito"),
new ("logins", "bruno_hbrito"),
};
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
var jwt = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = new ClaimsIdentity(payloadRepresentation),
EncryptingCredentials = jweKey
};
var jwe = handler.CreateToken(jwt);
Console.ResetColor();
Console.ForegroundColor = ConsoleColor.Yellow;
Console.Write("JWE: ");
Console.ForegroundColor = ConsoleColor.Cyan;
Console.WriteLine(jwe);
Console.ResetColor();
var result = handler.ValidateToken(jwe,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = jweKey.Key
});
var claims = JsonSerializer.Serialize(result.Claims, new JsonSerializerOptions()
{
WriteIndented = true
});
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("Claims: ");
Console.ForegroundColor = ConsoleColor.Cyan;
Console.WriteLine(claims);
Console.ResetColor();
}
private string CreateJwt(User created)
{
var claims = new[]
{
new Claim(ClaimTypes.Name, created.Id.ToString())
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration.Token.Key));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var encryptingCredentials = new EncryptingCredentials(key, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);
var jwtSecurityToken = new JwtSecurityTokenHandler().CreateJwtSecurityToken(
_configuration.Token.Issuer,
_configuration.Token.Audience,
new ClaimsIdentity(claims),
null,
expires: DateTime.UtcNow.AddDays(3),
null,
signingCredentials: creds,
encryptingCredentials: encryptingCredentials
);
var encryptedJWT = new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken);
return(encryptedJWT);
}
public async Task <AccessToken> GenerateToken(User user)
{
var securityKey = Encoding.UTF8.GetBytes(_settings.JwtOptions.SecretKey);
var signinCredentials = new SigningCredentials(new SymmetricSecurityKey(securityKey), SecurityAlgorithms.HmacSha256Signature);
var secretKey2 = Encoding.UTF8.GetBytes(_settings.JwtOptions.SecretKey2);
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(secretKey2), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = await _getUserClaims(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = _settings.JwtOptions.Issuer,
Audience = _settings.JwtOptions.Audience,
IssuedAt = DateTime.UtcNow,
Expires = DateTime.Now.AddMinutes(_settings.JwtOptions.Expiration),
SigningCredentials = signinCredentials,
Subject = new ClaimsIdentity(claims),
EncryptingCredentials = encryptingCredentials
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateJwtSecurityToken(descriptor);
return(GenerateAccessToken(securityToken));
}
/// <summary>
/// Generate a token
/// </summary>
/// <param name="entitlements">Details of the entitlements to encode into the token.</param>
/// <param name="signingCert">Certificate to use when signing the token (optional).</param>
/// <param name="encryptionCert">Certificate to use when encrypting the token (optional).</param>
/// <returns>Generated token, if any; otherwise all related errors.</returns>
private static string GenerateToken(
NodeEntitlements entitlements,
X509Certificate2 signingCert = null,
X509Certificate2 encryptionCert = null)
{
SigningCredentials signingCredentials = null;
if (signingCert != null)
{
var signingKey = new X509SecurityKey(signingCert);
signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha512Signature);
}
EncryptingCredentials encryptingCredentials = null;
if (encryptionCert != null)
{
var encryptionKey = new X509SecurityKey(encryptionCert);
encryptingCredentials = new EncryptingCredentials(
encryptionKey, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
}
var entitlementWithIdentifier = entitlements.WithIdentifier($"entitlement-{Guid.NewGuid():D}");
var generator = new TokenGenerator(_logger, signingCredentials, encryptingCredentials);
return(generator.Generate(entitlementWithIdentifier));
}
private async Task <string> GenerateToken(TokenInfo user, int lifeTime)
{
var secretKey = Encoding.UTF8.GetBytes(_setting.JwtSetting.SecretKey); // longer that 16 character
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey)
, SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(_setting.JwtSetting.Encryptkey); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey),
SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
///تنظیم ویژگی های توکن
var descriptor = new SecurityTokenDescriptor
{
///صادر کننده توکن
Issuer = _setting.JwtSetting.Issuer,
Audience = _setting.JwtSetting.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now,
Expires = DateTime.Now.AddMinutes(lifeTime),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(CustomClaims(user))
};
var tokenHandler = new JwtSecurityTokenHandler();
return(tokenHandler.WriteToken(tokenHandler.CreateToken(descriptor)));
}
public string Generate(User user)
{
var encryptionkey = Encoding.UTF8.GetBytes("aaaaaaaaaaaaaaaa"); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var secretkey = Encoding.UTF8.GetBytes("asdfdsasdfcdsdfdsd");
var signingcredential = new SigningCredentials(new SymmetricSecurityKey(secretkey), SecurityAlgorithms.HmacSha256Signature);
var claims = getclaims(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = "MyWeb",
Audience = "MyWeb",
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(0),
Expires = DateTime.Now.AddHours(1),
SigningCredentials = signingcredential,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenhandler = new JwtSecurityTokenHandler();
var securitykey = tokenhandler.CreateToken(descriptor);
var jwt = tokenhandler.WriteToken(securitykey);
return(jwt);
}
public async Task <String> GenerateTokenAsync(ApplicationUser user)
{
var securityKey = Encoding.UTF8.GetBytes(_settings.SecretKey);
var signingCredentials =
new SigningCredentials(new SymmetricSecurityKey(securityKey), SecurityAlgorithms.HmacSha256Signature);
var encryptKey = Encoding.UTF8.GetBytes(_settings.EncryptKey);
var encryptingCredentials =
new EncryptingCredentials(new SymmetricSecurityKey(encryptKey), SecurityAlgorithms.Aes128KW,
SecurityAlgorithms.Aes128CbcHmacSha256);
var tokenDescriptor = new SecurityTokenDescriptor
{
Audience = _settings.Audience,
Issuer = _settings.Issuer,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(_settings.NotBeforeMinutes),
Expires = DateTime.Now.AddDays(_settings.ExpirationDay),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = await _getUserAsSubject(user)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var writeToken = tokenHandler.WriteToken(securityToken);
return(writeToken);
}
public async Task <Token> BuildTokenAsync(long userId, IEnumerable <Claim> claims)
{
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.Value.SigningKey));
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
var encryptingKey = Encoding.UTF8.GetBytes(_options.Value.EncryptingKey); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptingKey),
SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Issuer = _options.Value.Issuer,
Audience = _options.Value.Audience,
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(_options.Value.TokenExpirationMinutes),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var token = tokenHandler.WriteToken(securityToken);
await AddUserTokenAsync(userId, token);
return(new Token {
Value = token
});
}
public async Task <AccessToken> GenerateAsync(User user)
{
byte[] secretKey = Encoding.UTF8.GetBytes(_siteSetting.JwtSettings.SecretKey); // longer that 16 character
SigningCredentials signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
byte[] encryptionkey = Encoding.UTF8.GetBytes(_siteSetting.JwtSettings.Encryptkey); //must be 16 character
EncryptingCredentials encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
IEnumerable <Claim> claims = await _getClaimsAsync(user);
SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor
{
Issuer = _siteSetting.JwtSettings.Issuer,
Audience = _siteSetting.JwtSettings.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(_siteSetting.JwtSettings.NotBeforeMinutes),
Expires = DateTime.Now.AddMinutes(_siteSetting.JwtSettings.ExpirationMinutes),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
//JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
//JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
//JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken securityToken = tokenHandler.CreateJwtSecurityToken(descriptor);
//string encryptedJwt = tokenHandler.WriteToken(securityToken);
return(new AccessToken(securityToken));
}
public static string BuildJwt(
IEnumerable <Claim> claims,
string issuer,
string?audience,
TimeSpan accessTokenExpiryTime,
SigningCredentials signingCredentials,
EncryptingCredentials encryptingCredentials)
{
DateTime utcNow = DateTime.UtcNow;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
JwtSecurityToken token = handler.CreateJwtSecurityToken(
issuer,
audience, // null if _options.NeedAudienceToBeChecked is false
new ClaimsIdentity(claims),
utcNow,
utcNow + accessTokenExpiryTime,
utcNow,
signingCredentials,
encryptingCredentials
);
return(handler.WriteToken(token));
}
public async Task <AccessToken> GenerateAsync(User user)
{
var secretKey = Encoding.UTF8.GetBytes(_siteSetting.SecretKey); // longer that 16 character
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(_siteSetting.Encryptkey); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = await _getClaimsAsync(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = _siteSetting.Issuer,
Audience = _siteSetting.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(0),
Expires = DateTime.Now.AddMinutes(_siteSetting.ExpirationMinutes),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateJwtSecurityToken(descriptor);
var refreshToken = await _unitOfWork.UserRefreshTokenRepository.CreateToken(user.Id);
await _unitOfWork.CommitAsync();
return(new AccessToken(securityToken, refreshToken.ToString()));
}
public static void AddAuthentication(this IServiceCollection services, SecurityOptions options)
{
_signing = _signing ?? BuildSigningCredentials(options);
_encrypting = _encrypting ?? BuildEncryptingCredentials(options);
services
.AddAuthentication(x =>
{
x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
x.TokenValidationParameters = BuildTokenValidationParameters(options);
#if DEBUG
x.IncludeErrorDetails = true;
x.RequireHttpsMetadata = false;
#else
x.IncludeErrorDetails = false;
x.RequireHttpsMetadata = true;
#endif
})
.AddCookie(cfg => cfg.SlidingExpiration = true);
}
private string BuildToken2(UserModel user)
{
var secretKey = Encoding.UTF8.GetBytes(_config["JwtSettings:Key"]); // must be 16 character or longer
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(_config["JwtSettings:EncryptKey"]); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = new List <Claim>
{
new Claim(ClaimTypes.Name, "UserName"), //user.UserName
new Claim(ClaimTypes.NameIdentifier, "123"), //user.Id
};
var descriptor = new SecurityTokenDescriptor
{
Issuer = _config["JwtSettings:Issuer"], //_siteSetting.JwtSettings.Issuer,
Audience = _config["JwtSettings:Audience"], //_siteSetting.JwtSettings.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(Convert.ToDouble(_config["JwtSettings:AccessTokenExpirationMinutes"])),
Expires = DateTime.Now.AddMinutes(Convert.ToDouble(_config["JwtSettings:AccessTokenExpirationMinutes"])),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(descriptor);
string encryptedJwt = tokenHandler.WriteToken(securityToken);
return(encryptedJwt);
}
public CustomSecurityTokenService(string loginProviderName, SecurityTokenServiceConfiguration securityTokenServiceConfiguration, EncryptingCredentials encryptingCredentials, IDragonUserStore <T> userStore)
: base(securityTokenServiceConfiguration)
{
_loginProviderName = loginProviderName;
_encryptingCredentials = encryptingCredentials;
_userStore = userStore;
}
public async Task <string> GenerateAsync(ApplicationUser user)
{
var secretKey = Encoding.UTF8.GetBytes(_siteSettings.JwtSettings.secretkey); // secret key on server to ensure security (encrypt+decrypt)
var signinCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(_siteSettings.JwtSettings.secretkey); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = await _getClaimsAsync(user);
var descriptor = new SecurityTokenDescriptor()
{
Issuer = _siteSettings.JwtSettings.Issuer,
Audience = _siteSettings.JwtSettings.Audience,
IssuedAt = DateTime.Now,
Expires = DateTime.Now.AddMinutes(30),
SigningCredentials = signinCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(descriptor);
var jwt = tokenHandler.WriteToken(securityToken);
return(jwt);
}
public async Task <JwtToken> CreateAsync(User user)
{
var jwtSetting = new JwtSettings();
var secretKey = Encoding.UTF8.GetBytes(jwtSetting.SecretKey); // longer that 16 character
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(secretKey), SecurityAlgorithms.HmacSha256Signature);
var encryptionkey = Encoding.UTF8.GetBytes(jwtSetting.Encryptkey); //must be 16 character
var encryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(encryptionkey), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var claims = await AddClaimsAsync(user);
var descriptor = new SecurityTokenDescriptor
{
Issuer = jwtSetting.Issuer,
Audience = jwtSetting.Audience,
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(jwtSetting.NotBeforeMinutes),
Expires = DateTime.Now.AddMinutes(jwtSetting.ExpirationMinutes),
SigningCredentials = signingCredentials,
EncryptingCredentials = encryptingCredentials,
Subject = new ClaimsIdentity(claims)
};
//JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
//JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
//JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateJwtSecurityToken(descriptor);
//string encryptedJwt = tokenHandler.WriteToken(securityToken);
return(new JwtToken(securityToken));
}
public string CreateTokenString(ICommandUser commandUser)
{
SigningCredentials singingCridentials = new SigningCredentials(this.signingKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
EncryptingCredentials encryptingCridentials = new EncryptingCredentials(this.secutityKey, SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
ClaimsIdentity claimsIdentity = new ClaimsIdentity(new List <Claim>());
claimsIdentity.AddClaim(new Claim(ClaimTypes.PrimarySid, commandUser.ID));
claimsIdentity.AddClaim(new Claim(ClaimTypes.UserData, JsonConvert.SerializeObject(commandUser.UserData)));
claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, commandUser.Username));
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, JsonConvert.SerializeObject(commandUser.UserRoles)));
SecurityTokenDescriptor tokenDiscriptor = new SecurityTokenDescriptor();
tokenDiscriptor.Subject = claimsIdentity;
tokenDiscriptor.Issuer = this.issuer;
tokenDiscriptor.SigningCredentials = singingCridentials;
tokenDiscriptor.EncryptingCredentials = encryptingCridentials;
tokenDiscriptor.Expires = DateTime.UtcNow.Add(TimeSpan.FromHours(1));
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken token = tokenHandler.CreateJwtSecurityToken(tokenDiscriptor);
string tokenString = tokenHandler.WriteToken(token);
return(tokenString);
}
public async Task ShouldGenerateAndValidateJweAndJws()
{
await WarmupData.Clear();
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
// Generate right now and in memory
var newKey = new CryptographicKey(Algorithm.Create(AlgorithmType.RSA, JwtType.Both));
var encryptingCredentials = new EncryptingCredentials(newKey, EncryptionAlgorithmKey.RsaOAEP, EncryptionAlgorithmContent.Aes128CbcHmacSha256);
var signingCredentials = new SigningCredentials(newKey, DigitalSignaturesAlgorithm.RsaSsaPssSha256);
var claims = new ClaimsIdentity(GenerateClaim().Generate(5));
var descriptorJws = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
SigningCredentials = signingCredentials
};
var descriptorJwe = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
EncryptingCredentials = encryptingCredentials
};
var jws = handler.CreateToken(descriptorJws);
var jwe = handler.CreateToken(descriptorJwe);
var result = await handler.ValidateTokenAsync(jws,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
IssuerSigningKey = signingCredentials.Key
});
result.IsValid.Should().BeTrue();
result = await handler.ValidateTokenAsync(jwe,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = encryptingCredentials.Key
});
result.IsValid.Should().BeTrue();
}
public TokenGeneratorTests()
{
const string plainTextSecurityKey = "This is my shared, not so secret, secret!";
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(plainTextSecurityKey));
_signingCredentials = new SigningCredentials(key, "fu");
_encryptionCredentials = new EncryptingCredentials(key, "bar", "baz");
}
public CredentialsConfiguration()
{
SigningCredentials = new SigningCredentials(SymmetricKeySigningCredentials, SecurityAlgorithms.HmacSha256);
EncryptingCredentials = new EncryptingCredentials(SymmetricKeyEncryptingCredentials,
SecurityAlgorithms.Aes128KW,
SecurityAlgorithms.Aes128CbcHmacSha256);
}
public SamlRequestDetailsScope(SamlRequestDetails details, EncryptingCredentials signingCredentials, bool requireEncryption)
: base(details.Realm.Uri.AbsoluteUri, signingCredentials)
{
RequestDetails = details;
if (RequestDetails.UsesEncryption)
{
EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate);
}
if (RequestDetails.TokenType == TokenTypes.SimpleWebToken || RequestDetails.TokenType == TokenTypes.JsonWebToken)
{
SigningCredentials = new HmacSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey);
}
ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri;
TokenEncryptionRequired = requireEncryption;
}
