/// <summary>
/// Resolves the credential used to sign outgoing tokens: the current signing key is
/// fetched from the key service and materialised as an X.509 certificate. Override this
/// to source the signing key from somewhere else (HSM, key vault, file, ...).
/// </summary>
/// <returns>An <see cref="X509SigningCredentials"/> wrapping the current signing certificate.</returns>
protected virtual async Task<SigningCredentials> GetSigningCredentialsAsync()
{
    // Two-step resolution: the key descriptor first, then the certificate that backs it.
    var signingKey = await _keyService.GetSigningKeyAsync();
    var signingCert = await _certificateKeyService.GetCertificate(signingKey);

    // NOTE(review): signing requires the certificate's private key; whether the
    // certificate service returns one with the private key attached is not visible
    // here — confirm, otherwise token signing fails at first use rather than at startup.
    SigningCredentials credentials = new X509SigningCredentials(signingCert);
    return credentials;
}
/// <summary>
/// Validates a JWT access token (signature against the supplied keys, issuer, audience
/// and optionally lifetime) and then resolves the client named by its client_id claim.
/// </summary>
/// <param name="jwt">The raw compact-serialised JWT.</param>
/// <param name="audience">The audience the token must be issued for (compared to the aud claim).</param>
/// <param name="signingKeys">
/// The keys trusted to have signed the token. Trust is pinned to exactly these keys;
/// no certificate chain or revocation checking is performed on them.
/// </param>
/// <param name="validateLifetime">
/// When false the exp/nbf checks are skipped. Callers should only pass false when they
/// deliberately need to inspect an expired token, never on a resource-access path.
/// </param>
/// <returns>
/// A successful result carrying the token's claims, the resolved client and the raw JWT,
/// or an invalid_token error result if the token or its client fails any check.
/// </returns>
private async Task<TokenValidationResult> ValidateJwtAsync(string jwt, string audience, IEnumerable<JsonWebKey> signingKeys, bool validateLifetime = true)
{
    // X.509 chain/revocation validation is deliberately disabled: the trust anchor is the
    // explicit set of signing keys handed in below (IssuerSigningKeys), not a PKI chain.
    var tokenHandler = new JwtSecurityTokenHandler
    {
        Configuration = new SecurityTokenHandlerConfiguration
        {
            CertificateValidationMode = X509CertificateValidationMode.None,
            CertificateValidator = X509CertificateValidator.None
        }
    };

    // Resolve every trusted key to its certificate (lookups run concurrently) and wrap
    // each one as a security key the handler can verify signatures with.
    var certificateLookups = signingKeys.Select(k => _certificateKeyService.GetCertificate(k));
    var trustedCertificates = await Task.WhenAll(certificateLookups);
    var trustedKeys = trustedCertificates
        .Select(cert => new X509SecurityKey(cert))
        .ToList();

    // NOTE(review): issuer and audience checks are not switched on explicitly here; this
    // relies on ValidateIssuer/ValidateAudience defaulting to true in the JWT handler
    // version in use — confirm when upgrading the library. Only the lifetime check is
    // caller-controlled.
    var validationParameters = new TokenValidationParameters
    {
        ValidIssuer = IssuerUri,
        IssuerSigningKeys = trustedKeys,
        ValidateLifetime = validateLifetime,
        ValidAudience = audience
    };

    try
    {
        SecurityToken validatedToken;
        var principal = tokenHandler.ValidateToken(jwt, validationParameters, out validatedToken);

        // Surface the token's jti in the log context when it carries one.
        var jtiClaim = principal.FindFirst(Constants.ClaimTypes.JwtId);
        if (jtiClaim != null)
        {
            _log.JwtId = jtiClaim.Value;
        }

        // A token whose client_id no longer maps to a registered client is rejected.
        // The throw is caught by the catch-all below and becomes an invalid_token result,
        // so a deleted/disabled client cannot keep using previously issued tokens.
        Client resolvedClient = null;
        var clientIdClaim = principal.FindFirst(Constants.ClaimTypes.ClientId);
        if (clientIdClaim != null)
        {
            resolvedClient = await _clients.FindClientByIdAsync(clientIdClaim.Value);
            if (resolvedClient == null)
            {
                throw new InvalidOperationException("Client does not exist anymore.");
            }
        }

        return new TokenValidationResult
        {
            IsError = false,
            Claims = principal.Claims,
            Client = resolvedClient,
            Jwt = jwt
        };
    }
    catch (Exception ex)
    {
        // Every failure (bad signature, wrong issuer/audience, expired, unknown client, ...)
        // collapses to the same generic invalid_token; the specific reason stays in the
        // server log only, so the caller learns nothing about which check failed.
        Logger.ErrorException("JWT token validation error", ex);
        return Invalid(Constants.ProtectedResourceErrors.InvalidToken);
    }
}