public async Task <AuthenticationResult> AuthenticateClientWithPrivateKeyJwtAsync(AuthenticateInstruction instruction, string expectedIssuer)
{
if (instruction == null)
{
throw new ArgumentNullException("instruction");
}
var clientAssertion = instruction.ClientAssertion;
var isJwsToken = _jwtParser.IsJwsToken(clientAssertion);
if (!isJwsToken)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken));
}
var jws = instruction.ClientAssertion;
var jwsPayload = _jwsParser.GetPayload(jws);
if (jwsPayload == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted));
}
var clientId = jwsPayload.Issuer;
var payload = await _jwtParser.UnSignAsync(jws, clientId);
if (payload == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheSignatureIsNotCorrect));
}
return(await ValidateJwsPayLoad(payload, expectedIssuer));
}
public async Task RevokeSessionCallback()
{
var authenticatedUser = await _authenticationService.GetAuthenticatedUser(this, Constants.CookieNames.CookieName);
if (authenticatedUser == null || !authenticatedUser.Identity.IsAuthenticated)
{
await this.DisplayInternalHtml("SimpleIdentityServer.Host.Views.UserNotConnected.html");
return;
}
var query = Request.Query;
var serializer = new ParamSerializer();
RevokeSessionRequest request = null;
if (query != null)
{
request = serializer.Deserialize <RevokeSessionRequest>(query);
}
Response.Cookies.Delete(Core.Constants.SESSION_ID);
await _authenticationService.SignOutAsync(HttpContext, Constants.CookieNames.CookieName, new Microsoft.AspNetCore.Authentication.AuthenticationProperties());
if (request != null && !string.IsNullOrWhiteSpace(request.PostLogoutRedirectUri) && !string.IsNullOrWhiteSpace(request.IdTokenHint))
{
var jws = await _jwtParser.UnSignAsync(request.IdTokenHint);
if (jws != null)
{
var claim = jws.FirstOrDefault(c => c.Key == StandardClaimNames.Azp);
if (!claim.Equals(default(KeyValuePair <string, object>)) && claim.Value != null)
{
var client = await _clientRepository.GetClientByIdAsync(claim.Value.ToString());
if (client != null)
{
if (client.PostLogoutRedirectUris != null && client.PostLogoutRedirectUris.Contains(request.PostLogoutRedirectUri))
{
var redirectUrl = request.PostLogoutRedirectUri;
if (!string.IsNullOrWhiteSpace(request.State))
{
redirectUrl = $"{redirectUrl}?state={request.State}";
}
Response.Redirect(redirectUrl);
return;
}
}
}
}
}
await this.DisplayInternalHtml("SimpleIdentityServer.Host.Views.RevokeSessionCallback.html");
}
private async Task <AuthorizationRequest> GetAuthorizationRequestFromJwt(string token, string clientId)
{
var jwsToken = token;
if (_jwtParser.IsJweToken(token))
{
jwsToken = await _jwtParser.DecryptAsync(token, clientId);
}
var jwsPayload = await _jwtParser.UnSignAsync(jwsToken, clientId);
return(jwsPayload == null ? null : jwsPayload.ToAuthorizationRequest());
}
public async Task <JwsPayload> GetPayload(Client client, string jwsToken)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (string.IsNullOrWhiteSpace(jwsToken))
{
throw new ArgumentNullException(nameof(jwsToken));
}
var signedResponseAlg = client.GetIdTokenSignedResponseAlg();
var encryptResponseAlg = client.GetIdTokenEncryptedResponseAlg();
if (encryptResponseAlg != null) // Decrypt the token.
{
jwsToken = await _jwtParser.DecryptAsync(jwsToken, client.ClientId);
}
return(await _jwtParser.UnSignAsync(jwsToken, client.ClientId));
}
public async Task When_Passing_Null_To_Unsign_Without_ClientId_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeFakeObjects();
// ACT & ASSERT
await Assert.ThrowsAsync <ArgumentNullException>(() => _jwtParser.UnSignAsync(string.Empty));
}
private async Task ProcessIdTokenHint(
ActionResult actionResult,
AuthorizationParameter authorizationParameter,
ICollection <PromptParameter> prompts,
ClaimsPrincipal claimsPrincipal,
string issuerName)
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) &&
prompts.Contains(PromptParameter.none) &&
actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var token = authorizationParameter.IdTokenHint;
if (!_jwtParser.IsJweToken(token) &&
!_jwtParser.IsJwsToken(token))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken,
authorizationParameter.State);
}
string jwsToken;
if (_jwtParser.IsJweToken(token))
{
jwsToken = await _jwtParser.DecryptAsync(token);
if (string.IsNullOrWhiteSpace(jwsToken))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted,
authorizationParameter.State);
}
}
else
{
jwsToken = token;
}
var jwsPayload = await _jwtParser.UnSignAsync(jwsToken);
if (jwsPayload == null)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked,
authorizationParameter.State);
}
if (jwsPayload.Audiences == null ||
!jwsPayload.Audiences.Any() ||
!jwsPayload.Audiences.Contains(issuerName))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience,
authorizationParameter.State);
}
var currentSubject = string.Empty;
var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated())
{
currentSubject = claimsPrincipal.GetSubject();
}
if (currentSubject != expectedSubject)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken,
authorizationParameter.State);
}
}
}