コード例 #1
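        /// <summary>
        /// Validates an identity token: verifies its signature with the provider's first published
        /// RSA key, then checks the <c>iss</c>, <c>aud</c>, <c>nbf</c> and <c>exp</c> claims.
        /// </summary>
        /// <param name="identityToken">Compact-serialized JWT received from the provider; treated as untrusted input.</param>
        /// <param name="clientId">Client id the token's <c>aud</c> claim must equal.</param>
        /// <param name="providerInformation">Provider metadata supplying the expected issuer name and the signing key set.</param>
        /// <returns>
        /// A completed task. On success the result carries the token claims and the signature algorithm;
        /// on failure <c>Success</c> is false and <c>Error</c> names the first check that failed.
        /// Decode or parse errors are reported the same way instead of propagating to the caller.
        /// </returns>
        public Task <IdentityTokenValidationResult> ValidateAsync(string identityToken, string clientId, ProviderInformation providerInformation)
        {
            var fail = new IdentityTokenValidationResult
            {
                Success = false
            };

            if (string.IsNullOrWhiteSpace(identityToken))
            {
                fail.Error = "Identity token is missing";
                return Task.FromResult(fail);
            }

            // NOTE(review): only the first key of the key set is consulted. A provider that publishes
            // several keys (key rotation) needs the token's key id matched against the set — confirm
            // whether the key set and JosePCL expose that information.
            var signingKey = providerInformation.KeySet.Keys.First();
            var e          = Base64Url.Decode(signingKey.E);
            var n          = Base64Url.Decode(signingKey.N);
            var pubKey     = PublicKey.New(e, n);

            JObject payload;
            try
            {
                // Signature verification is delegated to JosePCL. A malformed token or a signature that
                // does not verify surfaces as an exception here and becomes a failed result.
                // NOTE(review): assumes Decode does not accept unsigned (alg=none) tokens — confirm.
                var json = JosePCL.Jwt.Decode(identityToken, pubKey);
                payload  = JObject.Parse(json);
            }
            catch (Exception ex)
            {
                fail.Error = ex.ToString();
                return Task.FromResult(fail);
            }

            // A missing claim yields null, which the ordinal comparisons below reject.
            var issuer   = payload["iss"]?.ToString();
            var audience = payload["aud"]?.ToString();

            if (!string.Equals(issuer, providerInformation.IssuerName, StringComparison.Ordinal))
            {
                fail.Error = "Invalid issuer name";
                return Task.FromResult(fail);
            }

            // NOTE(review): a multi-valued aud claim stringifies as JSON text and fails this check;
            // single-audience tokens are assumed here.
            if (!string.Equals(audience, clientId, StringComparison.Ordinal))
            {
                fail.Error = "Invalid audience";
                return Task.FromResult(fail);
            }

            long? exp;
            long? nbf;
            try
            {
                // Nullable reads: an absent claim becomes null instead of a parse failure.
                exp = payload.Value<long?>("exp");
                nbf = payload.Value<long?>("nbf");
            }
            catch (Exception ex)
            {
                fail.Error = "Invalid exp or nbf claim: " + ex.Message;
                return Task.FromResult(fail);
            }

            // exp is mandatory; a token that never expires is rejected outright.
            if (exp == null)
            {
                fail.Error = "Token has no expiration";
                return Task.FromResult(fail);
            }

            var utcNow = DateTime.UtcNow;

            // nbf is optional; it is only enforced when the token carries it.
            if (nbf != null)
            {
                var notBefore = nbf.Value.ToDateTimeFromEpoch();
                if (notBefore > utcNow.Add(ClockSkew))
                {
                    fail.Error = "Token not valid yet";
                    return Task.FromResult(fail);
                }
            }

            var expires = exp.Value.ToDateTimeFromEpoch();
            if (expires < utcNow.Add(ClockSkew.Negate()))
            {
                fail.Error = "Token expired";
                return Task.FromResult(fail);
            }

            return Task.FromResult(new IdentityTokenValidationResult
            {
                Success = true,
                Claims = payload.ToClaims(),
                // Decode was given an RSA public key, so RS256 is reported.
                // NOTE(review): the algorithm JosePCL actually verified is not surfaced here — confirm.
                SignatureAlgorithm = "RS256"
            });
        }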
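        /// <summary>
        /// Validates an identity token: verifies its signature against the provider's key set, then
        /// checks the <c>iss</c>, <c>aud</c>, <c>nbf</c> and <c>exp</c> claims. Each outcome is logged.
        /// </summary>
        /// <param name="identityToken">Compact-serialized JWT received from the provider; treated as untrusted input.</param>
        /// <param name="clientId">Client id the token's <c>aud</c> claim must equal.</param>
        /// <param name="providerInformation">Provider metadata supplying the expected issuer name and the signing key set.</param>
        /// <returns>
        /// A completed task. On success the result carries the token claims and the verified signature
        /// algorithm; on failure <c>Error</c> names the first check that failed. Signature or parse
        /// errors are reported the same way instead of propagating to the caller.
        /// </returns>
        public Task <IdentityTokenValidationResult> ValidateAsync(string identityToken, string clientId, ProviderInformation providerInformation)
        {
            Logger.Debug("starting identity token validation");
            // The token is a credential carrying user claims; log only its size so debug output
            // cannot be used to replay it or profile the user.
            Logger.Debug($"identity token length: {identityToken?.Length ?? 0}");

            var fail = new IdentityTokenValidationResult();

            if (string.IsNullOrWhiteSpace(identityToken))
            {
                fail.Error = "Identity token is missing";
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            ValidatedToken token;

            try
            {
                token = ValidateSignature(identityToken, providerInformation.KeySet);
            }
            catch (Exception ex)
            {
                fail.Error = ex.ToString();
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            if (!token.Success)
            {
                fail.Error = token.Error;
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            // A missing claim yields null, which the ordinal comparisons below reject.
            var issuer = token.Payload["iss"]?.ToString();

            Logger.Debug($"issuer: {issuer}");

            var audience = token.Payload["aud"]?.ToString();

            Logger.Debug($"audience: {audience}");

            if (!string.Equals(issuer, providerInformation.IssuerName, StringComparison.Ordinal))
            {
                fail.Error = "Invalid issuer name";
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            // NOTE(review): a multi-valued aud claim stringifies as JSON text and fails this check;
            // single-audience tokens are assumed here.
            if (!string.Equals(audience, clientId, StringComparison.Ordinal))
            {
                fail.Error = "Invalid audience";
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            long? exp;
            long? nbf;

            try
            {
                // Nullable reads: an absent claim becomes null instead of a parse failure or a
                // silent default of 0.
                exp = token.Payload.Value<long?>("exp");
                nbf = token.Payload.Value<long?>("nbf");
            }
            catch (Exception ex)
            {
                fail.Error = "Invalid exp or nbf claim: " + ex.Message;
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            // exp is mandatory; a token that never expires is rejected outright.
            if (exp == null)
            {
                fail.Error = "Token has no expiration";
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            var utcNow = DateTime.UtcNow;

            Logger.Debug($"exp: {exp}");

            // nbf is optional; it is only enforced when the token carries it.
            if (nbf != null)
            {
                Logger.Debug($"nbf: {nbf}");

                var notBefore = nbf.Value.ToDateTimeFromEpoch();
                if (notBefore > utcNow.Add(ClockSkew))
                {
                    fail.Error = "Token not valid yet";
                    Logger.Error(fail.Error);

                    return Task.FromResult(fail);
                }
            }

            var expires = exp.Value.ToDateTimeFromEpoch();

            if (expires < utcNow.Add(ClockSkew.Negate()))
            {
                fail.Error = "Token expired";
                Logger.Error(fail.Error);

                return Task.FromResult(fail);
            }

            Logger.Info("identity token validation success");

            return Task.FromResult(new IdentityTokenValidationResult
            {
                Claims = token.Payload.ToClaims(),
                SignatureAlgorithm = token.Algorithm
            });
        }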
 /// <summary>
 /// Creates a token response validation result that carries the outcome of identity token validation.
 /// </summary>
 /// <param name="result">The identity token validation outcome exposed through <c>IdentityTokenValidationResult</c>.</param>
 public TokenResponseValidationResult(IdentityTokenValidationResult result)
 {
     this.IdentityTokenValidationResult = result;
 }