/// <summary>
/// After wrapping the events with the diagnostics subscriber, raising the default
/// <c>Challenge</c> event must complete without error.
/// </summary>
// NOTE(review): `async void` tests cannot be awaited by the runner; `async Task` is the
// form every major test framework accepts — confirm the framework before changing it.
public async void Subscribe_OnChallengeDefault_CompletesSuccessfully()
{
    _jwtEvents = _jwtDiagnostics.Subscribe(_jwtEvents);

    var properties = new AuthenticationProperties();
    var challengeContext = new JwtBearerChallengeContext(_httpContext, _authScheme, _jwtOptions, properties);

    await _jwtEvents.Challenge(challengeContext).ConfigureAwait(false);

    AssertSuccess(false);
}
/// <summary>
/// Builds a <see cref="JwtBearerEvents"/> whose handlers forward to a plain default
/// <see cref="JwtBearerEvents"/> instance, except that <c>OnMessageReceived</c> first
/// resolves the bearer token through <c>InternalTokenRetriever</c>.
/// </summary>
/// <returns>The forwarding event set; never <c>null</c>.</returns>
internal JwtBearerEvents JwtEvent()
{
    var defaults = new JwtBearerEvents();

    var events = new JwtBearerEvents();
    events.OnMessageReceived = ctx =>
    {
        // Token extraction is the only behaviour overridden here; the rest defers to the defaults.
        ctx.Token = InternalTokenRetriever(ctx.Request);
        return defaults.MessageReceived(ctx);
    };
    events.OnTokenValidated = ctx => defaults.TokenValidated(ctx);
    events.OnAuthenticationFailed = ctx => defaults.AuthenticationFailed(ctx);
    events.OnChallenge = ctx => defaults.Challenge(ctx);

    return events;
}
/// <summary>
/// Applies this options instance to the underlying JWT bearer handler: authority and
/// back-channel settings, event forwarding, optional discovery-document refresh,
/// audience handling, claim-type names, clock skew and inbound claim-type mapping.
/// </summary>
/// <param name="jwtOptions">The handler options to populate; mutated in place.</param>
internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
{
    // --- authority / back-channel ------------------------------------------------
    jwtOptions.Authority = Authority;
    jwtOptions.RequireHttpsMetadata = RequireHttpsMetadata;
    jwtOptions.BackchannelTimeout = BackChannelTimeouts;
    jwtOptions.RefreshOnIssuerKeyNotFound = true;
    jwtOptions.SaveToken = SaveToken;

    if (JwtBackChannelHandler != null)
    {
        jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
    }

    // --- events: extract the token ourselves, then defer to the user-supplied events.
    // The JwtBearerEvents property is read when each event fires, not captured here.
    jwtOptions.Events = new JwtBearerEvents
    {
        OnMessageReceived = ctx =>
        {
            ctx.Token = InternalTokenRetriever(ctx.Request);
            return JwtBearerEvents.MessageReceived(ctx);
        },
        OnTokenValidated = ctx => JwtBearerEvents.TokenValidated(ctx),
        OnAuthenticationFailed = ctx => JwtBearerEvents.AuthenticationFailed(ctx),
        OnChallenge = ctx => JwtBearerEvents.Challenge(ctx)
    };

    // --- discovery document: periodic refresh via our own configuration manager -----
    if (DiscoveryDocumentRefreshInterval.HasValue)
    {
        var discoveryUrl = DiscoveryEndpoint.ParseUrl(Authority).Url;

        var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
        {
            Timeout = BackChannelTimeouts,
            MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB cap on the discovery response
        };

        var documentRetriever = new HttpDocumentRetriever(httpClient)
        {
            RequireHttps = RequireHttpsMetadata
        };

        jwtOptions.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            discoveryUrl,
            new OpenIdConnectConfigurationRetriever(),
            documentRetriever)
        {
            AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
        };
    }

    // --- token validation ----------------------------------------------------------
    var tokenParams = jwtOptions.TokenValidationParameters;

    // Strict audience check against ApiName unless legacy mode is requested or no
    // ApiName is configured. Without audience validation any token issued by the
    // authority is accepted here, so authorization must rely on scope checks.
    var strictAudience = !string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation;
    if (strictAudience)
    {
        jwtOptions.Audience = ApiName;
    }
    else
    {
        tokenParams.ValidateAudience = false;
    }

    tokenParams.NameClaimType = NameClaimType;
    tokenParams.RoleClaimType = RoleClaimType;

    if (JwtValidationClockSkew.HasValue)
    {
        tokenParams.ClockSkew = JwtValidationClockSkew.Value;
    }

    // Inbound claim-type mapping needs a handler of our own; it replaces the defaults.
    if (InboundJwtClaimTypeMap != null)
    {
        jwtOptions.SecurityTokenValidators.Clear();
        jwtOptions.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
        {
            InboundClaimTypeMap = InboundJwtClaimTypeMap
        });
    }
}
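/// <summary>
/// Applies this options instance to the underlying JWT bearer handler: authority and
/// back-channel settings, event forwarding, optional discovery-document refresh,
/// audience handling, claim-type names, token decryption, signature/issuer switches,
/// clock skew and inbound claim-type mapping.
/// </summary>
/// <param name="jwtOptions">The handler options to populate; mutated in place.</param>
/// <exception cref="InvalidOperationException">
/// No valid certificate with <c>CertificateThumbprint</c> exists in LocalMachine\My.
/// </exception>
internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
{
    // --- authority / back-channel ------------------------------------------------
    jwtOptions.Authority = Authority;
    jwtOptions.RequireHttpsMetadata = RequireHttpsMetadata;
    jwtOptions.BackchannelTimeout = BackChannelTimeouts;
    jwtOptions.RefreshOnIssuerKeyNotFound = true;
    jwtOptions.SaveToken = SaveToken;

    if (JwtBackChannelHandler != null)
    {
        jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
    }

    // --- events: extract the token ourselves, then defer to the user-supplied events.
    // The JwtBearerEvents property is read when each event fires, not captured here.
    jwtOptions.Events = new JwtBearerEvents
    {
        OnMessageReceived = ctx =>
        {
            ctx.Token = InternalTokenRetriever(ctx.Request);
            return JwtBearerEvents.MessageReceived(ctx);
        },
        OnTokenValidated = ctx => JwtBearerEvents.TokenValidated(ctx),
        OnAuthenticationFailed = ctx => JwtBearerEvents.AuthenticationFailed(ctx),
        OnChallenge = ctx => JwtBearerEvents.Challenge(ctx)
    };

    // --- discovery document: periodic refresh via our own configuration manager -----
    if (DiscoveryDocumentRefreshInterval.HasValue)
    {
        var discoveryUrl = DiscoveryClient.ParseUrl(Authority).Url;

        var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
        {
            Timeout = BackChannelTimeouts,
            MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB cap on the discovery response
        };

        var documentRetriever = new HttpDocumentRetriever(httpClient)
        {
            RequireHttps = RequireHttpsMetadata
        };

        jwtOptions.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            discoveryUrl,
            new OpenIdConnectConfigurationRetriever(),
            documentRetriever)
        {
            AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
        };
    }

    // --- token validation ----------------------------------------------------------
    var tokenParams = jwtOptions.TokenValidationParameters;

    // Strict audience check against ApiName unless legacy mode is requested or no
    // ApiName is configured. Without audience validation any token issued by the
    // authority is accepted here, so authorization must rely on scope checks.
    var strictAudience = !string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation;
    if (strictAudience)
    {
        jwtOptions.Audience = ApiName;
    }
    else
    {
        tokenParams.ValidateAudience = false;
    }

    tokenParams.NameClaimType = NameClaimType;
    tokenParams.RoleClaimType = RoleClaimType;

    // Token decryption: an explicitly supplied key wins; otherwise resolve the
    // certificate from the machine store by thumbprint.
    if (TokenDecryptionKey != null)
    {
        tokenParams.TokenDecryptionKey = TokenDecryptionKey;
    }
    else if (!string.IsNullOrWhiteSpace(CertificateThumbprint))
    {
        // The store wraps a native handle; release it once the certificate is found.
        // validOnly: true skips certificates that are expired or fail chain validation.
        using (var certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            certStore.Open(OpenFlags.ReadOnly);
            var matches = certStore.Certificates.Find(X509FindType.FindByThumbprint, CertificateThumbprint, validOnly: true);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException("CertificateNotFound");
            }

            tokenParams.TokenDecryptionKey = new X509SecurityKey(matches[0]);
        }
    }

    // NOTE(review): both switches weaken validation when false (unsigned tokens /
    // unchecked issuer, going by the property names); keep them true outside test rigs.
    tokenParams.RequireSignedTokens = RequireSignedTokens;
    tokenParams.ValidateIssuer = ValidateIssuer;

    if (JwtValidationClockSkew.HasValue)
    {
        tokenParams.ClockSkew = JwtValidationClockSkew.Value;
    }

    // Inbound claim-type mapping needs a handler of our own; it replaces the defaults.
    if (InboundJwtClaimTypeMap != null)
    {
        jwtOptions.SecurityTokenValidators.Clear();
        jwtOptions.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
        {
            InboundClaimTypeMap = InboundJwtClaimTypeMap
        });
    }
}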