public async void Subscribe_OnChallengeDefault_CompletesSuccessfully()
{
_jwtEvents = _jwtDiagnostics.Subscribe(_jwtEvents);
await _jwtEvents.Challenge(new JwtBearerChallengeContext(_httpContext, _authScheme, _jwtOptions, new AuthenticationProperties())).ConfigureAwait(false);
AssertSuccess(false);
}
internal JwtBearerEvents JwtEvent()
{
var bearer = new JwtBearerEvents();
return(new JwtBearerEvents()
{
OnMessageReceived = e =>
{
e.Token = InternalTokenRetriever(e.Request);
return bearer.MessageReceived(e);
},
OnTokenValidated = e => bearer.TokenValidated(e),
OnAuthenticationFailed = e => bearer.AuthenticationFailed(e),
OnChallenge = e => bearer.Challenge(e)
});
}
internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
{
jwtOptions.Authority = Authority;
jwtOptions.RequireHttpsMetadata = RequireHttpsMetadata;
jwtOptions.BackchannelTimeout = BackChannelTimeouts;
jwtOptions.RefreshOnIssuerKeyNotFound = true;
jwtOptions.SaveToken = SaveToken;
jwtOptions.Events = new JwtBearerEvents
{
OnMessageReceived = e =>
{
e.Token = InternalTokenRetriever(e.Request);
return(JwtBearerEvents.MessageReceived(e));
},
OnTokenValidated = e => JwtBearerEvents.TokenValidated(e),
OnAuthenticationFailed = e => JwtBearerEvents.AuthenticationFailed(e),
OnChallenge = e => JwtBearerEvents.Challenge(e)
};
if (DiscoveryDocumentRefreshInterval.HasValue)
{
var parsedUrl = DiscoveryEndpoint.ParseUrl(Authority);
var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
{
Timeout = BackChannelTimeouts,
MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB
};
var manager = new ConfigurationManager <OpenIdConnectConfiguration>(
parsedUrl.Url,
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient)
{
RequireHttps = RequireHttpsMetadata
})
{
AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
};
jwtOptions.ConfigurationManager = manager;
}
if (JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
}
// if API name is set, do a strict audience check for
if (!string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation)
{
jwtOptions.Audience = ApiName;
}
else
{
// no audience validation, rely on scope checks only
jwtOptions.TokenValidationParameters.ValidateAudience = false;
}
jwtOptions.TokenValidationParameters.NameClaimType = NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = RoleClaimType;
if (JwtValidationClockSkew.HasValue)
{
jwtOptions.TokenValidationParameters.ClockSkew = JwtValidationClockSkew.Value;
}
if (InboundJwtClaimTypeMap != null)
{
var handler = new JwtSecurityTokenHandler
{
InboundClaimTypeMap = InboundJwtClaimTypeMap
};
jwtOptions.SecurityTokenValidators.Clear();
jwtOptions.SecurityTokenValidators.Add(handler);
}
}
internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
{
jwtOptions.Authority = Authority;
jwtOptions.RequireHttpsMetadata = RequireHttpsMetadata;
jwtOptions.BackchannelTimeout = BackChannelTimeouts;
jwtOptions.RefreshOnIssuerKeyNotFound = true;
jwtOptions.SaveToken = SaveToken;
jwtOptions.Events = new JwtBearerEvents
{
OnMessageReceived = e =>
{
e.Token = InternalTokenRetriever(e.Request);
return(JwtBearerEvents.MessageReceived(e));
},
OnTokenValidated = e => JwtBearerEvents.TokenValidated(e),
OnAuthenticationFailed = e => JwtBearerEvents.AuthenticationFailed(e),
OnChallenge = e => JwtBearerEvents.Challenge(e)
};
if (DiscoveryDocumentRefreshInterval.HasValue)
{
var parsedUrl = DiscoveryClient.ParseUrl(Authority);
var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
{
Timeout = BackChannelTimeouts,
MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB
};
var manager = new ConfigurationManager <OpenIdConnectConfiguration>(
parsedUrl.Url,
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient)
{
RequireHttps = RequireHttpsMetadata
})
{
AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
};
jwtOptions.ConfigurationManager = manager;
}
if (JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
}
// if API name is set, do a strict audience check for
if (!string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation)
{
jwtOptions.Audience = ApiName;
}
else
{
// no audience validation, rely on scope checks only
jwtOptions.TokenValidationParameters.ValidateAudience = false;
}
jwtOptions.TokenValidationParameters.NameClaimType = NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = RoleClaimType;
if (TokenDecryptionKey != null)
{
jwtOptions.TokenValidationParameters.TokenDecryptionKey = TokenDecryptionKey;
}
else if (!string.IsNullOrWhiteSpace(CertificateThumbprint))
{
var certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, CertificateThumbprint, true);
if (certCollection.Count == 0)
{
throw new Exception("CertificateNotFound");
}
var certificate = certCollection[0];
jwtOptions.TokenValidationParameters.TokenDecryptionKey = new X509SecurityKey(certificate);
}
jwtOptions.TokenValidationParameters.RequireSignedTokens = RequireSignedTokens;
jwtOptions.TokenValidationParameters.ValidateIssuer = ValidateIssuer;
if (JwtValidationClockSkew.HasValue)
{
jwtOptions.TokenValidationParameters.ClockSkew = JwtValidationClockSkew.Value;
}
if (InboundJwtClaimTypeMap != null)
{
var handler = new JwtSecurityTokenHandler
{
InboundClaimTypeMap = InboundJwtClaimTypeMap
};
jwtOptions.SecurityTokenValidators.Clear();
jwtOptions.SecurityTokenValidators.Add(handler);
}
}