/// <summary>
/// Validates the JWT Structure for correctness.
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public async Task <TokenValidationResult> ValidateJWTStructure(HttpContext context)
{
TokenValidationResult result
= new TokenValidationResult();
_logger.LogDebug("Started JWTToken Validation");
var body = await context.Request.ReadFormAsync();
if (body != null)
{
var jwttoken = body["jwttoken"].FirstOrDefault();
if (jwttoken.IsPresent())
{
var printablejwt = GetPrintableJWT(jwttoken);
_logger.LogDebug($"JWT Token found (truncated): {printablejwt}");
if (jwttoken.Contains("."))
{
if (jwttoken.Length > _options.InputLengthRestrictions.Jwt)
{
_logger.LogWarn("JWT too long");
result = new TokenValidationResult
{
IsError = true,
Error = OidcConstants.ProtectedResourceErrors.InvalidToken,
ErrorDescription = "Token too long"
};
}
else
{
result = new TokenValidationResult
{
IsError = false,
Jwt = jwttoken
};
}
}
else
{
_logger.LogWarn("Invalid Token Format");
result = new TokenValidationResult
{
IsError = true,
Error = OidcConstants.ProtectedResourceErrors.InvalidToken,
ErrorDescription = "Invalid Token Format"
};
}
}
else
{
_logger.LogWarn("JWT Token wasn't found");
result.IsError = true;
result.Error = "Invalid_Token";
result.ErrorDescription = "JWT Token missing";
}
}
return(result);
}
public Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null)
{
// this key should store in the KeyVault service, then we can securely access in anywhere
var key = "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4=".UrlSafe64Decode();
var jwt64Token = SimpleFernet.Decrypt(key, token, out var timestamp);
var jwtToken = jwt64Token.UrlSafe64Encode().FromBase64String();
if (string.IsNullOrEmpty(jwtToken))
{
return(Task.FromResult(new TokenValidationResult
{
IsError = true
}));
}
var result = new TokenValidationResult
{
IsError = false,
Claims = new List <Claim>
{
new Claim(JwtClaimTypes.Scope, jwtToken)
}
};
return(Task.FromResult(result));
}
public override async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result)
{
var subjectId = result.ReferenceToken != null ? result.ReferenceToken.SubjectId : result.Claims.GetFirstClaimValueByType("sub");
var user = await LocalUserService.GetUserBySubjectAsync(subjectId);
var tempClaims = result.Claims.Where(c => c.Type != "role").ToList();
if (user != null)
{
if (user?.Roles != null)
{
foreach (var role in user.Roles)
{
tempClaims.Add(new Claim("role", role.Name));
}
}
foreach (var roleClaim in user.Claims.Where(c => c.Type == "role"))
{
tempClaims.Add(new Claim("role", roleClaim.Value));
}
}
result.Claims = tempClaims;
return(result);
}
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
string requestToken = null;
string authorization = Request.Headers["Authorization"];
if (string.IsNullOrEmpty(authorization))
{
return(AuthenticateResult.Fail("No Authorization Header is sent."));
}
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
requestToken = authorization.Substring("Bearer ".Length).Trim();
}
if (string.IsNullOrEmpty(requestToken))
{
return(AuthenticateResult.Fail("No Access Token is sent."));
}
TokenValidationResult result = await _tokenValidator.ValidateAccessTokenAsync(requestToken, Options.ExpectedScope);
if (result.IsError)
{
return(AuthenticateResult.Fail(result.Error));
}
ClaimsIdentity claimsIdentity = new ClaimsIdentity(result.Claims, Scheme.Name);
ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
AuthenticationTicket authenticationTicket = new AuthenticationTicket(claimsPrincipal, Scheme.Name);
return(AuthenticateResult.Success(authenticationTicket));
}
public async Task ValidateAsync_Successful(string audience,
TokenModel tokenModel,
TokenValidationResult tokenValidationResult,
TokenValidationRequest validationRequest,
TokenValidationResponse tokenValidationResponse)
{
// Arrange
_tokenValidationService
.Setup(x => x.ValidateAsync(audience, tokenModel, It.IsAny <CancellationToken>()))
.ReturnsAsync(tokenValidationResult);
_mapper.Setup(x => x.Map <TokenModel>(It.Is <TokenValidationRequest>(p => p.Token == validationRequest.Token))).Returns(tokenModel);
_mapper.Setup(x => x.Map <TokenValidationResponse>(tokenValidationResult)).Returns(tokenValidationResponse);
// Act
var result = await _client.PostAsync(string.Format(ValidationRequestPath, audience), new JsonContent(validationRequest));
// Assert
result.StatusCode.Should().Be(StatusCodes.Status200OK);
var resultValue = await result.Content.ReadAsAsync <TokenValidationResponse>();
resultValue.Should().BeEquivalentTo(tokenValidationResponse);
_mapper.VerifyAll();
_tokenValidationService.VerifyAll();
}
/// <inheritdoc />
public TokenValidationResult TryValidate(Jwt jwt)
{
if (jwt is null)
{
ThrowHelper.ThrowArgumentNullException(ExceptionArgument.jwt);
}
if (jwt.Payload is null)
{
return(TokenValidationResult.MalformedToken());
}
var claim = jwt.Payload[_claim];
if (claim is null)
{
return(TokenValidationResult.MissingClaim(jwt, _claim));
}
for (int i = 0; i < _values.Count; i++)
{
if (_values[i] !.Equals((TClaim)claim))
{
return(TokenValidationResult.Success(jwt));
}
}
return(TokenValidationResult.InvalidClaim(jwt, _claim));
}
/// <inheritdoc />
public TokenValidationResult TryValidate(Jwt jwt)
{
if (jwt is null)
{
ThrowHelper.ThrowArgumentNullException(ExceptionArgument.jwt);
}
if (jwt.Payload is null)
{
return(TokenValidationResult.MalformedToken());
}
var claim = jwt.Payload[_claim];
if (claim is null)
{
return(TokenValidationResult.MissingClaim(jwt, _claim));
}
if (_value != (double?)claim)
{
return(TokenValidationResult.InvalidClaim(jwt, _claim));
}
return(TokenValidationResult.Success(jwt));
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
string requestToken = null;
string authorization = Request.Headers["Authorization"];
if (string.IsNullOrEmpty(authorization))
{
return(null);
}
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
requestToken = authorization.Substring("Bearer ".Length).Trim();
}
if (string.IsNullOrEmpty(requestToken))
{
return(null);
}
TokenValidator tokenValidator = Context.Environment.ResolveDependency <TokenValidator>();
TokenValidationResult result = await tokenValidator.ValidateAccessTokenAsync(requestToken, Options.ExpectedScope);
if (result.IsError)
{
return(null);
}
AuthenticationProperties properties = new AuthenticationProperties();
ClaimsIdentity identity = new ClaimsIdentity(result.Claims, Options.AuthenticationType);
return(new AuthenticationTicket(identity, properties));
}
/// <summary>
/// Custom validation logic for identity tokens.
/// </summary>
/// <param name="result">The validation result so far.</param>
/// <returns>
/// The validation result
/// </returns>
public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result)
{
// make sure user is still active (if sub claim is present)
var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
if (subClaim != null)
{
var principal = Principal.Create("tokenvalidator", result.Claims.ToArray());
var isActiveCtx = new IsActiveContext(principal, result.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
Logger.Warn("User marked as not active: " + subClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return(result);
}
}
return(result);
}
public async Task ValidateAsync_Successful(string audience,
TokenModel tokenModel,
TokenValidationRequest validationRequest,
TokenValidationResult tokenValidationResult,
TokenValidationResponse tokenValidationResponse)
{
// Arrange
_tokenValidationService
.Setup(x => x.ValidateAsync(audience, tokenModel, CancellationToken.None))
.ReturnsAsync(tokenValidationResult);
_mapper.Setup(x => x.Map <TokenValidationResponse>(tokenValidationResult)).Returns(tokenValidationResponse);
_mapper.Setup(x => x.Map <TokenModel>(It.Is <TokenValidationRequest>(p => p.Token == validationRequest.Token))).Returns(tokenModel);
// Act
var result = await _controller.ValidateAsync(audience, validationRequest, CancellationToken.None);
// Assert
var okObjectResult = result.Should().BeOfType <OkObjectResult>();
okObjectResult.Subject.Value.Should().Be(tokenValidationResponse);
_mapper.VerifyAll();
_tokenValidationService.VerifyAll();
}
public void ValidateIdTokenSignatureShouldNotValidateWhenKeysetNull()
{
var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QifQ.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.PKN_cBANpXLegnmu6My4yhqcdbZaRVRLlseQJ4y1gMyFzLfRfYFHhbQC4xrIaN6ryxIsgJvFZ-047WfMwyptIhcP87exuYt6253k9gddndmjJtLuT9d5DB9bjiKkK49IdVsu91xyT1bXBHiWnZ-alFgnC4NfsCN3ec9TAynlivhzlBwghfdc6T8V27ewHWKg1ds0ZZbLQYZ0PtuLd0PW_SEOAnajVICBN7xm0rgxf9CTgOs5mBnKVCgPu1sJ-6bdcfA2VpLGLleuDHb9J9t6kbMytEMUjs4eDjdgxlogIUBOvY4MWfuu4l85GPZPMJ29aGmvAbns9e5Pufm8nO9DEA";
TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, null);
Assert.AreEqual(TokenValidationResult.JWKSError, actual);
}
public async Task ValidateJwtTest()
{
AuthorizationTokensViewmodel result = await _jwtLogic.CreateJwt(new TestUserDto().User);
TokenValidationResult validationResult = _jwtLogic.ValidateJwt(result.Jwt);
Assert.True(validationResult.IsValid);
}
private AuthenticateResult CreateSuccessResult(TokenValidationResult tokenValidationResult)
{
var identity = new ClaimsIdentity(tokenValidationResult.Claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return(AuthenticateResult.Success(ticket));
}
public override Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null)
{
var result = new TokenValidationResult
{
Error = Constants.ProtectedResourceErrors.InvalidToken
};
return(Task.FromResult(result));
}
public override Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true)
{
var result = new TokenValidationResult
{
Error = Constants.ProtectedResourceErrors.InvalidToken
};
return(Task.FromResult(result));
}
/// <summary>
/// Extensão que faz a validação de um token.
/// </summary>
/// <param name="token">Objeto referenciado</param>
/// <param name="settings">Configurações de autoridade</param>
/// <returns>Resultado da validação do token</returns>
public static async Task <TokenValidationResult> ValidateAsync(this JwtSecurityToken token, IdentityConfigurations settings)
{
TokenValidationResult result;
try
{
var tokenDecoder = new JwtSecurityTokenHandler();
var parameters = await settings.GetTokenParametesAsync(token);
var principal = tokenDecoder.ValidateToken(token.RawData, parameters, out SecurityToken validatedToken);
result = new TokenValidationResult(TokenValidation.Valid)
{
Principal = principal,
SecurityToken = validatedToken
};
}
catch (SecurityTokenExpiredException ex)
{
result = new TokenValidationResult(TokenValidation.Expired, ex.Message);
}
catch (SecurityTokenInvalidAudienceException ex)
{
result = new TokenValidationResult(TokenValidation.InvalidAudience, ex.Message);
}
catch (SecurityTokenInvalidLifetimeException ex)
{
result = new TokenValidationResult(TokenValidation.InvalidLifetime, ex.Message);
}
catch (SecurityTokenInvalidSignatureException ex)
{
result = new TokenValidationResult(TokenValidation.InvalidSignature, ex.Message);
}
catch (SecurityTokenNoExpirationException ex)
{
result = new TokenValidationResult(TokenValidation.NoExpiration, ex.Message);
}
catch (SecurityTokenNotYetValidException ex)
{
result = new TokenValidationResult(TokenValidation.NotYetValid, ex.Message);
}
catch (SecurityTokenReplayAddFailedException ex)
{
result = new TokenValidationResult(TokenValidation.ReplayAdd, ex.Message);
}
catch (SecurityTokenReplayDetectedException ex)
{
result = new TokenValidationResult(TokenValidation.ReplayDetected, ex.Message);
}
catch (Exception ex)
{
result = new TokenValidationResult(TokenValidation.Error, ex.Message);
}
return(result);
}
public void ValidateIdTokenShouldNotValidateWhenNoIdToken()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}";
var idToken = "";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _allValidationSupportedVersion);
Assert.AreEqual(TokenValidationResult.IdTokenMissing, actual);
}
public void ValidateIdTokenShouldNotValidateWhenClaimInvalid()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}";
var idToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdWQiOiJ4LWNsaWVudGlkLXkiLCJhenAiOiJ4LWNsaWVudGlkLXkiLCJpc3MiOiJodHRwOi8vbW9iaWxlY29ubmVjdC5pbyIsImV4cCI6MjE0NzQ4MzY0NywiYXV0aF90aW1lIjoyMTQ3NDgzNjQ3LCJpYXQiOjE0NzEwMDc2NzR9.byu8aDef11sJPpPD9WM_j5uv92CsQEJLJ23SVCwrmf-btdyViTe5q1Q0X1hjVzv6FcCQLlrdJj1ib4sky6It1kVEEDk_E7w8KHH1CmmApghWh2lozJRlg8LQTQXgvfnUPeSLsoGBDYWI502aUhyy9V_zm9M0F3Vi0GWmDVZeXIvUlqdGd1YdzO0cmEfc9nyQSchimVmc-0etCGJn8qehvCZa_x96_u-qJeUiOb_7NypECoVDv8UzAZ48P5Dq-iDCYP6jCmOjdZ36b4JO6co1OnYp4cGONqZTQadVDewAfskKtGkspm6XUdil0WDct1DMuPnDuH1eweQtYopxtHRsjw";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _allValidationSupportedVersion);
Assert.AreEqual(TokenValidationResult.InvalidAudAndAzp, actual);
}
public void ValidateIdTokenShouldReturnValidWhenUnsupportedVersionAndValidationPassed()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}";
var idToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdWQiOiJ4LWNsaWVudGlkLXgiLCJhenAiOiJ4LWNsaWVudGlkLXgiLCJpc3MiOiJodHRwOi8vbW9iaWxlY29ubmVjdC5pbyIsImV4cCI6MjE0NzQ4MzY0NywiYXV0aF90aW1lIjoyMTQ3NDgzNjQ3LCJpYXQiOjE0NzEwMDczMjd9.U9c5iuybG4GIvrbQH5BT9AgllRbPL6SuIzL4Y3MW7VlCVIQOc_HFfkiLa0LNvqZiP-kFlADmnkzuuQxPq7IyaOILVYct20mrcOb_U_zMli4jg-t9P3BxHaq3ds9JlLBjz0oewd01ZQtWHgRnrGymfKAIojzHlde-aePuL1M26Eld5zoKQvCLcKAynZsjKsWF_6YdLk-uhlC5ofMOaOoPirPSPAxYvbj91z3o9XIgSHoU-umN7AJ6UQ4H-ulfftlRGK8hz0Yzpf2MHOy9OHg1u3ayfCaaf8g5zKGngcz0LgK9VAw2B31xJw-RHkPPh0Hz82FgBc4588oEFC1c22GGTw";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _validationUnsupportedVersion);
Assert.AreEqual(TokenValidationResult.IdTokenValidationSkipped, actual);
}
public void ValidateIdTokenSignatureShouldNotValidateWhenNoMatchingKey()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"test1\",},{\"e\":\"AQAB\",\"n\":\"sj_E_-OM6We6kM3Zl8LFQCbp4J1GA_RArvFo8Y0jLXR1xK20nJ0UIhCR1u4a3WD9dSwDRmcDa-3nT_1g5mzMOjBBO1I0VFDG61LyTkrbHhaz-VtRKjMcZMaVPHGC-nRogg92984s-ahO-Q4hkE05tiO96u3xj4S8_A3bsMIQCLQRYKS9_ovl_HxEJne3NFRkSZiiTym5g0H_nOrl2RlBYfV7GPst8Vzq45Mn1uDtCHocSeM3zunLG8TNOz0t6U_s0hAd0gKukoxgaGc1JDSsRWNs8r9SPniRMclKkcMWpdZQbLdT9ARsEB7i6w4x4C1p9i75PloXhwE-EOZ9kCeOtw\",\"kty\":\"RSA\",\"kid\":\"nottest\"}]}";
var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QifQ.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.PKN_cBANpXLegnmu6My4yhqcdbZaRVRLlseQJ4y1gMyFzLfRfYFHhbQC4xrIaN6ryxIsgJvFZ-047WfMwyptIhcP87exuYt6253k9gddndmjJtLuT9d5DB9bjiKkK49IdVsu91xyT1bXBHiWnZ-alFgnC4NfsCN3ec9TAynlivhzlBwghfdc6T8V27ewHWKg1ds0ZZbLQYZ0PtuLd0PW_SEOAnajVICBN7xm0rgxf9CTgOs5mBnKVCgPu1sJ-6bdcfA2VpLGLleuDHb9J9t6kbMytEMUjs4eDjdgxlogIUBOvY4MWfuu4l85GPZPMJ29aGmvAbns9e5Pufm8nO9DEA";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks);
Assert.AreEqual(TokenValidationResult.NoMatchingKey, actual);
}
public void ValidateIdTokenSignatureShouldValidateUsingMatchingAlgKey()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}";
var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.QOdjTBG5xzX9ROIYmEyJ5ozamcd1O8R6Zna0GpO14n2lFu2oG2FP7HWws3VvgDqMkgwhyt-l7wFs-SDxYWsXj6a3wCGOHQSkOwdFWx5QZwHf4abOCVbcD0HMcFRWAAhBU8K0k9gBlNOdblArEusXWUtNOb3zA9kE5X8aX8v3anh_utrxaKYSvndjHIe7d50XybsOip4QOsqMEUbeBdos4hqSc_KW9qQvZcqBoZs3J7n-n8nPX5TcXu7OZd62pT48GvpL1Y1O6xvBA-gvLEpba3KffucBkgSXtLYsfw8n109A335z9TWIM_9D6OrRkWQrYBLm3B6GfcGOUDJIISegTA";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks);
Assert.AreEqual(TokenValidationResult.Valid, actual);
}
private static void EnforceJwtIssuerIsTenant(TokenValidationResult validatedToken, string tenantAttestUri)
{
// Verify that the JWT issuer is indeed the tenantAttestUri (tenant specific URI)
var jwtTokenIssuerClaim = validatedToken.ClaimsIdentity.Claims.First(c => c.Type == "iss");
if (!string.Equals(tenantAttestUri, jwtTokenIssuerClaim.Value, StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentException("Policy JWT is not valid (iss claim does not match attest URI)");
}
}
public void ValidateIdTokenSignatureShouldNotValidateWhenAlgNotRS256()
{
var jwksJson = "{\"keys\":[{\"alg\":\"HS256\",\"kty\":\"oct\",\"use\":\"sig\",\"secret\":\"E5JqlByqY5vGQmeczEigRRr43fr-m7KdJMkN3eSDHOiv3UYYhRTr6OIirFHaYDdUgA4iq3WQ3lkHd3r-KV_iWlDzpha0dmaGaHvzYMThO5WKUBlsekGHT17V7tnnYq7aameaAUmVOZocKQ5svXrPNQJcFhDs-XO6Kcsin2zaYL6eCdLZF8w_YUYtGfxYD0SqB5mdmmE5jIam3f1dnodkoLmfGxUeSSAgCCJXHQtM-SwPpyZfGbYrhTAkcahPmrJOiQwZ7WPtFlMYR-T8U12STNaTDv63hjPW57cwLfjeTW8NEYO00KCWZD7HZo-8Tg4j93FG6b78VE7QUB-vjopQlw\"}]}";
var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.iTLUvv-HCYBkDzeVX0tRc5k3URY8kbjqvY1EgyXUE2s";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks);
Assert.AreEqual(TokenValidationResult.IncorrectAlgorithm, actual);
}
public void ValidateIdTokenSignatureShouldNotValidateWhenSignatureMissing()
{
var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}";
var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.";
var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson);
TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks);
Assert.AreEqual(TokenValidationResult.InvalidSignature, actual);
}
/// <summary>
/// Custom validation logic for access tokens.
/// </summary>
/// <param name="result">The validation result so far.</param>
/// <returns>
/// The validation result
/// </returns>
public virtual async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result)
{
if (result.IsError)
{
return(result);
}
// make sure user is still active (if sub claim is present)
var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
if (subClaim != null)
{
var principal = Principal.Create("tokenvalidator", result.Claims.ToArray());
if (result.ReferenceTokenId.IsPresent())
{
principal.Identities.First().AddClaim(new Claim(Constants.ClaimTypes.ReferenceTokenId, result.ReferenceTokenId));
}
var isActiveCtx = new IsActiveContext(principal, result.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
Logger.Warn("User marked as not active: " + subClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return(result);
}
}
// make sure client is still active (if client_id claim is present)
var clientClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.ClientId);
if (clientClaim != null)
{
var client = await _clients.FindClientByIdAsync(clientClaim.Value);
if (client == null || client.Enabled == false)
{
Logger.Warn("Client deleted or disabled: " + clientClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return(result);
}
}
return(result);
}
/// <inheritdoc />
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
_logger.LogTrace("HandleAuthenticateAsync called");
string token = null;
string authorization = Request.Headers["Authorization"];
if (string.IsNullOrEmpty(authorization))
{
return(AuthenticateResult.Fail("No Authorization Header is sent."));
}
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
token = authorization.Substring("Bearer ".Length).Trim();
}
if (string.IsNullOrEmpty(token))
{
return(AuthenticateResult.Fail("No Access Token is sent."));
}
_logger.LogTrace("Token found: {token}", token);
TokenValidationResult result = await _tokenValidator.ValidateAccessTokenAsync(token, Options.ExpectedScope);
if (result.IsError)
{
_logger.LogTrace("Failed to validate the token");
return(AuthenticateResult.Fail(result.Error));
}
_logger.LogTrace("Successfully validated the token.");
ClaimsIdentity claimsIdentity = new ClaimsIdentity(result.Claims, Scheme.Name, JwtClaimTypes.Name, JwtClaimTypes.Role);
ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
AuthenticationProperties authenticationProperties = new AuthenticationProperties();
if (Options.SaveToken)
{
authenticationProperties.StoreTokens(new[]
{
new AuthenticationToken {
Name = "access_token", Value = token
}
});
}
AuthenticationTicket authenticationTicket = new AuthenticationTicket(claimsPrincipal, authenticationProperties, Scheme.Name);
return(AuthenticateResult.Success(authenticationTicket));
}
public async Task ValidateAccessToken(OAuthValidateTokenContext <IAccessToken> context)
{
var result = new TokenValidationResult <IAccessToken>(context.Token);
if (context.Token == null || string.IsNullOrWhiteSpace(context.Token.Ticket))
{
context.Rejected();
return;
}
context.Validated();
}
private void ValidateAccessToken(string encryptedUserCred)
{
string option = AccessTokenValidatorFactory.ACCESS_TOKEN_WCF;
IAccessTokenValidator tokenValidator = AccessTokenValidatorFactory.GetAccessTokenValidator(option);
TokenValidationResult result = tokenValidator.IsUserCredentialValid(encryptedUserCred);
if (!result.IsValidationSuccess)
{
throw new TokenValidationException(result.Message, result.Status);
}
}
/// <summary>
/// Custom validation logic for access tokens.
/// </summary>
/// <param name="result">The validation result so far.</param>
/// <returns>
/// The validation result
/// </returns>
public async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result)
{
if (!string.IsNullOrWhiteSpace(result.Jwt) && !result.IsError)
{
Token token = await Store.GetReferenceTokenAsync(result.Jwt);
if (token == null)
{
result.IsError = true;
}
}
return(result);
}
public override Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null)
{
var result = new TokenValidationResult
{
IsError = false,
Claims = new[]
{
new Claim(Constants.ClaimTypes.Subject, "unique_subject"),
new Claim(Constants.ClaimTypes.Name, "subject name")
}
};
return(Task.FromResult(result));
}
public Task<TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result, Core.Models.CoreSettings settings, Core.Services.IClientService clients, Core.Services.IUserService users)
{
throw new NotImplementedException();
}
/// <summary>
/// Gets the Message for the specified Token Validation Result
/// </summary>
/// <param name="tokenResult">TokenValidationResult</param>
/// <returns>String Message</returns>
private String GetTokenValidationResultMessage(TokenValidationResult tokenResult)
{
switch (tokenResult)
{
case TokenValidationResult.Success:
return "Success";
case TokenValidationResult.FailureExpired:
return "Expired Token";
case TokenValidationResult.FailureInvalid:
return "Invalid Token";
case TokenValidationResult.FailureHash:
return "Hash Failure";
default:
return "Unknown Error";
}
}
public Task<TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result, Core.Models.CoreSettings settings, Core.Services.IClientService clients, Core.Services.IUserService users)
{
return Task.FromResult(result);
}
