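/// <summary>
/// Validates a client assertion (a JWT bearer secret) against the client's stored secrets.
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret; its <c>Credential</c> must be the raw JWT string.</param>
/// <returns>
/// A completed task holding a validation result. Success requires that the JWT is signed by one of the
/// trusted keys, that 'iss' equals <paramref name="parsedSecret"/>.Id, that 'aud' equals the configured
/// audience, that an 'exp' claim is present, and that 'sub' equals 'iss'.
/// </returns>
/// <exception cref="System.ArgumentNullException"><paramref name="secrets"/> or <paramref name="parsedSecret"/> is null.</exception>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a string.</exception>
public Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secrets, ParsedSecret parsedSecret)
{
    // Guard at the entry point so a null argument surfaces as a contract violation
    // rather than a NullReferenceException inside the validation path.
    if (secrets == null)
    {
        throw new ArgumentNullException(nameof(secrets));
    }
    if (parsedSecret == null)
    {
        throw new ArgumentNullException(nameof(parsedSecret));
    }

    var fail = Task.FromResult(new SecretValidationResult { Success = false });
    var success = Task.FromResult(new SecretValidationResult { Success = true });

    // Only JWT bearer assertions are handled by this validator.
    if (parsedSecret.Type != Constants.ParsedSecretTypes.JwtBearer)
    {
        return fail;
    }

    var jwtTokenString = parsedSecret.Credential as string;
    if (jwtTokenString == null)
    {
        throw new ArgumentException("ParsedSecret.Credential is not a string.");
    }

    // Materialize once; GetTrustedKeys may enumerate the secrets more than once.
    var enumeratedSecrets = secrets.ToList().AsReadOnly();
    var trustedKeys = GetTrustedKeys(enumeratedSecrets, jwtTokenString);
    if (!trustedKeys.Any())
    {
        // Without a trusted key the signature cannot be checked, so the assertion is rejected.
        Logger.Warn("There are no certificates available to validate client assertion.");
        return fail;
    }

    // Issuer must be the client id the assertion was presented for, the audience must be this
    // server's configured audience, and unsigned or non-expiring assertions are rejected.
    var tokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKeys = trustedKeys,
        ValidateIssuerSigningKey = true,
        ValidIssuer = parsedSecret.Id,
        ValidateIssuer = true,
        ValidAudience = audienceUri,
        ValidateAudience = true,
        RequireSignedTokens = true,
        RequireExpirationTime = true
    };

    try
    {
        SecurityToken token;
        var handler = new EmbeddedCertificateJwtSecurityTokenHandler();
        handler.ValidateToken(jwtTokenString, tokenValidationParameters, out token);

        // 'iss' was already pinned to the client id above, so this check forces 'sub' to the same value.
        var jwtToken = (JwtSecurityToken)token;
        if (jwtToken.Subject != jwtToken.Issuer)
        {
            Logger.Warn("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
            return fail;
        }

        // NOTE(review): no 'jti' replay check is performed in this method — confirm whether
        // assertion replay is handled elsewhere.
        return success;
    }
    catch (Exception e)
    {
        // Deliberately broad: any failure to validate the assertion is an authentication failure,
        // not a server error. NOTE(review): kept at debug level as in the original; confirm that
        // e.Message cannot echo assertion contents before raising it to a higher level.
        Logger.Debug("JWT token validation error: " + e.Message);
        return fail;
    }
}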
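/// <summary>
/// Validates a client assertion (a JWT bearer secret) against the client's stored secrets.
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret; its <c>Credential</c> must be the raw JWT string.</param>
/// <returns>
/// A completed task holding a validation result. Success requires that the JWT is signed by one of the
/// trusted keys, that 'iss' equals <paramref name="parsedSecret"/>.Id, that 'aud' equals the configured
/// audience, that an 'exp' claim is present, and that 'sub' equals 'iss'.
/// </returns>
/// <exception cref="System.ArgumentNullException"><paramref name="secrets"/> or <paramref name="parsedSecret"/> is null.</exception>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a string.</exception>
public Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secrets, ParsedSecret parsedSecret)
{
    // Guard at the entry point so a null argument surfaces as a contract violation
    // rather than a NullReferenceException inside the validation path.
    if (secrets == null)
    {
        throw new ArgumentNullException(nameof(secrets));
    }
    if (parsedSecret == null)
    {
        throw new ArgumentNullException(nameof(parsedSecret));
    }

    // Only JWT bearer assertions are handled by this validator.
    if (parsedSecret.Type != Constants.ParsedSecretTypes.JwtBearer)
    {
        return Failure();
    }

    var jwtTokenString = parsedSecret.Credential as string;
    if (jwtTokenString == null)
    {
        throw new ArgumentException("ParsedSecret.Credential is not a string.");
    }

    // Materialize once; GetTrustedKeys may enumerate the secrets more than once.
    var enumeratedSecrets = secrets.ToList().AsReadOnly();
    var trustedKeys = GetTrustedKeys(enumeratedSecrets, jwtTokenString);
    if (!trustedKeys.Any())
    {
        // Without a trusted key the signature cannot be checked, so the assertion is rejected.
        Logger.Warn("There are no certificates available to validate client assertion.");
        return Failure();
    }

    var tokenValidationParameters = CreateAssertionValidationParameters(trustedKeys, parsedSecret.Id);

    try
    {
        SecurityToken token;
        var handler = new EmbeddedCertificateJwtSecurityTokenHandler();
        handler.ValidateToken(jwtTokenString, tokenValidationParameters, out token);

        // 'iss' was already pinned to the client id, so this check forces 'sub' to the same value.
        var jwtToken = (JwtSecurityToken)token;
        if (jwtToken.Subject != jwtToken.Issuer)
        {
            Logger.Warn("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
            return Failure();
        }

        // NOTE(review): no 'jti' replay check is performed in this method — confirm whether
        // assertion replay is handled elsewhere.
        return Task.FromResult(new SecretValidationResult { Success = true });
    }
    catch (Exception e)
    {
        // Deliberately broad: any failure to validate the assertion is an authentication failure,
        // not a server error. NOTE(review): kept at debug level as in the original; confirm that
        // e.Message cannot echo assertion contents before raising it to a higher level.
        Logger.Debug("JWT token validation error: " + e.Message);
        return Failure();
    }
}

// Builds a completed task carrying a failed validation result.
private static Task<SecretValidationResult> Failure()
{
    return Task.FromResult(new SecretValidationResult { Success = false });
}

// Builds the parameters for validating a client assertion: the issuer must be the client id the
// assertion was presented for, the audience must be this server's configured audience, and
// unsigned or non-expiring assertions are rejected.
private TokenValidationParameters CreateAssertionValidationParameters(IEnumerable<SecurityKey> trustedKeys, string expectedIssuer)
{
    return new TokenValidationParameters
    {
        IssuerSigningKeys = trustedKeys,
        ValidateIssuerSigningKey = true,
        ValidIssuer = expectedIssuer,
        ValidateIssuer = true,
        ValidAudience = audienceUri,
        ValidateAudience = true,
        RequireSignedTokens = true,
        RequireExpirationTime = true
    };
}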