/// <summary>Configure the signature behavior for a specific <paramref name="issuer"/>.</summary> public TokenValidationPolicyBuilder RequireSignatureByDefault(string issuer, IKeyProvider keyProvider, SignatureAlgorithm defaultAlgorithm) { if (issuer is null) { throw new ArgumentNullException(nameof(issuer)); } if (keyProvider is null) { throw new ArgumentNullException(nameof(keyProvider)); } if (defaultAlgorithm is null) { throw new ArgumentNullException(nameof(defaultAlgorithm)); } if (defaultAlgorithm == SignatureAlgorithm.None) { throw new ArgumentException($"The algorithm 'none' is not valid with the method {nameof(RequireSignature)}. Use the method {nameof(AcceptUnsecureToken)} instead.", nameof(defaultAlgorithm)); } _hasSignatureValidation = true; var policy = SignatureValidationPolicy.Create(keyProvider, defaultAlgorithm); _signaturePolicies[issuer] = policy; return(this); }
/// <summary>Clear the defined policies.</summary> public TokenValidationPolicyBuilder Clear() { _validators.Clear(); _criticalHeaderHandlers.Clear(); _defaultSignaturePolicy = SignatureValidationPolicy.InvalidSignature; _signaturePolicies.Clear(); _maximumTokenSizeInBytes = DefaultMaximumTokenSizeInBytes; _hasSignatureValidation = false; _ignoreNestedToken = false; return(this); }
/// <summary>Builds the <see cref="TokenValidationPolicy"/>.</summary> public TokenValidationPolicy Build() { Validate(); SignatureValidationPolicy signaturePolicy; if (_signaturePolicies.Count == 0) { signaturePolicy = _defaultSignaturePolicy; } else if (_signaturePolicies.Count == 1) { var first = _signaturePolicies.First(); signaturePolicy = SignatureValidationPolicy.Create(first.Key, first.Value); } else { signaturePolicy = SignatureValidationPolicy.Create(_signaturePolicies, _defaultSignaturePolicy); } var policy = new TokenValidationPolicy( validators: _validators.ToArray(), criticalHandlers: _criticalHeaderHandlers, maximumTokenSizeInBytes: _maximumTokenSizeInBytes, ignoreCriticalHeader: _ignoreCriticalHeader, ignoreNestedToken: _ignoreNestedToken, headerCacheDisabled: _headerCacheDisabled, signaturePolicy: signaturePolicy, encryptionKeyProviders: _decryptionKeysProviders, issuers: _issuers.ToArray(), audiences: _audiences.ToArray(), clockSkew: _clockSkew, control: _control); return(policy); }
public bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { return(SignatureValidationPolicy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error)); }
/// <summary> /// Try to validate the token signature. /// </summary> /// <param name="header"></param> /// <param name="contentBytes"></param> /// <param name="signatureSegment"></param> /// <returns></returns> public SignatureValidationResult TryValidateSignature(JwtHeader header, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment) { return(SignatureValidationPolicy.TryValidateSignature(header, contentBytes, signatureSegment)); }
public MultiIssuersSignatureValidationPolicy(Dictionary <string, SignatureValidationPolicy> policies, SignatureValidationPolicy defaultPolicy) { _policies = policies.ToDictionary(issuer => Utf8.GetBytes(issuer.Key), v => v.Value).ToArray(); _defaultPolicy = defaultPolicy; }
/// <summary>Creates a new <see cref="SignatureValidationPolicy"/> instance.</summary> internal static SignatureValidationPolicy Create(Dictionary <string, SignatureValidationPolicy> policies, SignatureValidationPolicy defaultPolicy) { return(new MultiIssuersSignatureValidationPolicy(policies, defaultPolicy)); }
/// <summary>Creates a new <see cref="SignatureValidationPolicy"/> instance.</summary> internal static SignatureValidationPolicy Create(string issuer, SignatureValidationPolicy policy) { return(new SingleIssuerSignatureValidationPolicy(issuer, policy)); }
public SingleIssuerSignatureValidationPolicy(string issuer, SignatureValidationPolicy policy) { _issuer = Utf8.GetBytes(issuer); _policy = policy; }
/// <summary> /// Defines the default signature validation when there is no issuer configuration. /// Use the method <see cref="RequireSignatureByDefault(string, IKeyProvider, SignatureAlgorithm?)"/> for linking the issuer with the signature. /// </summary> public TokenValidationPolicyBuilder RequireSignatureByDefault(IKeyProvider keyProvider, SignatureAlgorithm?algorithm) { _hasSignatureValidation = true; _defaultSignaturePolicy = SignatureValidationPolicy.Create(keyProvider, algorithm); return(this); }
/// <summary>Accepts secure token with the 'none' algorithm. You should use this very carefully.</summary> public TokenValidationPolicyBuilder AcceptUnsecureTokenByDefault() { _hasSignatureValidation = true; _defaultSignaturePolicy = SignatureValidationPolicy.NoSignature; return(this); }
/// <summary>Ignores the signature validation if no configuration is found for a specific issuer. You should use this very carefully.</summary> public TokenValidationPolicyBuilder IgnoreSignatureByDefault() { _hasSignatureValidation = true; _defaultSignaturePolicy = SignatureValidationPolicy.IgnoreSignature; return(this); }