/// <summary> /// Finds a named collection of <see cref="SecurityKey"/>(s) that match the <see cref="SecurityKeyIdentifierClause"/> and returns a <see cref="NamedKeySecurityToken"/> that contains the <see cref="SecurityKey"/>(s). /// </summary> /// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifier"/> to resolve to a <see cref="SecurityToken"/></param> /// <param name="token">The resolved <see cref="SecurityToken"/>.</param> /// <remarks>If there is no match, then <see cref="IssuerTokenResolver"/> and 'base' are called in order.</remarks> /// <returns>true if token was resolved.</returns> /// <exception cref="ArgumentNullException">if 'keyIdentifierClause' is null.</exception> protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { if (keyIdentifierClause == null) { throw new ArgumentNullException("keyIdentifierClause"); } token = null; NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause; if (namedKeyIdentifierClause != null) { IList <SecurityKey> resolvedKeys = null; if (this.keys.TryGetValue(namedKeyIdentifierClause.Name, out resolvedKeys)) { token = new NamedKeySecurityToken(namedKeyIdentifierClause.Name, namedKeyIdentifierClause.Id, resolvedKeys); return(true); } } if (IssuerTokenResolver != null && IssuerTokenResolver.TryResolveToken(keyIdentifierClause, out token)) { return(true); } return(base.TryResolveTokenCore(keyIdentifierClause, out token)); }
/// <summary> /// Gets the first<see cref="SecurityKey"/> that matches a <see cref="SecurityKeyIdentifierClause"/> /// </summary> /// <param name="keyIdentifierClause">the <see cref="SecurityKeyIdentifierClause"/> to match.</param> /// <returns>The first <see cref="SecurityKey"/> that matches the <see cref="SecurityKeyIdentifierClause"/>. /// <para>null if there is no match.</para></returns> /// <para>Only <see cref="NamedKeySecurityKeyIdentifierClause"/> are matched.</para> /// <exception cref="ArgumentNullException">'keyIdentifierClause' is null.</exception> public override SecurityKey ResolveKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause) { if (keyIdentifierClause == null) { throw new ArgumentNullException("keyIdentifierClause"); } // if name matches, return first non null NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause; if (namedKeyIdentifierClause != null) { if (string.Equals(namedKeyIdentifierClause.Name, this.name, StringComparison.Ordinal)) { foreach (SecurityKey securityKey in this.securityKeys) { if (securityKey == null) { continue; } return(securityKey); } } } return(null); }
/// <summary> /// Answers if the <see cref="SecurityKeyIdentifierClause"/> is a match. /// </summary> /// <param name="keyIdentifierClause">The <see cref="SecurityKeyIdentifierClause"/></param> /// <returns>true if matched.</returns> /// <remarks><para>A successful match occurs when <see cref="NamedKeySecurityKeyIdentifierClause.Name"/> == <see cref="Id"/>.</para> /// <para>Only <see cref="NamedKeySecurityKeyIdentifierClause"/> are matched.</para></remarks> /// <exception cref="ArgumentNullException">'keyIdentifierClause' is null.</exception> public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause) { if (keyIdentifierClause == null) { throw new ArgumentNullException("keyIdentifierClause"); } NamedKeySecurityKeyIdentifierClause namedKeyIdentifierClause = keyIdentifierClause as NamedKeySecurityKeyIdentifierClause; if (namedKeyIdentifierClause != null) { if (string.Equals(namedKeyIdentifierClause.Id, this.id, StringComparison.Ordinal) && string.Equals(namedKeyIdentifierClause.Name, this.name, StringComparison.Ordinal)) { return(true); } } return(false); }
/// <summary> /// Initializes a new instance of the <see cref="JwtHeader"/> class. With the Header Parameters as follows: /// <para>{ { typ, JWT }, { alg, Mapped( <see cref="System.IdentityModel.Tokens.SigningCredentials.SignatureAlgorithm"/> } } /// See: Algorithm Mapping below.</para> /// </summary> /// <param name="signingCredentials">The <see cref="SigningCredentials"/> that will be or were used to sign the <see cref="JwtSecurityToken"/>.</param> /// <remarks> /// <para>For each <see cref="SecurityKeyIdentifierClause"/> in signingCredentials.SigningKeyIdentifier</para> /// <para>if the clause is a <see cref="NamedKeySecurityKeyIdentifierClause"/> Header Parameter { clause.Name, clause.Id } will be added.</para> /// <para>For example, if clause.Name == 'kid' and clause.Id == 'SecretKey99'. The JSON object { kid, SecretKey99 } would be added.</para> /// <para>In addition, if the <see cref="SigningCredentials"/> is a <see cref="X509SigningCredentials"/> the JSON object { x5t, Base64UrlEncoded( <see cref="X509Certificate.GetCertHashString()"/> } will be added.</para> /// <para>This simplifies the common case where a X509Certificate is used.</para> /// <para>================= </para> /// <para>Algorithm Mapping</para> /// <para>================= </para> /// <para><see cref="System.IdentityModel.Tokens.SigningCredentials.SignatureAlgorithm"/> describes the algorithm that is discoverable by the CLR runtime.</para> /// <para>The { alg, 'value' } placed in the header reflects the JWT specification.</para> /// <see cref="JwtSecurityTokenHandler.OutboundAlgorithmMap"/> contains a signature mapping where the 'value' above will be translated according to this mapping. /// <para>Current mapping is:</para> /// <para>    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'RS256'</para> /// <para>    'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' => 'HS256'</para> /// </remarks> public JwtHeader(SigningCredentials signingCredentials = null) : base(StringComparer.Ordinal) { this[JwtHeaderParameterNames.Typ] = JwtConstants.HeaderType; if (signingCredentials != null) { this.signingCredentials = signingCredentials; string algorithm = signingCredentials.SignatureAlgorithm; if (JwtSecurityTokenHandler.OutboundAlgorithmMap.ContainsKey(signingCredentials.SignatureAlgorithm)) { algorithm = JwtSecurityTokenHandler.OutboundAlgorithmMap[algorithm]; } this[JwtHeaderParameterNames.Alg] = algorithm; if (signingCredentials.SigningKeyIdentifier != null) { foreach (SecurityKeyIdentifierClause clause in signingCredentials.SigningKeyIdentifier) { NamedKeySecurityKeyIdentifierClause namedKeyClause = clause as NamedKeySecurityKeyIdentifierClause; if (namedKeyClause != null) { this[namedKeyClause.Name] = namedKeyClause.Id; } } } X509SigningCredentials x509SigningCredentials = signingCredentials as X509SigningCredentials; if (x509SigningCredentials != null && x509SigningCredentials.Certificate != null) { this[JwtHeaderParameterNames.X5t] = Base64UrlEncoder.Encode(x509SigningCredentials.Certificate.GetCertHash()); } } else { this[JwtHeaderParameterNames.Alg] = JwtAlgorithms.NONE; } }