/// <summary>
/// This method validates the Simple Web Token.
/// </summary>
/// <param name="token">A simple web token.</param>
/// <returns>A Claims Collection which contains all the claims from the token.</returns>
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
if (token == null)
{
throw new ArgumentNullException("token");
}
SwtSecurityToken simpleWebToken = token as SwtSecurityToken;
if (simpleWebToken == null)
{
throw new ArgumentException("The token provided must be of type SimpleWebToken.");
}
if (DateTime.Compare(simpleWebToken.ValidTo.Add(Configuration.MaxClockSkew), DateTime.UtcNow) <= 0)
{
throw new SecurityTokenExpiredException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
ValidateSignature(simpleWebToken);
ValidateAudience(simpleWebToken.Audience);
ClaimsIdentity claimsIdentity = CreateClaims(simpleWebToken);
if (this.Configuration.SaveBootstrapContext)
{
claimsIdentity.BootstrapContext = new BootstrapContext(simpleWebToken.SerializedToken);
}
List <ClaimsIdentity> claimCollection = new List <ClaimsIdentity>(new ClaimsIdentity[] { claimsIdentity });
return(claimCollection.AsReadOnly());
}
public SwtSecurityToken GetAccessToken()
{
string tokenString = RequestAccessToken();
NameValueCollection tokenParts = HttpUtility.ParseQueryString(tokenString);
var token = new SwtSecurityToken(tokenParts);
return token;
}
/// <summary>
/// Parses the string token and generates a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="serializedToken">The serialized form of the token received.</param>
/// <returns>The parsed form of the token.</returns>
protected SecurityToken ReadSecurityTokenFromString(string serializedToken)
{
if (String.IsNullOrEmpty(serializedToken))
{
throw new ArgumentException("The parameter 'serializedToken' cannot be null or empty string.");
}
// Create a collection of SWT name value pairs
NameValueCollection properties = ParseToken(serializedToken);
SwtSecurityToken swt = new SwtSecurityToken(properties, serializedToken);
return(swt);
}
/// <summary>
/// Validates the signature on the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
protected virtual void ValidateSignature(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken) || String.IsNullOrEmpty(simpleWebToken.Signature))
{
throw new SecurityTokenValidationException("The token does not have a signature to verify");
}
string serializedToken = simpleWebToken.SerializedToken;
string unsignedToken = null;
// Find the last parameter. The signature must be last per SWT specification.
int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator);
// Check whether the last parameter is an hmac.
if (lastSeparator > 0)
{
string lastParamStart = ParameterSeparator + SwtSecurityTokenConstants.Signature + "=";
string lastParam = serializedToken.Substring(lastSeparator);
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedToken = serializedToken.Substring(0, lastSeparator);
}
}
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey());
if (string.CompareOrdinal(HttpUtility.UrlDecode(generatedSignature), HttpUtility.UrlDecode(simpleWebToken.Signature)) != 0)
{
throw new SecurityTokenValidationException("The signature on the incoming token is invalid.");
}
}
/// <summary>Creates <see cref="Claim"/>'s from the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
/// <returns>A <see cref="ClaimsIdentity"/> created from the token.</returns>
protected virtual ClaimsIdentity CreateClaims(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
NameValueCollection tokenProperties = simpleWebToken.GetAllProperties();
if (tokenProperties == null)
{
throw new SecurityTokenValidationException("No claims can be created from this Simple Web Token.");
}
if (Configuration.IssuerNameRegistry == null)
{
throw new InvalidOperationException("The Configuration.IssuerNameRegistry property of this SecurityTokenHandler is set to null. Tokens cannot be validated in this state.");
}
string normalizedIssuer = Configuration.IssuerNameRegistry.GetIssuerName(simpleWebToken);
ClaimsIdentity identity = new ClaimsIdentity(AuthenticationTypes.Federation);
foreach (string key in tokenProperties.Keys)
{
if (!IsReservedKeyName(key) && !string.IsNullOrEmpty(tokenProperties[key]))
{
identity.AddClaim(new Claim(key, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer));
if (key == AcsNameClaimType)
{
// add a default name claim from the Name identifier claim.
identity.AddClaim(new Claim(DefaultNameClaimType, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer));
}
}
}
return(identity);
}
public override SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor)
{
if (tokenDescriptor == null)
{
throw new ArgumentNullException("tokenDescriptor");
}
NameValueCollection properties = new NameValueCollection();
properties.Add(SwtSecurityTokenConstants.Id, Guid.NewGuid().ToString());
properties.Add(SwtSecurityTokenConstants.Issuer, tokenDescriptor.TokenIssuerName);
properties.Add(SwtSecurityTokenConstants.Audience, tokenDescriptor.AppliesToAddress);
properties.Add(SwtSecurityTokenConstants.ExpiresOn, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Expires));
properties.Add(SwtSecurityTokenConstants.ValidFrom, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Created));
foreach (Claim claim in tokenDescriptor.Subject.Claims)
{
properties.Add(claim.Type, claim.Value);
}
SwtSecurityToken token = new SwtSecurityToken(properties);
return(token);
}
/// <summary>
/// Serializes the given SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter into which the token is serialized.</param>
/// <param name="token">SecurityToken to be serialized.</param>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
SwtSecurityToken simpleWebToken = token as SwtSecurityToken;
if (simpleWebToken == null)
{
throw new SecurityTokenException("The given token is not of the expected type 'SimpleWebToken'.");
}
string signedToken = null;
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken))
{
StringBuilder strBuilder = new StringBuilder();
bool skipDelimiter = true;
NameValueCollection tokenProperties = simpleWebToken.GetAllProperties();
// Remove the signature if present
if (String.IsNullOrEmpty(tokenProperties[SwtSecurityTokenConstants.Signature]))
{
tokenProperties.Remove(SwtSecurityTokenConstants.Signature);
}
foreach (string key in tokenProperties.Keys)
{
if (tokenProperties[key] != null)
{
if (!skipDelimiter)
{
strBuilder.Append(ParameterSeparator);
}
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}={1}",
HttpUtility.UrlEncode(key),
HttpUtility.UrlEncode(tokenProperties[key])));
skipDelimiter = false;
}
}
string serializedToken = strBuilder.ToString();
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
// append the signature
string signature = GenerateSignature(serializedToken, securityKey.GetSymmetricKey());
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}{1}={2}",
ParameterSeparator,
HttpUtility.UrlEncode(SwtSecurityTokenConstants.Signature),
HttpUtility.UrlEncode(signature)));
signedToken = strBuilder.ToString();
}
else
{
// Reuse the stored serialized token if present
signedToken = simpleWebToken.SerializedToken;
}
string encodedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedToken));
writer.WriteStartElement(BinarySecurityToken);
writer.WriteAttributeString("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", token.Id);
writer.WriteAttributeString(ValueType, SwtSecurityTokenConstants.ValueTypeUri);
writer.WriteAttributeString(EncodingType, Base64EncodingType);
writer.WriteString(encodedToken);
writer.WriteEndElement();
}
/// <summary>Creates <see cref="Claim"/>'s from the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
/// <returns>A <see cref="ClaimsIdentity"/> created from the token.</returns>
protected virtual ClaimsIdentity CreateClaims(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
NameValueCollection tokenProperties = simpleWebToken.GetAllProperties();
if (tokenProperties == null)
{
throw new SecurityTokenValidationException("No claims can be created from this Simple Web Token.");
}
if (Configuration.IssuerNameRegistry == null)
{
throw new InvalidOperationException("The Configuration.IssuerNameRegistry property of this SecurityTokenHandler is set to null. Tokens cannot be validated in this state.");
}
string normalizedIssuer = Configuration.IssuerNameRegistry.GetIssuerName(simpleWebToken);
ClaimsIdentity identity = new ClaimsIdentity(AuthenticationTypes.Federation);
foreach (string key in tokenProperties.Keys)
{
if (!IsReservedKeyName(key) && !string.IsNullOrEmpty(tokenProperties[key]))
{
identity.AddClaim(new Claim(key, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer));
if (key == AcsNameClaimType)
{
// add a default name claim from the Name identifier claim.
identity.AddClaim(new Claim(DefaultNameClaimType, tokenProperties[key], ClaimValueTypes.String, normalizedIssuer));
}
}
}
return identity;
}
/// <summary>
/// Validates the signature on the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
protected virtual void ValidateSignature(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken) || String.IsNullOrEmpty(simpleWebToken.Signature))
{
throw new SecurityTokenValidationException("The token does not have a signature to verify");
}
string serializedToken = simpleWebToken.SerializedToken;
string unsignedToken = null;
// Find the last parameter. The signature must be last per SWT specification.
int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator);
// Check whether the last parameter is an hmac.
if (lastSeparator > 0)
{
string lastParamStart = ParameterSeparator + SwtSecurityTokenConstants.Signature + "=";
string lastParam = serializedToken.Substring(lastSeparator);
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedToken = serializedToken.Substring(0, lastSeparator);
}
}
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey());
if (string.CompareOrdinal(HttpUtility.UrlDecode(generatedSignature), HttpUtility.UrlDecode(simpleWebToken.Signature)) != 0)
{
throw new SecurityTokenValidationException("The signature on the incoming token is invalid.");
}
}
/// <summary>
/// Parses the string token and generates a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="serializedToken">The serialized form of the token received.</param>
/// <returns>The parsed form of the token.</returns>
protected SecurityToken ReadSecurityTokenFromString(string serializedToken)
{
if (String.IsNullOrEmpty(serializedToken))
{
throw new ArgumentException("The parameter 'serializedToken' cannot be null or empty string.");
}
// Create a collection of SWT name value pairs
NameValueCollection properties = ParseToken(serializedToken);
SwtSecurityToken swt = new SwtSecurityToken(properties, serializedToken);
return swt;
}
public override SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor)
{
if (tokenDescriptor == null)
{
throw new ArgumentNullException("tokenDescriptor");
}
NameValueCollection properties = new NameValueCollection();
properties.Add(SwtSecurityTokenConstants.Id, Guid.NewGuid().ToString());
properties.Add(SwtSecurityTokenConstants.Issuer, tokenDescriptor.TokenIssuerName);
properties.Add(SwtSecurityTokenConstants.Audience, tokenDescriptor.AppliesToAddress);
properties.Add(SwtSecurityTokenConstants.ExpiresOn, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Expires));
properties.Add(SwtSecurityTokenConstants.ValidFrom, SecondsFromSwtBaseTime(tokenDescriptor.Lifetime.Created));
foreach (Claim claim in tokenDescriptor.Subject.Claims)
{
properties.Add(claim.Type, claim.Value);
}
SwtSecurityToken token = new SwtSecurityToken(properties);
return token;
}
