예제 #1
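        /// <summary>
        /// Validates the parsed id_token claims against the values this client expects.
        /// </summary>
        /// <remarks>
        /// Checks, in order: the <c>alg</c> header, the <c>exp</c> claim, the <c>iss</c> claim,
        /// the <c>aud</c> claim and, when both an access token and an <c>at_hash</c> claim are present,
        /// the access-token hash. All header/claim comparisons are exact (ordinal, case-sensitive):
        /// <c>alg</c> (RFC 7515 §4.1.1), <c>iss</c> and <c>aud</c>/<c>client_id</c> (OpenID Connect Core
        /// §3.1.3.7) are all defined as case-sensitive values, so a case-insensitive match would accept
        /// tokens that the spec says must be rejected.
        /// <para>
        /// WARNING: the token signature is NOT verified by this method (see the TODO below); the
        /// <c>alg</c> check only compares the header string. Until signature verification is added,
        /// a passing result proves only that the claims are consistent with the expected values, not
        /// that the token is authentic. Callers must perform signature verification elsewhere.
        /// </para>
        /// </remarks>
        /// <param name="expectedClientId">The client_id this token must be issued for (<c>aud</c>).</param>
        /// <param name="expectedAlgorithm">The JWS <c>alg</c> value the token header must carry.</param>
        /// <param name="expectedIssuer">The issuer identifier the <c>iss</c> claim must equal.</param>
        /// <param name="accessToken">Optional access token; when supplied and the token carries
        /// <c>at_hash</c>, the hash of this value must match that claim.</param>
        /// <returns><c>true</c> when every check passes; failures throw instead of returning <c>false</c>.</returns>
        /// <exception cref="ArgumentOutOfRangeException">Thrown for any failed check, including a missing
        /// (null) header/claim, with the offending member name as the parameter name.</exception>
        public bool Validate(string expectedClientId, string expectedAlgorithm, string expectedIssuer, string accessToken = null)
        {
            // Verify the 'alg' header. string.Equals tolerates a null Algorithm, so a token missing the
            // header fails with the descriptive exception below instead of a NullReferenceException.
            // Ordinal: JWA algorithm names are case-sensitive, so "rs256" must not pass for "RS256".
            if (!string.Equals(Algorithm, expectedAlgorithm, StringComparison.Ordinal))
            {
                throw new ArgumentOutOfRangeException(nameof(Algorithm), $"The id_token 'alg' does not match the expected algorithm value.  Expected '{expectedAlgorithm}' but found '{Algorithm}'.");
            }

            //TODO: Validate signature
            // NOTE(review): nothing checked below is trustworthy until the signature has been verified
            // against the issuer's key for the 'alg' above. A matching 'alg' header does not authenticate the token.

            // Verify expiration claim. No clock-skew allowance is applied: a token that expired even one
            // tick before this call is rejected. Expiration is compared against UTC, so it is assumed to
            // hold a UTC DateTime — confirm at the parsing site.
            if (Expiration < DateTime.UtcNow)
            {
                throw new ArgumentOutOfRangeException(nameof(Expiration), $"The id_token is expired");
            }

            // Verify issuer claim. OpenID Connect requires 'iss' to exactly match the expected issuer identifier.
            if (!string.Equals(Issuer, expectedIssuer, StringComparison.Ordinal))
            {
                throw new ArgumentOutOfRangeException(nameof(Issuer), $"The id_token 'iss' claim does not match expected issuer value.  Expected '{expectedIssuer}' but found '{Issuer}'.");
            }

            // Verify audience claim. client_id is a case-sensitive string; a case-insensitive match would
            // accept a token minted for a different client whose id differs only in case.
            // NOTE(review): 'aud' may legally be a JSON array; this class exposes it as a single string, so an
            // array-valued claim cannot be validated here — confirm how the parser handles that case.
            if (!string.Equals(Audience, expectedClientId, StringComparison.Ordinal))
            {
                throw new ArgumentOutOfRangeException(nameof(Audience), $"The id_token 'aud' claim does not match the provided clientId value.");
            }

            // Verify access token hash claim, only when both sides are available. A token that omits
            // 'at_hash' is not rejected even if an access token was supplied; callers in flows where
            // 'at_hash' is mandatory (e.g. implicit flow returning an access token) must enforce its
            // presence themselves.
            if (!string.IsNullOrEmpty(accessToken) && !string.IsNullOrEmpty(AccessTokenHash))
            {
                // NOTE(review): the helper name suggests SHA-256 is always used. at_hash is defined over the
                // hash of the 'alg' (SHA-256 for *256, SHA-384 for *384, SHA-512 for *512), so this is only
                // correct for SHA-256-based algorithms — confirm against the algorithms this client accepts.
                var computedAtHash = Util.Sha256AtHash(accessToken);

                // at_hash is base64url text; an exact ordinal comparison is the correct one.
                if (!string.Equals(AccessTokenHash, computedAtHash, StringComparison.Ordinal))
                {
                    throw new ArgumentOutOfRangeException(nameof(AccessTokenHash), $"The id_token 'at_hash' claim does not match the expected hash of the given token.  Expected {computedAtHash} but found {AccessTokenHash}");
                }
            }

            return true;
        }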