/// <summary> /// Deserialize and verify the authentication ticket. /// </summary> /// <param name="ticket">The serialized ticket.</param> /// <returns>The authentication ticket.</returns> public Task <AuthenticationTicket> DeserializeTicketAsync(string ticket) { var handler = SecurityTokenHandler as ISecurityTokenValidator; if (handler == null) { return(Task.FromResult(DataFormat?.Unprotect(ticket))); } // Create new validation parameters to validate the security token. // ValidateAudience and ValidateLifetime are always set to false: // if necessary, the audience and the expiration can be validated // in InvokeValidationEndpointAsync or InvokeTokenEndpointAsync. var parameters = new TokenValidationParameters { IssuerSigningKey = SigningCredentials.SigningKey, ValidIssuer = Issuer, ValidateAudience = false, ValidateLifetime = false }; SecurityToken token; var principal = handler.ValidateToken(ticket, parameters, out token); // Parameters stored in AuthenticationProperties are lost // when the identity token is serialized using a security token handler. // To mitigate that, they are inferred from the claims or the security token. var properties = new AuthenticationProperties { ExpiresUtc = token.ValidTo, IssuedUtc = token.ValidFrom }; var audiences = principal.FindAll(JwtRegisteredClaimNames.Aud); if (audiences.Any()) { properties.SetAudiences(audiences.Select(claim => claim.Value)); } return(Task.FromResult(new AuthenticationTicket(principal, properties, Options.AuthenticationScheme))); }
private async Task <AuthenticationTicket> DeserializeIdentityTokenAsync(string token, OpenIdConnectMessage request) { try { var notification = new DeserializeIdentityTokenContext(Context, Options, request, token) { Issuer = Context.GetIssuer(Options), SecurityTokenHandler = Options.IdentityTokenHandler, SignatureProvider = Options.SignatureProvider, SigningKey = Options.SigningCredentials.Select(credentials => credentials.Key).FirstOrDefault() }; // Sets the default deserializer used to resolve the // authentication ticket corresponding to the identity token. notification.Deserializer = payload => { if (notification.SecurityTokenHandler == null) { return(Task.FromResult <AuthenticationTicket>(null)); } // Create new validation parameters to validate the security token. // ValidateAudience and ValidateLifetime are always set to false: // if necessary, the audience and the expiration can be validated // in InvokeValidationEndpointAsync or InvokeTokenEndpointAsync. var parameters = new TokenValidationParameters { IssuerSigningKey = notification.SigningKey, ValidIssuer = notification.Issuer, ValidateAudience = false, ValidateLifetime = false }; SecurityToken securityToken; var principal = notification.SecurityTokenHandler.ValidateToken(payload, parameters, out securityToken); // Parameters stored in AuthenticationProperties are lost // when the identity token is serialized using a security token handler. // To mitigate that, they are inferred from the claims or the security token. var properties = new AuthenticationProperties { ExpiresUtc = securityToken.ValidTo, IssuedUtc = securityToken.ValidFrom }; var audiences = principal.FindAll(JwtRegisteredClaimNames.Aud); if (audiences.Any()) { properties.SetAudiences(audiences.Select(claim => claim.Value)); } var usage = principal.FindFirst(OpenIdConnectConstants.Extra.Usage); if (usage != null) { properties.SetUsage(usage.Value); } if (principal.Claims.Any(claim => claim.Type == OpenIdConnectConstants.Extra.Confidential)) { properties.Items[OpenIdConnectConstants.Extra.Confidential] = "true"; } return(Task.FromResult(new AuthenticationTicket(principal, properties, Options.AuthenticationScheme))); }; await Options.Provider.DeserializeIdentityToken(notification); // Directly return the authentication ticket if one // has been provided by DeserializeIdentityToken. // Treat a non-null ticket like an implicit HandleResponse call. if (notification.HandledResponse || notification.AuthenticationTicket != null) { if (notification.AuthenticationTicket == null) { return(null); } // Ensure the received ticket is an identity token. if (!notification.AuthenticationTicket.IsIdentityToken()) { Logger.LogVerbose("The received token was not an identity token: {0}.", token); return(null); } return(notification.AuthenticationTicket); } else if (notification.Skipped) { return(null); } var ticket = await notification.DeserializeTicketAsync(token); if (ticket == null) { return(null); } // Ensure the received ticket is an identity token. if (!ticket.IsIdentityToken()) { Logger.LogVerbose("The received token was not an identity token: {0}.", token); return(null); } return(ticket); } catch (Exception exception) { Logger.LogWarning("An exception occured when deserializing an identity token.", exception); return(null); } }
private async Task <AuthenticationTicket> DeserializeAccessTokenAsync(string token, OpenIdConnectMessage request) { var notification = new DeserializeAccessTokenContext(Context, Options, request, token) { DataFormat = Options.AccessTokenFormat, Issuer = Context.GetIssuer(Options), SecurityTokenHandler = Options.AccessTokenHandler, SignatureProvider = Options.SignatureProvider, SigningCredentials = Options.SigningCredentials.FirstOrDefault() }; await Options.Provider.DeserializeAccessToken(notification); // Directly return the authentication ticket if one // has been provided by DeserializeAccessToken. if (notification.AuthenticationTicket != null) { return(notification.AuthenticationTicket); } var handler = notification.SecurityTokenHandler as ISecurityTokenValidator; if (handler == null) { return(notification.DataFormat?.Unprotect(token)); } // Create new validation parameters to validate the security token. // ValidateAudience and ValidateLifetime are always set to false: // if necessary, the audience and the expiration can be validated // in InvokeValidationEndpointAsync or InvokeTokenEndpointAsync. var parameters = new TokenValidationParameters { IssuerSigningKey = notification.SigningCredentials.Key, ValidIssuer = notification.Issuer, ValidateAudience = false, ValidateLifetime = false }; SecurityToken securityToken; ClaimsPrincipal principal; try { principal = handler.ValidateToken(token, parameters, out securityToken); } catch (Exception exception) { Logger.LogVerbose("An exception occured when deserializing an identity token: {Message}.", exception.Message); return(null); } // Parameters stored in AuthenticationProperties are lost // when the identity token is serialized using a security token handler. // To mitigate that, they are inferred from the claims or the security token. var properties = new AuthenticationProperties { ExpiresUtc = securityToken.ValidTo, IssuedUtc = securityToken.ValidFrom }; var audiences = principal.FindAll(JwtRegisteredClaimNames.Aud); if (audiences.Any()) { properties.SetAudiences(audiences.Select(claim => claim.Value)); } var usage = principal.FindFirst(OpenIdConnectConstants.Extra.Usage); if (usage != null) { properties.SetUsage(usage.Value); } if (principal.Claims.Any(claim => claim.Type == OpenIdConnectConstants.Extra.Confidential)) { properties.Items[OpenIdConnectConstants.Extra.Confidential] = "true"; } // Ensure the received ticket is an access token. var ticket = new AuthenticationTicket(principal, properties, Options.AuthenticationScheme); if (!ticket.IsAccessToken()) { Logger.LogVerbose("The received token was not an access token: {Token}.", token); return(null); } return(ticket); }