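/// <summary>
/// Decodes the specified token after verifying its signature, issuer and expiration.
/// </summary>
/// <param name="token">The token, as three dot-separated parts: header, payload and signature.</param>
/// <returns>The decoded token; or null if it's invalid.</returns>
private static Token Decode(string token)
{
    var parts = token?.Split('.') ?? new string[0];

    using (var hash = new HMACSHA256(Settings.ValidationKey))
    {
        // The header is matched against the single expected value rather than parsed,
        // so the token itself cannot select how it is verified.
        if (parts.Length != 3 || parts[0] != Header)
        {
            return null;
        }

        // NOTE(review): Encoding.Default is platform-dependent. It is kept here because the
        // signing side is not visible from this method and both sides must produce the same
        // bytes; confirm, and consider pinning one explicit encoding in both places.
        var signedBytes = Encoding.Default.GetBytes($"{parts[0]}.{parts[1]}");
        var expected = Base64UrlEncoder.Encode(hash.ComputeHash(signedBytes));
        var provided = parts[2];

        // The length of a valid signature is not secret, so a length mismatch may return early.
        if (expected == null || expected.Length != provided.Length)
        {
            return null;
        }

        // Compare every character instead of stopping at the first mismatch, so the time
        // taken does not reveal how much of a forged signature was correct.
        var difference = 0;
        for (var i = 0; i < expected.Length; i++)
        {
            difference |= expected[i] ^ provided[i];
        }

        if (difference != 0)
        {
            return null;
        }

        // The payload is deserialized only after the signature has been verified.
        var payload = JsonConvert.DeserializeObject<Token>(Base64UrlEncoder.DecodeString(parts[1]));

        // A payload that deserializes to null is treated as invalid rather than dereferenced.
        if (payload == null || payload.Issuer != Issuer || Epoch.AddSeconds(payload.Expiration) < DateTime.UtcNow)
        {
            return null;
        }

        return payload;
    }
}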