internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; var tokenFormat = new JwtFormat(valParams, issuerProvider); var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider() }; return(bearerOptions); }
public OAuthOptions() { TokenEndpointPath = new PathString("/token"); AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60); AccessTokenFormat = new JwtFormat(this); Provider = new OAuthProvider(); AllowInsecureHttp = true; }
public OAuthConfig() { TokenEndpointPath = new PathString("/token"); AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(24*60); Provider = new SimpleOAuthProvider(); AccessTokenFormat = new JwtFormat(this); // TODO: Don't allow this in production. ALWAYS USE SSL AllowInsecureHttp = true; }
/// <summary> /// Adds Active Directory Federation Services (ADFS) issued JWT bearer token middleware to your web application pipeline. /// </summary> /// <param name="app">The IAppBuilder passed to your configuration method.</param> /// <param name="options">An options class that controls the middleware behavior.</param> /// <returns>The original app parameter.</returns> public static IAppBuilder UseActiveDirectoryFederationServicesBearerAuthentication(this IAppBuilder app, ActiveDirectoryFederationServicesBearerAuthenticationOptions options) { if (options == null) { throw new ArgumentNullException("options"); } var cachingSecurityTokenProvider = new WsFedCachingSecurityTokenProvider(options.MetadataEndpoint, options.BackchannelCertificateValidator, options.BackchannelTimeout, options.BackchannelHttpHandler); #pragma warning disable 618 JwtFormat jwtFormat = null; if (options.TokenValidationParameters != null) { if (!string.IsNullOrWhiteSpace(options.Audience)) { // Carry over obsolete property if set if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience)) { options.TokenValidationParameters.ValidAudience = options.Audience; } else if (options.TokenValidationParameters.ValidAudiences == null) { options.TokenValidationParameters.ValidAudiences = new[] { options.Audience }; } else { options.TokenValidationParameters.ValidAudiences = options.TokenValidationParameters.ValidAudiences.Concat(new[] { options.Audience }); } } jwtFormat = new JwtFormat(options.TokenValidationParameters, cachingSecurityTokenProvider); } else { jwtFormat = new JwtFormat(options.Audience, cachingSecurityTokenProvider); } #pragma warning restore 618 if (options.TokenHandler != null) { jwtFormat.TokenHandler = options.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = options.Realm, Provider = options.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Description = options.Description }; app.UseOAuthBearerAuthentication(bearerOptions); return app; }
/// <summary> /// Adds Active Directory Federation Services (ADFS) issued JWT bearer token middleware to your web application pipeline. /// </summary> /// <param name="app">The IAppBuilder passed to your configuration method.</param> /// <param name="options">An options class that controls the middleware behavior.</param> /// <returns>The original app parameter.</returns> public static IAppBuilder UseActiveDirectoryFederationServicesBearerAuthentication(this IAppBuilder app, ActiveDirectoryFederationServicesBearerAuthenticationOptions options) { if (options == null) { throw new ArgumentNullException("options"); } var cachingSecurityTokenProvider = new WsFedCachingSecurityTokenProvider(options.MetadataEndpoint, options.BackchannelCertificateValidator, options.BackchannelTimeout, options.BackchannelHttpHandler); #pragma warning disable 618 JwtFormat jwtFormat = null; if (options.TokenValidationParameters != null) { if (!string.IsNullOrWhiteSpace(options.Audience)) { // Carry over obsolete property if set if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience)) { options.TokenValidationParameters.ValidAudience = options.Audience; } else if (options.TokenValidationParameters.ValidAudiences == null) { options.TokenValidationParameters.ValidAudiences = new[] { options.Audience }; } else { options.TokenValidationParameters.ValidAudiences = options.TokenValidationParameters.ValidAudiences.Concat(new[] { options.Audience }); } } jwtFormat = new JwtFormat(options.TokenValidationParameters, cachingSecurityTokenProvider); } else { jwtFormat = new JwtFormat(options.Audience, cachingSecurityTokenProvider); } #pragma warning restore 618 if (options.TokenHandler != null) { jwtFormat.TokenHandler = options.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = options.Realm, Provider = options.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Description = options.Description }; app.UseOAuthBearerAuthentication(bearerOptions); return(app); }
internal static void UseLocalValidation(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options) { var discoveryEndpoint = options.Authority; if (!discoveryEndpoint.EndsWith("/")) { discoveryEndpoint += "/"; } discoveryEndpoint += ".well-known/openid-configuration"; var provider = new DiscoveryCachingSecurityTokenProvider( discoveryEndpoint, options.BackchannelCertificateValidator, options.BackchannelHttpHandler); JwtFormat jwtFormat = null; if (options.TokenValidationParameters != null) { jwtFormat = new JwtFormat(options.TokenValidationParameters, provider); } else { var valParams = new TokenValidationParameters { ValidAudience = provider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; jwtFormat = new JwtFormat(valParams, provider); } if (options.TokenHandler != null) { jwtFormat.TokenHandler = options.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = provider.Audience, Provider = options.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Description = options.Description }; app.UseOAuthBearerAuthentication(bearerOptions); }
public void Security_SymmetricKeyTokenVerificationFact() { var issuer = "http://katanatesting.com/"; var sentIdentity = new ClaimsIdentity("CustomJwt", "MyNameClaimType", "MyRoleClaimType"); sentIdentity.AddClaims(new Claim[] { new Claim("MyNameClaimType", "TestUser"), new Claim("MyRoleClaimType", "Administrator") }); for (int i = 0; i < 5; i++) { sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString())); } var authProperties = new AuthenticationProperties(); var sentTicket = new AuthenticationTicket(sentIdentity, authProperties); var signingAlgorithm = new AesManaged(); var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(signingAlgorithm.Key), SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest); var tokenValidationParameters = new TokenValidationParameters() { ValidAudience = issuer, SaveSigninToken = true, AuthenticationType = sentIdentity.AuthenticationType }; var formatter = new JwtFormat(tokenValidationParameters, new SymmetricKeyIssuerSecurityKeyProvider(issuer, signingAlgorithm.Key)); formatter.TokenHandler = new JwtSecurityTokenHandler(); var protectedtext = SecurityUtils.CreateJwtToken(sentTicket, issuer, signingCredentials); //Receive part var receivedTicket = formatter.Unprotect(protectedtext); var receivedClaims = receivedTicket.Identity.Claims; Assert.Equal("CustomJwt", receivedTicket.Identity.AuthenticationType); Assert.Equal(ClaimsIdentity.DefaultNameClaimType, receivedTicket.Identity.NameClaimType); Assert.Equal(ClaimsIdentity.DefaultRoleClaimType, receivedTicket.Identity.RoleClaimType); Assert.NotNull(receivedTicket.Identity.BootstrapContext); Assert.NotNull((receivedTicket.Identity.BootstrapContext) as string); Assert.Equal(issuer, receivedClaims.Where <Claim>(claim => claim.Type == "iss").FirstOrDefault().Value); Assert.Equal(issuer, receivedClaims.Where <Claim>(claim => claim.Type == "aud").FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where <Claim>(claim => claim.Type == "exp").FirstOrDefault().Value); for (int i = 0; i < 5; i++) { sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString())); Assert.Equal(i.ToString(), receivedClaims.Where <Claim>(claim => claim.Type == "ClaimId" + i.ToString()).FirstOrDefault().Value); } Assert.Equal("TestUser", receivedClaims.Where <Claim>(claim => claim.Type == ClaimsIdentity.DefaultNameClaimType).FirstOrDefault().Value); Assert.Equal("Administrator", receivedClaims.Where <Claim>(claim => claim.Type == ClaimsIdentity.DefaultRoleClaimType).FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where <Claim>(claim => claim.Type == "iat").FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where <Claim>(claim => claim.Type == "jti").FirstOrDefault().Value); }
public void Security_X509CertificateTokenVerificationFact() { var issuer = "http://katanatesting.com/"; var sentIdentity = new ClaimsIdentity("CustomJwt", "MyNameClaimType", "MyRoleClaimType"); sentIdentity.AddClaims(new Claim[] { new Claim("MyNameClaimType", "TestUser"), new Claim("MyRoleClaimType", "Administrator") }); for (int i = 0; i < 5; i++) { sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString())); } var authProperties = new AuthenticationProperties(); var sentTicket = new AuthenticationTicket(sentIdentity, authProperties); var signingCertificate = GetACertificateWithPrivateKey(); var signingCredentials = new X509SigningCredentials(signingCertificate); var tokenValidationParameters = new TokenValidationParameters() { ValidAudience = issuer, SaveSigninToken = true, AuthenticationType = sentIdentity.AuthenticationType }; var formatter = new JwtFormat(tokenValidationParameters, new X509CertificateSecurityTokenProvider(issuer, signingCertificate)); formatter.TokenHandler = new JwtSecurityTokenHandler(); var protectedtext = SecurityUtils.CreateJwtToken(sentTicket, issuer, signingCredentials); //Receive part var receivedTicket = formatter.Unprotect(protectedtext); var receivedClaims = receivedTicket.Identity.Claims; Assert.Equal<string>("CustomJwt", receivedTicket.Identity.AuthenticationType); Assert.Equal<string>(ClaimsIdentity.DefaultNameClaimType, receivedTicket.Identity.NameClaimType); Assert.Equal<string>(ClaimsIdentity.DefaultRoleClaimType, receivedTicket.Identity.RoleClaimType); Assert.NotNull(receivedTicket.Identity.BootstrapContext); Assert.NotNull(((BootstrapContext)receivedTicket.Identity.BootstrapContext).Token); Assert.Equal<string>(issuer, receivedClaims.Where<Claim>(claim => claim.Type == "iss").FirstOrDefault().Value); Assert.Equal<string>(issuer, receivedClaims.Where<Claim>(claim => claim.Type == "aud").FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "exp").FirstOrDefault().Value); for (int i = 0; i < 5; i++) { sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString())); Assert.Equal<string>(i.ToString(), receivedClaims.Where<Claim>(claim => claim.Type == "ClaimId" + i.ToString()).FirstOrDefault().Value); } Assert.Equal<string>("TestUser", receivedClaims.Where<Claim>(claim => claim.Type == ClaimsIdentity.DefaultNameClaimType).FirstOrDefault().Value); Assert.Equal<string>("Administrator", receivedClaims.Where<Claim>(claim => claim.Type == ClaimsIdentity.DefaultRoleClaimType).FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "iat").FirstOrDefault().Value); Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "jti").FirstOrDefault().Value); }
public static IAppBuilder UseJwtBearerAuthenticationWithTokenProvider(this IAppBuilder app, JwtBearerTokenAuthenticationOptions options) { if (app == null) { throw new ArgumentNullException("app"); } if (options == null) { throw new ArgumentNullException("options"); } JwtFormat jwtFormat; if (options.JwtBearerOptions.TokenValidationParameters != null) { jwtFormat = new JwtFormat(options.JwtBearerOptions.TokenValidationParameters); } else { jwtFormat = new JwtFormat(options.JwtBearerOptions.AllowedAudiences, options.JwtBearerOptions.IssuerSecurityTokenProviders); } if (options.JwtBearerOptions.TokenHandler != null) { jwtFormat.TokenHandler = options.JwtBearerOptions.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = options.JwtBearerOptions.Realm, Provider = options.JwtBearerOptions.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.JwtBearerOptions.AuthenticationMode, AuthenticationType = options.JwtBearerOptions.AuthenticationType, Description = options.JwtBearerOptions.Description }; bearerOptions.AccessTokenProvider = new JwtBearerTokenProvider(options.JwtOptions); app.UseOAuthBearerAuthentication(bearerOptions); return(app); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation( BearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; IIssuerSecurityKeyProvider issuerProvider = new DiscoveryDocumentIssuerSecurityKeyProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; valParams.IssuerSigningKeyResolver = ResolveRsaKeys; valParams.ValidateAudience = false; var tokenFormat = new JwtFormat(valParams, issuerProvider); var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
public static IAppBuilder UseJwtBearerAuthenticationWithTokenProvider(this IAppBuilder app, JwtBearerTokenAuthenticationOptions options) { if (app == null) { throw new ArgumentNullException("app"); } if (options == null) { throw new ArgumentNullException("options"); } JwtFormat jwtFormat; if (options.JwtBearerOptions.TokenValidationParameters != null) { jwtFormat = new JwtFormat(options.JwtBearerOptions.TokenValidationParameters); } else { jwtFormat = new JwtFormat(options.JwtBearerOptions.AllowedAudiences, options.JwtBearerOptions.IssuerSecurityTokenProviders); } if (options.JwtBearerOptions.TokenHandler != null) { jwtFormat.TokenHandler = options.JwtBearerOptions.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = options.JwtBearerOptions.Realm, Provider = options.JwtBearerOptions.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.JwtBearerOptions.AuthenticationMode, AuthenticationType = options.JwtBearerOptions.AuthenticationType, Description = options.JwtBearerOptions.Description }; bearerOptions.AccessTokenProvider = new JwtBearerTokenProvider(options.JwtOptions); app.UseOAuthBearerAuthentication(bearerOptions); return app; }
/// <summary> /// Validates the specified JWT and builds an AuthenticationTicket from it. /// </summary> /// <param name="protectedText">The JWT to validate.</param> /// <returns>An AuthenticationTicket built from the <paramref name="protectedText"/>.</returns> /// <exception cref="T:System.ArgumentNullException"> /// Thrown if the <paramref name="protectedText"/> is null or empty. /// </exception> /// <exception cref="T:System.ArgumentOutOfRangeException"> /// Thrown if the <paramref name="protectedText"/> is not a JWT. /// </exception> public AuthenticationTicket Unprotect(string protectedText) { if (string.IsNullOrWhiteSpace(protectedText)) { throw new ArgumentNullException(nameof(protectedText)); } var jwt = this.privateKey != null?JWT.Decode(protectedText, this.privateKey) : protectedText; var securityTokenProviders = this.settings.AllowedServers.Select( server => new Microsoft.Owin.Security.Jwt.SymmetricKeyIssuerSecurityTokenProvider( server.Issuer, TextEncodings.Base64Url.Decode(server.Secret))); var jwtFormat = new JwtFormat(this.settings.AllowedClients, securityTokenProviders); var ticket = jwtFormat.Unprotect(jwt); return(ticket); }
/* * Configure the authorization OWIN middleware */ public void Configure(IAppBuilder app) { // Retrieve settings from web.settings (actually, web.settings.appSettings.exclude): // We want the ClientId / CallbackUri relevent to this API service _ib2COidcConfidentialClientSettingsConfiguration = this._keyVaultService .GetObject <AuthBearerTokenSettingsConfiguration>("bearerTokenAuth:"); // Configuring with an B2C url similar to: // https://login.microsoftonline.com/{authorityTenantName}/v2.0/.well-known/openid-configuration var openIdConnectCachingSecurityTokenProvider = new OpenIdConnectCachingSecurityTokenProvider( _ib2COidcConfidentialClientSettingsConfiguration.AuthorityUri, _ib2COidcConfidentialClientSettingsConfiguration.PolicyIdB2C); // TokenValidationParameters: parameters used by System.IdentityModel.Tokens.SecurityTokenHandler validating System.IdentityModel.Tokens.SecurityToken. var tvps = new TokenValidationParameters() { // Accept only those tokens where the audience of the token is equal to the client ID of this app ValidAudiences = GetValidAudiences(), // ensure that issuers are only what we deem are necessary, maybe dont want this in the future ValidIssuers = GetValidIssuers(openIdConnectCachingSecurityTokenProvider.Issuer), }; var accessTokenFormat = new JwtFormat(tvps, openIdConnectCachingSecurityTokenProvider); // We're using OIDC, but that's really just a formal extension to OAuth, so tell the OWIN // pipeline that we're adding an auth handler. app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint AccessTokenFormat = accessTokenFormat, Provider = new OAuthBearerUserAuthenticationProvider(_oidcNotificationHandlerService) }); }
public async Task RequestToken_ValidateUsingExposedPublicKey_ValidationSucceded() { var mockServer = new MockIdentityServer(); var token = await mockServer.GetTokenForUser("blah"); var valParams = new TokenValidationParameters { IssuerSigningKeyResolver = (t, securityToken, keyIdentifier, validationParameters) => { var kid = keyIdentifier.OfType <NamedKeySecurityKeyIdentifierClause>() .Where(identifier => identifier.Name.Equals("kid")) .Select(identifier => identifier.Id) .Single(); return(validationParameters.IssuerSigningTokens.Single(key => key.Id == kid).SecurityKeys.First()); }, ValidAudience = "http://localhost/resources" }; var format = new JwtFormat(valParams, new Provider((await mockServer.GetPublicKeys()).Keys)); format.Unprotect(token); }
public void ProtectShouldThrowNotImplementedException() { var instance = new JwtFormat("http://contoso.com", new TestIssuerSecurityTokenProvider("urn:issuer")); Should.Throw<NotSupportedException>(() => instance.Protect(null)); }
internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; var tokenFormat = new JwtFormat(valParams, issuerProvider); var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = options.TokenProvider ?? new ContextTokenProvider(), }; return bearerOptions; }
internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { var audience = options.IssuerName.EnsureTrailingSlash(); audience += "resources"; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, IssuerSigningToken = new X509SecurityToken(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider() }; if (options.TokenProvider != null) { bearerOptions.Provider = options.TokenProvider; } return bearerOptions; }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { string audience = null; bool validateAudience = true; // if API name is set, do a strict audience check for //https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192 if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation) { audience = options.ApiName; } else if (options.LegacyAudienceValidation) { audience = options.IssuerName.EnsureTrailingSlash() + "resources"; } else { // no audience validation, rely on scope checks only validateAudience = false; } var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, ValidateAudience = validateAudience, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); string audience = issuerProvider.Audience; bool validateAudience = true; // if API name is set, do a strict audience check for //https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192 if (string.IsNullOrWhiteSpace(audience) && !options.LegacyAudienceValidation) { // no audience validation, rely on scope checks only validateAudience = false; } var valParams = new TokenValidationParameters { ValidAudience = audience, ValidateAudience = validateAudience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
public void ProtectShouldThrowNotImplementedException() { var instance = new JwtFormat("http://contoso.com", new TestIssuerSecurityTokenProvider("urn:issuer")); Should.Throw <NotSupportedException>(() => instance.Protect(null)); }
public void HandlerConstructorShouldNotThrowWithValidValues() { var instance = new JwtFormat("http://audience/", new TestIssuerSecurityTokenProvider("urn:issuer")); instance.ShouldNotBe(null); }
internal static void UseLocalValidation(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options) { JwtFormat tokenFormat = null; // use discovery document to fully configure middleware if (!string.IsNullOrEmpty(options.Authority)) { var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new CachingDiscoveryIssuerSecurityTokenProvider( discoveryEndpoint, options); if (options.TokenValidationParameters != null) { tokenFormat = new JwtFormat(options.TokenValidationParameters, issuerProvider); } else { var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; tokenFormat = new JwtFormat(valParams, issuerProvider); } } // use token validation parameters else if (options.TokenValidationParameters != null) { tokenFormat = new JwtFormat(options.TokenValidationParameters); } // use simplified manual configuration else { var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = options.IssuerName.EnsureTrailingSlash() + "resources", IssuerSigningToken = new X509SecurityToken(options.IssuerCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; tokenFormat = new JwtFormat(valParams); } if (options.TokenHandler != null) { tokenFormat.TokenHandler = options.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Provider = options.Provider, AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Description = options.Description }; app.UseOAuthBearerAuthentication(bearerOptions); }
/// <summary> /// /// </summary> /// <param name="app"></param> public void Configuration(IAppBuilder app) { // 有关如何配置应用程序的详细信息,请访问 https://go.microsoft.com/fwlink/?LinkID=316888 var issuer = "http://localhost:51912/"; //发行者 var audience = "fNm0EDIXbfuuDowUpAoq5GTEiywV8eg0TpiIVnV8"; //观众 var secret = TextEncodings.Base64Url.Decode(OAuthCommon.Constants.Consts.JWT.Security.SecretKey); //秘钥 var signingKey = new System.IdentityModel.Tokens.InMemorySymmetricSecurityKey(secret); //令牌验证参数 TokenValidationParameters tokenValidationParameters = new TokenValidationParameters() { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // Validate the JWT Issuer (iss) claim ValidateIssuer = true, ValidIssuer = "http://localhost:51912/", // Validate the JWT Audience (aud) claim ValidateAudience = false, ValidAudience = audience, // Validate the token expiry ValidateLifetime = true, ClockSkew = TimeSpan.Zero }; //配置JwtBearer授权中间件 这个中间件的作用主要是解决由JWT方式提供的身份认证。算是Resource资源,认证服务器需要另外开发 app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions() { TokenValidationParameters = tokenValidationParameters, AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active, AuthenticationType = "Bearer", AllowedAudiences = new[] { audience }, Description = new AuthenticationDescription(), Realm = "",//领域,范围; Provider = new OAuthBearerAuthenticationProvider() { //验证当前访客身份 OnValidateIdentity = context => { AuthenticationTicket ticket = context.Ticket; //校验身份是否过期 if (ticket.Properties.ExpiresUtc < DateTime.Now) { context.SetError("the token has expired!"); context.Rejected(); } else { context.Validated(ticket); } return(Task.FromResult <object>(context)); }, //处理授权令牌 OAuthBearerAuthenticationHandler //headers Authorization=Bear:token OnRequestToken = (context) => { context.Token = context.Token ?? context.Request.Query["access_token"]; if (context.Token != null) { context.Response.Headers["WWW-Authorization"] = "Bearer"; //protector IDataProtector protector = app.CreateDataProtector(typeof(OAuthAuthorizationServerMiddleware).Namespace, "Access_Token", "v1"); JwtFormat ticketDataFormat = new JwtFormat(tokenValidationParameters); var ticket = ticketDataFormat.Unprotect(context.Token);//从令牌字符串中,获取授权票据 context.Request.User = new ClaimsPrincipal(ticket.Identity); } return(Task.FromResult <object>(context)); }, OnApplyChallenge = (context) => { return(Task.FromResult <object>(context)); } }, IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) //对称加密 } }); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { var audience = options.IssuerName.EnsureTrailingSlash(); audience += "resources"; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = ResolveRsaKeys; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return(new Lazy <OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { // IdSrv3 hard-codes the value when issuing a token using the pattern below var audience = options.IssuerName.EnsureTrailingSlash() + "resources"; // Use the configured values if present, otherwise fallback to the defaulted value List <string> validAudiences; if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0) { validAudiences = new List <string>(options.ValidAudiences); } else { validAudiences = new List <string>() { audience } }; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudiences = validAudiences, ValidateAudience = true, IssuerSigningKey = new X509SecurityKey(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); // Use the configured values if present, otherwise fallback to the discovery document's value // (which is actually hard-coded to _issuer + "/resources") List <string> validAudiences; if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0) { validAudiences = new List <string>(options.ValidAudiences); } else { validAudiences = new List <string>() { issuerProvider.Audience } }; var valParams = new TokenValidationParameters { ValidAudiences = validAudiences, ValidateAudience = true, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; if (options.IssuerSigningKeyResolver != null) { valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver; } else { valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver; } tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, LazyThreadSafetyMode.PublicationOnly)); }
/// <summary> /// Adds Windows Azure Active Directory (WAAD) issued JWT bearer token middleware to your web application pipeline. /// </summary> /// <param name="app">The IAppBuilder passed to your configuration method.</param> /// <param name="options">An options class that controls the middleware behavior.</param> /// <returns>The original app parameter.</returns> public static IAppBuilder UseWindowsAzureActiveDirectoryBearerAuthentication(this IAppBuilder app, WindowsAzureActiveDirectoryBearerAuthenticationOptions options) { if (options == null) { throw new ArgumentNullException("options"); } if (string.IsNullOrWhiteSpace(options.MetadataAddress)) { if (string.IsNullOrWhiteSpace(options.Tenant)) { throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.Exception_OptionMustBeProvided, "Tenant")); } options.MetadataAddress = string.Format(CultureInfo.InvariantCulture, SecurityTokenServiceAddressFormat, options.Tenant); } var cachingSecurityTokenProvider = new WsFedCachingSecurityKeyProvider(options.MetadataAddress, options.BackchannelCertificateValidator, options.BackchannelTimeout, options.BackchannelHttpHandler); #pragma warning disable 618 JwtFormat jwtFormat = null; if (options.TokenValidationParameters != null) { if (!string.IsNullOrWhiteSpace(options.Audience)) { // Carry over obsolete property if set if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience)) { options.TokenValidationParameters.ValidAudience = options.Audience; } else if (options.TokenValidationParameters.ValidAudiences == null) { options.TokenValidationParameters.ValidAudiences = new[] { options.Audience }; } else { options.TokenValidationParameters.ValidAudiences = options.TokenValidationParameters.ValidAudiences.Concat(new[] { options.Audience }); } } jwtFormat = new JwtFormat(options.TokenValidationParameters, cachingSecurityTokenProvider); } else { jwtFormat = new JwtFormat(options.Audience, cachingSecurityTokenProvider); } #pragma warning restore 618 if (options.TokenHandler != null) { jwtFormat.TokenHandler = options.TokenHandler; } var bearerOptions = new OAuthBearerAuthenticationOptions { Realm = options.Realm, Provider = options.Provider, AccessTokenFormat = jwtFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Description = options.Description }; app.UseOAuthBearerAuthentication(bearerOptions); return(app); }