private string CreatToken(User user)
{
var handler = new JwtSecurityTokenHandler();
string jti = Guid.NewGuid().ToString();
var claims = new List <Claim>
{
new Claim(JwtRegisteredClaimNames.Jti, jti),
new Claim("userId", user.Id.ToString()),
new Claim("role", user.Role.Code)
};
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user.Code, "TokenAuth"), claims);
var token = handler.CreateEncodedJwt(new SecurityTokenDescriptor
{
Issuer = tokenOptions.Issuer,
Audience = tokenOptions.Audience,
SigningCredentials = new SigningCredentials(tokenOptions.SecretKey, SecurityAlgorithms.HmacSha256),
Expires = DateTime.Now.Add(tokenOptions.Expiration),
Subject = identity
});
return(token);
}
public static string CreateJwtToken(DateTime expires, IEnumerable <Claim> claims)
{
//从配置文件中读取 jwt的issuer 发行者 audience 受众 expires 过期时间 key 加密证书
var issuer = "mecode";
var audience = "mywebapp";
var jti = audience + expires.Millisecond + "postman_code";
jti = MD5Util.GetMD5(jti);
RSAUtil.TryGetKeyParameters(AppDomain.CurrentDomain.BaseDirectory, true, out RSAParameters rsaPrivatekey);
//获取签名证书
//包含用于生成数字签名的加密密钥
var rsakey = new RsaSecurityKey(rsaPrivatekey);
var signingCredentials = new SigningCredentials(rsakey, SecurityAlgorithms.RsaSha256Signature);
var handler = new JwtSecurityTokenHandler();
var claimsIdentity = new ClaimsIdentity(claims, "JWTTest");
claimsIdentity.AddClaim(new Claim("jti", jti));
claimsIdentity.AddClaim(new Claim("now", DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss")));
var jwt = handler.CreateEncodedJwt(new SecurityTokenDescriptor()
{
Subject = claimsIdentity, //声明的身份
Audience = audience,
Expires = expires,
Issuer = issuer,
SigningCredentials = signingCredentials
});
return(jwt);
}
public async Task When_Adding_Permission_Then_TicketId_Is_Returned()
{
var handler = new JwtSecurityTokenHandler();
var idtoken = handler.CreateEncodedJwt(
"test",
"test",
new ClaimsIdentity(new[] { new Claim("sub", "tester") }),
null,
null,
null,
null);
const string resourceSetId = "resource_set_id";
var addPermissionParameter = new PermissionRequest
{
ResourceSetId = resourceSetId,
Scopes = new[] { "scope" },
IdToken = idtoken
};
var resources = new[] { new ResourceSet {
Id = resourceSetId, Scopes = new[] { "scope" }
} };
InitializeFakeObjects(resources);
_ticketStoreStub.Setup(r => r.Add(It.IsAny <Ticket>(), It.IsAny <CancellationToken>())).ReturnsAsync(true);
var ticket = (await _requestPermissionHandler
.Execute("tester", CancellationToken.None, addPermissionParameter)
.ConfigureAwait(false) as Option <Ticket> .Result) !.Item;
Assert.NotEmpty(ticket.Requester);
}
public async Task WhenResourceSetDoesNotExistThenReturnsNotAuthorized()
{
var handler = new JwtSecurityTokenHandler();
var jsonWebKey = await _inMemoryJwksRepository.GetDefaultSigningKey().ConfigureAwait(false);
var token = handler.CreateEncodedJwt(
"test",
"test",
new ClaimsIdentity(),
null,
null,
null,
jsonWebKey);
var ticket = new Ticket {
Lines = new[] { new TicketLine {
ResourceSetId = "resource_set_id"
} }
};
_resourceSetRepositoryStub
.Setup(r => r.Get(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <CancellationToken>()))
.Returns(() => Task.FromResult((ResourceSet)null));
var result = await _authorizationPolicyValidator.IsAuthorized(
ticket,
new Client { ClientId = "client_id" },
new ClaimTokenParameter { Format = UmaConstants.IdTokenType, Token = token },
CancellationToken.None)
.ConfigureAwait(false);
Assert.Equal(AuthorizationPolicyResultKind.NotAuthorized, result.Result);
}
private static string CreateJws(string id, string audience, string issuer,
DateTime expires, DateTime issuedAt, DateTime notBefore,
string module, string device, string iothub,
X509SecurityKey issuerSigningKey)
{
var tokenDescriptor = new SecurityTokenDescriptor
{
Audience = audience,
Expires = expires,
IssuedAt = issuedAt,
Issuer = issuer,
NotBefore = notBefore,
SigningCredentials = new SigningCredentials(issuerSigningKey, SecurityAlgorithms.RsaSha256)
};
tokenDescriptor.Claims = new Dictionary <string, object>
{
["jti"] = id,
["module"] = module,
["device"] = device,
["iothub"] = iothub
};
return(jwtHandler.CreateEncodedJwt(tokenDescriptor));
}
public async Task <string> GetToken(UserLoginRequest loginDataDto)
{
var user = await _userManager.FindByEmailAsync(loginDataDto.Email);
if (user == null)
{
return(null);
}
bool passwordCorrect = await _userManager.CheckPasswordAsync(user, loginDataDto.Password);
if (!passwordCorrect)
{
return(null);
}
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_configuration["JwtToken:Key"]);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, user.Id)
}),
Expires = DateTime.UtcNow.AddMinutes(
_configuration.GetValue <int>("JwtToken:ExpirationMinutes")),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key),
SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateEncodedJwt(tokenDescriptor);
return(token);
}
private async Task <(string clientSecret, DateTimeOffset expiresAt)> GenerateNewSecretAsync(
[NotNull] AppleGenerateClientSecretContext context)
{
var expiresAt = _clock.UtcNow.Add(context.Options.ClientSecretExpiresAfter).UtcDateTime;
var subject = new Claim("sub", context.Options.ClientId);
_logger.LogDebug(
"Generating new client secret for subject {Subject} that will expire at {ExpiresAt}.",
subject.Value,
expiresAt);
var tokenDescriptor = new SecurityTokenDescriptor()
{
Audience = context.Options.TokenAudience,
Expires = expiresAt,
Issuer = context.Options.TeamId,
Subject = new ClaimsIdentity(new[] { subject }),
};
byte[] keyBlob = await _keyStore.LoadPrivateKeyAsync(context);
string clientSecret;
using (var algorithm = CreateAlgorithm(keyBlob))
{
tokenDescriptor.SigningCredentials = CreateSigningCredentials(context.Options.KeyId !, algorithm);
clientSecret = _tokenHandler.CreateEncodedJwt(tokenDescriptor);
}
_logger.LogTrace("Generated new client secret with value {ClientSecret}.", clientSecret);
return(clientSecret, expiresAt);
}
private dynamic CreateToken(Account user, string audience)
{
ClaimsIdentity cliaims = new ClaimsIdentity(new Claim []
{
new Claim("uid", user.Id),
new Claim("uname", user.DisplayName)
});
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(JwtSettings.Key);
var authTime = DateTime.UtcNow;
var expiresAt = authTime.AddDays(JwtSettings.Expires);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = cliaims,
Issuer = JwtSettings.Issuer,
Audience = audience,
Expires = expiresAt,
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
return(new
{
access_token = tokenHandler.CreateEncodedJwt(tokenDescriptor),
token_type = "Bearer",
profile = new
{
auth_time = new DateTimeOffset(authTime).ToUnixTimeSeconds(),
expires_at = new DateTimeOffset(expiresAt).ToUnixTimeSeconds()
}
});
}
/// <summary>
/// 生成一个新的 Token
/// </summary>
/// <param name="user">用户信息实体</param>
/// <param name="expire">token 过期时间</param>
/// <param name="audience">Token 接收者</param>
/// <returns></returns>
private string CreateToken(dynamic user, DateTime expire, string audience)
{
var handler = new JwtSecurityTokenHandler();
string jti = audience + user.USER + new TimeSpan(expire.Ticks).TotalMilliseconds;
jti = jti.GetMd5(); // Jwt 的一个参数,用来标识 Token
var claims = new[]
{
new Claim(ClaimTypes.Role, string.Empty), // 添加角色信息
new Claim(ClaimTypes.NameIdentifier, user.ID.ToString()), // 用户 Id ClaimValueTypes.Integer32),
new Claim("jti", jti, ClaimValueTypes.String), // jti,用来标识 token
new Claim("userInfo", JsonHelper.ToJson(user))
};
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user.USER, "TokenAuth"), claims);
var token = handler.CreateEncodedJwt(new SecurityTokenDescriptor
{
Issuer = ApplicationConfig.Issuer, // 指定 Token 签发者,也就是这个签发服务器的名称
Audience = audience, // 指定 Token 接收者
SigningCredentials = _tokenOptions.Credentials,
Subject = identity,
Expires = expire
});
return(token);
}
public string GenerateToken()
{
var signingCredentials = new SigningCredentials(appSettings.TokenSigningKey, SecurityAlgorithms.HmacSha256);
var ec = new EncryptingCredentials(appSettings.TokenEncryptionKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);
var handler = new JwtSecurityTokenHandler();
IList <Claim> claims = new List <Claim>();
claims.Add(new Claim(Constants.Claims.ObjectId, ObjectId, ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.TransactionReference, TransactionReference, ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.IsVerified, IsVerified.ToString(), ClaimValueTypes.String, appSettings.IdTokenIssuer));
claims.Add(new Claim(Constants.Claims.Message, Message ?? string.Empty, ClaimValueTypes.String, appSettings.IdTokenIssuer));
var jwt = handler.CreateEncodedJwt(
appSettings.IdTokenIssuer,
appSettings.IdTokenAudience,
new ClaimsIdentity(claims),
DateTime.Now,
DateTime.Now.AddDays(1),
DateTime.Now,
signingCredentials,
ec);
return(jwt);
}
public AuthDto GenerateToken(User user)
{
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.FirstName),
new Claim(ClaimTypes.Email, user.Email),
new Claim("mobileNumber", user.MobileNumber),
new Claim("points", user.Points.ToString()),
new Claim("isSubscribedMail", user.IsSubscribedMail.ToString()),
new Claim("isSubscribedSms", user.IsSubscribedSms.ToString())
};
var appKey = Encoding.UTF8.GetBytes(_configuration.GetSection("AppSetting:Token").Value);
var key = new SymmetricSecurityKey(appKey);
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha512Signature);
var tokenDescriptor = new SecurityTokenDescriptor()
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.Now.AddHours(5),
SigningCredentials = creds
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateEncodedJwt(tokenDescriptor);
return(new AuthDto()
{
Token = token
});
}
public void InboundFilterTest()
{
var handler = new JwtSecurityTokenHandler();
handler.OutboundClaimTypeMap.Clear();
var claims = ClaimSets.DefaultClaims;
string encodedJwt = handler.CreateEncodedJwt(Default.AsymmetricSignSecurityTokenDescriptor(claims));
handler.InboundClaimTypeMap.Clear();
handler.InboundClaimFilter.Add("aud");
handler.InboundClaimFilter.Add("exp");
handler.InboundClaimFilter.Add("iat");
handler.InboundClaimFilter.Add("iss");
handler.InboundClaimFilter.Add("nbf");
SecurityToken validatedToken;
ClaimsPrincipal claimsPrincipal = handler.ValidateToken(encodedJwt, Default.AsymmetricSignTokenValidationParameters, out validatedToken);
var context = new CompareContext {
IgnoreType = true
};
IdentityComparer.AreEqual(claimsPrincipal.Claims, claims, context);
TestUtilities.AssertFailIfErrors(context.Diffs);
}
private string GetToken(User user)
{
var symmetricKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(_options.SecretKey));
var claimsIdentity = new ClaimsIdentity(new List <Claim>()
{
new Claim(ClaimTypes.Name, user.UserName),
new Claim(ClaimTypes.Email, user.Email),
new Claim(ClaimTypes.NameIdentifier, user.Id)
});
var tokenDescriptor = new SecurityTokenDescriptor()
{
Audience = _options.Audience,
Issuer = _options.Issuer,
IssuedAt = DateTime.UtcNow,
NotBefore = DateTime.UtcNow,
Subject = claimsIdentity,
Expires = DateTime.UtcNow.AddDays(_options.ExpirationDays),
SigningCredentials = new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256)
};
var handler = new JwtSecurityTokenHandler();
return(handler.CreateEncodedJwt(tokenDescriptor));
}
private string GetJwt(OAuth2Params oauthParams)
{
_fileReader.Open(oauthParams.CertificateFilePath);
var pemReader = new PemReader(_fileReader.Reader);
var keyPair = (AsymmetricCipherKeyPair)pemReader.ReadObject();
var rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair.Private);
var rsa = new RSACryptoServiceProvider(2048);
rsa.ImportParameters(rsaParams);
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim("scope", oauthParams.ScopesAsString())
}),
Issuer = oauthParams.ClientId,
Audience = oauthParams.Audience,
Expires = now.AddHours(1),
SigningCredentials = new SigningCredentials(new RsaSecurityKey(rsa), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
};
return(tokenHandler.CreateEncodedJwt(tokenDescriptor));
}
public void TestJwtTokenCreationAndValidation()
{
IdentityModelEventSource.ShowPII = true;
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();
var jwt = handler.CreateEncodedJwt(Default.AsymmetricSignSecurityTokenDescriptor(null));
var jwtToken = new JwtSecurityToken(jwt)
{
SigningKey = Default.AsymmetricSigningKey
};
SecurityToken token = null;
handler.ValidateToken(jwt, Default.AsymmetricSignTokenValidationParameters, out token);
var context = new CompareContext
{
PropertiesToIgnoreWhenComparing = new Dictionary <Type, List <string> >
{
{ typeof(JwtHeader), new List <string> {
"Item"
} },
{ typeof(JwtPayload), new List <string> {
"Item"
} }
}
};
if (!IdentityComparer.AreJwtSecurityTokensEqual(jwtToken, token as JwtSecurityToken, context))
{
TestUtilities.AssertFailIfErrors("TestJwtTokenCreationAndValidation", context.Diffs);
}
}
public IActionResult Authenticate(UserLoginModel model)
{
var key = Encoding.ASCII.GetBytes(_appSetting.Jwt.Secret);
var tokenHandler = new JwtSecurityTokenHandler();
var securityTokenDescriptor = new SecurityTokenDescriptor()
{
Audience = _appSetting.Jwt.Audience,
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, model.UserName)
}),
Expires = DateTime.Now.AddDays(7),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256),
Issuer = _appSetting.Jwt.Issuer,
IssuedAt = DateTime.Now
};
//var token = tokenHandler.CreateToken(securityTokenDescriptor);
//var tokenString = tokenHandler.WriteToken(token);
var tokenString2 = tokenHandler.WriteToken(tokenHandler.CreateJwtSecurityToken(securityTokenDescriptor));
var tokenString3 = tokenHandler.CreateEncodedJwt(securityTokenDescriptor);
return(Ok(new { token = tokenString2 }));
}
/// <summary>
/// 创建Jwt令牌
/// </summary>
/// <param name="expire">过期时间</param>
/// <param name="audience">接收jwt者</param>
/// <param name="credentials">签名证书</param>
public static string CreateJwtToken(Identity identity, DateTime expire, string audience, SigningCredentials credentials)
{
var handler = new JwtSecurityTokenHandler();
string jti = audience + identity.Name + expire.Millisecond;
jti = MD5Util.GetMD5(jti); // Jwt 的一个参数,用来标识 Token
var claims = new[]
{
new Claim(ClaimTypes.Role, string.Empty), // 添加角色信息
new Claim(ClaimTypes.NameIdentifier, identity.Id.ToString()), // 用户 Id
new Claim("jti", jti, ClaimValueTypes.String) // jti,用来标识 token
};
//一个基于声明的标识
var cid = new ClaimsIdentity(new GenericIdentity(identity.Name, "TokenAuth"), claims);
var token = handler.CreateEncodedJwt(new SecurityTokenDescriptor
{ //包含用于创建安全令牌的一些信息。
Issuer = "TestIssuer", // 指定 Token 签发者,也就是这个签发服务器的名称
Audience = audience, // 指定 Token 接收者
SigningCredentials = credentials, //签名证书
Subject = cid, //该JWT所面向的用户,是否使用是可选的
Expires = expire //jwt 过期时间
});
return(token);
}
public async Task WhenTokenIsForDifferentAudienceThenTokenIsNotValid()
{
var handler = new JwtSecurityTokenHandler();
using var rsa = new RSACryptoServiceProvider(2048);
var jwk = rsa.CreateSignatureJwk("1", true);
var keyset = new JsonWebKeySet().AddKey(rsa.CreateSignatureJwk("1", false));
var jwksStoreMock = new Mock <IJwksStore>();
jwksStoreMock.Setup(x => x.GetSigningKey(jwk.Alg, It.IsAny <CancellationToken>()))
.ReturnsAsync(new SigningCredentials(jwk, jwk.Alg));
jwksStoreMock.Setup(x => x.GetPublicKeys(It.IsAny <CancellationToken>())).ReturnsAsync(keyset);
var token = handler.CreateEncodedJwt(
"http://localhost",
"test",
new ClaimsIdentity(new[] { new Claim("sub", "tester"), }),
DateTime.UtcNow,
DateTime.UtcNow.AddYears(1),
DateTime.UtcNow,
new SigningCredentials(jwk, jwk.Alg));
var grantedToken = new GrantedToken
{
ClientId = "fake",
AccessToken = token,
ExpiresIn = 10000,
CreateDateTime = DateTimeOffset.UtcNow
};
var result = await grantedToken.CheckGrantedToken(jwksStoreMock.Object).ConfigureAwait(false);
Assert.False(result.IsValid);
}
public async Task When_Policy_Does_Not_Exist_Then_RequestSubmitted_Is_Returned()
{
var handler = new JwtSecurityTokenHandler();
var key = await _inMemoryJwksRepository.GetDefaultSigningKey().ConfigureAwait(false);
var token = handler.CreateEncodedJwt(
"test",
"test",
new ClaimsIdentity(new[] { new Claim("test", "test") }),
null,
DateTime.UtcNow.AddYears(1),
DateTime.UtcNow,
key);
var ticket = new Ticket {
Lines = new[] { new TicketLine {
ResourceSetId = "1"
} }
};
var resourceSet = new[] { new ResourceSet {
Id = "1"
} };
_resourceSetRepositoryStub.Setup(r => r.Get(It.IsAny <CancellationToken>(), It.IsAny <string[]>()))
.ReturnsAsync(resourceSet);
var result = await _authorizationPolicyValidator.IsAuthorized(
ticket,
new Client { ClientId = "client_id" },
new ClaimTokenParameter { Format = "access_token", Token = token },
CancellationToken.None)
.ConfigureAwait(false);
Assert.Equal(AuthorizationPolicyResultKind.RequestSubmitted, result.Result);
}
private string getToken(StudentUser user)
{
if (user == null)
{
throw new ArgumentNullException("Cannot Generate Token on a null user");
}
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim("userId", user.Id),
new Claim("sid", user.StudentId.ToString()),
new Claim(ClaimTypes.Role, "Student")
}),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key),
SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateEncodedJwt(tokenDescriptor);
return(token);
}
public IActionResult Login([FromBody] Login model)
{
var user = _userService.GetUser(model.Email, model.Password);
if (user == null)
{
return(BadRequest(new ErrorResponse(new List <Error> {
new Error("User cannot be verified")
})));
}
var key = Encoding.UTF8.GetBytes(_appSettings.Secret);
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, user.Id.ToString())
}),
Expires = DateTime.UtcNow.AddDays(7),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateEncodedJwt(tokenDescriptor);
return(Ok(new
{
User = user,
Token = token
}));
}
internal string GetToken(AuthInfo authInfo)
{
var handler = new JwtSecurityTokenHandler();
var signCreds = new SigningCredentials(new SymmetricSecurityKey(authInfo.SecureKey), SecurityAlgorithms.HmacSha256);
var identity = GetIdentity();
var token = handler.CreateEncodedJwt(authInfo.Issuer, authInfo.Audience, identity, notBefore: DateTime.Now, expires: null, issuedAt: DateTime.Now, signCreds);
return(token);
}
When_Generating_AuthorizationResponse_With_AccessToken_And_ThereIs_A_GrantedToken_Then_Token_Is_Added_To_The_Parameters()
{
const string clientId = "clientId";
const string scope = "openid";
var claimsIdentity = new ClaimsIdentity("fake");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
ResponseType = ResponseTypeNames.Token,
ClientId = clientId,
Scope = scope
};
var handler = new JwtSecurityTokenHandler();
var issuedAt = DateTime.UtcNow;
const int expiresIn = 20000;
var defaultSigningKey = await _inMemoryJwksRepository.GetDefaultSigningKey().ConfigureAwait(false);
var accessToken = handler.CreateEncodedJwt(
"test",
clientId,
claimsIdentity,
null,
issuedAt.AddSeconds(expiresIn),
issuedAt,
defaultSigningKey);
var grantedToken = new GrantedToken
{
ClientId = clientId,
AccessToken = accessToken,
CreateDateTime = issuedAt,
ExpiresIn = expiresIn
};
_tokenStore.Setup(
x => x.GetToken(
It.IsAny <string>(),
It.IsAny <string>(),
It.IsAny <JwtPayload>(),
It.IsAny <JwtPayload>(),
It.IsAny <CancellationToken>()))
.ReturnsAsync(grantedToken);
var actionResult = await _generateAuthorizationResponse.Generate(
new EndpointResult { RedirectInstruction = new RedirectInstruction() },
authorizationParameter,
claimsPrincipal,
new Client { ClientId = clientId },
"test",
CancellationToken.None)
.ConfigureAwait(false);
Assert.Equal(
grantedToken.AccessToken,
actionResult.RedirectInstruction !.Parameters
.First(x => x.Name == StandardAuthorizationResponseNames.AccessTokenName)
.Value);
}
public string Generate()
{
var tokenHandler = new JwtSecurityTokenHandler();
byte[] key = Encoding.ASCII.GetBytes(secret);
var descriptor = CreateDescriptor(key);
return(tokenHandler.CreateEncodedJwt(descriptor));
}
public async Task <string> CreateJwt(JwtEnpoint endpoint, string issuer, string audience, ClaimsIdentity subject, DateTime?notBefore, DateTime?expires, DateTime?issuedAt)
{
//生成生成时用到的签名密钥
var signingCredentials = await _jwtGenerateCreateSignKeyService.Generate(endpoint, endpoint.CreateSignKeyType, endpoint.CreateSignKeyConfiguration);
//生成Jwt字符串
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
return(handler.CreateEncodedJwt(issuer, audience, subject, notBefore, expires, issuedAt, signingCredentials));
}
public async Task When_AuthorizationPolicy_Is_Correct_Then_Authorized_Is_Returned()
{
var handler = new JwtSecurityTokenHandler();
var key = await _inMemoryJwksRepository.GetDefaultSigningKey().ConfigureAwait(false);
var token = handler.CreateEncodedJwt(
"test",
"test",
new ClaimsIdentity(new[] { new Claim("test", "test") }),
null,
DateTime.UtcNow.AddYears(1),
DateTime.UtcNow,
key);
_clientStoreStub.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>()))
.Returns <string, CancellationToken>(
(s, c) => Task.FromResult(new Client {
ClientId = s
}));
var ticket = new Ticket {
Lines = new[] { new TicketLine {
ResourceSetId = "1"
} }
};
var resourceSet = new[]
{
new ResourceSet
{
Id = "1",
AuthorizationPolicies = new[]
{
new PolicyRule
{
ClientIdsAllowed = new[] { "client_id" },
Claims = new[] { new ClaimData {
Type = "test", Value = "test"
} }
}
}
}
};
_resourceSetRepositoryStub.Setup(r => r.Get(It.IsAny <CancellationToken>(), It.IsAny <string[]>()))
.ReturnsAsync(resourceSet);
var result = await _authorizationPolicyValidator.IsAuthorized(
ticket,
new Client { ClientId = "client_id" },
new ClaimTokenParameter { Token = token, Format = UmaConstants.IdTokenType },
CancellationToken.None)
.ConfigureAwait(false);
Assert.Equal(AuthorizationPolicyResultKind.Authorized, result.Result);
}
private async Task GenerateToken(HttpContext context)
{
var appUser = await _accountService.FindUserAsync(context.Request.Form["userName"], context.Request.Form["password"]);
if (appUser == null)
{
context.Response.StatusCode = 200;
context.Response.ContentType = "application/json";
var result = new
{ token_result = "fail",
msg = "Invalid username or password" };
await context.Response.WriteAsync(JsonConvert.SerializeObject(result, new JsonSerializerSettings {
Formatting = Formatting.Indented, ContractResolver = new CamelCasePropertyNamesContractResolver()
}));
}
else
{
var identity = await _accountService.GetClaimsPrincipleForUser(appUser);
var userData = _accountService.GetUserInfo(identity.FindFirstValue(ClaimTypes.NameIdentifier)).Result;
var now = DateTime.UtcNow;
var _issuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.HmacSecretKey));
//Generate Token
var jwtHandler = new JwtSecurityTokenHandler();
var jws = jwtHandler.CreateEncodedJwt(new SecurityTokenDescriptor
{
Issuer = _options.Issuer,
IssuedAt = now,
NotBefore = now,
Audience = _options.Audience,
SigningCredentials = new SigningCredentials(_issuerSigningKey, SecurityAlgorithms.HmacSha256),
Subject = ((ClaimsIdentity)identity.Identity),
Expires = now.Add(_options.ExpiresSpan)
});
var response = new
{
access_token = jws,
token_result = "success",
user = userData,
expires_in = (int)_options.ExpiresSpan.TotalMinutes
};
// Serialize and return the response
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(response, new JsonSerializerSettings {
Formatting = Formatting.Indented, ContractResolver = new CamelCasePropertyNamesContractResolver()
}));
//return new OkObjectResult(response);
}
}
public string CreateEncoded(string userName)
{
return(_tokenHandler.CreateEncodedJwt(new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new GenericIdentity(userName)),
Expires = DateTime.UtcNow.AddDays(_settings.TokenExpiration),
SigningCredentials = new SigningCredentials(_settings.SecurityKey, SecurityAlgorithms.HmacSha256Signature),
Audience = _settings.Audience,
Issuer = _settings.Issuer
}));
}
private string GetAuthState()
{
var tokenHandler = new JwtSecurityTokenHandler();
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.ClientSecret));
return(tokenHandler.CreateEncodedJwt(new SecurityTokenDescriptor
{
Expires = DateTime.UtcNow + TimeSpan.FromMinutes(10),
SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature)
}));
}
public static string CreateToken <TUser>(TUser user, IEnumerable <Claim> userClaims, SecurityOptions security, PublicApiOptions api) where TUser : IUserIdProvider
{
var now = DateTimeOffset.Now;
var expires = now.AddSeconds(security.Tokens.TimeToLiveSeconds);
/*
* See: https://tools.ietf.org/html/rfc7519#section-4.1
* All claims are optional, but since our JSON conventions elide null values,
* We need to ensure any optional claims are emitted as empty strings.
*/
// JWT.io claims:
var sub = user.Id ?? string.Empty;
var jti = $"{Guid.NewGuid()}";
var iat = now.ToUnixTimeSeconds().ToString();
var exp = expires.ToUnixTimeSeconds().ToString();
var nbf = now.ToUnixTimeSeconds().ToString();
var iss = security.Tokens?.Issuer ?? string.Empty;
var aud = security.Tokens?.Audience ?? string.Empty;
var claims = new List <Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, sub, ClaimValueTypes.String),
new Claim(JwtRegisteredClaimNames.Jti, jti, ClaimValueTypes.String),
new Claim(JwtRegisteredClaimNames.Iat, iat, ClaimValueTypes.Integer64),
new Claim(JwtRegisteredClaimNames.Nbf, nbf, ClaimValueTypes.Integer64),
new Claim(JwtRegisteredClaimNames.Exp, exp, ClaimValueTypes.Integer64)
};
claims.AddRange(userClaims);
claims.TryAddClaim(security.Claims.ApplicationIdClaim, api.ApiVersion);
claims.TryAddClaim(security.Claims.ApplicationNameClaim, api.ApiName);
_signing = _signing ?? BuildSigningCredentials(security);
_encrypting = _encrypting ?? BuildEncryptingCredentials(security);
var handler = new JwtSecurityTokenHandler();
if (security.Tokens.Encrypt)
{
var descriptor = new SecurityTokenDescriptor
{
Audience = aud,
Issuer = iss,
Subject = new ClaimsIdentity(claims),
EncryptingCredentials = _encrypting
};
return(handler.CreateEncodedJwt(descriptor));
}
return(handler.WriteToken(new JwtSecurityToken(iss, aud, claims, now.UtcDateTime, expires.UtcDateTime, _signing)));
}