public OpenIdConnectJwtPolicy(Dictionary <string, string> config) { IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>( //"https://login.microsoftonline.com/PSGCustomerDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_absg-custom-login-ui", config["MetadataEndpoint"], new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result; _validationParameters = new TokenValidationParameters { ValidIssuer = config["ValidIssuer"], //ValidAudiences = ValidAudiencesList, //new[] { audience }, IssuerSigningKeys = openIdConfig.SigningKeys }; if (config.ContainsKey("ValidAudiences")) { var ValidAudiences = config["ValidAudiences"].Split(';'); var ValidAudiencesList = ValidAudiences.Where(x => !string.IsNullOrWhiteSpace(x)); _validationParameters.ValidAudiences = ValidAudiencesList; } _handler = new JwtSecurityTokenHandler(); }
/// <summary> /// Returns the cached signing keys if they were retrieved previously. /// If they haven't been retrieved, or the cached keys are stale, then a fresh set of /// signing keys are retrieved from the OpenID Connect provider (issuer) cached and returned. /// This method will throw if the configuration cannot be retrieved, instead of returning null. /// </summary> /// <returns> /// The current set of the Open ID Connect issuer's signing keys. /// </returns> public async Task <IEnumerable <SecurityKey> > GetIssuerSigningKeysAsync() { OpenIdConnectConfiguration configuration = await _configurationManager.GetConfigurationAsync( CancellationToken.None); return(configuration.SigningKeys); }
public static async Task <ApplicationUser> ValidateIdToken(string domain, string audience, string idToken) { // Validate the id_token IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{domain}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidIssuer = openIdConfig.Issuer, ValidAudiences = new[] { audience }, IssuerSigningKeys = openIdConfig.SigningKeys, ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true }; SecurityToken validatedToken; JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); var claims = handler.ValidateToken(idToken, validationParameters, out validatedToken); var applicationUser = new ApplicationUser { UserName = claims.FindFirstValue(ClaimTypes.Email), Email = claims.FindFirstValue(ClaimTypes.Email), FirstName = claims.FindFirstValue(ClaimTypes.GivenName) ?? "", LastName = claims.FindFirstValue(ClaimTypes.Surname) ?? "", EmailConfirmed = true }; return(applicationUser); }
private async Task <JwtSecurityToken> TokenValidationAsync(string token, string validAudience, string validIssuer, bool validateLifetime, string issuerSigningKey = "") { TokenValidationParameters validationParameters = new TokenValidationParameters(); validationParameters.ValidateAudience = true; validationParameters.ValidAudience = validAudience; validationParameters.ValidateIssuer = true; validationParameters.ValidIssuer = validIssuer; validationParameters.ValidateIssuerSigningKey = true; validationParameters.ValidateLifetime = validateLifetime; if (string.IsNullOrEmpty(issuerSigningKey)) { string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"; ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync(); validationParameters.IssuerSigningKeys = config.SigningKeys; } else { var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(issuerSigningKey)); validationParameters.IssuerSigningKey = securityKey; } JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler(); SecurityToken jwt; IdentityModelEventSource.ShowPII = false; ClaimsPrincipal claimsPrincipal = tokendHandler.ValidateToken(token, validationParameters, out jwt); return(jwt as JwtSecurityToken); }
internal override void ProcessToken(string token) { TokenReadResult result = ReadToken(token); if (result.Success) { IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{result.Token.Issuer.EnsureTrailingSlash()}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result; TokenValidationParameters validationParameters = new TokenValidationParameters { ValidIssuers = _issuers.Values, ValidAudiences = _audiences.Values, IssuerSigningKeys = openIdConfig.SigningKeys, ValidateLifetime = _lifetime.HasValue() }; SecurityToken validatedToken; JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); try { var user = handler.ValidateToken(token, validationParameters, out validatedToken); Logger.LogInformation("token is valid"); } catch (Exception ex) { throw new CommandException(ex.Message); } } else { Logger.LogError(new EventId(), result.Exception, "the token is invalid"); } }
public void OpenIdConnect() { SigningCredentials rsaSigningCredentials = new SigningCredentials( KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaSha256Signature ); //"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>" OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFileEnd2End, new FileDocumentRetriever(), CancellationToken.None).Result; JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); JwtSecurityToken jwtToken = tokenHandler.CreateJwtSecurityToken( configuration.Issuer, Default.Audience, ClaimSets.DefaultClaimsIdentity, DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1), DateTime.UtcNow + TimeSpan.FromHours(1), rsaSigningCredentials); tokenHandler.WriteToken(jwtToken); TokenValidationParameters validationParameters = new TokenValidationParameters { IssuerSigningKeys = configuration.SigningKeys, ValidAudience = Default.Audience, ValidIssuer = configuration.Issuer, }; SecurityToken securityToken = null; tokenHandler.ValidateToken(jwtToken.RawData, validationParameters, out securityToken); }
private static async Task<bool> ValidateBearer(string bearerToken, ILogger log) { string tenantID = System.Environment.GetEnvironmentVariable("TENANTID"); string audience = System.Environment.GetEnvironmentVariable("AUDIENCE2"); string stsDiscoveryEndPoint = $"https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration"; ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndPoint, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result; TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = audience, ValidIssuer = $"https://sts.windows.net/{tenantID}/", ValidateAudience = true, ValidateIssuer = true, IssuerSigningKeys = config.SigningKeys, ValidateIssuerSigningKey = true, ValidateLifetime = true }; System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler(); SecurityToken jwt; try { var result = tokendHandler.ValidateToken(bearerToken, validationParameters, out jwt); return true; } catch (Exception ex) { log.LogInformation($"JobExecutor:ValidateToken exception:{ex.Message}"); return false; } }
public void End2End_OpenIdConnect() { SigningCredentials rsaSigningCredentials = new SigningCredentials( KeyingMaterial.RsaSecurityKey_Private2048, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha256Digest, new SecurityKeyIdentifier(new NamedKeySecurityKeyIdentifierClause("kid", "NGTFvdK-fythEuLwjpwAJOM9n-A")) ); //"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>" RSA rsa = KeyingMaterial.RsaSecurityKey_2048.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false) as RSA; OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFile, CancellationToken.None).Result; JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); JwtSecurityToken jwt = tokenHandler.CreateToken( configuration.Issuer, IdentityUtilities.DefaultAudience, IdentityUtilities.DefaultClaimsIdentity, DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1), rsaSigningCredentials); TokenValidationParameters validationParameters = new TokenValidationParameters { IssuerSigningTokens = configuration.SigningTokens, ValidAudience = IdentityUtilities.DefaultAudience, ValidIssuer = configuration.Issuer, }; SecurityToken securityToken = null; tokenHandler.ValidateToken(jwt.RawData, validationParameters, out securityToken); }
public OpenIdConnectService( OpenIdConnectConfiguration openIdConnectConfiguration, IHttpClientFactory httpClientFactory) { _openIdConnectConfiguration = openIdConnectConfiguration; _httpClientFactory = httpClientFactory; }
/// <summary> /// Methods that constructs the token validation parameter for a given app. It pro-actively reads AAD configuration /// to obtain the value of the issuer and its signing tokens /// </summary> /// <param name="clientId">the client Id of the app</param> /// <param name="clientRedirectUri">the redirect URI of the app</param> /// <returns>A self-refreshing variable that contains token validation parameters</returns> private async Task <TokenValidationParameters> ConstructTokenValidationParameters(string clientId, string clientRedirectUri) { // Read AAD configuration OpenIdConnectConfiguration config = await AADAuthManager.GetOpenIdConnectConfiguration(discoveryOpenIdFormat, discoveryUrlFormat, clientId); // Create the data structure used to validate tokens. // Turn on validating the issuer and the audience // Set the valid audience to the appIDUri // Set the name claim to tenantID. It'll be used during tenant configuration to construct the URL // for discovering AAD tenant parameters. // Set the valid issuer and its tokens to values read from AAD // We'll make sure TenantConfig will run before validating tokens. return(new TokenValidationParameters { ValidateAudience = true, ValidateIssuer = true, ValidateLifetime = true, ValidateIssuerSigningKey = true, ValidAudience = clientRedirectUri, ValidIssuer = config.Issuer, IssuerSigningTokens = config.SigningTokens?.ToList(), CertificateValidator = X509CertificateValidator.None, NameClaimType = clientId }); }
public static string GetPayload(string _token, string _discoveryUrl) { try { ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(_discoveryUrl, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result; TokenValidationParameters validationParameters = new TokenValidationParameters { ValidateAudience = false, ValidIssuer = config.Issuer, IssuerSigningKeys = config.SigningKeys, ValidateIssuerSigningKey = false, ValidateIssuer = true, ValidateActor = false, ValidateLifetime = true }; JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler(); Microsoft.IdentityModel.Tokens.SecurityToken jwt; var result = tokendHandler.ValidateToken(_token, validationParameters, out jwt); return(((JwtSecurityToken)jwt).RawPayload); } catch (Exception e) { return("Error Parsing Token: " + e.Message); } }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{ Configuration["OpenId:Authority"] }.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result; services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, ValidateAudience = true, ValidIssuer = Configuration["OpenId:Authority"], ValidAudiences = Configuration.GetSection("OpenId:Audiences").Get <List <string> >(), ValidateIssuerSigningKey = true, IssuerSigningKeys = openIdConfig.SigningKeys }; }); services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); services.AddSingleton(_ => Configuration); services.AddTransient <IStudentService, StudentService>(); services.AddTransient <IStudentRepository, StudentRepository>(); services.AddCors(); services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new Info { Title = "Booking API", Version = "v1" }); }); }
public HttpResponseMessage Get() { OpenIdConnectConfiguration oidcConfiguration = new OpenIdConnectConfiguration(); oidcConfiguration.Issuer = Settings.Default.ExtensionClaimsIssuer; oidcConfiguration.AuthorizationEndpoint = string.Format( "https://{0}/api/Authorize", Settings.Default.ExtensionEndpointHostName); oidcConfiguration.JwksUri = string.Format("http://{0}/.well-known/jwks", Settings.Default.ExtensionEndpointHostName); oidcConfiguration.GrantTypesSupported.Add("implicit"); oidcConfiguration.ResponseTypesSupported.Add("id_token"); oidcConfiguration.ResponseModesSupported.Add("form_post"); oidcConfiguration.ScopesSupported.Add("openid"); oidcConfiguration.IdTokenSigningAlgValuesSupported.Add("RS256"); oidcConfiguration.SubjectTypesSupported.Add("public"); foreach (string supportedClaim in Settings.Default.SupportedExtensionClaims) { oidcConfiguration.ClaimsSupported.Add(supportedClaim); } return(new HttpResponseMessage() { Content = new StringContent( JsonConvert.SerializeObject(oidcConfiguration, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }), Encoding.UTF8, "application/json") }); }
async static public Task <JwtSecurityToken> ToValidatedJwtSecurityToken(this string jwtEncodedString, string issuerUrl, string audience = null) { IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{ issuerUrl.ToValidIssuerUrl() }/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfiguration = await configurationManager.GetConfigurationAsync(CancellationToken.None); var tokenHandler = new JwtSecurityTokenHandler(); var validationParameters = new TokenValidationParameters() { ValidIssuer = issuerUrl.ToValidIssuerUrl(), ValidAudience = audience, ValidateIssuerSigningKey = true, ValidateAudience = !String.IsNullOrEmpty(audience), IssuerSigningKeys = openIdConfiguration.SigningKeys }; try { SecurityToken validatedToken; IPrincipal principal = tokenHandler.ValidateToken(jwtEncodedString, validationParameters, out validatedToken); } catch (Exception ex) { throw new TokenValidationException($"Invalid token: { ex.Message }"); } return(jwtEncodedString.ToJwtSecurityToken()); }
private void ValidateToken(string token, OpenIdConnectConfiguration configuration) { if (configuration.SigningKeys == null) { throw new ConfigurationSigningKeysIsNull(); } var validationParameters = new TokenValidationParameters { // Clock skew compensates for server time drift. // We recommend 5 minutes or less: ClockSkew = TimeSpan.FromMinutes(5), // Specify the key used to sign the token: IssuerSigningKeys = configuration.SigningKeys, RequireSignedTokens = true, // Ensure the token hasn't expired: RequireExpirationTime = true, ValidateLifetime = true, // Ensure the token audience matches our audience value (default true): ValidateAudience = false, // Ensure the token was issued by a trusted authorization server (default true): ValidateIssuer = false }; JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); SecurityToken decodedToken; tokenHandler.ValidateToken(token, validationParameters, out decodedToken); }
private async Task EnrichIdentityViaUserInfoAsync(ClaimsIdentity subject, OpenIdConnectConfiguration openIdConfiguration, TokenResponse tokenResponse) { var userInfoResponse = await _httpClient.GetUserInfoAsync(new UserInfoRequest { Address = openIdConfiguration.UserInfoEndpoint, Token = tokenResponse.AccessToken, }).ConfigureAwait(false); // Claims returned from the UserInfoClient have issuer = "LOCAL AUTHORITY" by default var userInfoClaims = userInfoResponse.Claims .Select(x => new Claim(x.Type, x.Value, x.ValueType, _issuer, _issuer, subject)) .ToArray(); // Update ID token claims with fresh data from the /userinfo response var duplicateClaims = subject.Claims .Where(x => userInfoClaims.Any(y => y.Type == x.Type)) .ToArray(); foreach (var claim in duplicateClaims) { subject.RemoveClaim(claim); } subject.AddClaims(userInfoResponse.Claims); }
internal static IServiceCollection RegisterCommonServices( this IServiceCollection serviceCollection, Func <IServiceProvider, ServiceBusOptions> optionsRetriever) { serviceCollection .AddSingleton( sp => { var options = optionsRetriever.Invoke(sp); var serviceBusApiConfiguration = new ServiceBusApiConfiguration(options.ServiceBusApiEndpoint); return(serviceBusApiConfiguration); }); serviceCollection .AddSingleton( sp => { var options = optionsRetriever.Invoke(sp); var openIdConnectConfiguration = new OpenIdConnectConfiguration(options.TokenProviderUri, options.ClientId, options.ClientSecret, options.Scope); return(openIdConnectConfiguration); }); serviceCollection.AddSingleton <ITokenStore, InMemoryTokenStore>(); serviceCollection.AddSingleton <ITokenService, TokenService>(); serviceCollection.AddSingleton <IOpenIdConnectService, OpenIdConnectService>(); serviceCollection.AddSingleton <IHttpClientFactory, HttpClientFactory>(); serviceCollection.AddSingleton <IServiceBusApiService, ServiceBusApiService>(); return(serviceCollection); }
public void Configure(string name, JwtBearerOptions options) { var definitions = _localApiDescriptor.GetResourceDefinitions(); if (!definitions.ContainsKey(_apiName)) { return; } if (string.Equals(name, _scheme, StringComparison.Ordinal)) { options.Events = options.Events ?? new JwtBearerEvents(); options.Events.OnMessageReceived = ResolveAuthorityAndKeysAsync; options.Audience = _apiName; var staticConfiguration = new OpenIdConnectConfiguration { Issuer = options.Authority }; var manager = new StaticConfigurationManager(staticConfiguration); options.ConfigurationManager = manager; options.TokenValidationParameters.ValidIssuer = options.Authority; options.TokenValidationParameters.NameClaimType = "name"; options.TokenValidationParameters.RoleClaimType = "role"; } }
public async Task <ClaimsIdentity> AuthenticateAsync(string authHeader) { if (string.IsNullOrWhiteSpace(_microsoftAppId)) { throw new ArgumentNullException("microsoftAppId"); } if (_openIdConfig == null) { var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(_openIdMetadataUrl, new OpenIdConnectConfigurationRetriever()); _openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None).ConfigureAwait(false); } try { var validationParameters = new TokenValidationParameters { ValidateIssuer = false, // do not validate issuer ValidAudiences = new[] { _microsoftAppId }, IssuerSigningKeys = _openIdConfig.SigningKeys, }; var handler = new JwtSecurityTokenHandler(); var user = handler.ValidateToken(authHeader.Replace("Bearer ", string.Empty), validationParameters, out var validatedToken); return(user.Identities.OfType <ClaimsIdentity>().FirstOrDefault()); } catch { return(null); } }
public void Defaults() { OpenIdConnectConfiguration configuration = new OpenIdConnectConfiguration(); Assert.NotNull(configuration.AcrValuesSupported); Assert.NotNull(configuration.ClaimsSupported); Assert.NotNull(configuration.ClaimsLocalesSupported); Assert.NotNull(configuration.ClaimTypesSupported); Assert.NotNull(configuration.DisplayValuesSupported); Assert.NotNull(configuration.GrantTypesSupported); Assert.NotNull(configuration.IdTokenEncryptionAlgValuesSupported); Assert.NotNull(configuration.IdTokenEncryptionEncValuesSupported); Assert.NotNull(configuration.IdTokenSigningAlgValuesSupported); Assert.NotNull(configuration.RequestObjectEncryptionAlgValuesSupported); Assert.NotNull(configuration.RequestObjectEncryptionEncValuesSupported); Assert.NotNull(configuration.RequestObjectSigningAlgValuesSupported); Assert.NotNull(configuration.ResponseModesSupported); Assert.NotNull(configuration.ResponseTypesSupported); Assert.NotNull(configuration.ScopesSupported); Assert.NotNull(configuration.SigningKeys); Assert.NotNull(configuration.SubjectTypesSupported); Assert.NotNull(configuration.TokenEndpointAuthMethodsSupported); Assert.NotNull(configuration.TokenEndpointAuthSigningAlgValuesSupported); Assert.NotNull(configuration.UILocalesSupported); Assert.NotNull(configuration.UserInfoEndpointEncryptionAlgValuesSupported); Assert.NotNull(configuration.UserInfoEndpointEncryptionEncValuesSupported); Assert.NotNull(configuration.UserInfoEndpointSigningAlgValuesSupported); }
private void GetAndCheckConfiguration(string jsonName, string propertyName, CompareContext context, string propertyValue = null) { string jsonValue = propertyValue; if (jsonValue == null) { jsonValue = Guid.NewGuid().ToString(); } string jsonString = @"{""" + jsonName + @""":""" + jsonValue + @"""}"; try { OpenIdConnectConfiguration openIdConnectConfiguration = new OpenIdConnectConfiguration(jsonString); OpenIdConnectConfiguration expectedConfiguration = new OpenIdConnectConfiguration(); TestUtilities.SetProperty(expectedConfiguration, propertyName, jsonValue); IdentityComparer.AreEqual(openIdConnectConfiguration, expectedConfiguration, context); } catch (Exception exception) { ExpectedException.NoExceptionExpected.ProcessException(exception, context.Diffs); } return; }
private async Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { string[] tenant = new string[1], client_id = new string[1], policy = new string[1]; if (!notification.Response.Headers.TryGetValue("tenant", out tenant) || !notification.Response.Headers.TryGetValue("client_id", out client_id) || !notification.Response.Headers.TryGetValue("policy", out policy) || string.IsNullOrEmpty(tenant[0]) || string.IsNullOrEmpty(client_id[0]) || string.IsNullOrEmpty(policy[0])) { notification.HandleResponse(); notification.Response.Redirect("/Home/Error?message=You need to input your app settings before you can try this flow."); return; } try { B2CConfigurationManager cm = new B2CConfigurationManager(String.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration", tenant[0])); OpenIdConnectConfiguration config = await cm.GetConfigurationAsync(new System.Threading.CancellationToken(), policy[0]); notification.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint; notification.ProtocolMessage.ClientId = client_id[0]; notification.ProtocolMessage.SetParameter("prompt", "login"); notification.Response.Headers.Remove("tenant"); notification.Response.Headers.Remove("client_id"); notification.Response.Headers.Remove("policy"); } catch (Exception e) { notification.HandleResponse(); notification.Response.Redirect("/Home/Error?message=Are you SURE you entered your app settings correctly?"); } return; }
private void RunOpenIdConnectConfigurationTest(object obj, OpenIdConnectConfiguration compareTo, ExpectedException expectedException, CompareContext context, bool asString = true) { bool exceptionHit = false; OpenIdConnectConfiguration openIdConnectConfiguration = null; try { if (obj is string || asString) { openIdConnectConfiguration = new OpenIdConnectConfiguration(obj as string); } expectedException.ProcessNoException(context.Diffs); } catch (Exception ex) { exceptionHit = true; expectedException.ProcessException(ex, context.Diffs); } if (!exceptionHit && compareTo != null) { IdentityComparer.AreEqual(openIdConnectConfiguration, compareTo, context); } }
private async Task <ClaimsPrincipal> ValidateTokenAsync(string jwtToken) { // _openIdMetadata only does a full refresh when the cache expires every 5 days OpenIdConnectConfiguration config = null; try { config = await _openIdMetadata.GetConfigurationAsync().ConfigureAwait(false); } catch (Exception e) { Trace.TraceError($"Error refreshing OpenId configuration: {e}"); // No config? We can't continue if (config == null) { throw; } } // Update the signing tokens from the last refresh _tokenValidationParameters.IssuerSigningTokens = config.SigningTokens; JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); SecurityToken parsedToken; ClaimsPrincipal principal = tokenHandler.ValidateToken(jwtToken, _tokenValidationParameters, out parsedToken); return(principal); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { string stsDiscoveryEndpoint = Configuration.GetValue <string>("STSDiscoveryEndpoint"); string audience = Configuration.GetValue <string>("Audience"); string authorizationUri = Configuration.GetValue <string>("AuthorizationUri"); ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result; services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters() { ValidateIssuer = true, ValidIssuer = config.Issuer, ValidateAudience = true, ValidAudience = audience, IssuerSigningKeys = config.SigningKeys }; options.Events = new JwtBearerEvents() { OnChallenge = (context) => { // Add a WWW-Authenticate header so the client application knows where to redirect to for authorization context.HttpContext.Response.Headers.Add("WWW-Authenticate", $"authorization_uri=\"{authorizationUri}\""); return(Task.FromResult(0)); } }; }); services.AddControllers(); }
public System.Security.Claims.ClaimsPrincipal ValidateIdToken(string idToken, string issuer, string audience) { System.Security.Claims.ClaimsPrincipal claimPrincipal = null; IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{issuer}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration openIdConfig = AsyncHelper.RunSync(async() => await configurationManager.GetConfigurationAsync(CancellationToken.None)); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = audience, ValidIssuer = issuer, IssuerSigningKeys = openIdConfig.SigningKeys, ValidateIssuerSigningKey = true, ValidateAudience = true, ValidateIssuer = true, ValidateLifetime = true }; Microsoft.IdentityModel.Tokens.SecurityToken validatedToken; System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler handler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler(); try { claimPrincipal = handler.ValidateToken(idToken, validationParameters, out validatedToken); } catch (Exception ex) { var error = ex.Message; } return(claimPrincipal); }
//https://stackoverflow.com/questions/39866513/how-to-validate-azure-ad-security-token public static ClaimsPrincipal ValidateToken(string jwt, out JwtSecurityToken jwtSecurityToken) { var ada = (ActiveDirectoryAuthorizer)AuthLogic.Authorizer !; string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"; var configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result; TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = ada.GetConfig().Azure_ApplicationID, ValidIssuer = "https://login.microsoftonline.com/" + ada.GetConfig().Azure_DirectoryID + "/v2.0", ValidateAudience = true, ValidateIssuer = true, IssuerSigningKeys = config.SigningKeys, //2. .NET Core equivalent is "IssuerSigningKeys" and "SigningKeys" ValidateLifetime = true }; JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler(); var result = tokendHandler.ValidateToken(jwt, validationParameters, out SecurityToken secutityToken); jwtSecurityToken = (JwtSecurityToken)secutityToken; return(result); }
public async Task ValidateAsync_InvalidToken() { var authenticationSettings = new AuthenticationSettings { Microsoft = new MicrosoftAuthenticationSettings { ClientId = ClientId, }, }; var options = Options.Create(authenticationSettings); var configuration = new OpenIdConnectConfiguration(); configuration.JsonWebKeySet = new JsonWebKeySet(); configuration.JsonWebKeySet.Keys.Add(jsonWebKey); using (var http = new HttpClientTestingFactory()) { var handler = new MicrosoftAssertionGrantHandler(options, http.HttpClient); var resultTask = handler.ValidateAsync("SomeBadAssertion"); http.Expect(ConfigurationEndpoint).Respond(OpenIdConnectConfiguration.Write(configuration)); var result = await resultTask; Assert.NotNull(result); Assert.False(result.IsSuccessful); http.EnsureNoOutstandingRequests(); } }
public static async Task <IUserIdentity> ValidateTokenAsync(Uri authorityUrl, string audiance, string jwt) { JwtSecurityToken token = new JwtSecurityToken(jwt); SecurityToken validatedToken = new JwtSecurityToken(); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = audiance }; ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>( authorityUrl.ToString() + "/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync(); validationParameters.ValidIssuer = new Uri(config.Issuer).ToString(); validationParameters.IssuerSigningKeys = (IEnumerable <SecurityKey>)config.JsonWebKeySet; tokenHandler.ValidateToken(jwt, validationParameters, out validatedToken); IssuedIdentityToken issuedToken = new IssuedIdentityToken(); issuedToken.IssuedTokenType = IssuedTokenType.JWT; issuedToken.DecryptedTokenData = new UTF8Encoding(false).GetBytes(((JwtSecurityToken)validatedToken).RawData); return(new UserIdentity(issuedToken)); }
async static Task <JwtSecurityToken> Validate(string token) { string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"; ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result; var openidConfiguration = await OpenIdConnectConfigurationRetriever.GetAsync(stsDiscoveryEndpoint, CancellationToken.None); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidateAudience = false, ValidateIssuer = false, IssuerSigningKeys = openidConfiguration.SigningKeys, ValidateLifetime = true, LifetimeValidator = CustomLifetimeValidator, }; JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler(); SecurityToken jwt; var result = tokendHandler.ValidateToken(token, validationParameters, out jwt); return(jwt as JwtSecurityToken); }
public ExpectedQueryValues(string authority, OpenIdConnectConfiguration configuration = null) { Authority = authority; Configuration = configuration ?? TestUtilities.DefaultOpenIdConnectConfiguration; }
public async Task SignOutSettingMessage() { var configuration = new OpenIdConnectConfiguration { EndSessionEndpoint = ExpectedLogoutRequest }; var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration) { RequestType = OpenIdConnectRequestType.LogoutRequest }; var server = CreateServer(SetProtocolMessageOptions); var transaction = await SendAsync(server, DefaultHost + Signout); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] { }); }
public async Task ChallengeSettingMessage() { var configuration = new OpenIdConnectConfiguration { AuthorizationEndpoint = ExpectedAuthorizeRequest, }; var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration) { RequestType = OpenIdConnectRequestType.Authentication }; var server = CreateServer(GetProtocolMessageOptions()); var transaction = await SendAsync(server, DefaultHost + Challenge); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] {}); }
public async Task ChallengeSettingMessage(string challenge, OpenIdConnectRequestType requestType) { var configuration = new OpenIdConnectConfiguration { AuthorizationEndpoint = ExpectedAuthorizeRequest, EndSessionEndpoint = ExpectedLogoutRequest }; var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration) { RequestType = requestType }; var server = CreateServer(SetProtocolMessageOptions); var transaction = await SendAsync(server, DefaultHost + challenge); transaction.Response.StatusCode.ShouldBe(HttpStatusCode.Redirect); queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] {}); }