public OpenIdConnectJwtPolicy(Dictionary <string, string> config)
{
IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(
//"https://login.microsoftonline.com/PSGCustomerDev.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_absg-custom-login-ui",
config["MetadataEndpoint"],
new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;
_validationParameters = new TokenValidationParameters
{
ValidIssuer = config["ValidIssuer"],
//ValidAudiences = ValidAudiencesList, //new[] { audience },
IssuerSigningKeys = openIdConfig.SigningKeys
};
if (config.ContainsKey("ValidAudiences"))
{
var ValidAudiences = config["ValidAudiences"].Split(';');
var ValidAudiencesList = ValidAudiences.Where(x => !string.IsNullOrWhiteSpace(x));
_validationParameters.ValidAudiences = ValidAudiencesList;
}
_handler = new JwtSecurityTokenHandler();
}
/// <summary>
/// Returns the cached signing keys if they were retrieved previously.
/// If they haven't been retrieved, or the cached keys are stale, then a fresh set of
/// signing keys are retrieved from the OpenID Connect provider (issuer) cached and returned.
/// This method will throw if the configuration cannot be retrieved, instead of returning null.
/// </summary>
/// <returns>
/// The current set of the Open ID Connect issuer's signing keys.
/// </returns>
public async Task <IEnumerable <SecurityKey> > GetIssuerSigningKeysAsync()
{
OpenIdConnectConfiguration configuration = await _configurationManager.GetConfigurationAsync(
CancellationToken.None);
return(configuration.SigningKeys);
}
public static async Task <ApplicationUser> ValidateIdToken(string domain, string audience, string idToken)
{
// Validate the id_token
IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{domain}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
ValidIssuer = openIdConfig.Issuer,
ValidAudiences = new[] { audience },
IssuerSigningKeys = openIdConfig.SigningKeys,
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true
};
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
var claims = handler.ValidateToken(idToken, validationParameters, out validatedToken);
var applicationUser = new ApplicationUser
{
UserName = claims.FindFirstValue(ClaimTypes.Email),
Email = claims.FindFirstValue(ClaimTypes.Email),
FirstName = claims.FindFirstValue(ClaimTypes.GivenName) ?? "",
LastName = claims.FindFirstValue(ClaimTypes.Surname) ?? "",
EmailConfirmed = true
};
return(applicationUser);
}
private async Task <JwtSecurityToken> TokenValidationAsync(string token, string validAudience, string validIssuer, bool validateLifetime, string issuerSigningKey = "")
{
TokenValidationParameters validationParameters = new TokenValidationParameters();
validationParameters.ValidateAudience = true;
validationParameters.ValidAudience = validAudience;
validationParameters.ValidateIssuer = true;
validationParameters.ValidIssuer = validIssuer;
validationParameters.ValidateIssuerSigningKey = true;
validationParameters.ValidateLifetime = validateLifetime;
if (string.IsNullOrEmpty(issuerSigningKey))
{
string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
validationParameters.IssuerSigningKeys = config.SigningKeys;
}
else
{
var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(issuerSigningKey));
validationParameters.IssuerSigningKey = securityKey;
}
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
SecurityToken jwt;
IdentityModelEventSource.ShowPII = false;
ClaimsPrincipal claimsPrincipal = tokendHandler.ValidateToken(token, validationParameters, out jwt);
return(jwt as JwtSecurityToken);
}
internal override void ProcessToken(string token)
{
TokenReadResult result = ReadToken(token);
if (result.Success)
{
IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{result.Token.Issuer.EnsureTrailingSlash()}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidIssuers = _issuers.Values,
ValidAudiences = _audiences.Values,
IssuerSigningKeys = openIdConfig.SigningKeys,
ValidateLifetime = _lifetime.HasValue()
};
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
try
{
var user = handler.ValidateToken(token, validationParameters, out validatedToken);
Logger.LogInformation("token is valid");
}
catch (Exception ex)
{
throw new CommandException(ex.Message);
}
}
else
{
Logger.LogError(new EventId(), result.Exception, "the token is invalid");
}
}
public void OpenIdConnect()
{
SigningCredentials rsaSigningCredentials =
new SigningCredentials(
KeyingMaterial.RsaSecurityKey_2048,
SecurityAlgorithms.RsaSha256Signature
);
//"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFileEnd2End, new FileDocumentRetriever(), CancellationToken.None).Result;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwtToken =
tokenHandler.CreateJwtSecurityToken(
configuration.Issuer,
Default.Audience,
ClaimSets.DefaultClaimsIdentity,
DateTime.UtcNow,
DateTime.UtcNow + TimeSpan.FromHours(1),
DateTime.UtcNow + TimeSpan.FromHours(1),
rsaSigningCredentials);
tokenHandler.WriteToken(jwtToken);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningKeys = configuration.SigningKeys,
ValidAudience = Default.Audience,
ValidIssuer = configuration.Issuer,
};
SecurityToken securityToken = null;
tokenHandler.ValidateToken(jwtToken.RawData, validationParameters, out securityToken);
}
private static async Task<bool> ValidateBearer(string bearerToken, ILogger log)
{
string tenantID = System.Environment.GetEnvironmentVariable("TENANTID");
string audience = System.Environment.GetEnvironmentVariable("AUDIENCE2");
string stsDiscoveryEndPoint = $"https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration";
ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndPoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidAudience = audience,
ValidIssuer = $"https://sts.windows.net/{tenantID}/",
ValidateAudience = true,
ValidateIssuer = true,
IssuerSigningKeys = config.SigningKeys,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
SecurityToken jwt;
try {
var result = tokendHandler.ValidateToken(bearerToken, validationParameters, out jwt);
return true;
}
catch (Exception ex)
{
log.LogInformation($"JobExecutor:ValidateToken exception:{ex.Message}");
return false;
}
}
public void End2End_OpenIdConnect()
{
SigningCredentials rsaSigningCredentials =
new SigningCredentials(
KeyingMaterial.RsaSecurityKey_Private2048,
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha256Digest,
new SecurityKeyIdentifier(new NamedKeySecurityKeyIdentifierClause("kid", "NGTFvdK-fythEuLwjpwAJOM9n-A"))
);
//"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
RSA rsa = KeyingMaterial.RsaSecurityKey_2048.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false) as RSA;
OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFile, CancellationToken.None).Result;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = tokenHandler.CreateToken(
configuration.Issuer,
IdentityUtilities.DefaultAudience,
IdentityUtilities.DefaultClaimsIdentity,
DateTime.UtcNow,
DateTime.UtcNow + TimeSpan.FromHours(1),
rsaSigningCredentials);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningTokens = configuration.SigningTokens,
ValidAudience = IdentityUtilities.DefaultAudience,
ValidIssuer = configuration.Issuer,
};
SecurityToken securityToken = null;
tokenHandler.ValidateToken(jwt.RawData, validationParameters, out securityToken);
}
public OpenIdConnectService(
OpenIdConnectConfiguration openIdConnectConfiguration,
IHttpClientFactory httpClientFactory)
{
_openIdConnectConfiguration = openIdConnectConfiguration;
_httpClientFactory = httpClientFactory;
}
/// <summary>
/// Methods that constructs the token validation parameter for a given app. It pro-actively reads AAD configuration
/// to obtain the value of the issuer and its signing tokens
/// </summary>
/// <param name="clientId">the client Id of the app</param>
/// <param name="clientRedirectUri">the redirect URI of the app</param>
/// <returns>A self-refreshing variable that contains token validation parameters</returns>
private async Task <TokenValidationParameters> ConstructTokenValidationParameters(string clientId, string clientRedirectUri)
{
// Read AAD configuration
OpenIdConnectConfiguration config = await AADAuthManager.GetOpenIdConnectConfiguration(discoveryOpenIdFormat, discoveryUrlFormat, clientId);
// Create the data structure used to validate tokens.
// Turn on validating the issuer and the audience
// Set the valid audience to the appIDUri
// Set the name claim to tenantID. It'll be used during tenant configuration to construct the URL
// for discovering AAD tenant parameters.
// Set the valid issuer and its tokens to values read from AAD
// We'll make sure TenantConfig will run before validating tokens.
return(new TokenValidationParameters
{
ValidateAudience = true,
ValidateIssuer = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidAudience = clientRedirectUri,
ValidIssuer = config.Issuer,
IssuerSigningTokens = config.SigningTokens?.ToList(),
CertificateValidator = X509CertificateValidator.None,
NameClaimType = clientId
});
}
public static string GetPayload(string _token, string _discoveryUrl)
{
try
{
ConfigurationManager <OpenIdConnectConfiguration> configManager =
new ConfigurationManager <OpenIdConnectConfiguration>(_discoveryUrl, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidIssuer = config.Issuer,
IssuerSigningKeys = config.SigningKeys,
ValidateIssuerSigningKey = false,
ValidateIssuer = true,
ValidateActor = false,
ValidateLifetime = true
};
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
Microsoft.IdentityModel.Tokens.SecurityToken jwt;
var result = tokendHandler.ValidateToken(_token, validationParameters, out jwt);
return(((JwtSecurityToken)jwt).RawPayload);
}
catch (Exception e)
{
return("Error Parsing Token: " + e.Message);
}
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{ Configuration["OpenId:Authority"] }.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = Configuration["OpenId:Authority"],
ValidAudiences = Configuration.GetSection("OpenId:Audiences").Get <List <string> >(),
ValidateIssuerSigningKey = true,
IssuerSigningKeys = openIdConfig.SigningKeys
};
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSingleton(_ => Configuration);
services.AddTransient <IStudentService, StudentService>();
services.AddTransient <IStudentRepository, StudentRepository>();
services.AddCors();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info {
Title = "Booking API", Version = "v1"
});
});
}
public HttpResponseMessage Get()
{
OpenIdConnectConfiguration oidcConfiguration = new OpenIdConnectConfiguration();
oidcConfiguration.Issuer = Settings.Default.ExtensionClaimsIssuer;
oidcConfiguration.AuthorizationEndpoint = string.Format(
"https://{0}/api/Authorize", Settings.Default.ExtensionEndpointHostName);
oidcConfiguration.JwksUri = string.Format("http://{0}/.well-known/jwks",
Settings.Default.ExtensionEndpointHostName);
oidcConfiguration.GrantTypesSupported.Add("implicit");
oidcConfiguration.ResponseTypesSupported.Add("id_token");
oidcConfiguration.ResponseModesSupported.Add("form_post");
oidcConfiguration.ScopesSupported.Add("openid");
oidcConfiguration.IdTokenSigningAlgValuesSupported.Add("RS256");
oidcConfiguration.SubjectTypesSupported.Add("public");
foreach (string supportedClaim in Settings.Default.SupportedExtensionClaims)
{
oidcConfiguration.ClaimsSupported.Add(supportedClaim);
}
return(new HttpResponseMessage()
{
Content = new StringContent(
JsonConvert.SerializeObject(oidcConfiguration, Formatting.None, new JsonSerializerSettings {
NullValueHandling = NullValueHandling.Ignore
}),
Encoding.UTF8,
"application/json")
});
}
async static public Task <JwtSecurityToken> ToValidatedJwtSecurityToken(this string jwtEncodedString, string issuerUrl, string audience = null)
{
IConfigurationManager <OpenIdConnectConfiguration> configurationManager =
new ConfigurationManager <OpenIdConnectConfiguration>($"{ issuerUrl.ToValidIssuerUrl() }/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfiguration = await configurationManager.GetConfigurationAsync(CancellationToken.None);
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
ValidIssuer = issuerUrl.ToValidIssuerUrl(),
ValidAudience = audience,
ValidateIssuerSigningKey = true,
ValidateAudience = !String.IsNullOrEmpty(audience),
IssuerSigningKeys = openIdConfiguration.SigningKeys
};
try
{
SecurityToken validatedToken;
IPrincipal principal = tokenHandler.ValidateToken(jwtEncodedString, validationParameters, out validatedToken);
}
catch (Exception ex)
{
throw new TokenValidationException($"Invalid token: { ex.Message }");
}
return(jwtEncodedString.ToJwtSecurityToken());
}
private void ValidateToken(string token, OpenIdConnectConfiguration configuration)
{
if (configuration.SigningKeys == null)
{
throw new ConfigurationSigningKeysIsNull();
}
var validationParameters = new TokenValidationParameters
{
// Clock skew compensates for server time drift.
// We recommend 5 minutes or less:
ClockSkew = TimeSpan.FromMinutes(5),
// Specify the key used to sign the token:
IssuerSigningKeys = configuration.SigningKeys,
RequireSignedTokens = true,
// Ensure the token hasn't expired:
RequireExpirationTime = true,
ValidateLifetime = true,
// Ensure the token audience matches our audience value (default true):
ValidateAudience = false,
// Ensure the token was issued by a trusted authorization server (default true):
ValidateIssuer = false
};
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
SecurityToken decodedToken;
tokenHandler.ValidateToken(token, validationParameters, out decodedToken);
}
private async Task EnrichIdentityViaUserInfoAsync(ClaimsIdentity subject, OpenIdConnectConfiguration openIdConfiguration, TokenResponse tokenResponse)
{
var userInfoResponse = await _httpClient.GetUserInfoAsync(new UserInfoRequest
{
Address = openIdConfiguration.UserInfoEndpoint,
Token = tokenResponse.AccessToken,
}).ConfigureAwait(false);
// Claims returned from the UserInfoClient have issuer = "LOCAL AUTHORITY" by default
var userInfoClaims = userInfoResponse.Claims
.Select(x => new Claim(x.Type, x.Value, x.ValueType, _issuer, _issuer, subject))
.ToArray();
// Update ID token claims with fresh data from the /userinfo response
var duplicateClaims = subject.Claims
.Where(x => userInfoClaims.Any(y => y.Type == x.Type))
.ToArray();
foreach (var claim in duplicateClaims)
{
subject.RemoveClaim(claim);
}
subject.AddClaims(userInfoResponse.Claims);
}
internal static IServiceCollection RegisterCommonServices(
this IServiceCollection serviceCollection,
Func <IServiceProvider, ServiceBusOptions> optionsRetriever)
{
serviceCollection
.AddSingleton(
sp =>
{
var options = optionsRetriever.Invoke(sp);
var serviceBusApiConfiguration = new ServiceBusApiConfiguration(options.ServiceBusApiEndpoint);
return(serviceBusApiConfiguration);
});
serviceCollection
.AddSingleton(
sp =>
{
var options = optionsRetriever.Invoke(sp);
var openIdConnectConfiguration =
new OpenIdConnectConfiguration(options.TokenProviderUri, options.ClientId, options.ClientSecret, options.Scope);
return(openIdConnectConfiguration);
});
serviceCollection.AddSingleton <ITokenStore, InMemoryTokenStore>();
serviceCollection.AddSingleton <ITokenService, TokenService>();
serviceCollection.AddSingleton <IOpenIdConnectService, OpenIdConnectService>();
serviceCollection.AddSingleton <IHttpClientFactory, HttpClientFactory>();
serviceCollection.AddSingleton <IServiceBusApiService, ServiceBusApiService>();
return(serviceCollection);
}
public void Configure(string name, JwtBearerOptions options)
{
var definitions = _localApiDescriptor.GetResourceDefinitions();
if (!definitions.ContainsKey(_apiName))
{
return;
}
if (string.Equals(name, _scheme, StringComparison.Ordinal))
{
options.Events = options.Events ?? new JwtBearerEvents();
options.Events.OnMessageReceived = ResolveAuthorityAndKeysAsync;
options.Audience = _apiName;
var staticConfiguration = new OpenIdConnectConfiguration
{
Issuer = options.Authority
};
var manager = new StaticConfigurationManager(staticConfiguration);
options.ConfigurationManager = manager;
options.TokenValidationParameters.ValidIssuer = options.Authority;
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
}
}
public async Task <ClaimsIdentity> AuthenticateAsync(string authHeader)
{
if (string.IsNullOrWhiteSpace(_microsoftAppId))
{
throw new ArgumentNullException("microsoftAppId");
}
if (_openIdConfig == null)
{
var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(_openIdMetadataUrl, new OpenIdConnectConfigurationRetriever());
_openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None).ConfigureAwait(false);
}
try
{
var validationParameters =
new TokenValidationParameters
{
ValidateIssuer = false, // do not validate issuer
ValidAudiences = new[] { _microsoftAppId },
IssuerSigningKeys = _openIdConfig.SigningKeys,
};
var handler = new JwtSecurityTokenHandler();
var user = handler.ValidateToken(authHeader.Replace("Bearer ", string.Empty), validationParameters, out var validatedToken);
return(user.Identities.OfType <ClaimsIdentity>().FirstOrDefault());
}
catch
{
return(null);
}
}
public void Defaults()
{
OpenIdConnectConfiguration configuration = new OpenIdConnectConfiguration();
Assert.NotNull(configuration.AcrValuesSupported);
Assert.NotNull(configuration.ClaimsSupported);
Assert.NotNull(configuration.ClaimsLocalesSupported);
Assert.NotNull(configuration.ClaimTypesSupported);
Assert.NotNull(configuration.DisplayValuesSupported);
Assert.NotNull(configuration.GrantTypesSupported);
Assert.NotNull(configuration.IdTokenEncryptionAlgValuesSupported);
Assert.NotNull(configuration.IdTokenEncryptionEncValuesSupported);
Assert.NotNull(configuration.IdTokenSigningAlgValuesSupported);
Assert.NotNull(configuration.RequestObjectEncryptionAlgValuesSupported);
Assert.NotNull(configuration.RequestObjectEncryptionEncValuesSupported);
Assert.NotNull(configuration.RequestObjectSigningAlgValuesSupported);
Assert.NotNull(configuration.ResponseModesSupported);
Assert.NotNull(configuration.ResponseTypesSupported);
Assert.NotNull(configuration.ScopesSupported);
Assert.NotNull(configuration.SigningKeys);
Assert.NotNull(configuration.SubjectTypesSupported);
Assert.NotNull(configuration.TokenEndpointAuthMethodsSupported);
Assert.NotNull(configuration.TokenEndpointAuthSigningAlgValuesSupported);
Assert.NotNull(configuration.UILocalesSupported);
Assert.NotNull(configuration.UserInfoEndpointEncryptionAlgValuesSupported);
Assert.NotNull(configuration.UserInfoEndpointEncryptionEncValuesSupported);
Assert.NotNull(configuration.UserInfoEndpointSigningAlgValuesSupported);
}
private void GetAndCheckConfiguration(string jsonName, string propertyName, CompareContext context, string propertyValue = null)
{
string jsonValue = propertyValue;
if (jsonValue == null)
{
jsonValue = Guid.NewGuid().ToString();
}
string jsonString = @"{""" + jsonName + @""":""" + jsonValue + @"""}";
try
{
OpenIdConnectConfiguration openIdConnectConfiguration = new OpenIdConnectConfiguration(jsonString);
OpenIdConnectConfiguration expectedConfiguration = new OpenIdConnectConfiguration();
TestUtilities.SetProperty(expectedConfiguration, propertyName, jsonValue);
IdentityComparer.AreEqual(openIdConnectConfiguration, expectedConfiguration, context);
}
catch (Exception exception)
{
ExpectedException.NoExceptionExpected.ProcessException(exception, context.Diffs);
}
return;
}
private async Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
string[] tenant = new string[1], client_id = new string[1], policy = new string[1];
if (!notification.Response.Headers.TryGetValue("tenant", out tenant) ||
!notification.Response.Headers.TryGetValue("client_id", out client_id) ||
!notification.Response.Headers.TryGetValue("policy", out policy) ||
string.IsNullOrEmpty(tenant[0]) || string.IsNullOrEmpty(client_id[0]) || string.IsNullOrEmpty(policy[0]))
{
notification.HandleResponse();
notification.Response.Redirect("/Home/Error?message=You need to input your app settings before you can try this flow.");
return;
}
try
{
B2CConfigurationManager cm = new B2CConfigurationManager(String.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration", tenant[0]));
OpenIdConnectConfiguration config = await cm.GetConfigurationAsync(new System.Threading.CancellationToken(), policy[0]);
notification.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
notification.ProtocolMessage.ClientId = client_id[0];
notification.ProtocolMessage.SetParameter("prompt", "login");
notification.Response.Headers.Remove("tenant");
notification.Response.Headers.Remove("client_id");
notification.Response.Headers.Remove("policy");
}
catch (Exception e)
{
notification.HandleResponse();
notification.Response.Redirect("/Home/Error?message=Are you SURE you entered your app settings correctly?");
}
return;
}
private void RunOpenIdConnectConfigurationTest(object obj, OpenIdConnectConfiguration compareTo, ExpectedException expectedException, CompareContext context, bool asString = true)
{
bool exceptionHit = false;
OpenIdConnectConfiguration openIdConnectConfiguration = null;
try
{
if (obj is string || asString)
{
openIdConnectConfiguration = new OpenIdConnectConfiguration(obj as string);
}
expectedException.ProcessNoException(context.Diffs);
}
catch (Exception ex)
{
exceptionHit = true;
expectedException.ProcessException(ex, context.Diffs);
}
if (!exceptionHit && compareTo != null)
{
IdentityComparer.AreEqual(openIdConnectConfiguration, compareTo, context);
}
}
private async Task <ClaimsPrincipal> ValidateTokenAsync(string jwtToken)
{
// _openIdMetadata only does a full refresh when the cache expires every 5 days
OpenIdConnectConfiguration config = null;
try
{
config = await _openIdMetadata.GetConfigurationAsync().ConfigureAwait(false);
}
catch (Exception e)
{
Trace.TraceError($"Error refreshing OpenId configuration: {e}");
// No config? We can't continue
if (config == null)
{
throw;
}
}
// Update the signing tokens from the last refresh
_tokenValidationParameters.IssuerSigningTokens = config.SigningTokens;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
SecurityToken parsedToken;
ClaimsPrincipal principal = tokenHandler.ValidateToken(jwtToken, _tokenValidationParameters, out parsedToken);
return(principal);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
string stsDiscoveryEndpoint = Configuration.GetValue <string>("STSDiscoveryEndpoint");
string audience = Configuration.GetValue <string>("Audience");
string authorizationUri = Configuration.GetValue <string>("AuthorizationUri");
ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidIssuer = config.Issuer,
ValidateAudience = true,
ValidAudience = audience,
IssuerSigningKeys = config.SigningKeys
};
options.Events = new JwtBearerEvents()
{
OnChallenge = (context) =>
{
// Add a WWW-Authenticate header so the client application knows where to redirect to for authorization
context.HttpContext.Response.Headers.Add("WWW-Authenticate", $"authorization_uri=\"{authorizationUri}\"");
return(Task.FromResult(0));
}
};
});
services.AddControllers();
}
public System.Security.Claims.ClaimsPrincipal ValidateIdToken(string idToken, string issuer, string audience)
{
System.Security.Claims.ClaimsPrincipal claimPrincipal = null;
IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{issuer}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = AsyncHelper.RunSync(async() => await configurationManager.GetConfigurationAsync(CancellationToken.None));
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
ValidAudience = audience,
ValidIssuer = issuer,
IssuerSigningKeys = openIdConfig.SigningKeys,
ValidateIssuerSigningKey = true,
ValidateAudience = true,
ValidateIssuer = true,
ValidateLifetime = true
};
Microsoft.IdentityModel.Tokens.SecurityToken validatedToken;
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler handler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
try
{
claimPrincipal = handler.ValidateToken(idToken, validationParameters, out validatedToken);
}
catch (Exception ex)
{
var error = ex.Message;
}
return(claimPrincipal);
}
//https://stackoverflow.com/questions/39866513/how-to-validate-azure-ad-security-token
public static ClaimsPrincipal ValidateToken(string jwt, out JwtSecurityToken jwtSecurityToken)
{
var ada = (ActiveDirectoryAuthorizer)AuthLogic.Authorizer !;
string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
var configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidAudience = ada.GetConfig().Azure_ApplicationID,
ValidIssuer = "https://login.microsoftonline.com/" + ada.GetConfig().Azure_DirectoryID + "/v2.0",
ValidateAudience = true,
ValidateIssuer = true,
IssuerSigningKeys = config.SigningKeys, //2. .NET Core equivalent is "IssuerSigningKeys" and "SigningKeys"
ValidateLifetime = true
};
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
var result = tokendHandler.ValidateToken(jwt, validationParameters, out SecurityToken secutityToken);
jwtSecurityToken = (JwtSecurityToken)secutityToken;
return(result);
}
public async Task ValidateAsync_InvalidToken()
{
var authenticationSettings = new AuthenticationSettings
{
Microsoft = new MicrosoftAuthenticationSettings
{
ClientId = ClientId,
},
};
var options = Options.Create(authenticationSettings);
var configuration = new OpenIdConnectConfiguration();
configuration.JsonWebKeySet = new JsonWebKeySet();
configuration.JsonWebKeySet.Keys.Add(jsonWebKey);
using (var http = new HttpClientTestingFactory())
{
var handler = new MicrosoftAssertionGrantHandler(options, http.HttpClient);
var resultTask = handler.ValidateAsync("SomeBadAssertion");
http.Expect(ConfigurationEndpoint).Respond(OpenIdConnectConfiguration.Write(configuration));
var result = await resultTask;
Assert.NotNull(result);
Assert.False(result.IsSuccessful);
http.EnsureNoOutstandingRequests();
}
}
public static async Task <IUserIdentity> ValidateTokenAsync(Uri authorityUrl, string audiance, string jwt)
{
JwtSecurityToken token = new JwtSecurityToken(jwt);
SecurityToken validatedToken = new JwtSecurityToken();
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidAudience = audiance
};
ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(
authorityUrl.ToString() + "/.well-known/openid-configuration",
new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
validationParameters.ValidIssuer = new Uri(config.Issuer).ToString();
validationParameters.IssuerSigningKeys = (IEnumerable <SecurityKey>)config.JsonWebKeySet;
tokenHandler.ValidateToken(jwt, validationParameters, out validatedToken);
IssuedIdentityToken issuedToken = new IssuedIdentityToken();
issuedToken.IssuedTokenType = IssuedTokenType.JWT;
issuedToken.DecryptedTokenData = new UTF8Encoding(false).GetBytes(((JwtSecurityToken)validatedToken).RawData);
return(new UserIdentity(issuedToken));
}
async static Task <JwtSecurityToken> Validate(string token)
{
string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
ConfigurationManager <OpenIdConnectConfiguration> configManager = new ConfigurationManager <OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
var openidConfiguration = await OpenIdConnectConfigurationRetriever.GetAsync(stsDiscoveryEndpoint, CancellationToken.None);
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
IssuerSigningKeys = openidConfiguration.SigningKeys,
ValidateLifetime = true,
LifetimeValidator = CustomLifetimeValidator,
};
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
SecurityToken jwt;
var result = tokendHandler.ValidateToken(token, validationParameters, out jwt);
return(jwt as JwtSecurityToken);
}
public ExpectedQueryValues(string authority, OpenIdConnectConfiguration configuration = null)
{
Authority = authority;
Configuration = configuration ?? TestUtilities.DefaultOpenIdConnectConfiguration;
}
public async Task SignOutSettingMessage()
{
var configuration = new OpenIdConnectConfiguration
{
EndSessionEndpoint = ExpectedLogoutRequest
};
var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration)
{
RequestType = OpenIdConnectRequestType.LogoutRequest
};
var server = CreateServer(SetProtocolMessageOptions);
var transaction = await SendAsync(server, DefaultHost + Signout);
Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] { });
}
public async Task ChallengeSettingMessage()
{
var configuration = new OpenIdConnectConfiguration
{
AuthorizationEndpoint = ExpectedAuthorizeRequest,
};
var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration)
{
RequestType = OpenIdConnectRequestType.Authentication
};
var server = CreateServer(GetProtocolMessageOptions());
var transaction = await SendAsync(server, DefaultHost + Challenge);
Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] {});
}
public async Task ChallengeSettingMessage(string challenge, OpenIdConnectRequestType requestType)
{
var configuration = new OpenIdConnectConfiguration
{
AuthorizationEndpoint = ExpectedAuthorizeRequest,
EndSessionEndpoint = ExpectedLogoutRequest
};
var queryValues = new ExpectedQueryValues(DefaultAuthority, configuration)
{
RequestType = requestType
};
var server = CreateServer(SetProtocolMessageOptions);
var transaction = await SendAsync(server, DefaultHost + challenge);
transaction.Response.StatusCode.ShouldBe(HttpStatusCode.Redirect);
queryValues.CheckValues(transaction.Response.Headers.Location.AbsoluteUri, new string[] {});
}
