public void ValidateToken_ThrowsSecurityTokenValidationException_WhenValidFromIsAfterCurrentTime() { // Arrange TimeSpan lifetimeFiveMinute = new TimeSpan(0, 5, 0); DateTime tokenCreationDateInFuture = DateTime.UtcNow + new TimeSpan(1, 0, 0); DateTime tokenExpiryDate = tokenCreationDateInFuture + lifetimeFiveMinute; SecurityTokenDescriptor tokenDescriptor = this.GetTestSecurityTokenDescriptor(tokenCreationDateInFuture, tokenExpiryDate); JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler(); JwtSecurityToken token = securityTokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; // Act // Assert SecurityTokenNotYetValidException ex = Assert.Throws <SecurityTokenNotYetValidException>(() => MobileAppTokenHandler.ValidateToken(token.RawData, TestSecretKey)); Assert.Contains("IDX10222: Lifetime validation failed. The token is not yet valid", ex.Message, StringComparison.Ordinal); }
private void ConfigureAuthentication(IServiceCollection services) { services.AddAuthentication(authOptions => { authOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; authOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(jwtOptions => { jwtOptions.Authority = Configuration["Authentication:Authority"]; jwtOptions.Audience = Configuration["Authentication:Audience"]; jwtOptions.SaveToken = false; jwtOptions.IncludeErrorDetails = true; if (Environment.IsDevelopment()) { jwtOptions.RequireHttpsMetadata = false; } jwtOptions.TokenValidationParameters = new TokenValidationParameters { ValidateAudience = true, ValidateIssuerSigningKey = true, ValidateIssuer = true, ValidIssuer = Configuration["Authentication:Authority"], ValidateLifetime = true, }; jwtOptions.Events = new JwtBearerEvents { OnAuthenticationFailed = failedAuthContext => { failedAuthContext.NoResult(); failedAuthContext.Response.StatusCode = 500; failedAuthContext.Response.ContentType = "text/plain"; var errorMessage = failedAuthContext.Exception switch { SecurityTokenExpiredException _ => "Expired token.", SecurityTokenNotYetValidException _ => "Token not yet valid.", SecurityTokenInvalidLifetimeException _ => "Invalid token lifetime.", SecurityTokenNoExpirationException _ => "Missing token expiration.", SecurityTokenSignatureKeyNotFoundException _ => "Invalid token. Key not found.", _ => "An error occured processing your authentication." }; return(failedAuthContext.Response.WriteAsync(errorMessage)); }, // OnMessageReceived = debugContext => // { // var response = debugContext.Response; // return Task.CompletedTask; // } }; }); // services.AddAuthorization(policyOptions => // { // policyOptions.AddPolicy("Keycloak", new AuthorizationPolicyBuilder() // .RequireAuthenticatedUser() // .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme) // .Build()); // }); }
private static string CreateErrorDescription(Exception authFailure) { AggregateException ex = authFailure as AggregateException; IEnumerable <Exception> enumerable = (IEnumerable <Exception>)((ex == null) ? ((object)new Exception[1] { authFailure }) : ((object)ex.InnerExceptions)); List <string> list = new List <string>(); foreach (Exception item in enumerable) { SecurityTokenInvalidAudienceException ex2 = item as SecurityTokenInvalidAudienceException; if (ex2 == null) { SecurityTokenInvalidIssuerException ex3 = item as SecurityTokenInvalidIssuerException; if (ex3 == null) { if (!(item is SecurityTokenNoExpirationException)) { SecurityTokenInvalidLifetimeException ex4 = item as SecurityTokenInvalidLifetimeException; if (ex4 == null) { SecurityTokenNotYetValidException ex5 = item as SecurityTokenNotYetValidException; if (ex5 == null) { SecurityTokenExpiredException ex6 = item as SecurityTokenExpiredException; if (ex6 == null) { if (!(item is SecurityTokenSignatureKeyNotFoundException)) { if (item is SecurityTokenInvalidSignatureException) { list.Add("The signature is invalid"); } } else { list.Add("The signature key was not found"); } } else { list.Add("The token expired at '" + ex6.Expires.ToString(CultureInfo.InvariantCulture) + "'"); } } else { list.Add("The token is not valid before '" + ex5.NotBefore.ToString(CultureInfo.InvariantCulture) + "'"); } } else { list.Add("The token lifetime is invalid; NotBefore: '" + (ex4.NotBefore?.ToString(CultureInfo.InvariantCulture) ?? "(null)") + "', Expires: '" + (ex4.Expires?.ToString(CultureInfo.InvariantCulture) ?? "(null)") + "'"); } } else { list.Add("The token has no expiration"); } } else { list.Add("The issuer '" + (ex3.InvalidIssuer ?? "(null)") + "' is invalid"); } } else { list.Add("The audience '" + (ex2.InvalidAudience ?? "(null)") + "' is invalid"); } } return(string.Join("; ", list)); }
private void ConfigureAuthentication(IServiceCollection services) { services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(bearerOptions => { bearerOptions.Authority = Configuration["Jwt:Authority"]; bearerOptions.Audience = Configuration["Jwt:Audience"]; bearerOptions.SaveToken = true; bearerOptions.IncludeErrorDetails = true; if (Environment.IsDevelopment()) { bearerOptions.RequireHttpsMetadata = false; } var listAudiences = new List <string>(); listAudiences.Add(Configuration["Jwt:Audience"]); bearerOptions.TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true, ValidateIssuerSigningKey = true, ValidateIssuer = true, ValidIssuer = Configuration["Jwt:Authority"], ValidateAudience = true, ValidAudiences = listAudiences, ValidateLifetime = true }; bearerOptions.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { context.NoResult(); context.Response.StatusCode = 401; context.Response.ContentType = "text/plain"; var errorMessage = context.Exception switch { SecurityTokenExpiredException _ => "Expired token.", SecurityTokenNotYetValidException _ => "Token not yet valid.", SecurityTokenInvalidLifetimeException _ => "Invalid token lifetime.", SecurityTokenNoExpirationException _ => "Missing token expiration.", SecurityTokenSignatureKeyNotFoundException _ => "Invalid token. Key not found.", _ => "An error occured processing your authentication." }; if (Environment.IsDevelopment()) { errorMessage += " - " + context.Exception.ToString(); } return(context.Response.WriteAsync(errorMessage)); }, OnTokenValidated = context => { var resourceAccess = JObject.Parse(context.Principal.FindFirstValue("resource_access")); var clientRoles = resourceAccess[Configuration["Jwt:Audience"]]["roles"]; var claimsIdentity = context.Principal.Identity as ClaimsIdentity; if (claimsIdentity != null) { foreach (var clientRole in clientRoles) { claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, clientRole.ToString())); } } return(Task.CompletedTask); } }; }); }