protected bool IsExpired(SimpleWebToken accessToken)
{
if (accessToken.ValidTo > DateTime.UtcNow)
{
return(false);
}
return(true);
}
private static IDictionary <string, string> ToDictionary(SimpleWebToken token)
{
var dictionary = new Dictionary <string, string>
{
{ "Issuer", token.Issuer },
{ "Audience", token.Audience }
};
return(dictionary);
}
public override SecurityToken GetTokenFromString(string token)
{
// TODO: validate
var items = HttpUtility.ParseQueryString(token);
var issuer = items[IssuerLabel];
items.Remove(IssuerLabel);
var audience = items[AudienceLabel];
items.Remove(AudienceLabel);
var expiresOn = items[ExpiresOnLabel];
items.Remove(ExpiresOnLabel);
var id = items[IdLabel];
items.Remove(IdLabel);
var algorithm = items[SignatureAlgorithmLabel];
items.Remove(SignatureAlgorithmLabel);
// Treat signature differently to avoid loosing characters like '+' in the decoding
var signature = ExtractSignature(HttpUtility.UrlDecode(token));
items.Remove(SignatureLabel);
byte[] signatureBytes = Convert.FromBase64String(signature);
DateTime validTo = this.GetDateTimeFromExpiresOn((ulong)Convert.ToInt64(expiresOn));
var swt = new SimpleWebToken(issuer)
{
Audience = audience,
Signature = signatureBytes,
TokenValidity = validTo - DateTime.UtcNow
};
if (id != null)
{
swt.SetId(id);
}
if (string.IsNullOrEmpty(algorithm))
{
swt.SignatureAlgorithm = algorithm;
}
foreach (string key in items.AllKeys)
{
swt.AddClaim(key, items[key]);
}
swt.RawToken = token;
return(swt);
}
protected bool IsValidSignature(SimpleWebToken token, byte[] signingKey)
{
var unsignedToken = this.GetUnsignedToken(token.RawToken);
if (string.IsNullOrEmpty(unsignedToken))
{
return(false);
}
var localSignature = GenerateSignature(unsignedToken, signingKey);
var incomingSignature = HttpUtility.UrlEncode(Convert.ToBase64String(token.Signature));
return(localSignature.Equals(incomingSignature, StringComparison.Ordinal));
}
protected bool IsAudienceTrusted(SimpleWebToken accessToken)
{
if (this.AudienceRestriction.AudienceMode == AudienceUriMode.Never)
{
return(true);
}
if (!string.IsNullOrEmpty(accessToken.Audience))
{
return(this.AudienceRestriction.AllowedAudienceUris.Contains(new Uri(accessToken.Audience)));
}
return(false);
}
private bool IsIssuerTrusted(SimpleWebToken accessToken, out string issuerName)
{
issuerName = null;
if (!string.IsNullOrEmpty(accessToken.Issuer))
{
if (this.IssuerNameRegistry != null)
{
issuerName = this.IssuerNameRegistry.GetIssuerName(accessToken);
if (!string.IsNullOrEmpty(issuerName))
{
return(true);
}
}
}
return(false);
}
public override string GetTokenAsString(SecurityToken token)
{
SimpleWebToken swt = token as SimpleWebToken;
if (swt == null)
{
throw new Exception("Incorrect token type. Expected SimpleWebToken");
}
if (this.SecurityTokenResolver == null)
{
throw new InvalidOperationException("SecurityTokenResolver is not configured");
}
var swtSigned = SerializeToken(swt, this.SecurityTokenResolver);
return(swtSigned);
}
protected static string SerializeToken(SimpleWebToken swt, SecurityTokenResolver tokenResolver)
{
StringBuilder builder = new StringBuilder(64);
builder.Append("Id=");
builder.Append(swt.Id);
builder.Append('&');
builder.Append(IssuerLabel);
builder.Append('=');
builder.Append(swt.Issuer);
if (swt.Parameters.Count > 0)
{
builder.Append('&');
foreach (string key in swt.Parameters.AllKeys)
{
builder.Append(key);
builder.Append('=');
builder.Append(swt.Parameters[key]);
builder.Append('&');
}
}
else
{
builder.Append('&');
}
builder.Append(ExpiresOnLabel);
builder.Append('=');
builder.Append(GetExpiresOn(swt.TokenValidity));
if (!string.IsNullOrEmpty(swt.Audience))
{
builder.Append('&');
builder.Append(AudienceLabel);
builder.Append('=');
builder.Append(swt.Audience);
}
builder.Append('&');
builder.Append(SignatureAlgorithmLabel);
builder.Append('=');
builder.Append(SignatureAlgorithm);
var keyIdentifierClause = new DictionaryBasedKeyIdentifierClause(ToDictionary(swt));
InMemorySymmetricSecurityKey securityKey;
try
{
securityKey = (InMemorySymmetricSecurityKey)tokenResolver.ResolveSecurityKey(keyIdentifierClause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException(string.Format(CultureInfo.InvariantCulture, "Simmetryc key was not found for the key identifier clause: Keys='{0}', Values='{1}'", string.Join(",", keyIdentifierClause.Dictionary.Keys.ToArray()), string.Join(",", keyIdentifierClause.Dictionary.Values.ToArray())));
}
string signature = GenerateSignature(builder.ToString(), securityKey.GetSymmetricKey());
builder.Append("&" + SignatureLabel + "=");
builder.Append(signature);
return(builder.ToString());
}
public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
if (token == null)
{
throw new ArgumentNullException("token is null");
}
if (this.SecurityTokenResolver == null)
{
throw new InvalidOperationException("SecurityTokenResolver is not configured");
}
if (this.IssuerNameRegistry == null)
{
throw new InvalidOperationException("IssuerNameRegistry is not configured");
}
if (this.AudienceRestriction == null)
{
throw new InvalidOperationException("AudienceRestriction is not configured");
}
SimpleWebToken accessToken = token as SimpleWebToken;
if (accessToken == null)
{
throw new ArgumentNullException("This handler expects a SimpleWebToken");
}
var keyIdentifierClause = new DictionaryBasedKeyIdentifierClause(ToDictionary(accessToken));
InMemorySymmetricSecurityKey securityKey;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.SecurityTokenResolver.ResolveSecurityKey(keyIdentifierClause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException(string.Format(CultureInfo.InvariantCulture, "Simmetryc key was not found for the key identifier clause: Keys='{0}', Values='{1}'", string.Join(",", keyIdentifierClause.Dictionary.Keys.ToArray()), string.Join(",", keyIdentifierClause.Dictionary.Values.ToArray())));
}
if (!this.IsValidSignature(accessToken, securityKey.GetSymmetricKey()))
{
throw new SecurityTokenValidationException("Signature is invalid");
}
if (this.IsExpired(accessToken))
{
throw new SecurityTokenException(string.Format("Token has been expired for {0} seconds already", (DateTime.UtcNow - accessToken.ValidTo).TotalSeconds));
}
string issuerName;
if (!this.IsIssuerTrusted(accessToken, out issuerName))
{
throw new SecurityTokenException(string.Format("The Issuer {0} is not trusted", accessToken.Issuer));
}
if (!this.IsAudienceTrusted(accessToken))
{
throw new SecurityTokenException(string.Format("The audience {0} of the token is not trusted", accessToken.Audience));
}
var identity = this.CreateClaimsIdentity(accessToken.Parameters, issuerName);
return(new ClaimsIdentityCollection(new IClaimsIdentity[] { identity }));
}
