public ActionResult Index(string token) { try { var validationParameters = new TokenValidationParameters { IssuerSigningToken = new BinarySecretSecurityToken( TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["auth0:ClientSecret"])), ValidIssuer = ConfigurationManager.AppSettings["auth0:Domain"], ValidAudience = ConfigurationManager.AppSettings["auth0:ClientId"] }; var handler = new JwtSecurityTokenHandler(); SecurityToken securityToken; ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out securityToken); ClaimsIdentity identity = principal.Identity as ClaimsIdentity; identity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "Auth0")); identity.AddClaim(new Claim(ClaimTypes.Name, identity.FindFirst(ClaimTypes.Email).Value)); var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromMinutes(15)); FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken); return RedirectToAction("Change"); } catch (Exception ex) { return RedirectToAction("Unauthorized"); } }
private void CreateTokenButton_Click(object sender, RoutedEventArgs e) { var principal = Principal.Create(AuthenticationTypes.Password, new Claim(ClaimTypes.Name, UserName.Text)); var sts = new Thinktecture.IdentityServer.Protocols.STS(); SecurityToken token; var success = sts.TryIssueToken( new EndpointReference("https://booking.oceanicairlines.com/"), principal, TokenTypes.JsonWebToken, out token); if (success) { var tokenString = new JwtSecurityTokenHandler().WriteToken(token); Output.Text = "Encoded JWT token:" + Environment.NewLine + tokenString + Environment.NewLine + Environment.NewLine; var tokenParts = tokenString.Split('.'); Output.Text += "JWT header:" + Environment.NewLine + DecodeBase64(tokenParts[0]) + Environment.NewLine + Environment.NewLine; Output.Text += "JWT body:" + Environment.NewLine + DecodeBase64(tokenParts[1]) + Environment.NewLine + Environment.NewLine; Output.Text += "JWT signature:" + Environment.NewLine + tokenParts[2]; } else { Output.Text = "Could not issue token."; } }
public Result<List<Claim>> ParseToken(string token) { var result = new Result<List<Claim>>(); if (String.IsNullOrEmpty(token)) return result; var tokenHandler = new JwtSecurityTokenHandler(); var validationParameters = new TokenValidationParameters() { ValidAudience = "https://api.knowthyshelf.com", IssuerSigningToken = new BinarySecretSecurityToken(TOKEN_SECURITY_KEY), ValidIssuer = "self" }; SecurityToken securityToken; var principal = tokenHandler.ValidateToken(token, validationParameters, out securityToken); var isValidClaim = principal.Claims.FirstOrDefault(); if (isValidClaim?.Value == "IsValid" && securityToken.ValidFrom <= DateTime.UtcNow && securityToken.ValidTo >= DateTime.UtcNow) { result.ResultCode = Enums.ResultCode.Ok; result.Data = principal.Claims.ToList(); } return result; }
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { string tokenRaw = string.Empty; try { if (!TryRetrieveToken(request, out tokenRaw)) { return base.SendAsync(request, cancellationToken); } var validationParameters = new TokenValidationParameters() { ValidIssuer = SecurityHelper.CertificateValidIssuer, ValidAudience = SecurityHelper.CertificateValidAudience, IssuerSigningToken = new X509SecurityToken(SecurityHelper.GetCertificate()), ValidateLifetime = false, ValidateAudience = true, ValidateIssuer = true, ValidateIssuerSigningKey = true, //ClockSkew = new TimeSpan(40, 0, 0) }; SecurityToken token = new JwtSecurityToken(); ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(tokenRaw, validationParameters, out token); Thread.CurrentPrincipal = principal; if (HttpContext.Current != null) { HttpContext.Current.User = Thread.CurrentPrincipal; } } catch (Exception ex) { Trace.Write(ex); } return base.SendAsync(request, cancellationToken); }
public LoginResult PostSignIn([FromBody] LoginCredential credentials) { var auth = new LoginResult() { Authenticated = false }; var userRoles = QueryableDependencies.GetLoginUserRoles(credentials.UserName, credentials.Password); if (userRoles.Count > 0) //if (userRoles.Where(r => r == "CredentialSystem").Any()) { auth.Authenticated = true; var allClaims = userRoles.Select(r => new Claim(ClaimTypes.Role, r.ToString())).ToList(); allClaims.Add(new Claim(ClaimTypes.Name, credentials.UserName)); allClaims.Add(new Claim(ClaimTypes.Role, userRoles[0].ToString())); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(allClaims), AppliesToAddress = ConfigurationManager.AppSettings["JwtAllowedAudience"], TokenIssuerName = ConfigurationManager.AppSettings["JwtValidIssuer"], SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(JwtTokenValidationHandler.SymmetricKey), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256") }; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); auth.Token = tokenString; } return auth; }
public static ClaimsPrincipal AuthenticateIdToken(HttpApplication application, string id_token) { var config = OpenIdConfiguration.Current; var handler = new JwtSecurityTokenHandler(); handler.CertificateValidator = X509CertificateValidator.None; if (!handler.CanReadToken(id_token)) { throw new InvalidOperationException("No SecurityTokenHandler can authenticate this id_token!"); } var parameters = new TokenValidationParameters(); parameters.AllowedAudience = AADClientId; // this is just for Saml // paramaters.AudienceUriMode = AudienceUriMode.Always; parameters.ValidateIssuer = false; var tokens = new List<SecurityToken>(); foreach (var key in config.IssuerKeys.Keys) { tokens.AddRange(key.GetSecurityTokens()); } parameters.SigningTokens = tokens; // validate var principal = (ClaimsPrincipal)handler.ValidateToken(id_token, parameters); // verify nonce VerifyNonce(principal.FindFirst(NonceClaimType).Value); return principal; }
static string CreateTokenWithInMemorySymmetricSecurityKey() { var now = DateTime.UtcNow; var tokenHandler = new JwtSecurityTokenHandler(); var symmetricKey = new RandomBufferGenerator(256 / 8).GenerateBufferFromSeed(256 / 8); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Name, "Tugberk"), new Claim(ClaimTypes.Role, "Sales"), }), TokenIssuerName = "self", AppliesToAddress = "http://www.example.com", Lifetime = new Lifetime(now, now.AddMinutes(2)), SigningCredentials = new SigningCredentials( new InMemorySymmetricSecurityKey(symmetricKey), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256") }; SecurityToken token = tokenHandler.CreateToken(tokenDescriptor); string tokenString = tokenHandler.WriteToken(token); return tokenString; }
public IHttpActionResult DecodeToken(string access_token) { var tokenReceived = new JwtSecurityToken(access_token); var publicOnly = new RSACryptoServiceProvider(); publicOnly.FromXmlString(_configuration.PublicKey.FromBase64String()); var validationParameters = new TokenValidationParameters { ValidIssuer = _configuration.Issuer ,ValidAudience = "http://mysite.com" ,IssuerSigningToken = new RsaSecurityToken(publicOnly) ,ValidateLifetime = true }; var recipientTokenHandler = new JwtSecurityTokenHandler(); SecurityToken securityToken; var claimsPrincipal = recipientTokenHandler.ValidateToken(access_token, validationParameters, out securityToken); var currentTime = (long) (DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds; if (tokenReceived.Payload.Exp < currentTime) { throw new SecurityTokenValidationException(string.Format("Lifetime validation failed. The token is expired. ValidTo: '{0}' Current time: '{1}'.", tokenReceived.ValidTo, DateTime.UtcNow)); } return Ok(new { header = tokenReceived.Header, payload = tokenReceived.Payload, current = currentTime }); }
public static string CreateTokenString(JwtSecurityToken token) { JwtSecurityTokenHandler.OutboundClaimTypeMap = new Dictionary<string, string>(); var handler = new JwtSecurityTokenHandler(); return handler.WriteToken(token); }
private static void Main(string[] args) { var key = Convert.FromBase64String(SymmetricKey); var credentials = new SigningCredentials( new InMemorySymmetricSecurityKey(key), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "bhogg"), new Claim(ClaimTypes.GivenName, "Boss"), new Claim(ClaimTypes.Surname, "Hogg"), new Claim(ClaimTypes.Role, "Manager"), new Claim(ClaimTypes.Role, "SeniorWorker"), }), TokenIssuerName = "corp", AppliesToAddress = "http://www.example.com", SigningCredentials = credentials, Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddYears(10)) }; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); Console.WriteLine(tokenString); Debug.WriteLine(tokenString); Console.ReadLine(); }
public string Post(Credential credential) { if (credential.username == "admin" && credential.password == "123") { var tokenHandler = new JwtSecurityTokenHandler(); var securityKey = Authorization.GetBytes("anyoldrandomtext"); var now = DateTime.UtcNow; var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new[] { new Claim( ClaimTypes.UserData,"IsValid", ClaimValueTypes.String, "(local)" ) }), TokenIssuerName = "self", AppliesToAddress = "https://www.mywebsite.com", Lifetime = new Lifetime(now, now.AddMinutes(60)), SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(securityKey), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"), }; var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); return tokenString; } else { return string.Empty; } }
public string Protect(AuthenticationTicket data) { if (data == null) { throw new ArgumentNullException("data"); } string audienceId = System.Configuration.ConfigurationManager.AppSettings["as:AudienceId"]; string symmetricKeyAsBase64 = System.Configuration.ConfigurationManager.AppSettings["as:AudienceSecret"]; var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64); var signingKey = new HmacSigningCredentials(keyByteArray); var issued = data.Properties.IssuedUtc; var expires = data.Properties.ExpiresUtc; var token = new System.IdentityModel.Tokens.JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey); var handler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler(); var jwt = handler.WriteToken(token); //this.Unprotect("eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTM4NCJ9.eyJuYW1laWQiOiIyZGMxZTRlMC0xNjdjLTQ4MWQtOTZjMC0zOGQzYmIxNzA5ZDgiLCJ1bmlxdWVfbmFtZSI6IlVzdWFyaW8iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2FjY2Vzc2NvbnRyb2xzZXJ2aWNlLzIwMTAvMDcvY2xhaW1zL2lkZW50aXR5cHJvdmlkZXIiOiJBU1AuTkVUIElkZW50aXR5IiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJiNWNiMGMxYi05OWI2LTQ1NmItOWRiMC0xODRiNjE0NzVjNDciLCJyb2xlIjoiVXNlciIsIk15VHlwZSI6IjQ1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDg5IiwiYXVkIjoiVHdpY2VUYWxlbnQiLCJleHAiOjE0ODk4NTMwNzgsIm5iZiI6MTQ4OTc2NjY3OH0.wuj8cRpwjCr75eyLrPpgvwUk8l0cmR07Cxetm_Ei2_Ym6At32QteM22tqT2hSaph"); return(jwt); }
public JwtAuthenticationOwinMiddlewareTests() { var signingCredentials = new SigningCredentials( new InMemorySymmetricSecurityKey(Convert.FromBase64String(Key)), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"); var now = DateTime.UtcNow; var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new [] { new Claim("sub", "Alice"), new Claim("email", "*****@*****.**"), }), TokenIssuerName = Issuer, AppliesToAddress = Audience, Lifetime = new Lifetime(now, now.AddMinutes(LifetimeInMinutes)), SigningCredentials = signingCredentials, }; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); _tokenString = tokenHandler.WriteToken(token); }
public void CreateAndValidateTokens_DuplicateClaims() { SecurityToken validatedToken; string encodedJwt = IdentityUtilities.CreateJwtToken( new SecurityTokenDescriptor { AppliesToAddress = IdentityUtilities.DefaultAudience, SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials, Subject = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)), TokenIssuerName = IdentityUtilities.DefaultIssuer, }); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); JwtSecurityTokenHandler.InboundClaimFilter.Add("aud"); JwtSecurityTokenHandler.InboundClaimFilter.Add("exp"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iat"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iss"); JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf"); ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken); Assert.IsTrue(IdentityComparer.AreEqual<IEnumerable<Claim>>(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext { IgnoreProperties = true, IgnoreSubject = true })); JwtSecurityTokenHandler.InboundClaimFilter.Clear(); }
protected virtual Task<TokenValidationResult> ValidateJwtAccessTokenAsync(string jwt) { var handler = new JwtSecurityTokenHandler(); handler.Configuration = new SecurityTokenHandlerConfiguration(); handler.Configuration.CertificateValidationMode = X509CertificateValidationMode.None; handler.Configuration.CertificateValidator = X509CertificateValidator.None; var parameters = new TokenValidationParameters { ValidIssuer = _settings.GetIssuerUri(), SigningToken = new X509SecurityToken(_settings.GetSigningCertificate()), AllowedAudience = string.Format(Constants.AccessTokenAudience, _settings.GetIssuerUri()) }; try { var id = handler.ValidateToken(jwt, parameters); return Task.FromResult(new TokenValidationResult { Claims = id.Claims }); } catch (Exception ex) { _logger.ErrorFormat("JWT token validation error: {0}", ex.ToString()); return Task.FromResult(new TokenValidationResult { IsError = true, Error = Constants.ProtectedResourceErrors.InvalidToken }); } }
public string CreateAssertionToken() { var now = DateTime.Now.ToUniversalTime(); var jwt = new JwtSecurityToken(_clientId, _audience, new List<Claim>() { new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString()), new Claim(JwtClaimTypes.Subject, _clientId), new Claim(JwtClaimTypes.IssuedAt, EpochTime.GetIntDate(now).ToString(), ClaimValueTypes.Integer64) }, now, now.AddMinutes(1), new X509SigningCredentials(_certificate, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest ) ); if (_embedCertificate) { var rawCertificate = Convert.ToBase64String(_certificate.Export(X509ContentType.Cert)); jwt.Header.Add(JwtHeaderParameterNames.X5c, new[] {rawCertificate}); } var tokenHandler = new JwtSecurityTokenHandler(); return tokenHandler.WriteToken(jwt); }
/// <summary> /// Sets a JWT authorization header on the default request headers of an <see cref="HttpClient"/>. /// </summary> /// <param name="client">The client for which to set the authorization header.</param> /// <param name="signingCertificate">The signing certificate to sign the token.</param> /// <param name="appliesToAddress">The address for which the token is considered valid.</param> /// <param name="claims">The claims that define the user. Leave null for an anonymous user.</param> /// <param name="tokenIssuerName">Name of the token issuer. Defaults to "self".</param> /// <param name="tokenDuration"> /// The token duration for which it's considered valid. Defaults to 2 hours. /// </param> /// <exception cref="ArgumentNullException"> /// <paramref name="signingCertificate"/> is <see langword="null"/>. /// </exception> /// <exception cref="ArgumentException"> /// <paramref name="appliesToAddress"/> is <see langword="null"/> or empty. /// </exception> /// <exception cref="ArgumentException"> /// <paramref name="tokenIssuerName"/> is <see langword="null"/> or empty. /// </exception> public static void SetJwtAuthorizationHeader( this HttpClient client, X509Certificate2 signingCertificate, string appliesToAddress, IEnumerable<Claim> claims = null, string tokenIssuerName = "self", TimeSpan? tokenDuration = null) { signingCertificate.AssertNotNull("signingCertificate"); appliesToAddress.AssertNotNullOrWhitespace("appliesToAddress"); tokenIssuerName.AssertNotNullOrWhitespace("tokenIssuerName"); var now = DateTime.UtcNow; var tokenHandler = new JwtSecurityTokenHandler(); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(claims), TokenIssuerName = tokenIssuerName, AppliesToAddress = appliesToAddress, Lifetime = new Lifetime(now, now.Add(tokenDuration ?? TimeSpan.FromHours(2))), SigningCredentials = new X509SigningCredentials(signingCertificate) }; SecurityToken token = tokenHandler.CreateToken(tokenDescriptor); string tokenString = tokenHandler.WriteToken(token); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenString); }
public JwtSecurityTokenTestVariation() { _notbefore = DateTime.UtcNow; _expires = DateTime.UtcNow + TimeSpan.FromHours( 1 ); _jwtHandler = new JwtSecurityTokenHandler(); _expectedException = ExpectedException.NoExceptionExpected; }
public ClaimsPrincipal Validate(string jwtTokenAsBase64, JwtOptions options) { var tokenHandler = new JwtSecurityTokenHandler(); string keyAsUtf8 = options.JwtSigningKeyAsUtf8; byte[] keyAsBytes = Encoding.UTF8.GetBytes(keyAsUtf8); SecurityToken signingToken = new BinarySecretSecurityToken(keyAsBytes); var tokenValidationParameters = new TokenValidationParameters { IssuerSigningToken = signingToken, ValidAudience = options.Audience, ValidIssuer = options.Issuer }; ClaimsPrincipal principal; try { SecurityToken validatedToken; principal = tokenHandler.ValidateToken(jwtTokenAsBase64, tokenValidationParameters, out validatedToken); } catch (Exception ex) { Debug.Write(ex, "error"); principal = new ClaimsPrincipal(new ClaimsIdentity(authenticationType:"")); } return principal; }
public void End2End_OpenIdConnect() { SigningCredentials rsaSigningCredentials = new SigningCredentials( KeyingMaterial.RsaSecurityKey_Private2048, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha256Digest, new SecurityKeyIdentifier(new NamedKeySecurityKeyIdentifierClause("kid", "NGTFvdK-fythEuLwjpwAJOM9n-A")) ); //"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>" RSA rsa = KeyingMaterial.RsaSecurityKey_2048.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false) as RSA; OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFile, CancellationToken.None).Result; JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); JwtSecurityToken jwt = tokenHandler.CreateToken( configuration.Issuer, IdentityUtilities.DefaultAudience, IdentityUtilities.DefaultClaimsIdentity, DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1), rsaSigningCredentials ); TokenValidationParameters validationParameters = new TokenValidationParameters { IssuerSigningTokens = configuration.SigningTokens, ValidAudience = IdentityUtilities.DefaultAudience, ValidIssuer = configuration.Issuer, }; SecurityToken securityToken = null; tokenHandler.ValidateToken(jwt.RawData, validationParameters, out securityToken); }
public async Task<IHttpActionResult> CreateToken(Token token) { var publicAndPrivate = new RSACryptoServiceProvider(); publicAndPrivate.FromXmlString(_configuration.PrivateKey.FromBase64String()); var jwtToken = new JwtSecurityToken( issuer: _configuration.Issuer, audience: "http://mysite.com" , claims: new List<Claim>() { new Claim(ClaimTypes.Name, token.username) } , notBefore: DateTime.UtcNow , expires: DateTime.UtcNow.AddMinutes(1) , signingCredentials: new SigningCredentials( new RsaSecurityKey(publicAndPrivate) ,SecurityAlgorithms.RsaSha256Signature ,SecurityAlgorithms.Sha256Digest) ); var tokenHandler = new JwtSecurityTokenHandler(); var tokenString = tokenHandler.WriteToken(jwtToken); return Ok(new { access_token = tokenString, expires_in = new TimeSpan(0,0, 1,0).TotalSeconds, expires_on = (long)(DateTime.UtcNow.AddMinutes(1) - new DateTime(1970, 1, 1)).TotalSeconds }); }
//http://blog.asteropesystems.com/securing-web-api-requests-with-json-web-tokens/ public string GetToken(string username, List<ActivityClaim> activityClaims) { var tokenHandler = new JwtSecurityTokenHandler(); var now = DateTime.UtcNow; var claims = new ClaimsIdentity(new[] { new Claim( ClaimTypes.UserData, "IsValid", ClaimValueTypes.String ), new Claim( ClaimTypes.Name, username, ClaimValueTypes.String ) }); claims.AddClaims(activityClaims.Select(c => new Claim(ClaimTypes.UserData, c.ToString(), ClaimValueTypes.String))); var tokenDescriptor = new SecurityTokenDescriptor { Subject = claims, TokenIssuerName = "self", AppliesToAddress = "https://api.knowthyshelf.com", Lifetime = new Lifetime(now, now.AddYears(10)), SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(TOKEN_SECURITY_KEY), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"), }; var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); return tokenString; }
static string BearerToken() { var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"; var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256"; var securityKey = Convert.FromBase64String(mainKey); var inMemKey = new InMemorySymmetricSecurityKey(securityKey); ClaimsIdentity identity = new ClaimsIdentity(); identity.AddClaim(new Claim("scope", "Full")); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); SecurityToken securityToken = handler.CreateToken(new SecurityTokenDescriptor() { TokenType = "Bearer", Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(1)), SigningCredentials = new SigningCredentials(inMemKey, signatureAlgorithm, digestAlgorithm), //This data I would get by matching the jwtSecurityToken.Audience to database or something TokenIssuerName = "PaulsSite", AppliesToAddress = "http://JoshsSite", Subject = identity } ); return handler.WriteToken(securityToken); }
public async Task<ActionResult> Callback(string code, string state) { CheckState(state); using (var client = new HttpClient()) { var resp = await client.PostAsync("https://accounts.google.com/o/oauth2/token", new FormUrlEncodedContent(new Dictionary<string, string> { {"code", code}, {"redirect_uri", RedirectUri}, {"grant_type", "authorization_code"}, {"client_id", ClientId}, {"client_secret", ClientSecret} })); resp.EnsureSuccessStatusCode(); var tokenResp = await resp.Content.ReadAsAsync<TokenResponse>(); var certs = await GoogleCertificates.GetCertificates(); var tokenHandler = new JwtSecurityTokenHandler { CertificateValidator = new GoogleCertificateValidator(certs.ToDictionary(t => t.Value.GetCertHashString(), t => t.Value)) }; var validationParameters = new TokenValidationParameters() { AllowedAudience = ClientId, ValidIssuer = "accounts.google.com", SigningTokens = certs.Select(p => new X509SecurityToken(p.Value)) }; var principal = tokenHandler.ValidateToken(tokenResp.id_token, validationParameters); var jwt = new JwtSecurityToken(tokenResp.id_token); var viewModel = new ViewModel { JwtHeader = jwt.Header, JwtPayload = jwt.Payload, Principal = principal }; client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenResp.access_token); resp = await client.GetAsync("https://www.googleapis.com/tasks/v1/users/@me/lists"); resp.EnsureSuccessStatusCode(); var taskLists = await resp.Content.ReadAsAsync<TaskLists>(); foreach(var list in taskLists.items) { resp = await client.GetAsync(string.Format("https://www.googleapis.com/tasks/v1/lists/{0}/tasks",list.id)); resp.EnsureSuccessStatusCode(); var taskList = await resp.Content.ReadAsAsync<TaskList>(); viewModel.Tasks.AddRange(taskList.items.Select(item => item.title)); } return View(viewModel); } }
public CachedAccessTokenProvider( INonCachingAccessTokenProvider accessTokenProvider, TimeSpan tokenRefreshGracePeriod ) { m_accessTokenProvider = accessTokenProvider; m_tokenRefreshGracePeriod = tokenRefreshGracePeriod; m_tokenHandler = new JwtSecurityTokenHandler(); }
public static string GetJwtToken(this ClaimsIdentity identity, SecurityTokenDescriptor tokenDescriptor) { if (identity == null || tokenDescriptor == null) return null; tokenDescriptor.Subject = identity; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); return tokenString; }
public async Task<Client> FindClientByIdAsync(string clientId) { var clientsUri = $"admin-api/api/clients/{clientId}"; //var cert = Cert.Load(StoreName.My, StoreLocation.CurrentUser, "b512d01195667dbc7c4222ec6fd563ac64e3d450"); //var handler = new WebRequestHandler(); //handler.ClientCertificates.Add(cert); // Retrieve an access token from the IdentityAdmin /authorize OAuth endpoint using (var client = new HttpClient()) { client.BaseAddress = new Uri(this.identityAdminUri); client.DefaultRequestHeaders.Accept.Clear(); client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); var cert = Cert.Load(typeof(IOwinBootstrapper).Assembly, "Cert", "idsrv3test.pfx", "idsrv3test"); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim("name", "idServer"), new Claim("role", "IdentityAdminManager"), new Claim("scope", "idadmin-api") }), TokenIssuerName = "idServer", AppliesToAddress = this.identityAdminUri, Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddMinutes(10)), SigningCredentials = new X509SigningCredentials(cert) }; var tokenHandler = new JwtSecurityTokenHandler(); var securityToken = tokenHandler.CreateToken(tokenDescriptor); var accessToken = tokenHandler.WriteToken(securityToken); var jwtParams = new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "role", ValidAudience = this.identityAdminUri, ValidIssuer = "idServer", IssuerSigningToken = new X509SecurityToken(cert) }; SecurityToken validatedToken; tokenHandler.ValidateToken(accessToken, jwtParams, out validatedToken); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken); var response = await client.GetAsync(clientsUri); var str = await response.Content.ReadAsStringAsync(); } return null; }
#pragma warning disable 1998 public override async Task<Result> Execute() { Result result = new Result(); try { Console.Out.WriteLine("Generating access token..."); // encryption key string key_s = ConfigurationManager.ConnectionStrings["JWTKey"].ConnectionString; byte[] key_b = new byte[key_s.Length * sizeof(char)]; System.Buffer.BlockCopy(key_s.ToCharArray(), 0, key_b, 0, key_b.Length); // create the token JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); ClaimsIdentity subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Uri, SiteUrl, ClaimValueTypes.String) }); SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor { Subject = subject, TokenIssuerName = "SpSat", Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(4)), SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(key_b), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256") }; SecurityToken token = tokenHandler.CreateToken(tokenDescriptor); using (ClientContext context = new ClientContext(SiteUrl)) { // authenticate string usernamePassword = ConfigurationManager.ConnectionStrings["SharePoint"].ConnectionString; dynamic usernamePassword_j = Newtonsoft.Json.JsonConvert.DeserializeObject(usernamePassword); string username = usernamePassword_j.username; string password = usernamePassword_j.password; SecureString password_s = new SecureString(); Array.ForEach(password.ToCharArray(), password_s.AppendChar); context.Credentials = new SharePointOnlineCredentials(username, password_s); // write the token to the property bag PropertyValues webProperties = context.Web.AllProperties; webProperties["accessToken"] = tokenHandler.WriteToken(token); context.Web.Update(); context.ExecuteQuery(); } Console.Out.WriteLine("Completed generating access token."); result.Status = Status.Success; } catch (Exception ex) { result.Status = Status.Failure; result.Log.Add(ex.Message); } return result; }
public static string CreateTokenAsBase64(this SecurityTokenDescriptor securityTokenDescriptor) { var tokenHandler = new JwtSecurityTokenHandler(); SecurityToken securityToken = tokenHandler.CreateToken(securityTokenDescriptor); string token = tokenHandler.WriteToken(securityToken); string tokenAsBase64 = token; return tokenAsBase64; }
private IEnumerable<Claim> ValidateIdentityToken(string token) { var parameters = new TokenValidationParameters { AllowedAudience = "implicitclient", ValidIssuer = "https://idsrv3.com", SigningToken = new X509SecurityToken(X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=idsrv3test", false).First()) }; var id = new JwtSecurityTokenHandler().ValidateToken(token, parameters); return id.Claims; }
protected void Page_Load(object sender, EventArgs e) { string spAppToken = TokenHelper.GetContextTokenFromRequest(HttpContext.Current.Request); requestTokenValue.InnerText = spAppToken; SharePointContextToken spToken = ReadToken(spAppToken); requestTokenContents.InnerHtml = spToken.ToString().Replace(",", "<br/>"); string hostWeb = Page.Request["SPHostUrl"]; Uri hostUri = new Uri(hostWeb); string accessToken = TokenHelper.GetAccessToken(spToken, hostUri.Authority).AccessToken; accessTokenValue.InnerText = accessToken; JwtSecurityTokenHandler tokenHandler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler(); SecurityToken st = tokenHandler.ReadToken(accessToken); accessTokenContents.InnerHtml = st.ToString().Replace(",", "<br/>"); }
public JwtTokenHelper() { this.jwtSecurityTokenHandler = new JwtSecurityTokenHandler(); }
private string CreateJwt(string userId, string role) { var key = Convert.FromBase64String(SymmetricKey); var credentials = new SigningCredentials( new InMemorySymmetricSecurityKey(key), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"); var expiration = DateTime.UtcNow.AddMinutes(20).ToLongTimeString(); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userId), new Claim(ClaimTypes.Role, role), new Claim("exp", expiration) }), TokenIssuerName = Issuer, AppliesToAddress = Audience, SigningCredentials = credentials }; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); return tokenString; }