public ActionResult Index(string token)
{
try
{
var validationParameters = new TokenValidationParameters
{
IssuerSigningToken = new BinarySecretSecurityToken(
TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["auth0:ClientSecret"])),
ValidIssuer = ConfigurationManager.AppSettings["auth0:Domain"],
ValidAudience = ConfigurationManager.AppSettings["auth0:ClientId"]
};
var handler = new JwtSecurityTokenHandler();
SecurityToken securityToken;
ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out securityToken);
ClaimsIdentity identity = principal.Identity as ClaimsIdentity;
identity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "Auth0"));
identity.AddClaim(new Claim(ClaimTypes.Name, identity.FindFirst(ClaimTypes.Email).Value));
var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromMinutes(15));
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
return RedirectToAction("Change");
}
catch (Exception ex)
{
return RedirectToAction("Unauthorized");
}
}
private void CreateTokenButton_Click(object sender, RoutedEventArgs e)
{
var principal = Principal.Create(AuthenticationTypes.Password, new Claim(ClaimTypes.Name, UserName.Text));
var sts = new Thinktecture.IdentityServer.Protocols.STS();
SecurityToken token;
var success = sts.TryIssueToken(
new EndpointReference("https://booking.oceanicairlines.com/"),
principal,
TokenTypes.JsonWebToken,
out token);
if (success)
{
var tokenString = new JwtSecurityTokenHandler().WriteToken(token);
Output.Text = "Encoded JWT token:" + Environment.NewLine + tokenString + Environment.NewLine + Environment.NewLine;
var tokenParts = tokenString.Split('.');
Output.Text += "JWT header:" + Environment.NewLine + DecodeBase64(tokenParts[0]) + Environment.NewLine + Environment.NewLine;
Output.Text += "JWT body:" + Environment.NewLine + DecodeBase64(tokenParts[1]) + Environment.NewLine + Environment.NewLine;
Output.Text += "JWT signature:" + Environment.NewLine + tokenParts[2];
}
else
{
Output.Text = "Could not issue token.";
}
}
public Result<List<Claim>> ParseToken(string token)
{
var result = new Result<List<Claim>>();
if (String.IsNullOrEmpty(token))
return result;
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
ValidAudience = "https://api.knowthyshelf.com",
IssuerSigningToken = new BinarySecretSecurityToken(TOKEN_SECURITY_KEY),
ValidIssuer = "self"
};
SecurityToken securityToken;
var principal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);
var isValidClaim = principal.Claims.FirstOrDefault();
if (isValidClaim?.Value == "IsValid" && securityToken.ValidFrom <= DateTime.UtcNow && securityToken.ValidTo >= DateTime.UtcNow)
{
result.ResultCode = Enums.ResultCode.Ok;
result.Data = principal.Claims.ToList();
}
return result;
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
string tokenRaw = string.Empty;
try
{
if (!TryRetrieveToken(request, out tokenRaw)) { return base.SendAsync(request, cancellationToken); }
var validationParameters = new TokenValidationParameters()
{
ValidIssuer = SecurityHelper.CertificateValidIssuer,
ValidAudience = SecurityHelper.CertificateValidAudience,
IssuerSigningToken = new X509SecurityToken(SecurityHelper.GetCertificate()),
ValidateLifetime = false,
ValidateAudience = true,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
//ClockSkew = new TimeSpan(40, 0, 0)
};
SecurityToken token = new JwtSecurityToken();
ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(tokenRaw, validationParameters, out token);
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null) { HttpContext.Current.User = Thread.CurrentPrincipal; }
}
catch (Exception ex)
{
Trace.Write(ex);
}
return base.SendAsync(request, cancellationToken);
}
public LoginResult PostSignIn([FromBody] LoginCredential credentials)
{
var auth = new LoginResult() { Authenticated = false };
var userRoles = QueryableDependencies.GetLoginUserRoles(credentials.UserName, credentials.Password);
if (userRoles.Count > 0)
//if (userRoles.Where(r => r == "CredentialSystem").Any())
{
auth.Authenticated = true;
var allClaims = userRoles.Select(r => new Claim(ClaimTypes.Role, r.ToString())).ToList();
allClaims.Add(new Claim(ClaimTypes.Name, credentials.UserName));
allClaims.Add(new Claim(ClaimTypes.Role, userRoles[0].ToString()));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(allClaims),
AppliesToAddress = ConfigurationManager.AppSettings["JwtAllowedAudience"],
TokenIssuerName = ConfigurationManager.AppSettings["JwtValidIssuer"],
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(JwtTokenValidationHandler.SymmetricKey), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
auth.Token = tokenString;
}
return auth;
}
public static ClaimsPrincipal AuthenticateIdToken(HttpApplication application, string id_token)
{
var config = OpenIdConfiguration.Current;
var handler = new JwtSecurityTokenHandler();
handler.CertificateValidator = X509CertificateValidator.None;
if (!handler.CanReadToken(id_token))
{
throw new InvalidOperationException("No SecurityTokenHandler can authenticate this id_token!");
}
var parameters = new TokenValidationParameters();
parameters.AllowedAudience = AADClientId;
// this is just for Saml
// paramaters.AudienceUriMode = AudienceUriMode.Always;
parameters.ValidateIssuer = false;
var tokens = new List<SecurityToken>();
foreach (var key in config.IssuerKeys.Keys)
{
tokens.AddRange(key.GetSecurityTokens());
}
parameters.SigningTokens = tokens;
// validate
var principal = (ClaimsPrincipal)handler.ValidateToken(id_token, parameters);
// verify nonce
VerifyNonce(principal.FindFirst(NonceClaimType).Value);
return principal;
}
static string CreateTokenWithInMemorySymmetricSecurityKey()
{
var now = DateTime.UtcNow;
var tokenHandler = new JwtSecurityTokenHandler();
var symmetricKey = new RandomBufferGenerator(256 / 8).GenerateBufferFromSeed(256 / 8);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, "Tugberk"),
new Claim(ClaimTypes.Role, "Sales"),
}),
TokenIssuerName = "self",
AppliesToAddress = "http://www.example.com",
Lifetime = new Lifetime(now, now.AddMinutes(2)),
SigningCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(symmetricKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256")
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
string tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
public IHttpActionResult DecodeToken(string access_token)
{
var tokenReceived = new JwtSecurityToken(access_token);
var publicOnly = new RSACryptoServiceProvider();
publicOnly.FromXmlString(_configuration.PublicKey.FromBase64String());
var validationParameters = new TokenValidationParameters
{
ValidIssuer = _configuration.Issuer
,ValidAudience = "http://mysite.com"
,IssuerSigningToken = new RsaSecurityToken(publicOnly)
,ValidateLifetime = true
};
var recipientTokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken;
var claimsPrincipal = recipientTokenHandler.ValidateToken(access_token, validationParameters, out securityToken);
var currentTime = (long) (DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds;
if (tokenReceived.Payload.Exp < currentTime)
{
throw new SecurityTokenValidationException(string.Format("Lifetime validation failed. The token is expired. ValidTo: '{0}' Current time: '{1}'.", tokenReceived.ValidTo, DateTime.UtcNow));
}
return Ok(new
{
header = tokenReceived.Header,
payload = tokenReceived.Payload,
current = currentTime
});
}
public static string CreateTokenString(JwtSecurityToken token)
{
JwtSecurityTokenHandler.OutboundClaimTypeMap = new Dictionary<string, string>();
var handler = new JwtSecurityTokenHandler();
return handler.WriteToken(token);
}
private static void Main(string[] args)
{
var key = Convert.FromBase64String(SymmetricKey);
var credentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, "bhogg"),
new Claim(ClaimTypes.GivenName, "Boss"),
new Claim(ClaimTypes.Surname, "Hogg"),
new Claim(ClaimTypes.Role, "Manager"),
new Claim(ClaimTypes.Role, "SeniorWorker"),
}),
TokenIssuerName = "corp",
AppliesToAddress = "http://www.example.com",
SigningCredentials = credentials,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddYears(10))
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
Console.WriteLine(tokenString);
Debug.WriteLine(tokenString);
Console.ReadLine();
}
public string Post(Credential credential)
{
if (credential.username == "admin" && credential.password == "123")
{
var tokenHandler = new JwtSecurityTokenHandler();
var securityKey = Authorization.GetBytes("anyoldrandomtext");
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim( ClaimTypes.UserData,"IsValid", ClaimValueTypes.String, "(local)" )
}),
TokenIssuerName = "self",
AppliesToAddress = "https://www.mywebsite.com",
Lifetime = new Lifetime(now, now.AddMinutes(60)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(securityKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
else
{
return string.Empty;
}
}
public string Protect(AuthenticationTicket data)
{
if (data == null)
{
throw new ArgumentNullException("data");
}
string audienceId = System.Configuration.ConfigurationManager.AppSettings["as:AudienceId"];
string symmetricKeyAsBase64 = System.Configuration.ConfigurationManager.AppSettings["as:AudienceSecret"];
var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
var signingKey = new HmacSigningCredentials(keyByteArray);
var issued = data.Properties.IssuedUtc;
var expires = data.Properties.ExpiresUtc;
var token = new System.IdentityModel.Tokens.JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
var handler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
var jwt = handler.WriteToken(token);
//this.Unprotect("eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTM4NCJ9.eyJuYW1laWQiOiIyZGMxZTRlMC0xNjdjLTQ4MWQtOTZjMC0zOGQzYmIxNzA5ZDgiLCJ1bmlxdWVfbmFtZSI6IlVzdWFyaW8iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2FjY2Vzc2NvbnRyb2xzZXJ2aWNlLzIwMTAvMDcvY2xhaW1zL2lkZW50aXR5cHJvdmlkZXIiOiJBU1AuTkVUIElkZW50aXR5IiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJiNWNiMGMxYi05OWI2LTQ1NmItOWRiMC0xODRiNjE0NzVjNDciLCJyb2xlIjoiVXNlciIsIk15VHlwZSI6IjQ1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDg5IiwiYXVkIjoiVHdpY2VUYWxlbnQiLCJleHAiOjE0ODk4NTMwNzgsIm5iZiI6MTQ4OTc2NjY3OH0.wuj8cRpwjCr75eyLrPpgvwUk8l0cmR07Cxetm_Ei2_Ym6At32QteM22tqT2hSaph");
return(jwt);
}
public JwtAuthenticationOwinMiddlewareTests()
{
var signingCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(Convert.FromBase64String(Key)),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new []
{
new Claim("sub", "Alice"),
new Claim("email", "*****@*****.**"),
}),
TokenIssuerName = Issuer,
AppliesToAddress = Audience,
Lifetime = new Lifetime(now, now.AddMinutes(LifetimeInMinutes)),
SigningCredentials = signingCredentials,
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
_tokenString = tokenHandler.WriteToken(token);
}
public void CreateAndValidateTokens_DuplicateClaims()
{
SecurityToken validatedToken;
string encodedJwt = IdentityUtilities.CreateJwtToken(
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials,
Subject = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)),
TokenIssuerName = IdentityUtilities.DefaultIssuer,
});
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken);
Assert.IsTrue(IdentityComparer.AreEqual<IEnumerable<Claim>>(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext { IgnoreProperties = true, IgnoreSubject = true }));
JwtSecurityTokenHandler.InboundClaimFilter.Clear();
}
protected virtual Task<TokenValidationResult> ValidateJwtAccessTokenAsync(string jwt)
{
var handler = new JwtSecurityTokenHandler();
handler.Configuration = new SecurityTokenHandlerConfiguration();
handler.Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
handler.Configuration.CertificateValidator = X509CertificateValidator.None;
var parameters = new TokenValidationParameters
{
ValidIssuer = _settings.GetIssuerUri(),
SigningToken = new X509SecurityToken(_settings.GetSigningCertificate()),
AllowedAudience = string.Format(Constants.AccessTokenAudience, _settings.GetIssuerUri())
};
try
{
var id = handler.ValidateToken(jwt, parameters);
return Task.FromResult(new TokenValidationResult
{
Claims = id.Claims
});
}
catch (Exception ex)
{
_logger.ErrorFormat("JWT token validation error: {0}", ex.ToString());
return Task.FromResult(new TokenValidationResult
{
IsError = true,
Error = Constants.ProtectedResourceErrors.InvalidToken
});
}
}
public string CreateAssertionToken()
{
var now = DateTime.Now.ToUniversalTime();
var jwt = new JwtSecurityToken(_clientId,
_audience,
new List<Claim>()
{
new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString()),
new Claim(JwtClaimTypes.Subject, _clientId),
new Claim(JwtClaimTypes.IssuedAt, EpochTime.GetIntDate(now).ToString(), ClaimValueTypes.Integer64)
},
now,
now.AddMinutes(1),
new X509SigningCredentials(_certificate,
SecurityAlgorithms.RsaSha256Signature,
SecurityAlgorithms.Sha256Digest
)
);
if (_embedCertificate)
{
var rawCertificate = Convert.ToBase64String(_certificate.Export(X509ContentType.Cert));
jwt.Header.Add(JwtHeaderParameterNames.X5c, new[] {rawCertificate});
}
var tokenHandler = new JwtSecurityTokenHandler();
return tokenHandler.WriteToken(jwt);
}
/// <summary>
/// Sets a JWT authorization header on the default request headers of an <see cref="HttpClient"/>.
/// </summary>
/// <param name="client">The client for which to set the authorization header.</param>
/// <param name="signingCertificate">The signing certificate to sign the token.</param>
/// <param name="appliesToAddress">The address for which the token is considered valid.</param>
/// <param name="claims">The claims that define the user. Leave null for an anonymous user.</param>
/// <param name="tokenIssuerName">Name of the token issuer. Defaults to "self".</param>
/// <param name="tokenDuration">
/// The token duration for which it's considered valid. Defaults to 2 hours.
/// </param>
/// <exception cref="ArgumentNullException">
/// <paramref name="signingCertificate"/> is <see langword="null"/>.
/// </exception>
/// <exception cref="ArgumentException">
/// <paramref name="appliesToAddress"/> is <see langword="null"/> or empty.
/// </exception>
/// <exception cref="ArgumentException">
/// <paramref name="tokenIssuerName"/> is <see langword="null"/> or empty.
/// </exception>
public static void SetJwtAuthorizationHeader(
this HttpClient client,
X509Certificate2 signingCertificate,
string appliesToAddress,
IEnumerable<Claim> claims = null,
string tokenIssuerName = "self",
TimeSpan? tokenDuration = null)
{
signingCertificate.AssertNotNull("signingCertificate");
appliesToAddress.AssertNotNullOrWhitespace("appliesToAddress");
tokenIssuerName.AssertNotNullOrWhitespace("tokenIssuerName");
var now = DateTime.UtcNow;
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
TokenIssuerName = tokenIssuerName,
AppliesToAddress = appliesToAddress,
Lifetime = new Lifetime(now, now.Add(tokenDuration ?? TimeSpan.FromHours(2))),
SigningCredentials = new X509SigningCredentials(signingCertificate)
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
string tokenString = tokenHandler.WriteToken(token);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenString);
}
public JwtSecurityTokenTestVariation()
{
_notbefore = DateTime.UtcNow;
_expires = DateTime.UtcNow + TimeSpan.FromHours( 1 );
_jwtHandler = new JwtSecurityTokenHandler();
_expectedException = ExpectedException.NoExceptionExpected;
}
public ClaimsPrincipal Validate(string jwtTokenAsBase64, JwtOptions options)
{
var tokenHandler = new JwtSecurityTokenHandler();
string keyAsUtf8 = options.JwtSigningKeyAsUtf8;
byte[] keyAsBytes = Encoding.UTF8.GetBytes(keyAsUtf8);
SecurityToken signingToken = new BinarySecretSecurityToken(keyAsBytes);
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningToken = signingToken,
ValidAudience = options.Audience,
ValidIssuer = options.Issuer
};
ClaimsPrincipal principal;
try
{
SecurityToken validatedToken;
principal = tokenHandler.ValidateToken(jwtTokenAsBase64, tokenValidationParameters,
out validatedToken);
}
catch (Exception ex)
{
Debug.Write(ex, "error");
principal = new ClaimsPrincipal(new ClaimsIdentity(authenticationType:""));
}
return principal;
}
public void End2End_OpenIdConnect()
{
SigningCredentials rsaSigningCredentials =
new SigningCredentials(
KeyingMaterial.RsaSecurityKey_Private2048,
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha256Digest,
new SecurityKeyIdentifier(new NamedKeySecurityKeyIdentifierClause("kid", "NGTFvdK-fythEuLwjpwAJOM9n-A"))
);
//"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
RSA rsa = KeyingMaterial.RsaSecurityKey_2048.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false) as RSA;
OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFile, CancellationToken.None).Result;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = tokenHandler.CreateToken(
configuration.Issuer,
IdentityUtilities.DefaultAudience,
IdentityUtilities.DefaultClaimsIdentity,
DateTime.UtcNow,
DateTime.UtcNow + TimeSpan.FromHours(1),
rsaSigningCredentials );
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningTokens = configuration.SigningTokens,
ValidAudience = IdentityUtilities.DefaultAudience,
ValidIssuer = configuration.Issuer,
};
SecurityToken securityToken = null;
tokenHandler.ValidateToken(jwt.RawData, validationParameters, out securityToken);
}
public async Task<IHttpActionResult> CreateToken(Token token)
{
var publicAndPrivate = new RSACryptoServiceProvider();
publicAndPrivate.FromXmlString(_configuration.PrivateKey.FromBase64String());
var jwtToken = new JwtSecurityToken(
issuer: _configuration.Issuer,
audience: "http://mysite.com"
, claims: new List<Claim>() { new Claim(ClaimTypes.Name, token.username) }
, notBefore: DateTime.UtcNow
, expires: DateTime.UtcNow.AddMinutes(1)
, signingCredentials: new SigningCredentials(
new RsaSecurityKey(publicAndPrivate)
,SecurityAlgorithms.RsaSha256Signature
,SecurityAlgorithms.Sha256Digest)
);
var tokenHandler = new JwtSecurityTokenHandler();
var tokenString = tokenHandler.WriteToken(jwtToken);
return Ok(new
{
access_token = tokenString,
expires_in = new TimeSpan(0,0, 1,0).TotalSeconds,
expires_on = (long)(DateTime.UtcNow.AddMinutes(1) - new DateTime(1970, 1, 1)).TotalSeconds
});
}
//http://blog.asteropesystems.com/securing-web-api-requests-with-json-web-tokens/
public string GetToken(string username, List<ActivityClaim> activityClaims)
{
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var claims = new ClaimsIdentity(new[]
{
new Claim( ClaimTypes.UserData, "IsValid", ClaimValueTypes.String ),
new Claim( ClaimTypes.Name, username, ClaimValueTypes.String )
});
claims.AddClaims(activityClaims.Select(c => new Claim(ClaimTypes.UserData, c.ToString(), ClaimValueTypes.String)));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = claims,
TokenIssuerName = "self",
AppliesToAddress = "https://api.knowthyshelf.com",
Lifetime = new Lifetime(now, now.AddYears(10)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(TOKEN_SECURITY_KEY),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
static string BearerToken()
{
var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256";
var securityKey = Convert.FromBase64String(mainKey);
var inMemKey = new InMemorySymmetricSecurityKey(securityKey);
ClaimsIdentity identity = new ClaimsIdentity();
identity.AddClaim(new Claim("scope", "Full"));
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
SecurityToken securityToken = handler.CreateToken(new SecurityTokenDescriptor()
{
TokenType = "Bearer",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(1)),
SigningCredentials = new SigningCredentials(inMemKey, signatureAlgorithm, digestAlgorithm),
//This data I would get by matching the jwtSecurityToken.Audience to database or something
TokenIssuerName = "PaulsSite",
AppliesToAddress = "http://JoshsSite",
Subject = identity
}
);
return handler.WriteToken(securityToken);
}
public async Task<ActionResult> Callback(string code, string state)
{
CheckState(state);
using (var client = new HttpClient())
{
var resp = await client.PostAsync("https://accounts.google.com/o/oauth2/token",
new FormUrlEncodedContent(new Dictionary<string, string>
{
{"code", code},
{"redirect_uri", RedirectUri},
{"grant_type", "authorization_code"},
{"client_id", ClientId},
{"client_secret", ClientSecret}
}));
resp.EnsureSuccessStatusCode();
var tokenResp = await resp.Content.ReadAsAsync<TokenResponse>();
var certs = await GoogleCertificates.GetCertificates();
var tokenHandler = new JwtSecurityTokenHandler
{
CertificateValidator = new GoogleCertificateValidator(certs.ToDictionary(t => t.Value.GetCertHashString(), t => t.Value))
};
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = ClientId,
ValidIssuer = "accounts.google.com",
SigningTokens = certs.Select(p => new X509SecurityToken(p.Value))
};
var principal = tokenHandler.ValidateToken(tokenResp.id_token, validationParameters);
var jwt = new JwtSecurityToken(tokenResp.id_token);
var viewModel = new ViewModel
{
JwtHeader = jwt.Header,
JwtPayload = jwt.Payload,
Principal = principal
};
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenResp.access_token);
resp = await client.GetAsync("https://www.googleapis.com/tasks/v1/users/@me/lists");
resp.EnsureSuccessStatusCode();
var taskLists = await resp.Content.ReadAsAsync<TaskLists>();
foreach(var list in taskLists.items)
{
resp = await client.GetAsync(string.Format("https://www.googleapis.com/tasks/v1/lists/{0}/tasks",list.id));
resp.EnsureSuccessStatusCode();
var taskList = await resp.Content.ReadAsAsync<TaskList>();
viewModel.Tasks.AddRange(taskList.items.Select(item => item.title));
}
return View(viewModel);
}
}
public CachedAccessTokenProvider(
INonCachingAccessTokenProvider accessTokenProvider,
TimeSpan tokenRefreshGracePeriod
) {
m_accessTokenProvider = accessTokenProvider;
m_tokenRefreshGracePeriod = tokenRefreshGracePeriod;
m_tokenHandler = new JwtSecurityTokenHandler();
}
public static string GetJwtToken(this ClaimsIdentity identity, SecurityTokenDescriptor tokenDescriptor)
{
if (identity == null || tokenDescriptor == null) return null;
tokenDescriptor.Subject = identity;
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
public async Task<Client> FindClientByIdAsync(string clientId)
{
var clientsUri = $"admin-api/api/clients/{clientId}";
//var cert = Cert.Load(StoreName.My, StoreLocation.CurrentUser, "b512d01195667dbc7c4222ec6fd563ac64e3d450");
//var handler = new WebRequestHandler();
//handler.ClientCertificates.Add(cert);
// Retrieve an access token from the IdentityAdmin /authorize OAuth endpoint
using (var client = new HttpClient())
{
client.BaseAddress = new Uri(this.identityAdminUri);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var cert = Cert.Load(typeof(IOwinBootstrapper).Assembly, "Cert", "idsrv3test.pfx", "idsrv3test");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim("name", "idServer"),
new Claim("role", "IdentityAdminManager"),
new Claim("scope", "idadmin-api")
}),
TokenIssuerName = "idServer",
AppliesToAddress = this.identityAdminUri,
Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddMinutes(10)),
SigningCredentials = new X509SigningCredentials(cert)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var accessToken = tokenHandler.WriteToken(securityToken);
var jwtParams = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role",
ValidAudience = this.identityAdminUri,
ValidIssuer = "idServer",
IssuerSigningToken = new X509SecurityToken(cert)
};
SecurityToken validatedToken;
tokenHandler.ValidateToken(accessToken, jwtParams, out validatedToken);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync(clientsUri);
var str = await response.Content.ReadAsStringAsync();
}
return null;
}
#pragma warning disable 1998
public override async Task<Result> Execute()
{
Result result = new Result();
try
{
Console.Out.WriteLine("Generating access token...");
// encryption key
string key_s = ConfigurationManager.ConnectionStrings["JWTKey"].ConnectionString;
byte[] key_b = new byte[key_s.Length * sizeof(char)];
System.Buffer.BlockCopy(key_s.ToCharArray(), 0, key_b, 0, key_b.Length);
// create the token
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
ClaimsIdentity subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Uri, SiteUrl, ClaimValueTypes.String) });
SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
{
Subject = subject,
TokenIssuerName = "SpSat",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(4)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(key_b), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
using (ClientContext context = new ClientContext(SiteUrl))
{
// authenticate
string usernamePassword = ConfigurationManager.ConnectionStrings["SharePoint"].ConnectionString;
dynamic usernamePassword_j = Newtonsoft.Json.JsonConvert.DeserializeObject(usernamePassword);
string username = usernamePassword_j.username;
string password = usernamePassword_j.password;
SecureString password_s = new SecureString();
Array.ForEach(password.ToCharArray(), password_s.AppendChar);
context.Credentials = new SharePointOnlineCredentials(username, password_s);
// write the token to the property bag
PropertyValues webProperties = context.Web.AllProperties;
webProperties["accessToken"] = tokenHandler.WriteToken(token);
context.Web.Update();
context.ExecuteQuery();
}
Console.Out.WriteLine("Completed generating access token.");
result.Status = Status.Success;
}
catch (Exception ex)
{
result.Status = Status.Failure;
result.Log.Add(ex.Message);
}
return result;
}
public static string CreateTokenAsBase64(this SecurityTokenDescriptor securityTokenDescriptor)
{
var tokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken = tokenHandler.CreateToken(securityTokenDescriptor);
string token = tokenHandler.WriteToken(securityToken);
string tokenAsBase64 = token;
return tokenAsBase64;
}
private IEnumerable<Claim> ValidateIdentityToken(string token)
{
var parameters = new TokenValidationParameters
{
AllowedAudience = "implicitclient",
ValidIssuer = "https://idsrv3.com",
SigningToken = new X509SecurityToken(X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=idsrv3test", false).First())
};
var id = new JwtSecurityTokenHandler().ValidateToken(token, parameters);
return id.Claims;
}
protected void Page_Load(object sender, EventArgs e)
{
string spAppToken = TokenHelper.GetContextTokenFromRequest(HttpContext.Current.Request);
requestTokenValue.InnerText = spAppToken;
SharePointContextToken spToken = ReadToken(spAppToken);
requestTokenContents.InnerHtml = spToken.ToString().Replace(",", "<br/>");
string hostWeb = Page.Request["SPHostUrl"];
Uri hostUri = new Uri(hostWeb);
string accessToken = TokenHelper.GetAccessToken(spToken, hostUri.Authority).AccessToken;
accessTokenValue.InnerText = accessToken;
JwtSecurityTokenHandler tokenHandler = new System.IdentityModel.Tokens.JwtSecurityTokenHandler();
SecurityToken st = tokenHandler.ReadToken(accessToken);
accessTokenContents.InnerHtml = st.ToString().Replace(",", "<br/>");
}
public JwtTokenHelper()
{
this.jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
}
private string CreateJwt(string userId, string role)
{
var key = Convert.FromBase64String(SymmetricKey);
var credentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var expiration = DateTime.UtcNow.AddMinutes(20).ToLongTimeString();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, userId),
new Claim(ClaimTypes.Role, role),
new Claim("exp", expiration)
}),
TokenIssuerName = Issuer,
AppliesToAddress = Audience,
SigningCredentials = credentials
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
