public void X509SecurityKey_Constructor() { X509SecurityKey x509SecurityKey; ExpectedException expectedException = new ExpectedException(typeExpected: typeof(ArgumentNullException), substringExpected: "certificate"); try { x509SecurityKey = new X509SecurityKey(null); expectedException.ProcessNoException(); } catch(Exception exception) { expectedException.ProcessException(exception); } X509Certificate2 x509Certificate2 = KeyingMaterial.DefaultCert_2048; expectedException = ExpectedException.NoExceptionExpected; try { x509SecurityKey = new X509SecurityKey(x509Certificate2); Assert.ReferenceEquals(x509Certificate2, x509SecurityKey.Certificate); } catch (Exception exception) { expectedException.ProcessException(exception); } }
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true) { Logger.Info("Start identity token validation"); if (clientId.IsMissing()) { clientId = GetClientIdFromJwt(token); if (clientId.IsMissing()) { Logger.Error("No clientId supplied, can't find id in identity token."); return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } } _log.ClientId = clientId; _log.ValidateLifetime = validateLifetime; var client = await _clients.FindClientByIdAsync(clientId); if (client == null) { LogError("Unknown or diabled client."); return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } _log.ClientName = client.ClientName; var signingKey = new X509SecurityKey(_options.SigningCertificate); var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime); result.Client = client; if (result.IsError) { LogError("Error validating JWT"); return result; } if (_options.DiagnosticsOptions.IncludeSensitiveDataInLogs) { _log.Claims = result.Claims.ToClaimsDictionary(); } var customResult = await _customValidator.ValidateIdentityTokenAsync(result); if (customResult.IsError) { LogError("Custom validator failed: " + customResult.Error ?? "unknown"); return customResult; } if (_options.DiagnosticsOptions.IncludeSensitiveDataInLogs) { _log.Claims = customResult.Claims.ToClaimsDictionary(); } LogSuccess(); return customResult; }
/// <summary> /// Signs the token. /// </summary> /// <param name="token">The token.</param> /// <returns> /// A protected and serialized security token /// </returns> public virtual async Task<string> SignTokenAsync(Token token) { var key = new X509SecurityKey(await _keyService.GetSigningKeyAsync()); var header = await CreateHeaderAsync(token, key); var payload = await CreatePayloadAsync(token); return await SignAsync(new JwtSecurityToken(header, payload)); }
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true) { if (clientId.IsMissing()) { clientId = GetClientIdFromJwt(token); if (clientId.IsMissing()) { return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } } var client = await _clients.FindClientByIdAsync(clientId); if (client == null) { return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } SecurityKey signingKey; if (client.IdentityTokenSigningKeyType == SigningKeyTypes.ClientSecret) { signingKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(client.ClientSecret)); } else { signingKey = new X509SecurityKey(_options.SigningCertificate); } var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime); result.Client = client; if (result.IsError) { return result; } Logger.Debug("Calling custom token validator"); var customResult = await _customValidator.ValidateIdentityTokenAsync(result); if (customResult.IsError) { Logger.Error("Custom validator failed: " + customResult.Error ?? "unknown"); } return customResult; }
/// <summary> /// Validates the <see cref="SecurityKey"/> that signed a <see cref="SecurityToken"/>. /// </summary> /// <param name="securityKey">The <see cref="SecurityKey"/> that signed the <see cref="SecurityToken"/>.</param> /// <param name="securityToken">The <see cref="SecurityToken"/> being validated.</param> /// <param name="validationParameters"><see cref="TokenValidationParameters"/> required for validation.</param> /// <exception cref="ArgumentNullException"> if 'vaidationParameters' is null.</exception> public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters) { if (validationParameters == null) { throw new ArgumentNullException("validationParameters"); } if (!validationParameters.ValidateIssuerSigningKey) { return; } X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey; if (x509SecurityKey != null) { //validationParameters.CertificateValidator.Validate(x509SecurityKey.Certificate); } }
public static TokenValidationParameters GetParameters() { var tvp = new TokenValidationParameters(); tvp.ValidAudience = ApplicationConfiguration.Get("audience"); tvp.ValidIssuer = ApplicationConfiguration.Get("issuer"); tvp.ValidateIssuer = true; tvp.ValidateAudience = true; tvp.ValidateIssuerSigningKey = true; tvp.ValidateLifetime = true; var keys = new List<X509SecurityKey>(); var certs = GetCertificates(); foreach (var certificate in certs) { var key = new X509SecurityKey(certificate); keys.Add(key); } tvp.IssuerSigningKeyResolver = (a, b, c, d) => keys; return tvp; }
public static IEnumerable<Claim> ValidateIdentityToken(string token, string issuer, string audience, X509Certificate2 signingCertificate) { ClaimsPrincipal cp = null; if (token != null) { JwtSecurityToken idToken = new JwtSecurityToken(token); JwtSecurityTokenHandler jwt = new JwtSecurityTokenHandler(); // Configure validation Byte[][] certBytes = getCertBytes(); for (int i = 0; i < certBytes.Length; i++) { X509Certificate2 certificate = new X509Certificate2(certBytes[i]); X509SecurityToken certToken = new X509SecurityToken(certificate); var key = new X509SecurityKey(certificate); // Set up token validation TokenValidationParameters tvp = new TokenValidationParameters(); tvp.ValidAudience = audience; tvp.IssuerSigningToken = certToken; tvp.ValidIssuer = "accounts.google.com"; tvp.IssuerSigningKeyResolver = (a, b, c, d) => key; // Enable / disable tests //tvp.ValidateNotBefore = false; //tvp.ValidateExpiration = true; //tvp.ValidateSignature = true; tvp.ValidateIssuer = true; tvp.ValidateAudience = true; tvp.ValidateIssuerSigningKey = true; tvp.ValidateLifetime = true; // Account for clock skew. Look at current time when getting the message // "The token is expired" in try/catch block. // This is relative to GMT, for example, GMT-8 is: //tvp.ClockSkew = TimeSpan.FromMinutes(3600 * 13); try { SecurityToken securityToken; // Validate using the provider cp = jwt.ValidateToken(token, tvp, out securityToken); } catch (Exception) { if (i == certBytes.Length) throw; } } } return cp.Claims; }