async Task <AccessTokenResult> ValidateUsingJWKs(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default) { // Replace with your authorization server URL: var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>( _issuerUrl + "/.well-known/oauth-authorization-server", new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever()); var discoveryDocument = await configurationManager.GetConfigurationAsync(cancellationToken); var signingKeys = discoveryDocument.SigningKeys; var validationParameters = new TokenValidationParameters { RequireExpirationTime = true, RequireSignedTokens = true, ValidateIssuer = true, ValidIssuer = _issuerUrl, ValidateIssuerSigningKey = true, IssuerSigningKeys = signingKeys, ValidateAudience = false, ValidateLifetime = true, // Allow for some drift in server time // (a lower value is better; we recommend two minutes or less) ClockSkew = TimeSpan.FromMinutes(2), // See additional validation for aud below }; try { var principal = new JwtSecurityTokenHandler() .ValidateToken(token, validationParameters, out var rawValidatedToken); var securityToken = (JwtSecurityToken)rawValidatedToken; return(AccessTokenResult.Success(principal)); } catch (SecurityTokenValidationException ex) { // Logging, etc. return(AccessTokenResult.Expired()); } //var claimsColl = instrospectResponse.Claims; //var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc"); //var principal = new ClaimsPrincipal(claimsIdentity); //return AccessTokenResult.Success(principal); }
async Task <AccessTokenResult> ValidateUsingUserInfo(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default) { var response = await client.GetUserInfoAsync(new UserInfoRequest { Address = disco.UserInfoEndpoint, Token = token }); var claimsColl = response.Claims; var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc"); var principal = new ClaimsPrincipal(claimsIdentity); return(AccessTokenResult.Success(principal)); }
async Task <AccessTokenResult> ValidateUsingInstrospect(HttpClient client, DiscoveryDocumentResponse disco, string token, CancellationToken cancellationToken = default) { var instrospectResponse = await client.IntrospectTokenAsync(new TokenIntrospectionRequest() { Address = disco.IntrospectionEndpoint, ClientId = Environment.GetEnvironmentVariable("ClientId"), Token = token, TokenTypeHint = "access_token" }, CancellationToken.None); var claimsColl = instrospectResponse.Claims; var claimsIdentity = new ClaimsIdentity(claimsColl, "oidc"); var principal = new ClaimsPrincipal(claimsIdentity); return(AccessTokenResult.Success(principal)); }
public Task <AccessTokenResult> ValidateToken(HttpRequest request, CancellationToken cancellationToken = default) { try { if (request != null && request.Headers.ContainsKey(AUTH_HEADER_NAME) && request.Headers[AUTH_HEADER_NAME].ToString().StartsWith(BEARER_PREFIX)) { var token = request.Headers[AUTH_HEADER_NAME].ToString().Substring(BEARER_PREFIX.Length); var tokenParams = new TokenValidationParameters() { RequireSignedTokens = true, ValidAudience = _audience, ValidateAudience = true, ValidIssuer = _issuer, ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidateLifetime = true, IssuerSigningKey = new SymmetricSecurityKey(Token) }; var handler = new JwtSecurityTokenHandler(); var result = handler.ValidateToken(token, tokenParams, out var securityToken); return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Success(result))); } else { return(Task.FromResult <AccessTokenResult>(AccessTokenResult.NoToken())); } } catch (SecurityTokenExpiredException) { return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Expired())); } catch (Exception ex) { return(Task.FromResult <AccessTokenResult>(AccessTokenResult.Error(ex))); } }