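/// <summary>
/// Parses a Simple Web Token and validates it: HMAC signature first, then expiry,
/// then (when configured) audience and issuer.
/// </summary>
/// <param name="token">The raw SWT string presented by the caller.</param>
/// <returns>The parsed <see cref="SimpleWebToken"/> once every configured check has passed.</returns>
/// <exception cref="HttpException">
/// Thrown with status 401 when the token is missing, the shared key is missing or empty,
/// the signature does not verify, the token is expired, or the audience/issuer is rejected.
/// </exception>
/// <exception cref="FormatException">
/// Thrown by <see cref="Convert.FromBase64String(string)"/> when <c>SharedKeyBase64</c> is not valid Base64.
/// </exception>
/// <remarks>
/// The audience check runs only when <c>AllowedAudiences</c> is non-empty and the issuer check only
/// when <c>AllowedIssuer</c> is set; with neither configured, any validly signed, unexpired token is accepted.
/// </remarks>
public SimpleWebToken ValidateToken(string token)
        {
            if (token == null)
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "SWT not found");
            }

            var swt = new SimpleWebToken(token);

            // Convert.FromBase64String never returns null: it throws on a null input and yields
            // an empty array for an empty or whitespace-only one. Reject a missing key before
            // decoding and an empty key after it, so a misconfigured deployment fails closed
            // instead of verifying signatures against a zero-length key.
            if (string.IsNullOrEmpty(SharedKeyBase64))
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "Missing shared key");
            }

            byte[] securityKey = Convert.FromBase64String(SharedKeyBase64);

            if (securityKey.Length == 0)
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "Missing shared key");
            }

            // The signature is checked before any claim in the token is trusted.
            // NOTE(review): IsHmacValid is defined elsewhere; confirm it compares the MACs in constant time.
            if (!IsHmacValid(swt.RawToken, securityKey))
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "Invalid signature");
            }

            if (swt.IsExpired)
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "Token expired");
            }

            if (AllowedAudiences != null && AllowedAudiences.Count > 0)
            {
                // RelativeOrAbsolute lets relative audience strings through the parse step,
                // so the allow-list comparison below is the effective check.
                Uri swtAudienceUri;
                if (!Uri.TryCreate(swt.Audience, UriKind.RelativeOrAbsolute, out swtAudienceUri))
                {
                    throw new HttpException((int)HttpStatusCode.Unauthorized, "Invalid audience");
                }

                if (AllowedAudiences.All(uri => uri != swtAudienceUri))
                {
                    throw new HttpException((int)HttpStatusCode.Unauthorized, "Audience not found");
                }
            }

            // Ordinal comparison: the issuer must match the configured value exactly.
            if (!string.IsNullOrEmpty(AllowedIssuer) &&
                !AllowedIssuer.Equals(swt.Issuer, StringComparison.Ordinal))
            {
                throw new HttpException((int)HttpStatusCode.Unauthorized, "Invalid issuer");
            }

            // NOTE(review): each failure carries a distinct message; confirm these are not
            // returned verbatim to untrusted callers.
            return swt;
        }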
        /// <summary>
        /// Decides whether a token audience is acceptable: it must be non-empty and either
        /// match <paramref name="authority"/> or appear in <c>AllowedAudiences</c>.
        /// </summary>
        /// <param name="authority">The authority the audience is compared against first.</param>
        /// <param name="audience">The audience value taken from the token.</param>
        /// <returns><c>true</c> when the audience is accepted; <c>false</c> when it is rejected
        /// and <c>DetailedAuthenticationErrors</c> is off.</returns>
        /// <exception cref="SecurityException">
        /// Thrown instead of returning <c>false</c> when <c>DetailedAuthenticationErrors</c> is on.
        /// </exception>
        private bool IsValidAudience(string authority, string audience)
        {
            if (!string.IsNullOrEmpty(audience))
            {
                // NOTE(review): Is() is an extension defined elsewhere; confirm how strictly it
                // compares (case, trailing slash), since it decides acceptance on its own.
                if (audience.Is(authority))
                {
                    return true;
                }

                if (AllowedAudiences.Any() && AllowedAudiences.Contains(audience))
                {
                    return true;
                }
            }

            // Rejected: either report quietly or raise, depending on configuration.
            if (!DetailedAuthenticationErrors)
            {
                return false;
            }

            throw new SecurityException("The Token Audience is not allowed.");
        }