public static async Task <GrantedTokenValidationResult> CheckGrantedToken(this GrantedToken grantedToken, IJwksStore jwksStore, CancellationToken cancellationToken = default)
{
if (grantedToken == null)
{
return(new GrantedTokenValidationResult
{
MessageErrorCode = ErrorCodes.InvalidToken,
MessageErrorDescription = Strings.TheTokenIsNotValid,
IsValid = false
});
}
var expirationDateTime = grantedToken.CreateDateTime.AddSeconds(grantedToken.ExpiresIn);
var tokenIsExpired = DateTimeOffset.UtcNow > expirationDateTime;
if (tokenIsExpired)
{
return(new GrantedTokenValidationResult
{
MessageErrorCode = ErrorCodes.InvalidToken,
MessageErrorDescription = Strings.TheTokenIsExpired,
IsValid = false
});
}
var publicKeys = await jwksStore.GetPublicKeys(cancellationToken).ConfigureAwait(false);
var handler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ValidateActor = false,
ValidAudience = grantedToken.ClientId,
ValidateIssuer = false,
IssuerSigningKeys = publicKeys.Keys
};
try
{
handler.ValidateToken(grantedToken.AccessToken, validationParameters, out _);
return(new GrantedTokenValidationResult {
IsValid = true
});
}
catch (Exception exception)
{
return(new GrantedTokenValidationResult
{
IsValid = false,
MessageErrorCode = exception.Message,
MessageErrorDescription = exception.Message
});
}
}
public async Task <IActionResult> RevokeSessionCallback([FromQuery] RevokeSessionRequest?request, CancellationToken cancellationToken)
{
var authenticatedUser = await _authenticationService.GetAuthenticatedUser(this, CookieNames.CookieName).ConfigureAwait(false);
if (authenticatedUser == null || authenticatedUser.Identity?.IsAuthenticated != true)
{
return(Ok(new { Authenticated = false }));
}
Response.Cookies.Delete(CoreConstants.SessionId);
await _authenticationService.SignOutAsync(HttpContext, CookieNames.CookieName, new AuthenticationProperties()).ConfigureAwait(false);
if (request != null &&
request.post_logout_redirect_uri != null &&
!string.IsNullOrWhiteSpace(request.id_token_hint))
{
var handler = new JwtSecurityTokenHandler();
var jsonWebKeySet = await _jwksStore.GetPublicKeys(cancellationToken).ConfigureAwait(false);
var tokenValidationParameters = new TokenValidationParameters
{
ValidateActor = false,
ValidateAudience = false,
ValidateIssuer = false,
IssuerSigningKeys = jsonWebKeySet.Keys
};
handler.ValidateToken(request.id_token_hint, tokenValidationParameters, out var token);
var jws = (token as JwtSecurityToken)?.Payload;
var claim = jws?.GetClaimValue(StandardClaimNames.Azp);
if (claim != null)
{
var client = await _clientRepository.GetById(claim, cancellationToken).ConfigureAwait(false);
if (client?.PostLogoutRedirectUris != null && client.PostLogoutRedirectUris.Any(x => x == request.post_logout_redirect_uri))
{
var redirectUrl = request.post_logout_redirect_uri;
if (!string.IsNullOrWhiteSpace(request.state))
{
redirectUrl = new Uri($"{redirectUrl.AbsoluteUri}?state={request.state}");
}
return(Redirect(redirectUrl.AbsoluteUri));
}
}
}
return(Ok(new { Authenticated = true }));
}