// todo [wanl]: hubName uses [AutoResolve]
public InputBindingProvider(IConfiguration configuration, INameResolver nameResolver, ISecurityTokenValidator securityTokenValidator, ISignalRConnectionInfoConfigurer signalRConnectionInfoConfigurer)
{
this.configuration = configuration;
this.nameResolver = nameResolver;
this.securityTokenValidator = securityTokenValidator;
this.signalRConnectionInfoConfigurer = signalRConnectionInfoConfigurer;
}
/// <summary>
/// Initialise a new instance of the Okta JWT Security Token Handler
/// </summary>
/// <param name="tokenService">The Token Service.</param>
/// <param name="tokenValidator">Token validator.</param>
/// <param name="userSessionUpdateOktaTokenService">User update okta token service.</param>
/// <param name="userSessionRetrievalByOktaIdService">User retrieval by okta id service.</param>
/// <param name="userRetrievalById">User retrieval by id service.</param>
/// <param name="userRetrievalByEmailService">User retrieval by email service.</param>
/// <param name="userRetrievalByOktaId">User retrieval by okta id.</param>
/// <param name="userUpdateService">Update user service.</param>
/// <param name="userCreationService">User creation service.</param>
/// <param name="oktaClient">Okta client.</param>
/// <param name="oktaTokenExpiryTime">Okta token expiry time.</param>
public OktaJwtSecurityTokenHandler(
ITokenService tokenService,
ISecurityTokenValidator tokenValidator,
IAsyncQueryHandler <UserSessionUpdateOktaTokenQuery, MeUserSession> userSessionUpdateOktaTokenService,
IAsyncQueryHandler <UserSessionRetrievalByOktaIdQuery, MeUserSession> userSessionRetrievalByOktaIdService,
IAsyncQueryHandler <UserRetrievalByIdQuery, MeUser> userRetrievalById,
IAsyncQueryHandler <UserRetrievalByOktaIdQuery, MeUser> userRetrievalByOktaId,
IAsyncQueryHandler <UserRetrievalByEmailQuery, MeUser> userRetrievalByEmailService,
IAsyncQueryHandler <UserUpdateQuery, MeUser> userUpdateService,
IAsyncQueryHandler <CreateUserQuery, MeUser> userCreationService,
IOktaClient oktaClient,
int oktaTokenExpiryTime)
{
_tokenHandler = tokenValidator;
_tokenService = tokenService;
_userSessionUpdateOktaTokenService = userSessionUpdateOktaTokenService;
_oktaTokenExpiryTime = oktaTokenExpiryTime;
_userSessionRetrievalByOktaIdService = userSessionRetrievalByOktaIdService;
_userRetrievalByEmailService = userRetrievalByEmailService;
_userCreationService = userCreationService;
_userRetrievalByOktaId = userRetrievalByOktaId;
_userRetrievalById = userRetrievalById;
_userUpdateService = userUpdateService;
_oktaClient = oktaClient;
}
public static void ValidateTokenReplay(string securityToken, ISecurityTokenValidator tokenValidator, TokenValidationParameters validationParameters)
{
if (!validationParameters.ValidateTokenReplay)
{
return;
}
TokenValidationParameters tvp = validationParameters.Clone();
TokenReplayCache replayCache =
new TokenReplayCache()
{
OnAddReturnValue = true,
OnFindReturnValue = false,
};
tvp.TokenReplayCache = replayCache;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.NoExceptionExpected);
replayCache.OnFindReturnValue = true;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.SecurityTokenReplayDetected());
replayCache.OnFindReturnValue = false;
replayCache.OnAddReturnValue = false;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.SecurityTokenReplayAddFailed());
}
public TokenController(IOptions <AuthOptions> options,
ISecurityTokenValidator jwtTokenValidator,
ILogger <TokenController> logger,
ITokenRefreshHandler tokenRefreshHandler,
ITokenValidationParametersFactory tokenValidationParametersFactory)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options), $"{nameof(options)} cannot be null");
}
if (jwtTokenValidator == null)
{
throw new ArgumentNullException(nameof(jwtTokenValidator), $"{nameof(jwtTokenValidator)} cannot be null");
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger), $"{nameof(logger )} cannot be null");
}
if (tokenRefreshHandler == null)
{
throw new ArgumentNullException(nameof(tokenRefreshHandler), $"{nameof(tokenRefreshHandler)} cannot be null");
}
_authOptions = options.Value;
_jwtTokenValidator = jwtTokenValidator;
_logger = logger;
_tokenRefreshHandler = tokenRefreshHandler;
_tokenValidationParametersFactory = tokenValidationParametersFactory;
}
public AccessTokenValidator(
ISecurityTokenValidator securityTokenValidator,
ILoggerFactory loggerFactory)
{
_securityTokenValidator = securityTokenValidator;
_logger = loggerFactory.CreateLogger <AccessTokenValidator>();
}
public Auth0ValueProvider(
HttpRequest request,
Auth0Options options,
FunctionTokenAttribute attribute,
ISecurityTokenValidator securityHandler)
: base(request, options.SigningOptions, attribute, securityHandler)
{
}
public JwtBearerOptionsValidatorConfigureOptions(ISecurityTokenValidator securityTokenValidator) : base(
JwtBearerDefaults.AuthenticationScheme,
options =>
{
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(securityTokenValidator);
})
{}
public TokenValidator(ISecurityTokenValidator securityTokenValidator, IConfigurationManager <OpenIdConnectConfiguration> configurationManager, IOptions <TokenValidatorConfiguration> tokenValidatorOptions, ILogger <TokenValidator> logger)
{
this.securityTokenValidator = securityTokenValidator ?? throw new ArgumentNullException(nameof(securityTokenValidator));
this.configurationManager = configurationManager ?? throw new ArgumentNullException(nameof(configurationManager));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
_ = tokenValidatorOptions ?? throw new ArgumentNullException(nameof(tokenValidatorOptions));
tokenValidatorConfiguration = tokenValidatorOptions.Value;
}
public SigningKeyValueProvider(
HttpRequest request,
TokenSigningKeyOptions options,
FunctionTokenAttribute attribute,
ISecurityTokenValidator securityHandler)
: base(request, options, attribute, securityHandler)
{
this.options = options;
}
public UserHandlers(
IUserApiClient userApiClient,
TokensJWT tokensJWT,
ISecurityTokenValidator securityTokenValidator)
{
this.userApiClient = userApiClient;
this.tokensJWT = tokensJWT;
this.securityTokenValidator = securityTokenValidator;
}
public AcmeJwsPKAuthenticationHandler(IOptionsMonitor <AcmeJwsAuthenticationOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
JWS.AcmeJwsSecurityTokenHandler validator,
Services.IReplayNonceRegistry nonceRegistry) : base(options, logger, encoder, clock)
{
_tokenValidator = validator;
_nonceRegistry = nonceRegistry;
}
public TokenValidationHandler()
{
_audience = ConfigurationManager.AppSettings["ida:Audience"];
_clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
_tenant = ConfigurationManager.AppSettings["ida:TenantId"];
_authority = string.Format(CultureInfo.InvariantCulture, aadInstance, _tenant);
_configManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{_authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
_tokenValidator = new JwtSecurityTokenHandler();
}
public BearerTokenB2CValueProvider(
HttpRequest request,
TokenAzureB2COptions options,
FunctionTokenAttribute attribute,
IAzureB2CTokensLoader loader,
ISecurityTokenValidator securityHandler)
: base(request, options, attribute, securityHandler)
{
this.options = options;
azureB2CTokensLoader = loader;
}
public SignalRConnectionInputBinding(
BindingProviderContext context,
IConfiguration configuration,
INameResolver nameResolver,
ISecurityTokenValidator securityTokenValidator,
ISignalRConnectionInfoConfigurer signalRConnectionInfoConfigurer) : base(context, configuration, nameResolver)
{
this.securityTokenValidator = securityTokenValidator;
this.signalRConnectionInfoConfigurer = signalRConnectionInfoConfigurer;
this.userType = context.Parameter.ParameterType;
}
/// <inheritdoc />
protected BearerTokenValueProvider(
HttpRequest request,
ITokenOptions options,
FunctionTokenAttribute attribute,
ISecurityTokenValidator tokenValidator)
{
InputAttribute = attribute;
Request = request;
Options = options;
securityTokenValidator = tokenValidator;
}
public SignalRConnectionInputBinding(
BindingProviderContext context,
IConfiguration configuration,
INameResolver nameResolver,
ISecurityTokenValidator securityTokenValidator,
ISignalRConnectionInfoConfigurer signalRConnectionInfoConfigurer) : base(context, configuration, nameResolver)
{
_securityTokenValidator = securityTokenValidator;
_signalRConnectionInfoConfigurer = signalRConnectionInfoConfigurer;
_managerStore = StaticServiceHubContextStore.ServiceManagerStore;
_userType = context.Parameter.ParameterType;
}
public TokenValidationHandler()
{
_audience = ConfigurationManager.AppSettings["ida:Audience"];
_clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
_tenant = ConfigurationManager.AppSettings["ida:TenantId"];
_authority = string.Format(CultureInfo.InvariantCulture, aadInstance, _tenant);
// The ConfigurationManager class holds properties to control the metadata refresh interval. For more details, https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.protocols.configurationmanager-1?view=azure-dotnet
_configManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{_authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
_tokenValidator = new JwtSecurityTokenHandler();
}
public SignalRConfigProvider(
INameResolver nameResolver,
ILoggerFactory loggerFactory,
IConfiguration configuration,
IServiceManagerStore serviceManagerStore,
ISecurityTokenValidator securityTokenValidator = null,
ISignalRConnectionInfoConfigurer signalRConnectionInfoConfigurer = null)
{
this.logger = loggerFactory.CreateLogger(LogCategories.CreateTriggerCategory("SignalR"));
this.nameResolver = nameResolver;
this.serviceManagerStore = serviceManagerStore;
this._dispatcher = new SignalRTriggerDispatcher();
inputBindingProvider = new InputBindingProvider(configuration, nameResolver, securityTokenValidator, signalRConnectionInfoConfigurer);
}
public SignalRConfigProvider(
IOptions <SignalROptions> options,
INameResolver nameResolver,
ILoggerFactory loggerFactory,
IConfiguration configuration,
ISecurityTokenValidator securityTokenValidator = null,
ISignalRConnectionInfoConfigurer signalRConnectionInfoConfigurer = null)
{
this.options = options.Value;
this.loggerFactory = loggerFactory;
this.logger = loggerFactory.CreateLogger(LogCategories.CreateTriggerCategory("SignalR"));
this.nameResolver = nameResolver;
this.configuration = configuration;
this._dispatcher = new SignalRTriggerDispatcher();
inputBindingProvider = new InputBindingProvider(configuration, nameResolver, securityTokenValidator, signalRConnectionInfoConfigurer);
}
public void SecurityTokenHandlerCollectionExtensions_Defaults()
{
SecurityTokenHandlerCollection securityTokenValidators = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
foreach (var tokenHandler in securityTokenValidators)
{
ISecurityTokenValidator tokenValidator = tokenHandler as ISecurityTokenValidator;
Assert.IsNotNull(tokenValidator, "tokenHandler is not ISecurityTokenHandler, is" + tokenHandler.GetType().ToString());
}
securityTokenValidators = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
foreach (var tokenHandler in securityTokenValidators)
{
ISecurityTokenValidator tokenValidator = tokenHandler as ISecurityTokenValidator;
Assert.IsNotNull(tokenValidator, "tokenHandler is not ISecurityTokenHandler, is" + tokenHandler.GetType().ToString());
}
}
internal AuthenticationService(Auth0ApiSettings apiSettings, IConfigurationManager <OpenIdConnectConfiguration> configManager, TokenValidationParameters validationParamOverrides, IAsyncPolicy <ClaimsPrincipal> validationRequestPolicy, ISecurityTokenValidator tokenValidator)
{
_apiSettings = apiSettings;
_configManager = configManager;
_validationRequestPolicy = validationRequestPolicy;
_validationParamOverrides = validationParamOverrides;
_tokenValidator = tokenValidator ?? new JwtSecurityTokenHandler();
if (_validationRequestPolicy == null)
{
_validationRequestPolicy = Policy
.Handle <SecurityTokenSignatureKeyNotFoundException>()
.RetryAsync(1, (ex, retryCount) =>
{
_configManager.RequestRefresh();
})
.AsAsyncPolicy <ClaimsPrincipal>();
}
}
public static ClaimsPrincipal ValidateToken(this SecurityTokenHandlerCollection tokenHandlers, string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
if (tokenHandlers == null)
{
throw new ArgumentNullException("tokenHandlers");
}
if (securityToken == null)
{
throw new ArgumentNullException("securityToken");
}
if (validationParameters == null)
{
throw new ArgumentNullException("validationParameters");
}
bool iSecurityTokenValidatorFound = false;
foreach (SecurityTokenHandler tokenHandler in tokenHandlers)
{
ISecurityTokenValidator securityTokenValidator = tokenHandler as ISecurityTokenValidator;
if (securityTokenValidator != null && securityTokenValidator.CanReadToken(securityToken))
{
iSecurityTokenValidatorFound = true;
return(securityTokenValidator.ValidateToken(securityToken, validationParameters, out validatedToken));
}
}
if (iSecurityTokenValidatorFound)
{
throw new SecurityTokenValidationException(ErrorMessages.IDX10201);
}
else
{
throw new SecurityTokenValidationException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10201, securityToken));
}
}
public static void ValidateTokenReplay(string securityToken, ISecurityTokenValidator tokenValidator, TokenValidationParameters validationParameters)
{
TokenValidationParameters tvp = validationParameters.Clone() as TokenValidationParameters;
Microsoft.IdentityModel.Test.TokenReplayCache replayCache =
new Microsoft.IdentityModel.Test.TokenReplayCache()
{
OnAddReturnValue = true,
OnFindReturnValue = false,
};
tvp.TokenReplayCache = replayCache;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.NoExceptionExpected);
replayCache.OnFindReturnValue = true;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.SecurityTokenReplayDetected());
replayCache.OnFindReturnValue = false;
replayCache.OnAddReturnValue = false;
TestUtilities.ValidateToken(securityToken, tvp, tokenValidator, ExpectedException.SecurityTokenReplayAddFailed());
}
public SecurityTokenTypeValidator(ISecurityTokenValidator underlyingValidator)
{
_underlyingValidator = underlyingValidator;
}
public RiskJwtBearerPostConfigureOptions(ISecurityTokenValidator securityTokenValidator)
{
_securityTokenValidator = securityTokenValidator;
}
public TokenValidationService(ISecurityTokenValidator jwtValidator)
{
_jwtValidator = jwtValidator;
}
public static ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ExpectedException expectedException)
{
ClaimsPrincipal retVal = null;
try
{
retVal = tokenValidator.ValidateToken(securityToken, validationParameters, out SecurityToken validatedToken);
expectedException.ProcessNoException();
}
catch (Exception ex)
{
expectedException.ProcessException(ex);
}
return(retVal);
}
public async Task Invoke(HttpContext context,
ISecurityTokenValidator tokenValidator,
IOptions <DelegationOptions> options,
ITokenValidationParametersFactory tokenValidationParametersFactory)
{
if (tokenValidator == null)
{
throw new ArgumentNullException(nameof(tokenValidator), $"{nameof(tokenValidator)} cannot be null.");
}
if (tokenValidationParametersFactory == null)
{
throw new ArgumentNullException(nameof(tokenValidationParametersFactory), $"{nameof(tokenValidationParametersFactory)} cannot be null.");
}
var validationParameters = tokenValidationParametersFactory.Create();
// get DelegationUser added as scoped service
var delegationUser = context.RequestServices.GetService(typeof(IDelegationUser)) as DelegationUser;
bool delegationUserParsed = false;
var token = string.Empty;
try
{
token = GetDelegationJwtToken(context, options.Value.DelegationHeader);
if (!string.IsNullOrWhiteSpace(token))
{
if (tokenValidator.CanReadToken(token))
{
ClaimsPrincipal principal = null;
SecurityToken validatedToken = null;
try
{
principal = tokenValidator.ValidateToken(token, validationParameters, out validatedToken);
_logger.LogInformation($"Jwt delegation token validation succeeded");
}
catch (Exception ex)
{
_logger.LogInformation($"Jwt delegation token validation failed. Exception: {ex.ToString()}");
throw;
}
ClaimsIdentity claimsIdentity = principal.Identities?.FirstOrDefault();
if (claimsIdentity != null && delegationUser.TrySetValues(claimsIdentity, token))
{
delegationUserParsed = true;
}
}
}
}
catch (Exception ex)
{
_logger.LogInformation($"Processing delegation user failed. Exception: {ex.ToString()}");
throw;
}
if (delegationUserParsed)
{
delegationUser.SetValid(true);
_logger.LogInformation($"Request for delegated user: { delegationUser.Sub} ({delegationUser.GivenName} {delegationUser.SurName})");
}
else
{
delegationUser.SetValid(false);
var info = $"No delegated user detected for request { (string.IsNullOrWhiteSpace(token) ? "(no delegation token found)" : $"(delegation token: {token})") }.";
_logger.LogInformation(info);
}
await _next.Invoke(context);
}
private ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ExpectedException expectedException)
{
ClaimsPrincipal princiapl = null;
try
{
SecurityToken validatedToken;
princiapl = tokenValidator.ValidateToken(securityToken, validationParameters, out validatedToken);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
return(princiapl);
}
private ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ExpectedException expectedException)
{
ClaimsPrincipal princiapl = null;
try
{
SecurityToken validatedToken;
princiapl = tokenValidator.ValidateToken(securityToken, validationParameters, out validatedToken);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
return princiapl;
}
public SecurityTokenValidationInputBinding(ISecurityTokenValidator securityTokenValidator)
{
_securityTokenValidator = securityTokenValidator;
}
public static ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ExpectedException expectedException)
{
ClaimsPrincipal retVal = null;
try
{
SecurityToken validatedToken;
retVal = tokenValidator.ValidateToken(securityToken, validationParameters, out validatedToken);
expectedException.ProcessNoException();
}
catch (Exception ex)
{
expectedException.ProcessException(ex);
}
return retVal;
}
public AzureAdTokenValidationService(IHttpContextAccessor httpContextAccessor, ISecurityTokenValidator securityTokenValidator, ILogger <AzureAdTokenValidationService> logger)
{
_httpContextAccessor = httpContextAccessor;
_securityTokenValidator = securityTokenValidator;
_logger = logger;
}
