        /// <summary>
        /// Signs <paramref name="token"/> as a compact JWT using the signing credentials
        /// currently supplied by m_privateKeyProvider.
        /// </summary>
        /// <param name="token">Source of the issuer, audience, validity window and custom claims.</param>
        /// <returns>The serialized, signed JWT.</returns>
        /// <exception cref="ValidationException">
        /// Thrown when a key in <c>token.Claims</c> is already present in the payload (i.e. it collides
        /// with a claim the JwtSecurityToken constructor wrote from issuer/audience/notBefore/expires),
        /// so caller-supplied claims can never overwrite those values.
        /// </exception>
        async Task <string> ITokenSigner.SignAsync(UnsignedToken token)
        {
            // The credential is disposable; keep it alive only while the token is built and written.
            using (D2LSecurityToken signingToken = await m_privateKeyProvider
                                                   .GetSigningCredentialsAsync()
                                                   .SafeAsync()
                   ) {
                // Start from an envelope with no custom claims; they are added one at a time below
                // so that each can be checked for a collision before it is written.
                var jwt = new JwtSecurityToken(
                    issuer: token.Issuer,
                    audience: token.Audience,
                    claims: Enumerable.Empty <Claim>(),
                    notBefore: token.NotBefore,
                    expires: token.ExpiresAt,
                    signingCredentials: signingToken.GetSigningCredentials()
                    );

                foreach (var entry in token.Claims)
                {
                    if (jwt.Payload.ContainsKey(entry.Key))
                    {
                        throw new ValidationException($"'{entry.Key}' is already part of the payload");
                    }

                    jwt.Payload.Add(entry.Key, entry.Value);
                }

                var handler = new JwtSecurityTokenHandler();
                return handler.WriteToken(jwt);
            }
        }
        /// <summary>
        /// Exchanges a claim set for an access token: the claims are wrapped in a short-lived,
        /// signed assertion which is then passed to m_client.ProvisionAccessTokenAsync.
        /// </summary>
        /// <param name="claimSet">Claims to place in the assertion; must contain an issuer claim.</param>
        /// <param name="scopes">Scopes to request; null is treated as no scopes.</param>
        /// <returns>The access token returned by m_client.</returns>
        /// <exception cref="InvalidOperationException">Thrown when <paramref name="claimSet"/> has no issuer claim.</exception>
        async Task <IAccessToken> INonCachingAccessTokenProvider.ProvisionAccessTokenAsync(
            IEnumerable <Claim> claimSet,
            IEnumerable <Scope> scopes
            )
        {
            // Materialize once: the set is both searched for the issuer and handed to the token.
            List <Claim> materializedClaims = claimSet.ToList();

            if (scopes == null)
            {
                scopes = Enumerable.Empty <Scope>();
            }

            string issuer;
            if (!materializedClaims.TryGetClaim(Constants.Claims.ISSUER, out issuer))
            {
                throw new InvalidOperationException("missing issuer claim");
            }

            // A single UtcNow reading anchors both ends of the assertion's validity window.
            DateTime issuedAt = DateTime.UtcNow;
            DateTime validUntil = issuedAt + Constants.ASSERTION_TOKEN_LIFETIME;

            var unsignedToken = new UnsignedToken(
                issuer: issuer,
                audience: Constants.ASSERTION_AUDIENCE,
                claims: materializedClaims,
                notBefore: issuedAt,
                expiresAt: validUntil);

            string assertion = await m_tokenSigner
                               .SignAsync(unsignedToken)
                               .SafeAsync();

            IAccessToken accessToken = await m_client
                                       .ProvisionAccessTokenAsync(assertion, scopes)
                                       .SafeAsync();

            return accessToken;
        }
        /// <summary>
        /// Signing a token whose claims contain nested arrays and objects must produce exactly
        /// the recorded <c>SignedComplexToken</c>; fixed timestamps keep the output comparable.
        /// </summary>
        public async Task SignsUnsignedToken_WithComplexClaims()
        {
            // Nested values are built first so the claim dictionary below reads as a flat list.
            var roles = new string[] {
                "https://service.com/roles#administrator",
                "https://service.com/roles#user"
            };
            var context = new Dictionary <string, object>()
            {
                { "id", "c1d887f0-a1a3-4bca-ae25-c375edcc131a" },
                { "type", new string[] { "https://service.com/types#type" } }
            };
            var claims = new Dictionary <string, object>()
            {
                { "https://service.com/claim/version", "1.0.0" },
                { "https://service.com/claim/roles", roles },
                { "https://service.com/claim/context", context }
            };

            var notBefore = new DateTime(2019, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            var expiresAt = new DateTime(2019, 1, 1, 1, 0, 30, DateTimeKind.Utc);
            var token = new UnsignedToken(
                issuer: "issuer",
                audience: "audience",
                claims: claims,
                notBefore: notBefore,
                expiresAt: expiresAt
                );

            string signed = await m_tokenSigner.SignAsync(token);

            Assert.AreEqual(SignedComplexToken, signed);
        }
        /// <summary>
        /// Signing a token with two simple string claims must produce exactly the recorded
        /// <c>SignedToken</c>; fixed timestamps keep the output comparable.
        /// </summary>
        public async Task SignsUnsignedToken()
        {
            var claims = new Dictionary <string, object>()
            {
                { "scopes", "a:b:c a:b:d" },
                { "tenantid", "325cb46b-488d-4061-aa2c-eef5a12b6b7c" }
            };

            var notBefore = new DateTime(2019, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            var expiresAt = new DateTime(2019, 1, 1, 1, 0, 30, DateTimeKind.Utc);
            var token = new UnsignedToken(
                issuer: "issuer",
                audience: "audience",
                claims: claims,
                notBefore: notBefore,
                expiresAt: expiresAt
                );

            string signed = await m_tokenSigner.SignAsync(token);

            Assert.AreEqual(SignedToken, signed);
        }
		/// <summary>
		/// Signs <paramref name="token"/> as a compact JWT with the signing credentials
		/// currently supplied by m_privateKeyProvider.
		/// </summary>
		/// <param name="token">Source of the issuer, audience, claims and validity window.</param>
		/// <returns>The serialized, signed JWT.</returns>
		async Task<string> ITokenSigner.SignAsync( UnsignedToken token ) {
			// The credential is disposable; scope it to the signing call only.
			using( D2LSecurityToken signingToken = await m_privateKeyProvider
				.GetSigningCredentialsAsync()
				.SafeAsync()
			) {
				var handler = new JwtSecurityTokenHandler();

				// Claims are passed through as-is; nbf/exp come from the token's own window.
				var jwt = new JwtSecurityToken(
					issuer: token.Issuer,
					audience: token.Audience,
					claims: token.Claims,
					notBefore: token.NotBefore,
					expires: token.ExpiresAt,
					signingCredentials: signingToken.GetSigningCredentials()
				);

				return handler.WriteToken( jwt );
			}
		}
        /// <summary>
        /// Exchanges a claim set for an access token: the issuer claim becomes the assertion's
        /// issuer, every other claim becomes a payload entry keyed by its type, and the signed
        /// assertion is passed to m_client.ProvisionAccessTokenAsync.
        /// </summary>
        /// <param name="claimSet">Claims to place in the assertion; must contain an issuer claim.</param>
        /// <param name="scopes">Scopes to request; null is treated as no scopes.</param>
        /// <returns>The access token returned by m_client.</returns>
        /// <exception cref="InvalidOperationException">Thrown when <paramref name="claimSet"/> has no issuer claim.</exception>
        /// <exception cref="ArgumentException">
        /// Thrown when two non-issuer claims share the same type, because the payload is keyed by claim type.
        /// </exception>
        async Task <IAccessToken> INonCachingAccessTokenProvider.ProvisionAccessTokenAsync(
            IEnumerable <Claim> claimSet,
            IEnumerable <Scope> scopes
            )
        {
            // Materialize once: the set is enumerated twice (issuer lookup, payload build).
            List <Claim> materializedClaims = claimSet.ToList();

            if (scopes == null)
            {
                scopes = Enumerable.Empty <Scope>();
            }

            string issuer = materializedClaims
                            .FirstOrDefault(c => c.Type == Constants.Claims.ISSUER)
                            ?.Value;

            if (issuer == null)
            {
                throw new InvalidOperationException("missing issuer claim");
            }

            // The issuer is carried in the token header fields, not duplicated in the payload.
            // Dictionary.Add raises ArgumentException on a repeated claim type.
            var payloadClaims = new Dictionary <string, object>();
            foreach (Claim claim in materializedClaims)
            {
                if (claim.Type == Constants.Claims.ISSUER)
                {
                    continue;
                }

                payloadClaims.Add(claim.Type, (object)claim.Value);
            }

            // A single UtcNow reading anchors both ends of the assertion's validity window.
            DateTime issuedAt = DateTime.UtcNow;

            var unsignedToken = new UnsignedToken(
                issuer: issuer,
                audience: Constants.ASSERTION_AUDIENCE,
                claims: payloadClaims,
                notBefore: issuedAt,
                expiresAt: issuedAt + Constants.ASSERTION_TOKEN_LIFETIME);

            string assertion = await m_tokenSigner
                               .SignAsync(unsignedToken)
                               .ConfigureAwait(false);

            IAccessToken accessToken = await m_client
                                       .ProvisionAccessTokenAsync(assertion, scopes)
                                       .ConfigureAwait(false);

            return accessToken;
        }
        /// <summary>
        /// Signs <paramref name="token"/> as a compact JWT with the signing credentials
        /// currently supplied by m_privateKeyProvider.
        /// </summary>
        /// <param name="token">Source of the issuer, audience, claims and validity window.</param>
        /// <returns>The serialized, signed JWT.</returns>
        async Task <string> ITokenSigner.SignAsync(UnsignedToken token)
        {
            // The credential is disposable; scope it to the signing call only.
            using (D2LSecurityToken signingToken = await m_privateKeyProvider
                                                   .GetSigningCredentialsAsync()
                                                   .SafeAsync()
                   ) {
                var handler = new JwtSecurityTokenHandler();

                // Claims are passed through as-is; nbf/exp come from the token's own window.
                var jwt = new JwtSecurityToken(
                    issuer: token.Issuer,
                    audience: token.Audience,
                    claims: token.Claims,
                    notBefore: token.NotBefore,
                    expires: token.ExpiresAt,
                    signingCredentials: signingToken.GetSigningCredentials()
                    );

                return handler.WriteToken(jwt);
            }
        }
 /// <summary>
 /// Passthrough to the private m_tokenSigner; the name suggests a test-only hook,
 /// so confirm it is not reachable from production call sites.
 /// </summary>
 /// <param name="token">The token to sign.</param>
 /// <returns>The serialized, signed JWT produced by m_tokenSigner.</returns>
 public async Task <string> SignTokenBackdoor(UnsignedToken token)
 {
     string signed = await m_tokenSigner.SignAsync(token).SafeAsync();
     return signed;
 }
 /// <summary>
 /// Passthrough to the private m_tokenSigner; the name suggests a test-only hook,
 /// so confirm it is not reachable from production call sites.
 /// </summary>
 /// <param name="token">The token to sign.</param>
 /// <returns>The serialized, signed JWT produced by m_tokenSigner.</returns>
 public async Task <string> SignTokenBackdoor(UnsignedToken token)
 {
     string signed = await m_tokenSigner.SignAsync(token).ConfigureAwait(false);
     return signed;
 }