/// <summary>
/// Validates a secret
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret.</param>
/// <returns>
/// A validation result
/// </returns>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception>
public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
var success = Task.FromResult(new SecretValidationResult {
Success = true
});
if (parsedSecret.Type != Constants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
var jwtTokenString = parsedSecret.Credential as string;
if (jwtTokenString == null)
{
throw new ArgumentException("ParsedSecret.Credential is not a string.");
}
var enumeratedSecrets = secrets.ToList().AsReadOnly();
var trustedKeys = GetTrustedKeys(enumeratedSecrets, jwtTokenString);
if (!trustedKeys.Any())
{
Logger.Warn("There are no certificates available to validate client assertion.");
return(fail);
}
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = trustedKeys,
ValidateIssuerSigningKey = true,
ValidIssuer = parsedSecret.Id,
ValidateIssuer = true,
ValidAudience = audienceUri,
ValidateAudience = true,
RequireSignedTokens = true,
RequireExpirationTime = true
};
try
{
SecurityToken token;
var handler = new EmbeddedCertificateJwtSecurityTokenHandler();
handler.ValidateToken(jwtTokenString, tokenValidationParameters, out token);
var jwtToken = (JwtSecurityToken)token;
if (jwtToken.Subject != jwtToken.Issuer)
{
Logger.Warn("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
return(fail);
}
return(success);
}
catch (Exception e)
{
Logger.Debug("JWT token validation error: " + e.Message);
return(fail);
}
}
/// <summary>
/// Validates a secret
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret.</param>
/// <returns>
/// A validation result
/// </returns>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception>
public Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult { Success = false });
var success = Task.FromResult(new SecretValidationResult { Success = true });
if (parsedSecret.Type != Constants.ParsedSecretTypes.JwtBearer)
{
return fail;
}
var jwtTokenString = parsedSecret.Credential as string;
if (jwtTokenString == null)
{
throw new ArgumentException("ParsedSecret.Credential is not a string.");
}
var enumeratedSecrets = secrets.ToList().AsReadOnly();
var trustedKeys = GetTrustedKeys(enumeratedSecrets, jwtTokenString);
if (!trustedKeys.Any())
{
Logger.Warn("There are no certificates available to validate client assertion.");
return fail;
}
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = trustedKeys,
ValidateIssuerSigningKey = true,
ValidIssuer = parsedSecret.Id,
ValidateIssuer = true,
ValidAudience = audienceUri,
ValidateAudience = true,
RequireSignedTokens = true,
RequireExpirationTime = true
};
try
{
SecurityToken token;
var handler = new EmbeddedCertificateJwtSecurityTokenHandler();
handler.ValidateToken(jwtTokenString, tokenValidationParameters, out token);
var jwtToken = (JwtSecurityToken)token;
if (jwtToken.Subject != jwtToken.Issuer)
{
Logger.Warn("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
return fail;
}
return success;
}
catch (Exception e)
{
Logger.Debug("JWT token validation error: " + e.Message);
return fail;
}
}
