public void ManualWriteNoSig()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.None
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 500000,
Claims = new List<Claim>
{
new Claim(ClaimTypes.Name, "dominick"),
new Claim(ClaimTypes.Email, "*****@*****.**")
}
};
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
Trace.WriteLine(token);
Assert.IsTrue(!string.IsNullOrWhiteSpace(token));
var parts = token.Split('.');
Assert.IsTrue(parts.Length == 2, "JWT should have excactly 2 parts");
}
public override SecurityToken CreateToken(SecurityTokenDescriptor descriptor)
{
var jwt = new JsonWebToken();
if (descriptor.SigningCredentials == null)
{
jwt.Header.SignatureAlgorithm = JwtConstants.SignatureAlgorithms.None;
}
else
{
var algorithm = ParseSigningCredentials(descriptor.SigningCredentials);
jwt.Header.SigningCredentials = descriptor.SigningCredentials;
jwt.Header.SignatureAlgorithm = algorithm;
}
if (!string.IsNullOrWhiteSpace(descriptor.TokenIssuerName))
{
jwt.Issuer = descriptor.TokenIssuerName;
}
if (descriptor.Lifetime != null)
{
jwt.ExpirationTime = descriptor.Lifetime.Expires.Value.ToEpochTime();
}
if (!string.IsNullOrWhiteSpace(descriptor.AppliesToAddress))
{
jwt.Audience = new Uri(descriptor.AppliesToAddress);
}
if (descriptor.Subject != null)
{
foreach (var claim in descriptor.Subject.Claims)
{
jwt.AddClaim(claim.Type, claim.Value);
}
}
return jwt;
}
private static string CreateJsonWebToken()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256,
SigningCredentials = new HmacSigningCredentials(Constants.IdSrvSymmetricSigningKey)
},
Issuer = "http://selfissued.test",
Audience = new Uri(Constants.Realm),
Claims = new List<Sys.Claim>
{
new Sys.Claim(Sys.ClaimTypes.Name, "bob"),
new Sys.Claim(Sys.ClaimTypes.Email, "*****@*****.**")
}
};
var handler = new JsonWebTokenHandler();
return handler.WriteToken(jwt);
}
public void ManualWriteHmacSha256MissingSigningCredentials()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 500000,
Claims = new List<Claim>
{
new Claim(ClaimTypes.Name, "dominick"),
new Claim(ClaimTypes.Email, "*****@*****.**")
}
};
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
}
public void ManualWriteUnsupportedSignatureAlgorithm()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = "unsupported",
SigningCredentials = new HmacSigningCredentials(SymmetricKeyGenerator.Create(48))
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 500000,
Claims = new List<Claim>
{
new Claim(ClaimTypes.Name, "dominick"),
new Claim(ClaimTypes.Email, "*****@*****.**")
}
};
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
}
public void ManualWriteRoundtripDuplicateClaimTypes()
{
var signinKey = SymmetricKeyGenerator.Create(32);
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256,
SigningCredentials = new HmacSigningCredentials(signinKey)
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 50000000000,
};
jwt.AddClaim(ClaimTypes.Name, "dominick");
jwt.AddClaim(ClaimTypes.Email, "*****@*****.**");
jwt.AddClaim(ClaimTypes.Role, "bar");
jwt.AddClaim(ClaimTypes.Role, "foo");
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
Trace.WriteLine(token);
// token should not be empty
Assert.IsTrue(!string.IsNullOrWhiteSpace(token));
// token with signature needs to be 3 parts
var parts = token.Split('.');
Assert.IsTrue(parts.Length == 3, "JWT should have excactly 3 parts");
// signature must be 256 bits
var sig = Base64Url.Decode(parts[2]);
Assert.IsTrue(sig.Length == 32, "Signature is not 32 bits");
var jwtToken = handler.ReadToken(token);
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer("dominick", "dominick");
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey("dominick", Convert.ToBase64String(signinKey));
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://foo.com"));
handler.Configuration = config;
var identity = handler.ValidateToken(jwtToken).First();
Assert.IsTrue(identity.Claims.Count() == 4);
Assert.IsTrue(identity.Claims.First().Issuer == "dominick");
}
public void ManualWriteHmacSha256KeySizeMismatch()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256,
SigningCredentials = new HmacSigningCredentials(SymmetricKeyGenerator.Create(48))
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 500000,
Claims = new Dictionary<string, string>
{
{ ClaimTypes.Name, "dominick" },
{ ClaimTypes.Email, "*****@*****.**" }
}
};
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
}
protected virtual void VerifySignature(JsonWebToken jwt, SecurityKey signingKey)
{
var key = signingKey as InMemorySymmetricSecurityKey;
if (key == null)
{
throw new SecurityTokenValidationException("Unsupported signing key.");
}
string verifySignature;
using (var algorithm = key.GetKeyedHashAlgorithm(ValidateHmacAlgorithm(key.KeySize, jwt.Header.SignatureAlgorithm)))
{
verifySignature = Base64Url.Encode(algorithm.ComputeHash(Encoding.UTF8.GetBytes(jwt.UnsignedToken)));
}
if (!(ObfuscatingComparer.IsEqual(verifySignature, jwt.Signature)))
{
throw new SecurityTokenValidationException("Invalid signature.");
}
}
protected virtual string CreateHeader(JsonWebToken jwt)
{
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);
using (JsonWriter jsonWriter = new JsonTextWriter(sw))
{
jsonWriter.WriteStartObject();
jsonWriter.WritePropertyName(JwtConstants.Header.Type);
jsonWriter.WriteValue(jwt.Header.Type);
jsonWriter.WritePropertyName(JwtConstants.Header.Algorithm);
jsonWriter.WriteValue(jwt.Header.SignatureAlgorithm);
jsonWriter.WriteEndObject();
}
var json = sb.ToString();
Debug.WriteLine(json);
return Base64Url.Encode(Encoding.UTF8.GetBytes(json));
}
protected virtual void ReadHeader(string header, JsonWebToken jwt)
{
var json = JObject.Load(new JsonTextReader(new StringReader(header)));
var typ = json[JwtConstants.Header.Type];
if (typ != null && !string.IsNullOrWhiteSpace(typ.ToString()))
{
jwt.Header.Type = typ.ToString();
}
var alg = json[JwtConstants.Header.Algorithm];
if (alg == null || string.IsNullOrEmpty(alg.ToString()))
{
throw new SecurityTokenException("Algorithm header is missing.");
}
jwt.Header.SignatureAlgorithm = alg.ToString();
}
protected virtual void ReadClaims(string claims, JsonWebToken jwt)
{
var json = JObject.Load(new JsonTextReader(new StringReader(claims)));
foreach (var item in json)
{
switch (item.Key)
{
case JwtConstants.Claims.Audience:
jwt.Audience = new Uri(item.Value.ToString());
break;
case JwtConstants.Claims.ExpirationTime:
jwt.ExpirationTime = long.Parse(item.Value.ToString());
break;
case JwtConstants.Claims.IssuedAt:
jwt.IssuedAt = long.Parse(item.Value.ToString());
break;
case JwtConstants.Claims.Issuer:
jwt.Issuer = item.Value.ToString();
break;
case JwtConstants.Claims.NotBefore:
jwt.NotBefore = long.Parse(item.Value.ToString());
break;
case JwtConstants.Claims.Principal:
jwt.Principal = item.Value.ToString();
break;
default:
jwt.Claims.Add(item.Key, item.Value.ToString());
break;
}
}
}
public override SecurityToken ReadToken(string tokenString)
{
if (string.IsNullOrWhiteSpace(tokenString))
{
throw new ArgumentNullException("tokenString");
}
var jwt = new JsonWebToken();
var parts = tokenString.Split('.');
if (parts.Length < 2)
{
throw new SecurityTokenException("Malformed token");
}
var encodedHeader = parts[0];
var encodedClaims = parts[1];
ReadHeader(Encoding.UTF8.GetString(Base64Url.Decode(encodedHeader)), jwt);
string signature = string.Empty;
if (jwt.Header.SignatureAlgorithm != JwtConstants.SignatureAlgorithms.None)
{
if (parts.Length != 3)
{
throw new SecurityTokenException("Signature is missing");
}
signature = parts[2];
}
jwt.UnsignedToken = string.Format("{0}.{1}", encodedHeader, encodedClaims);
jwt.Signature = signature;
ReadClaims(Encoding.UTF8.GetString(Base64Url.Decode(encodedClaims)), jwt);
return jwt;
}
protected virtual void AddUserClaims(JsonWebToken jwt, JsonTextWriter writer)
{
foreach (var claim in jwt.Claims)
{
writer.WritePropertyName(claim.Key);
writer.WriteValue(claim.Value);
}
}
protected virtual void AddReservedClaims(JsonWebToken jwt, JsonTextWriter writer)
{
// exp
if (jwt.ExpirationTime.HasValue)
{
writer.WritePropertyName(JwtConstants.Claims.ExpirationTime);
writer.WriteValue(jwt.ExpirationTime.Value);
}
// nbf
if (jwt.NotBefore.HasValue)
{
writer.WritePropertyName(JwtConstants.Claims.NotBefore);
writer.WriteValue(jwt.NotBefore.Value);
}
// iat
if (jwt.IssuedAt.HasValue)
{
writer.WritePropertyName(JwtConstants.Claims.IssuedAt);
writer.WriteValue(jwt.IssuedAt.Value);
}
// iss
if (!string.IsNullOrWhiteSpace(jwt.Issuer))
{
writer.WritePropertyName(JwtConstants.Claims.Issuer);
writer.WriteValue(jwt.Issuer);
}
// aud
if (jwt.Audience != null)
{
writer.WritePropertyName(JwtConstants.Claims.Audience);
writer.WriteValue(jwt.Audience.AbsoluteUri);
}
// prn
if (!string.IsNullOrWhiteSpace(jwt.Principal))
{
writer.WritePropertyName(JwtConstants.Claims.Principal);
writer.WriteValue(jwt.Principal);
}
// jti
if (!string.IsNullOrWhiteSpace(jwt.JwtId))
{
writer.WritePropertyName(JwtConstants.Claims.Id);
writer.WriteValue(jwt.JwtId);
}
}
protected virtual string CreateClaimSet(JsonWebToken jwt)
{
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);
using (var jsonWriter = new JsonTextWriter(sw))
{
jsonWriter.WriteStartObject();
AddReservedClaims(jwt, jsonWriter);
AddUserClaims(jwt, jsonWriter);
jsonWriter.WriteEndObject();
}
var json = sb.ToString();
Debug.WriteLine(json);
return Base64Url.Encode(Encoding.UTF8.GetBytes(json));
}
protected virtual ClaimsIdentity CreateClaimsIdentity(JsonWebToken jwt)
{
var claims = new List<Claim>();
foreach (var item in jwt.Claims)
{
if (item.Value.Contains(','))
{
var items = item.Value.Split(',');
foreach (var part in items)
{
claims.Add(new Claim(item.Key, part, ClaimValueTypes.String, jwt.Issuer));
}
}
else
{
claims.Add(new Claim(item.Key, item.Value, ClaimValueTypes.String, jwt.Issuer));
}
}
//var claims = new List<Claim>(
// from c in jwt.Claims
// select new Claim(c.Type, c.Value, c.ValueType, jwt.Issuer));
if (!string.IsNullOrWhiteSpace(jwt.Principal))
{
claims.Add(new Claim("prn", jwt.Principal, ClaimValueTypes.String, jwt.Issuer));
}
if (jwt.IssuedAt.HasValue)
{
claims.Add(new Claim("iat", jwt.IssuedAt.Value.ToString(), ClaimValueTypes.String, jwt.Issuer));
}
return new ClaimsIdentity(claims, "JWT");
}
public void ManualWriteHmacSha256ValidSigningCredentials()
{
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256,
SigningCredentials = new HmacSigningCredentials(SymmetricKeyGenerator.Create(32))
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 500000,
Claims = new List<Claim>
{
new Claim(ClaimTypes.Name, "dominick"),
new Claim(ClaimTypes.Email, "*****@*****.**")
}
};
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
Trace.WriteLine(token);
// token should not be empty
Assert.IsTrue(!string.IsNullOrWhiteSpace(token));
// token with signature needs to be 3 parts
var parts = token.Split('.');
Assert.IsTrue(parts.Length == 3, "JWT should have excactly 3 parts");
// signature must be 256 bits
var sig = Base64Url.Decode(parts[2]);
Assert.IsTrue(sig.Length == 32, "Signature is not 32 bits");
}
protected virtual ClaimsIdentity CreateClaimsIdentity(JsonWebToken jwt)
{
var claims = new List<Claim>(
from c in jwt.Claims
select new Claim(c.ClaimType, c.Value, c.ValueType, jwt.Issuer));
if (!string.IsNullOrWhiteSpace(jwt.Principal))
{
claims.Add(new Claim("prn", jwt.Principal, ClaimValueTypes.String, jwt.Issuer));
}
if (jwt.IssuedAt.HasValue)
{
claims.Add(new Claim("iat", jwt.IssuedAt.Value.ToString(), ClaimValueTypes.String, jwt.Issuer));
}
return new ClaimsIdentity(claims, "JWT");
}
