public async Task <AuthenticationResult> AuthenticateClientWithPrivateKeyJwtAsync(AuthenticateInstruction instruction, string expectedIssuer) { if (instruction == null) { throw new ArgumentNullException("instruction"); } var clientAssertion = instruction.ClientAssertion; var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (!isJwsToken) { return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken)); } var jws = instruction.ClientAssertion; var jwsPayload = _jwsParser.GetPayload(jws); if (jwsPayload == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted)); } var clientId = jwsPayload.Issuer; var payload = await _jwtParser.UnSignAsync(jws, clientId); if (payload == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheSignatureIsNotCorrect)); } return(await ValidateJwsPayLoad(payload, expectedIssuer)); }
public async Task RevokeSessionCallback() { var authenticatedUser = await _authenticationService.GetAuthenticatedUser(this, Constants.CookieNames.CookieName); if (authenticatedUser == null || !authenticatedUser.Identity.IsAuthenticated) { await this.DisplayInternalHtml("SimpleIdentityServer.Host.Views.UserNotConnected.html"); return; } var query = Request.Query; var serializer = new ParamSerializer(); RevokeSessionRequest request = null; if (query != null) { request = serializer.Deserialize <RevokeSessionRequest>(query); } Response.Cookies.Delete(Core.Constants.SESSION_ID); await _authenticationService.SignOutAsync(HttpContext, Constants.CookieNames.CookieName, new Microsoft.AspNetCore.Authentication.AuthenticationProperties()); if (request != null && !string.IsNullOrWhiteSpace(request.PostLogoutRedirectUri) && !string.IsNullOrWhiteSpace(request.IdTokenHint)) { var jws = await _jwtParser.UnSignAsync(request.IdTokenHint); if (jws != null) { var claim = jws.FirstOrDefault(c => c.Key == StandardClaimNames.Azp); if (!claim.Equals(default(KeyValuePair <string, object>)) && claim.Value != null) { var client = await _clientRepository.GetClientByIdAsync(claim.Value.ToString()); if (client != null) { if (client.PostLogoutRedirectUris != null && client.PostLogoutRedirectUris.Contains(request.PostLogoutRedirectUri)) { var redirectUrl = request.PostLogoutRedirectUri; if (!string.IsNullOrWhiteSpace(request.State)) { redirectUrl = $"{redirectUrl}?state={request.State}"; } Response.Redirect(redirectUrl); return; } } } } } await this.DisplayInternalHtml("SimpleIdentityServer.Host.Views.RevokeSessionCallback.html"); }
private async Task <AuthorizationRequest> GetAuthorizationRequestFromJwt(string token, string clientId) { var jwsToken = token; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token, clientId); } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken, clientId); return(jwsPayload == null ? null : jwsPayload.ToAuthorizationRequest()); }
public async Task <JwsPayload> GetPayload(Client client, string jwsToken) { if (client == null) { throw new ArgumentNullException(nameof(client)); } if (string.IsNullOrWhiteSpace(jwsToken)) { throw new ArgumentNullException(nameof(jwsToken)); } var signedResponseAlg = client.GetIdTokenSignedResponseAlg(); var encryptResponseAlg = client.GetIdTokenEncryptedResponseAlg(); if (encryptResponseAlg != null) // Decrypt the token. { jwsToken = await _jwtParser.DecryptAsync(jwsToken, client.ClientId); } return(await _jwtParser.UnSignAsync(jwsToken, client.ClientId)); }
public async Task When_Passing_Null_To_Unsign_Without_ClientId_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); // ACT & ASSERT await Assert.ThrowsAsync <ArgumentNullException>(() => _jwtParser.UnSignAsync(string.Empty)); }
private async Task ProcessIdTokenHint( ActionResult actionResult, AuthorizationParameter authorizationParameter, ICollection <PromptParameter> prompts, ClaimsPrincipal claimsPrincipal, string issuerName) { if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) && prompts.Contains(PromptParameter.none) && actionResult.Type == TypeActionResult.RedirectToCallBackUrl) { var token = authorizationParameter.IdTokenHint; if (!_jwtParser.IsJweToken(token) && !_jwtParser.IsJwsToken(token)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken, authorizationParameter.State); } string jwsToken; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token); if (string.IsNullOrWhiteSpace(jwsToken)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted, authorizationParameter.State); } } else { jwsToken = token; } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken); if (jwsPayload == null) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked, authorizationParameter.State); } if (jwsPayload.Audiences == null || !jwsPayload.Audiences.Any() || !jwsPayload.Audiences.Contains(issuerName)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience, authorizationParameter.State); } var currentSubject = string.Empty; var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated()) { currentSubject = claimsPrincipal.GetSubject(); } if (currentSubject != expectedSubject) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken, authorizationParameter.State); } } }