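/// <summary>
/// Subscribing the diagnostics wrapper and raising the default <c>TokenValidated</c> event
/// must complete without throwing.
/// </summary>
/// <remarks>
/// Returns <see cref="Task"/> instead of <c>void</c>: an <c>async void</c> test lets an exception
/// thrown after the first await escape to the synchronization context rather than fail the test,
/// so a regression in <c>TokenValidated</c> would go unnoticed.
/// </remarks>
public async Task Subscribe_OnTokenValidatedDefault_CompletesSuccessfully()
        {
            // Wrap the fixture's events with the diagnostics subscriber under test.
            _jwtEvents = _jwtDiagnostics.Subscribe(_jwtEvents);

            // Raise the default TokenValidated event through the wrapped events.
            await _jwtEvents.TokenValidated(new TokenValidatedContext(_httpContext, _authScheme, _jwtOptions)).ConfigureAwait(false);

            // NOTE(review): AssertSuccess is a fixture helper defined elsewhere; the meaning of its bool argument is not visible here — confirm.
            AssertSuccess(false);
        }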
        /// <summary>
        /// Builds the <see cref="JwtBearerEvents"/> used by this configuration: every callback
        /// forwards to a plain default <see cref="JwtBearerEvents"/> instance, except that the
        /// bearer token is first resolved from the request through <c>InternalTokenRetriever</c>.
        /// </summary>
        /// <returns>A new events instance wired to the default handlers.</returns>
        internal JwtBearerEvents JwtEvent()
        {
            // The default handlers that every callback below delegates to.
            var defaults = new JwtBearerEvents();

            var events = new JwtBearerEvents
            {
                OnTokenValidated       = ctx => defaults.TokenValidated(ctx),
                OnAuthenticationFailed = ctx => defaults.AuthenticationFailed(ctx),
                OnChallenge            = ctx => defaults.Challenge(ctx)
            };

            // Resolve the token from the request before the default MessageReceived handler runs.
            events.OnMessageReceived = ctx =>
            {
                ctx.Token = InternalTokenRetriever(ctx.Request);
                return defaults.MessageReceived(ctx);
            };

            return events;
        }
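        /// <summary>
        /// Applies this configuration to the supplied <see cref="JwtBearerOptions"/>: authority and
        /// back-channel settings, event hooks, optional discovery-document refresh, audience handling,
        /// claim-type names, clock skew and the inbound claim-type map.
        /// </summary>
        /// <param name="jwtOptions">The options instance to populate; must not be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="jwtOptions"/> is null.</exception>
        internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
        {
            if (jwtOptions is null)
            {
                throw new ArgumentNullException(nameof(jwtOptions));
            }

            jwtOptions.Authority                  = Authority;
            jwtOptions.RequireHttpsMetadata       = RequireHttpsMetadata;
            jwtOptions.BackchannelTimeout         = BackChannelTimeouts;
            jwtOptions.RefreshOnIssuerKeyNotFound = true; // re-fetch signing keys when a token carries an unknown key id
            jwtOptions.SaveToken                  = SaveToken;

            jwtOptions.Events = new JwtBearerEvents
            {
                // Resolve the token from the request before the default handler runs.
                OnMessageReceived = e =>
                {
                    e.Token = InternalTokenRetriever(e.Request);
                    return JwtBearerEvents.MessageReceived(e);
                },

                OnTokenValidated       = e => JwtBearerEvents.TokenValidated(e),
                OnAuthenticationFailed = e => JwtBearerEvents.AuthenticationFailed(e),
                OnChallenge            = e => JwtBearerEvents.Challenge(e)
            };

            // A custom configuration manager is only needed when the caller asked for periodic
            // discovery-document refresh; otherwise the handler's default manager is used.
            if (DiscoveryDocumentRefreshInterval.HasValue)
            {
                var parsedUrl = DiscoveryEndpoint.ParseUrl(Authority);

                var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
                {
                    Timeout = BackChannelTimeouts,
                    MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB cap on the discovery response
                };

                // RequireHttps mirrors RequireHttpsMetadata so the metadata retriever enforces the same
                // transport policy as the bearer handler itself.
                var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
                    parsedUrl.Url,
                    new OpenIdConnectConfigurationRetriever(),
                    new HttpDocumentRetriever(httpClient)
                    {
                        RequireHttps = RequireHttpsMetadata
                    })
                {
                    AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
                };

                jwtOptions.ConfigurationManager = manager;
            }

            if (JwtBackChannelHandler != null)
            {
                jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
            }

            // If an API name is set, do a strict audience check for that name.
            if (!string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation)
            {
                jwtOptions.Audience = ApiName;
            }
            else
            {
                // No audience validation; callers must rely on scope checks only.
                jwtOptions.TokenValidationParameters.ValidateAudience = false;
            }

            jwtOptions.TokenValidationParameters.NameClaimType = NameClaimType;
            jwtOptions.TokenValidationParameters.RoleClaimType = RoleClaimType;

            if (JwtValidationClockSkew.HasValue)
            {
                jwtOptions.TokenValidationParameters.ClockSkew = JwtValidationClockSkew.Value;
            }

            // A custom inbound claim map replaces the handler's default validator entirely.
            if (InboundJwtClaimTypeMap != null)
            {
                var handler = new JwtSecurityTokenHandler
                {
                    InboundClaimTypeMap = InboundJwtClaimTypeMap
                };

                jwtOptions.SecurityTokenValidators.Clear();
                jwtOptions.SecurityTokenValidators.Add(handler);
            }
        }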
        /// <summary>
        /// Adds JWT bearer handling to the pipeline: a token is pulled from the request, validated
        /// through <paramref name="events"/>, and the resulting principal is assigned to
        /// <c>context.User</c> when it is authenticated. A request with no token, or whose token
        /// fails validation, continues to the next middleware unauthenticated; no challenge is
        /// issued here, so authorization must be enforced downstream.
        /// </summary>
        /// <param name="app">The application builder.</param>
        /// <param name="events">Callbacks that retrieve, validate and map the token. Must not be null.</param>
        /// <returns>The same <paramref name="app"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="events"/> is null.</exception>
        public static IApplicationBuilder UseJwtBearer(this IApplicationBuilder app, JwtBearerEvents events)
        {
            if (events is null)
            {
                throw new ArgumentNullException(nameof(events));
            }

            // NOTE(review): the three event calls below are not awaited, so they are assumed to be
            // synchronous in this framework's JwtBearerEvents — confirm against its definition.
            return(app.Use(next =>
            {
                return context =>
                {
                    // Step 1: let the caller's handler locate the token on the request.
                    var receivedContext = new MessageReceivedContext(context);

                    events.MessageReceived(receivedContext);

                    // No token: pass through without touching context.User.
                    if (string.IsNullOrEmpty(receivedContext.Token))
                    {
#if NET40
                        // NET40 pipeline delegates return void; the others return a Task.
                        next.Invoke(context);
                        return;
#else
                        return next.Invoke(context);
#endif
                    }

                    // Step 2: validate the token; an empty UserData is treated as a failed validation.
                    var tokenValidateContext = new TokenValidateContext(receivedContext);

                    events.TokenValidate(tokenValidateContext);

                    if (tokenValidateContext.UserData is null || tokenValidateContext.UserData.Count == 0)
                    {
#if NET40
                        next.Invoke(context);
                        return;
#else
                        return next.Invoke(context);
#endif
                    }

                    // Step 3: map the validated data to a principal.
                    var tokenValidatedContext = new TokenValidatedContext(tokenValidateContext);

                    events.TokenValidated(tokenValidatedContext);

                    // Only an authenticated identity is assigned; anything else leaves context.User as is.
                    if (tokenValidatedContext.User?.Identity?.IsAuthenticated ?? false)
                    {
                        context.User = tokenValidatedContext.User;
#if NET40
                        // Older hosts read the principal from the thread rather than the context.
                        Thread.CurrentPrincipal = tokenValidatedContext.User;
#endif
                    }

#if NET40
                    next.Invoke(context);

                    return;
#else
                    return next.Invoke(context);
#endif
                };
            }));
        }
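        /// <summary>
        /// Applies this configuration to the supplied <see cref="JwtBearerOptions"/>: authority and
        /// back-channel settings, event hooks, optional discovery-document refresh, audience and
        /// issuer validation, the token-decryption key, clock skew and the inbound claim-type map.
        /// </summary>
        /// <param name="jwtOptions">The options instance to populate; must not be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="jwtOptions"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// <c>CertificateThumbprint</c> is set but no valid certificate with that thumbprint is found in
        /// the LocalMachine/My store.
        /// </exception>
        internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
        {
            if (jwtOptions is null)
            {
                throw new ArgumentNullException(nameof(jwtOptions));
            }

            jwtOptions.Authority                  = Authority;
            jwtOptions.RequireHttpsMetadata       = RequireHttpsMetadata;
            jwtOptions.BackchannelTimeout         = BackChannelTimeouts;
            jwtOptions.RefreshOnIssuerKeyNotFound = true; // re-fetch signing keys when a token carries an unknown key id
            jwtOptions.SaveToken                  = SaveToken;

            jwtOptions.Events = new JwtBearerEvents
            {
                // Resolve the token from the request before the default handler runs.
                OnMessageReceived = e =>
                {
                    e.Token = InternalTokenRetriever(e.Request);
                    return JwtBearerEvents.MessageReceived(e);
                },

                OnTokenValidated       = e => JwtBearerEvents.TokenValidated(e),
                OnAuthenticationFailed = e => JwtBearerEvents.AuthenticationFailed(e),
                OnChallenge            = e => JwtBearerEvents.Challenge(e)
            };

            // A custom configuration manager is only needed when periodic discovery refresh was requested.
            if (DiscoveryDocumentRefreshInterval.HasValue)
            {
                jwtOptions.ConfigurationManager = CreateConfigurationManager();
            }

            if (JwtBackChannelHandler != null)
            {
                jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
            }

            // If an API name is set, do a strict audience check for that name.
            if (!string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation)
            {
                jwtOptions.Audience = ApiName;
            }
            else
            {
                // No audience validation; callers must rely on scope checks only.
                jwtOptions.TokenValidationParameters.ValidateAudience = false;
            }

            jwtOptions.TokenValidationParameters.NameClaimType = NameClaimType;
            jwtOptions.TokenValidationParameters.RoleClaimType = RoleClaimType;

            // An explicit key wins; otherwise fall back to a machine-store certificate looked up by thumbprint.
            if (TokenDecryptionKey != null)
            {
                jwtOptions.TokenValidationParameters.TokenDecryptionKey = TokenDecryptionKey;
            }
            else if (!string.IsNullOrWhiteSpace(CertificateThumbprint))
            {
                jwtOptions.TokenValidationParameters.TokenDecryptionKey = new X509SecurityKey(LoadDecryptionCertificate());
            }

            // Both are pass-through switches; a false value here weakens validation, so it is the
            // caller's explicit choice rather than a default of this method.
            jwtOptions.TokenValidationParameters.RequireSignedTokens = RequireSignedTokens;
            jwtOptions.TokenValidationParameters.ValidateIssuer      = ValidateIssuer;

            if (JwtValidationClockSkew.HasValue)
            {
                jwtOptions.TokenValidationParameters.ClockSkew = JwtValidationClockSkew.Value;
            }

            // A custom inbound claim map replaces the handler's default validator entirely.
            if (InboundJwtClaimTypeMap != null)
            {
                var handler = new JwtSecurityTokenHandler
                {
                    InboundClaimTypeMap = InboundJwtClaimTypeMap
                };

                jwtOptions.SecurityTokenValidators.Clear();
                jwtOptions.SecurityTokenValidators.Add(handler);
            }
        }

        /// <summary>
        /// Builds the discovery-document manager used when <c>DiscoveryDocumentRefreshInterval</c> is set.
        /// The retriever's <c>RequireHttps</c> mirrors <c>RequireHttpsMetadata</c> so metadata fetches follow
        /// the same transport policy as the bearer handler.
        /// </summary>
        private ConfigurationManager<OpenIdConnectConfiguration> CreateConfigurationManager()
        {
            var parsedUrl = DiscoveryClient.ParseUrl(Authority);

            var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
            {
                Timeout = BackChannelTimeouts,
                MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB cap on the discovery response
            };

            return new ConfigurationManager<OpenIdConnectConfiguration>(
                parsedUrl.Url,
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever(httpClient)
                {
                    RequireHttps = RequireHttpsMetadata
                })
            {
                AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
            };
        }

        /// <summary>
        /// Looks up the token-decryption certificate by <c>CertificateThumbprint</c> in the
        /// LocalMachine/My store. The store is disposed after the lookup; <c>validOnly: true</c>
        /// excludes expired or untrusted certificates from the match.
        /// </summary>
        /// <returns>The first matching certificate.</returns>
        /// <exception cref="InvalidOperationException">No valid certificate with that thumbprint exists.</exception>
        private X509Certificate2 LoadDecryptionCertificate()
        {
            using (var certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                certStore.Open(OpenFlags.ReadOnly);

                var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, CertificateThumbprint, true);
                if (certCollection.Count == 0)
                {
                    throw new InvalidOperationException("CertificateNotFound");
                }

                return certCollection[0];
            }
        }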