public TokenDecoded(string token, bool verify)
{
if (verify)
{
var json = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm()) // symmetric
.WithSecret(GlobalVariables.TokenDecodeString)
.MustVerifySignature()
.Decode(token);
TokenDecoded aux = JsonUtility.FromJson <TokenDecoded>(json);
this.userTag = aux.userTag;
this.iat = aux.iat;
this.exp = aux.exp;
}
else
{
var json = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm()) // symmetric
.WithSecret(GlobalVariables.TokenDecodeString)
.Decode(token);
TokenDecoded aux = JsonUtility.FromJson <TokenDecoded>(json);
this.userTag = aux.userTag;
this.iat = aux.iat;
this.exp = aux.exp;
}
}
public static (bool, IDictionary <string, object>) ValidatePublicJWTToken(string jwtToken, IDictionary <string, string> claims)
{
try
{
var validationParameters = ValidationParameters.None;
validationParameters.ValidateExpirationTime = true;
var data = JwtBuilder.Create()
.WithDateTimeProvider(new UtcDateTimeProvider())
.WithValidationParameters(validationParameters)
.WithSerializer(new JsonNetSerializer())
.WithUrlEncoder(new JwtBase64UrlEncoder())
.Decode <IDictionary <string, object> >(jwtToken);
foreach (var claim in claims)
{
var value = data.GetOrDefault(claim.Key, "").ToString();
if (value != claim.Value)
{
return(false, null);
}
}
return(true, data);
}
catch (TokenExpiredException)
{
Logger.Log?.LogError($"Token {jwtToken} is expired");
return(false, null);
}
catch (Exception ex)
{
Logger.Log?.LogError($"Parsing token {jwtToken} error {ex.Message}");
return(false, null);
}
}
private void DecodeToken(string token)
{
try
{
var payload = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm()) // symmetric
.WithSecret(Secret)
.MustVerifySignature()
.Decode <IDictionary <string, object> >(token);
UserId = payload["userId"].ToString();
TokenValidState = TokenValidState.Valid;
}
catch (TokenExpiredException)
{
//表示过期
TokenValidState = TokenValidState.Expired;
}
catch (SignatureVerificationException)
{
//表示验证不通过
TokenValidState = TokenValidState.Invalid;
}
catch (Exception e)
{
TokenValidState = TokenValidState.Error;
}
}
public override ApiHandlerOutput Process(ApiInputHandler input)
{
string bearer = input.Context.Request.Headers["ZestyApiBearer"];
if (String.IsNullOrWhiteSpace(bearer))
{
ThrowApplicationError("Bearer non found");
}
string secret = Business.User.GetSecret(bearer);
string token = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm())
.WithSecret(secret)
.AddClaim("exp", DateTimeOffset.UtcNow.AddHours(12).ToUnixTimeSeconds())
.AddClaim("user", Context.Current.User)
.Encode();
logger.Debug($"token generated: {token}");
Business.User.SaveBearer(Context.Current.User.Id, token);
RefreshResponse response = new RefreshResponse()
{
Bearer = token
};
return(GetOutput());
}
/// <summary>
/// Builds a JSON Web Token value.
/// </summary>
/// <returns></returns>
public static string GetJwtString()
{
string tokenString = null;
using (RockContext rockContext = new RockContext())
{
var settings = GetSettings(rockContext);
if (settings != null)
{
var zoomApiKey = GetSettingValue(settings, "rocks.kfs.ZoomApiKey", true);
var zoomApiSecret = GetSettingValue(settings, "rocks.kfs.ZoomApiSecret", true);
if (!String.IsNullOrWhiteSpace(zoomApiKey) && !String.IsNullOrWhiteSpace(zoomApiKey))
{
tokenString = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm())
.WithSecret(zoomApiSecret)
.AddClaim("aud", null)
.AddClaim("iss", zoomApiKey)
.AddClaim("exp", DateTimeOffset.UtcNow.AddHours(1).Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds) // Replace .Subtract() with .ToUnixTimeSeconds() once assembly is moved to .NET 4.6+
.AddClaim("iat", DateTimeOffset.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds) // Replace .Subtract() with .ToUnixTimeSeconds() once assembly is moved to .NET 4.6+
.Encode();
}
}
}
return(tokenString);
}
/// <summary>
/// This constructor initializes a new RequestValidator instance.
/// </summary>
///
/// <param name="secret">signing key. Can be retrieved from https://dashboard.messagebird.com/developers/settings. This is NOT your API key.</param>
/// <param name="skipURLValidation">whether url_hash claim validation should be skipped. Note that when true, no query parameters should be trusted.</param>
/// <see href="https://developers.messagebird.com/docs/verify-http-requests" />
public RequestValidator(string secret, bool skipURLValidation = false)
{
_jwtBuilder = JwtBuilder.Create()
.WithAlgorithmFactory(new JWT.Algorithms.HMACSHAAlgorithmFactory())
.WithSecret(secret)
.MustVerifySignature();
_skipURLValidation = skipURLValidation;
}
public Jwt()
{
Builder = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm())
.WithSerializer(new JsonNetSerializer())
.WithUrlEncoder(new JwtBase64UrlEncoder())
.WithSecret(Secret);
}
private void LoadUser(HttpContext context)
{
Context.Current.Reset();
Context.Current.User = context.Session.Get <Entities.User>(Keys.SessionUser);
if (Context.Current.User != null)
{
return;
}
string bearer = context.Request.Headers["ZestyApiBearer"];
if (String.IsNullOrWhiteSpace(bearer))
{
return;
}
logger.Info($"Bearer received: {bearer}");
string secret = Business.User.GetSecret(bearer);
if (String.IsNullOrWhiteSpace(secret))
{
throw new SecurityException("Invalid token");
}
var json = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm())
.WithSecret(secret)
.MustVerifySignature()
.Decode(bearer);
logger.Debug($"Json from bearer: {json}");
Bearer b = JsonHelper.Deserialize <Bearer>(json);
if (b == null || b.User == null)
{
return;
}
DateTime expiration = DateTimeHelper.GetFromUnixTimestamp(b.Exp);
if (expiration < DateTime.Now && context.Request.Path != refreshResource)
{
throw new ApiTokenExpiredException("Token expired");
}
if (b.User.DomainId != Guid.Empty)
{
List <Domain> domains = Business.User.GetDomains(b.User.Username);
b.User.Domain = domains.Where(x => x.Id == b.User.DomainId).FirstOrDefault();
}
Context.Current.User = b.User;
}
public void Decode_Should_Return_Token()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because the decoded token contains values and they should have been decoded");
}
public void DecodeHeader_Should_Return_Header()
{
var header = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.DecodeHeader(TestData.TokenByAsymmetricAlgorithm);
header.Should()
.NotBeNullOrEmpty("because decoding header should be possible without validator or algorithm");
}
public void Encode_Without_Dependencies_Should_Throw_Exception()
{
Action action = () =>
JwtBuilder.Create()
.Encode();
action.Should()
.Throw <InvalidOperationException>("because a JWT can't be built without dependencies");
}
public void Decode_Without_Validator_Should_Return_Token()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.WithValidator(null)
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because a JWT should not necessary have validator to be decoded");
}
public void Decode_Without_VerifySignature_Should_Return_Token()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.DoNotVerifySignature()
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because token should have been decoded without errors");
}
public void Decode_Without_Serializer_Should_Throw_Exception()
{
Action action =
() => JwtBuilder.Create()
.WithSerializer(null)
.Decode(TestData.Token);
action.Should()
.Throw <InvalidOperationException>("because token can't be decoded without valid serializer");
}
public void Decode_Without_Token_Should_Throw_Exception()
{
Action action =
() => JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.Decode(null);
action.Should()
.Throw <ArgumentException>("because null is not valid value for token");
}
public void Decode_With_VerifySignature_Should_Return_Token_When_Algorithm_Is_Asymmetric()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.MustVerifySignature()
.Decode(TestData.TokenByAsymmetricAlgorithm);
token.Should()
.NotBeNullOrEmpty("because the signature must have been verified successfully and the JWT correctly decoded");
}
public void NoneAlgorithmFluentApi()
{
String jwtString = JwtBuilder.Create().WithAlgorithm(NoneAlgorithmType.None)
.Encode(Payload);
Payload payload = JwtBuilder.Create().WithAlgorithm(NoneAlgorithmType.None)
.Decode <Payload>(jwtString);
Assert.IsTrue(payload != null && Payload.Username == payload.Username);
}
private async Task <KeycloakUser> GetKeycloakUser(string username, string password, string totp)
{
var httpClient = GetHttpClient();
var keyValues = new List <KeyValuePair <string, string> >();
keyValues.Add(new KeyValuePair <string, string>("username", username));
keyValues.Add(new KeyValuePair <string, string>("password", password));
keyValues.Add(new KeyValuePair <string, string>("grant_type", "password"));
keyValues.Add(new KeyValuePair <string, string>("client_id", Resource));
if (!String.IsNullOrWhiteSpace(ClientSecret))
{
keyValues.Add(new KeyValuePair <string, string>("client_secret", ClientSecret));
}
if (!String.IsNullOrWhiteSpace(totp))
{
keyValues.Add(new KeyValuePair <string, string>("totp", totp));
}
var content = new FormUrlEncodedContent(keyValues);
var response = await httpClient.PostAsync(TokenURI, content).ConfigureAwait(false);
var responseStream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
var parsed = await JsonSerializer.DeserializeAsync <KeycloakTokenResponse>(responseStream).ConfigureAwait(false);
if (parsed == null)
{
return(null);
}
try
{
var jwtToken = JwtBuilder.Create().Decode <IDictionary <string, object> >(parsed.access_token);
List <string> perms = new List <string>();
try
{
var resourceAccess = (JObject)jwtToken["resource_access"];
perms = ((JArray)(((JObject)resourceAccess[Resource])["roles"])).ToObject <List <string> >();
}
catch (Exception ex)
{
_logger.LogError(ex, $"Could not parse permissions for resource {Resource}");
}
return(new KeycloakUser {
Username = username, Permissions = perms
});
}
catch (Exception ex)
{
_logger.LogError(ex, "Error parsing jwt token");
}
return(null);
}
public void Decode_Without_TimeProvider_Should_Throw_Exception()
{
Action action =
() => JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.WithDateTimeProvider(null)
.Decode(TestData.Token);
action.Should()
.Throw <InvalidOperationException>("because token can't be decoded without valid DateTimeProvider");
}
public void Decode_With_VerifySignature_And_Without_AlgorithmFactory_Should_Throw_Exception()
{
Action action =
() => JwtBuilder.Create()
.WithAlgorithmFactory(null)
.MustVerifySignature()
.Decode(TestData.Token);
action.Should()
.Throw <InvalidOperationException>("because token can't be decoded without valid algorithm or algorithm factory");
}
private void CreateToken()
{
var token = JwtBuilder.Create()
.WithAlgorithm(new HMACSHA256Algorithm()) // symmetric
.WithSecret(Secret)
.AddClaim("exp", Expire)
.AddClaim("userId", UserId)
.Encode();
Token = token;
}
public void Decode_Without_VerifySignature_And_Without_Algorithm_Should_Return_Token()
{
var token = JwtBuilder.Create()
.WithAlgorithm(null)
.WithValidator(null)
.DoNotVerifySignature()
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because the decoding process without validating signature must be successful without validator and algorithm");
}
public void Decode_ToObject_With_Multiple_Secrets_Should_Return_Object()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.HMACSHA256Algorithm)
.WithSecret(TestData.Secrets)
.MustVerifySignature()
.Decode <Customer>(TestData.Token);
token.FirstName.Should().Be("Jesus");
token.Age.Should().Be(33);
}
public void Decode_With_VerifySignature_With_Multiple_Secrets_Should_Return_Token()
{
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.HMACSHA256Algorithm)
.WithSecret(TestData.Secrets)
.MustVerifySignature()
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because one of the provided signatures must have been verified successfully and the JWT correctly decoded");
}
public void HS512AlgorithmFluentApi()
{
String jwtString = JwtBuilder.Create().WithAlgorithm(SymmetricAlgorithmType.HS512)
.WithKey(KeySet.Key)
.Encode(Payload);
Payload payload = JwtBuilder.Create().WithAlgorithm(SymmetricAlgorithmType.HS512)
.WithKey(KeySet.Key)
.Decode <Payload>(jwtString);
Assert.IsTrue(payload != null && Payload.Username == payload.Username);
}
public static IDictionary <string, object> DecodeJWTToken(string jwtToken)
{
try
{
return(JwtBuilder.Create()
.Decode <IDictionary <string, object> >(jwtToken));
}
catch (Exception)
{
return(new Dictionary <string, object>());
}
}
public void ES512AlgorithmFluentApi()
{
String jwtString = JwtBuilder.Create().WithAlgorithm(AsymmetricAlgorithmType.ES512)
.WithKey((PemPrivateKey)KeySet.EcdsaPrivateKey)
.Encode(Payload);
Payload payload = JwtBuilder.Create().WithAlgorithm(AsymmetricAlgorithmType.ES512)
.WithKey((PemPublicKey)KeySet.EcdsaPublicKey)
.Decode <Payload>(jwtString);
Assert.IsTrue(payload != null && Payload.Username == payload.Username);
}
public void Decode_With_Serializer_Should_Return_Token()
{
var serializer = new JsonNetSerializer();
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.WithSerializer(serializer)
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because token should be correctly decoded and its data extracted");
}
public void Decode_With_UrlEncoder_Should_Return_Token()
{
var urlEncoder = new JwtBase64UrlEncoder();
var token = JwtBuilder.Create()
.WithAlgorithm(TestData.RS256Algorithm)
.WithUrlEncoder(urlEncoder)
.Decode(TestData.Token);
token.Should()
.NotBeNullOrEmpty("because token should have been correctly decoded with the valid base64 encoder");
}
public void Decode_With_VerifySignature_With_Byte_Multiple_Secrets_Empty_One_Should_Throw_Exception()
{
Action action =
() => JwtBuilder.Create()
.WithAlgorithm(TestData.HMACSHA256Algorithm)
.WithSecret(new byte[0], new byte[1])
.MustVerifySignature()
.Decode(TestData.Token);
action.Should()
.Throw <ArgumentOutOfRangeException>("because secrets can't be empty");
}
