public void CreateTokenAndParseEncodedMultipleClaims()
{
var handler = new SimpleWebTokenHandler();
string key;
var token = this.GetToken(out key);
var tokenString = TokenToString(token);
var signedToken = handler.ReadToken(new XmlTextReader(new StringReader(tokenString)));
handler.Configuration = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
//I think there is currently a bug in this issuer as this really doesn't make sense to me
registry.AddTrustedIssuer("http://www.thinktecture.com", "TestIssuerName");
handler.Configuration.IssuerNameRegistry = registry;
handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://www.thinktecture.com/"));
var tokenResolver = new WebTokenIssuerTokenResolver();
tokenResolver.AddSigningKey("http://www.thinktecture.com", key);
handler.Configuration.IssuerTokenResolver = tokenResolver;
var claims = handler.ValidateToken(signedToken);
Assert.IsTrue(claims[0].Claims.Count == 3);
Assert.IsTrue(claims[0].Claims[0].Value == this.Claims()[0].Value);
Assert.IsTrue(claims[0].Claims[1].Value == this.Claims()[1].Value);
Assert.IsTrue(claims[0].Claims[2].Value == this.Claims()[2].Value);
}
private static void ValidateSwtToken(string tokenString)
{
var configuration = new SecurityTokenHandlerConfiguration();
var validationKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingKey));
// audience validation
configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(realm));
// signature & issuer validation
var resolverTable = new Dictionary <string, IList <SecurityKey> >
{
{ issuerUri, new SecurityKey[] { validationKey } }
};
configuration.IssuerTokenResolver = new NamedKeyIssuerTokenResolver(resolverTable);
var handler = new SimpleWebTokenHandler();
handler.Configuration = configuration;
var token = handler.ReadToken(tokenString);
var ids = handler.ValidateToken(token);
"\n\nValidated Claims:".ConsoleYellow();
foreach (var claim in ids.First().Claims)
{
Console.WriteLine("{0}\n {1}\n", claim.Type, claim.Value);
}
}
public void AddSimpleWebToken(string issuer, string audience, string signingKey, AuthenticationOptions options)
{
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer(issuer, issuer);
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey(issuer, signingKey);
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var handler = new SimpleWebTokenHandler();
handler.Configuration = config;
AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection {
handler
},
Options = options
});
}
public void CreateTokenAndParseEncodedMultipleClaims()
{
var handler = new SimpleWebTokenHandler();
byte[] key = GetKey();
var token = this.CreateToken(key);
var tokenString = TokenToString(token);
var signedToken = handler.ReadToken(new XmlTextReader(new StringReader(tokenString)));
handler.Configuration = new SecurityTokenHandlerConfiguration();
var symmetricKey = new InMemorySymmetricSecurityKey(key);
handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(
new Uri("http://audience"));
var resolverTable = new Dictionary <string, IList <SecurityKey> >
{
{ "http://issuer", new SecurityKey[] { symmetricKey } }
};
handler.Configuration.IssuerTokenResolver = new NamedKeyIssuerTokenResolver(resolverTable);
var ids = handler.ValidateToken(signedToken);
var id = ids.FirstOrDefault();
Assert.IsNotNull(id);
var testClaims = GetClaims();
Assert.IsTrue(id.Claims.Count() == 3);
Assert.IsTrue(id.HasClaim(testClaims[0].Type, testClaims[0].Value));
Assert.IsTrue(id.HasClaim(testClaims[1].Type, testClaims[1].Value));
Assert.IsTrue(id.HasClaim(testClaims[2].Type, testClaims[2].Value));
}
/// <summary>
/// This method parses the incoming token and validates it.
/// </summary>
/// <param name="accessToken">The incoming access token.</param>
/// <param name="error">This out paramter is set if any error occurs.</param>
/// <returns>True on success, False on error.</returns>
protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error)
{
bool tokenValid = false;
error = null;
SecurityToken token = null;
ClaimsIdentityCollection claimsIdentityCollection = null;
try
{
var handler = new SimpleWebTokenHandler(_issuer, _tokenSigningKey);
// read the token
token = handler.ReadToken(accessToken);
// validate the token
claimsIdentityCollection = handler.ValidateToken(token, _realm);
// create a claims Principal from the token
var claimsPrincipal = ClaimsPrincipal.CreateFromIdentities(claimsIdentityCollection);
if (claimsPrincipal != null)
{
tokenValid = true;
// push it through the pipeline
foreach (var step in authenticationPipeline)
{
claimsPrincipal = step.Authenticate(token, claimsPrincipal);
}
// assign to threads
if (HttpContext.Current != null)
{
HttpContext.Current.User = claimsPrincipal;
}
Thread.CurrentPrincipal = claimsPrincipal;
}
}
catch (InvalidTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (ExpiredTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (Exception)
{
error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed");
}
return(tokenValid);
}
public void GetTokenClaimsAsEncodedArrayString()
{
string key;
var token = this.GetToken(out key);
var builder = new StringBuilder();
SimpleWebTokenHandler.CreateClaims(token, builder);
var builderOutput = builder.ToString();
Assert.AreEqual(builderOutput, "http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fclaims%2frole=Administrator%2cDomain%2bAdministrator%2cSome%252cNotVeryNice%252cEncodedClaim&");
}
private SimpleWebToken ResponseToSimpleWebToken(string response)
{
var tokenString =
Uri.UnescapeDataString(
response.Split('&')
.Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
.Split('=')[1]);
var handler = new SimpleWebTokenHandler();
var swt = handler.ReadToken(tokenString) as SimpleWebToken;
return(swt);
}
private string GetRawToken()
{
string rawToken = OAuthClientModule.GetAccessToken(this._realm, false);
var tokenHandler = new SimpleWebTokenHandler();
var token = tokenHandler.ReadToken(Encoding.ASCII.GetString(Convert.FromBase64String(rawToken)));
if (DateTime.Compare(token.ValidTo, DateTime.UtcNow.Add(_skew)) <= 0)
{
rawToken = OAuthClientModule.GetAccessToken(this._realm, true);
}
return(rawToken);
}
public CustomSecurityTokenServiceConfiguration()
: base("PassiveSTS")
{
this.SecurityTokenService = typeof(PassiveSTS.CustomSecurityTokenService);
SimpleWebTokenHandler tokenHandler = new SimpleWebTokenHandler();
this.SecurityTokenHandlers.Add(tokenHandler);
CustomIssuerTokenResolver customTokenResolver = new SimpleWebToken.CustomIssuerTokenResolver();
customTokenResolver.AddAudienceKeyPair("http://localhost:19851/", Base64SymmetricKey);
this.IssuerTokenResolver = customTokenResolver;
this.DefaultTokenType = SimpleWebTokenHandler.SimpleWebTokenTypeUri;
}
public SimpleWebToken CreateToken(byte[] key)
{
var descripter = new SecurityTokenDescriptor
{
TokenIssuerName = "http://issuer",
AppliesToAddress = "http://audience",
Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddMinutes(5)),
Subject = new ClaimsIdentity(GetClaims()),
SigningCredentials = new HmacSigningCredentials(key),
};
var handler = new SimpleWebTokenHandler();
return(handler.CreateToken(descripter) as SimpleWebToken);
}
public SimpleWebToken GetToken(out string keyValue)
{
var key = Guid.NewGuid().ToByteArray().ToList();
key.AddRange(Guid.NewGuid().ToByteArray());
keyValue = Convert.ToBase64String(key.ToArray());
var descripter = new SecurityTokenDescriptor();
descripter.Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddMinutes(5));
descripter.TokenIssuerName = "http://www.thinktecture.com";
descripter.SigningCredentials = new HmacSigningCredentials(key.ToArray());
descripter.Subject = new ClaimsIdentity(this.Claims());
descripter.AppliesToAddress = "https://www.thinktecture.com/";
var output = new SimpleWebTokenHandler().CreateToken(descripter) as SimpleWebToken;
return(output);
}
public static void AddSimpleWebToken(this AuthenticationConfiguration configuration, string issuer, string audience, string signingKey, AuthenticationOptions options)
{
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer(issuer, issuer);
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey(issuer, signingKey);
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var handler = new SimpleWebTokenHandler();
handler.Configuration = config;
configuration.AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection { handler },
Options = options
});
}
