/// <summary> /// Validates the JWT Structure for correctness. /// </summary> /// <param name="context">The context.</param> /// <returns></returns> public async Task <TokenValidationResult> ValidateJWTStructure(HttpContext context) { TokenValidationResult result = new TokenValidationResult(); _logger.LogDebug("Started JWTToken Validation"); var body = await context.Request.ReadFormAsync(); if (body != null) { var jwttoken = body["jwttoken"].FirstOrDefault(); if (jwttoken.IsPresent()) { var printablejwt = GetPrintableJWT(jwttoken); _logger.LogDebug($"JWT Token found (truncated): {printablejwt}"); if (jwttoken.Contains(".")) { if (jwttoken.Length > _options.InputLengthRestrictions.Jwt) { _logger.LogWarn("JWT too long"); result = new TokenValidationResult { IsError = true, Error = OidcConstants.ProtectedResourceErrors.InvalidToken, ErrorDescription = "Token too long" }; } else { result = new TokenValidationResult { IsError = false, Jwt = jwttoken }; } } else { _logger.LogWarn("Invalid Token Format"); result = new TokenValidationResult { IsError = true, Error = OidcConstants.ProtectedResourceErrors.InvalidToken, ErrorDescription = "Invalid Token Format" }; } } else { _logger.LogWarn("JWT Token wasn't found"); result.IsError = true; result.Error = "Invalid_Token"; result.ErrorDescription = "JWT Token missing"; } } return(result); }
public Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null) { // this key should store in the KeyVault service, then we can securely access in anywhere var key = "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4=".UrlSafe64Decode(); var jwt64Token = SimpleFernet.Decrypt(key, token, out var timestamp); var jwtToken = jwt64Token.UrlSafe64Encode().FromBase64String(); if (string.IsNullOrEmpty(jwtToken)) { return(Task.FromResult(new TokenValidationResult { IsError = true })); } var result = new TokenValidationResult { IsError = false, Claims = new List <Claim> { new Claim(JwtClaimTypes.Scope, jwtToken) } }; return(Task.FromResult(result)); }
public override async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result) { var subjectId = result.ReferenceToken != null ? result.ReferenceToken.SubjectId : result.Claims.GetFirstClaimValueByType("sub"); var user = await LocalUserService.GetUserBySubjectAsync(subjectId); var tempClaims = result.Claims.Where(c => c.Type != "role").ToList(); if (user != null) { if (user?.Roles != null) { foreach (var role in user.Roles) { tempClaims.Add(new Claim("role", role.Name)); } } foreach (var roleClaim in user.Claims.Where(c => c.Type == "role")) { tempClaims.Add(new Claim("role", roleClaim.Value)); } } result.Claims = tempClaims; return(result); }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { string requestToken = null; string authorization = Request.Headers["Authorization"]; if (string.IsNullOrEmpty(authorization)) { return(AuthenticateResult.Fail("No Authorization Header is sent.")); } if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { requestToken = authorization.Substring("Bearer ".Length).Trim(); } if (string.IsNullOrEmpty(requestToken)) { return(AuthenticateResult.Fail("No Access Token is sent.")); } TokenValidationResult result = await _tokenValidator.ValidateAccessTokenAsync(requestToken, Options.ExpectedScope); if (result.IsError) { return(AuthenticateResult.Fail(result.Error)); } ClaimsIdentity claimsIdentity = new ClaimsIdentity(result.Claims, Scheme.Name); ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity); AuthenticationTicket authenticationTicket = new AuthenticationTicket(claimsPrincipal, Scheme.Name); return(AuthenticateResult.Success(authenticationTicket)); }
public async Task ValidateAsync_Successful(string audience, TokenModel tokenModel, TokenValidationResult tokenValidationResult, TokenValidationRequest validationRequest, TokenValidationResponse tokenValidationResponse) { // Arrange _tokenValidationService .Setup(x => x.ValidateAsync(audience, tokenModel, It.IsAny <CancellationToken>())) .ReturnsAsync(tokenValidationResult); _mapper.Setup(x => x.Map <TokenModel>(It.Is <TokenValidationRequest>(p => p.Token == validationRequest.Token))).Returns(tokenModel); _mapper.Setup(x => x.Map <TokenValidationResponse>(tokenValidationResult)).Returns(tokenValidationResponse); // Act var result = await _client.PostAsync(string.Format(ValidationRequestPath, audience), new JsonContent(validationRequest)); // Assert result.StatusCode.Should().Be(StatusCodes.Status200OK); var resultValue = await result.Content.ReadAsAsync <TokenValidationResponse>(); resultValue.Should().BeEquivalentTo(tokenValidationResponse); _mapper.VerifyAll(); _tokenValidationService.VerifyAll(); }
/// <inheritdoc /> public TokenValidationResult TryValidate(Jwt jwt) { if (jwt is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.jwt); } if (jwt.Payload is null) { return(TokenValidationResult.MalformedToken()); } var claim = jwt.Payload[_claim]; if (claim is null) { return(TokenValidationResult.MissingClaim(jwt, _claim)); } for (int i = 0; i < _values.Count; i++) { if (_values[i] !.Equals((TClaim)claim)) { return(TokenValidationResult.Success(jwt)); } } return(TokenValidationResult.InvalidClaim(jwt, _claim)); }
/// <inheritdoc /> public TokenValidationResult TryValidate(Jwt jwt) { if (jwt is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.jwt); } if (jwt.Payload is null) { return(TokenValidationResult.MalformedToken()); } var claim = jwt.Payload[_claim]; if (claim is null) { return(TokenValidationResult.MissingClaim(jwt, _claim)); } if (_value != (double?)claim) { return(TokenValidationResult.InvalidClaim(jwt, _claim)); } return(TokenValidationResult.Success(jwt)); }
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync() { string requestToken = null; string authorization = Request.Headers["Authorization"]; if (string.IsNullOrEmpty(authorization)) { return(null); } if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { requestToken = authorization.Substring("Bearer ".Length).Trim(); } if (string.IsNullOrEmpty(requestToken)) { return(null); } TokenValidator tokenValidator = Context.Environment.ResolveDependency <TokenValidator>(); TokenValidationResult result = await tokenValidator.ValidateAccessTokenAsync(requestToken, Options.ExpectedScope); if (result.IsError) { return(null); } AuthenticationProperties properties = new AuthenticationProperties(); ClaimsIdentity identity = new ClaimsIdentity(result.Claims, Options.AuthenticationType); return(new AuthenticationTicket(identity, properties)); }
/// <summary> /// Custom validation logic for identity tokens. /// </summary> /// <param name="result">The validation result so far.</param> /// <returns> /// The validation result /// </returns> public virtual async Task <TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result) { // make sure user is still active (if sub claim is present) var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject); if (subClaim != null) { var principal = Principal.Create("tokenvalidator", result.Claims.ToArray()); var isActiveCtx = new IsActiveContext(principal, result.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { Logger.Warn("User marked as not active: " + subClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return(result); } } return(result); }
public async Task ValidateAsync_Successful(string audience, TokenModel tokenModel, TokenValidationRequest validationRequest, TokenValidationResult tokenValidationResult, TokenValidationResponse tokenValidationResponse) { // Arrange _tokenValidationService .Setup(x => x.ValidateAsync(audience, tokenModel, CancellationToken.None)) .ReturnsAsync(tokenValidationResult); _mapper.Setup(x => x.Map <TokenValidationResponse>(tokenValidationResult)).Returns(tokenValidationResponse); _mapper.Setup(x => x.Map <TokenModel>(It.Is <TokenValidationRequest>(p => p.Token == validationRequest.Token))).Returns(tokenModel); // Act var result = await _controller.ValidateAsync(audience, validationRequest, CancellationToken.None); // Assert var okObjectResult = result.Should().BeOfType <OkObjectResult>(); okObjectResult.Subject.Value.Should().Be(tokenValidationResponse); _mapper.VerifyAll(); _tokenValidationService.VerifyAll(); }
public void ValidateIdTokenSignatureShouldNotValidateWhenKeysetNull() { var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QifQ.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.PKN_cBANpXLegnmu6My4yhqcdbZaRVRLlseQJ4y1gMyFzLfRfYFHhbQC4xrIaN6ryxIsgJvFZ-047WfMwyptIhcP87exuYt6253k9gddndmjJtLuT9d5DB9bjiKkK49IdVsu91xyT1bXBHiWnZ-alFgnC4NfsCN3ec9TAynlivhzlBwghfdc6T8V27ewHWKg1ds0ZZbLQYZ0PtuLd0PW_SEOAnajVICBN7xm0rgxf9CTgOs5mBnKVCgPu1sJ-6bdcfA2VpLGLleuDHb9J9t6kbMytEMUjs4eDjdgxlogIUBOvY4MWfuu4l85GPZPMJ29aGmvAbns9e5Pufm8nO9DEA"; TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, null); Assert.AreEqual(TokenValidationResult.JWKSError, actual); }
public async Task ValidateJwtTest() { AuthorizationTokensViewmodel result = await _jwtLogic.CreateJwt(new TestUserDto().User); TokenValidationResult validationResult = _jwtLogic.ValidateJwt(result.Jwt); Assert.True(validationResult.IsValid); }
private AuthenticateResult CreateSuccessResult(TokenValidationResult tokenValidationResult) { var identity = new ClaimsIdentity(tokenValidationResult.Claims, Scheme.Name); var principal = new ClaimsPrincipal(identity); var ticket = new AuthenticationTicket(principal, Scheme.Name); return(AuthenticateResult.Success(ticket)); }
public override Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null) { var result = new TokenValidationResult { Error = Constants.ProtectedResourceErrors.InvalidToken }; return(Task.FromResult(result)); }
public override Task <TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true) { var result = new TokenValidationResult { Error = Constants.ProtectedResourceErrors.InvalidToken }; return(Task.FromResult(result)); }
/// <summary> /// Extensão que faz a validação de um token. /// </summary> /// <param name="token">Objeto referenciado</param> /// <param name="settings">Configurações de autoridade</param> /// <returns>Resultado da validação do token</returns> public static async Task <TokenValidationResult> ValidateAsync(this JwtSecurityToken token, IdentityConfigurations settings) { TokenValidationResult result; try { var tokenDecoder = new JwtSecurityTokenHandler(); var parameters = await settings.GetTokenParametesAsync(token); var principal = tokenDecoder.ValidateToken(token.RawData, parameters, out SecurityToken validatedToken); result = new TokenValidationResult(TokenValidation.Valid) { Principal = principal, SecurityToken = validatedToken }; } catch (SecurityTokenExpiredException ex) { result = new TokenValidationResult(TokenValidation.Expired, ex.Message); } catch (SecurityTokenInvalidAudienceException ex) { result = new TokenValidationResult(TokenValidation.InvalidAudience, ex.Message); } catch (SecurityTokenInvalidLifetimeException ex) { result = new TokenValidationResult(TokenValidation.InvalidLifetime, ex.Message); } catch (SecurityTokenInvalidSignatureException ex) { result = new TokenValidationResult(TokenValidation.InvalidSignature, ex.Message); } catch (SecurityTokenNoExpirationException ex) { result = new TokenValidationResult(TokenValidation.NoExpiration, ex.Message); } catch (SecurityTokenNotYetValidException ex) { result = new TokenValidationResult(TokenValidation.NotYetValid, ex.Message); } catch (SecurityTokenReplayAddFailedException ex) { result = new TokenValidationResult(TokenValidation.ReplayAdd, ex.Message); } catch (SecurityTokenReplayDetectedException ex) { result = new TokenValidationResult(TokenValidation.ReplayDetected, ex.Message); } catch (Exception ex) { result = new TokenValidationResult(TokenValidation.Error, ex.Message); } return(result); }
public void ValidateIdTokenShouldNotValidateWhenNoIdToken() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}"; var idToken = ""; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _allValidationSupportedVersion); Assert.AreEqual(TokenValidationResult.IdTokenMissing, actual); }
public void ValidateIdTokenShouldNotValidateWhenClaimInvalid() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}"; var idToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdWQiOiJ4LWNsaWVudGlkLXkiLCJhenAiOiJ4LWNsaWVudGlkLXkiLCJpc3MiOiJodHRwOi8vbW9iaWxlY29ubmVjdC5pbyIsImV4cCI6MjE0NzQ4MzY0NywiYXV0aF90aW1lIjoyMTQ3NDgzNjQ3LCJpYXQiOjE0NzEwMDc2NzR9.byu8aDef11sJPpPD9WM_j5uv92CsQEJLJ23SVCwrmf-btdyViTe5q1Q0X1hjVzv6FcCQLlrdJj1ib4sky6It1kVEEDk_E7w8KHH1CmmApghWh2lozJRlg8LQTQXgvfnUPeSLsoGBDYWI502aUhyy9V_zm9M0F3Vi0GWmDVZeXIvUlqdGd1YdzO0cmEfc9nyQSchimVmc-0etCGJn8qehvCZa_x96_u-qJeUiOb_7NypECoVDv8UzAZ48P5Dq-iDCYP6jCmOjdZ36b4JO6co1OnYp4cGONqZTQadVDewAfskKtGkspm6XUdil0WDct1DMuPnDuH1eweQtYopxtHRsjw"; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _allValidationSupportedVersion); Assert.AreEqual(TokenValidationResult.InvalidAudAndAzp, actual); }
public void ValidateIdTokenShouldReturnValidWhenUnsupportedVersionAndValidationPassed() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}"; var idToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdWQiOiJ4LWNsaWVudGlkLXgiLCJhenAiOiJ4LWNsaWVudGlkLXgiLCJpc3MiOiJodHRwOi8vbW9iaWxlY29ubmVjdC5pbyIsImV4cCI6MjE0NzQ4MzY0NywiYXV0aF90aW1lIjoyMTQ3NDgzNjQ3LCJpYXQiOjE0NzEwMDczMjd9.U9c5iuybG4GIvrbQH5BT9AgllRbPL6SuIzL4Y3MW7VlCVIQOc_HFfkiLa0LNvqZiP-kFlADmnkzuuQxPq7IyaOILVYct20mrcOb_U_zMli4jg-t9P3BxHaq3ds9JlLBjz0oewd01ZQtWHgRnrGymfKAIojzHlde-aePuL1M26Eld5zoKQvCLcKAynZsjKsWF_6YdLk-uhlC5ofMOaOoPirPSPAxYvbj91z3o9XIgSHoU-umN7AJ6UQ4H-ulfftlRGK8hz0Yzpf2MHOy9OHg1u3ayfCaaf8g5zKGngcz0LgK9VAw2B31xJw-RHkPPh0Hz82FgBc4588oEFC1c22GGTw"; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdToken(idToken, clientId, issuer, nonce, maxAge, jwks, _validationUnsupportedVersion); Assert.AreEqual(TokenValidationResult.IdTokenValidationSkipped, actual); }
public void ValidateIdTokenSignatureShouldNotValidateWhenNoMatchingKey() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"test1\",},{\"e\":\"AQAB\",\"n\":\"sj_E_-OM6We6kM3Zl8LFQCbp4J1GA_RArvFo8Y0jLXR1xK20nJ0UIhCR1u4a3WD9dSwDRmcDa-3nT_1g5mzMOjBBO1I0VFDG61LyTkrbHhaz-VtRKjMcZMaVPHGC-nRogg92984s-ahO-Q4hkE05tiO96u3xj4S8_A3bsMIQCLQRYKS9_ovl_HxEJne3NFRkSZiiTym5g0H_nOrl2RlBYfV7GPst8Vzq45Mn1uDtCHocSeM3zunLG8TNOz0t6U_s0hAd0gKukoxgaGc1JDSsRWNs8r9SPniRMclKkcMWpdZQbLdT9ARsEB7i6w4x4C1p9i75PloXhwE-EOZ9kCeOtw\",\"kty\":\"RSA\",\"kid\":\"nottest\"}]}"; var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QifQ.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.PKN_cBANpXLegnmu6My4yhqcdbZaRVRLlseQJ4y1gMyFzLfRfYFHhbQC4xrIaN6ryxIsgJvFZ-047WfMwyptIhcP87exuYt6253k9gddndmjJtLuT9d5DB9bjiKkK49IdVsu91xyT1bXBHiWnZ-alFgnC4NfsCN3ec9TAynlivhzlBwghfdc6T8V27ewHWKg1ds0ZZbLQYZ0PtuLd0PW_SEOAnajVICBN7xm0rgxf9CTgOs5mBnKVCgPu1sJ-6bdcfA2VpLGLleuDHb9J9t6kbMytEMUjs4eDjdgxlogIUBOvY4MWfuu4l85GPZPMJ29aGmvAbns9e5Pufm8nO9DEA"; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks); Assert.AreEqual(TokenValidationResult.NoMatchingKey, actual); }
public void ValidateIdTokenSignatureShouldValidateUsingMatchingAlgKey() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}"; var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.QOdjTBG5xzX9ROIYmEyJ5ozamcd1O8R6Zna0GpO14n2lFu2oG2FP7HWws3VvgDqMkgwhyt-l7wFs-SDxYWsXj6a3wCGOHQSkOwdFWx5QZwHf4abOCVbcD0HMcFRWAAhBU8K0k9gBlNOdblArEusXWUtNOb3zA9kE5X8aX8v3anh_utrxaKYSvndjHIe7d50XybsOip4QOsqMEUbeBdos4hqSc_KW9qQvZcqBoZs3J7n-n8nPX5TcXu7OZd62pT48GvpL1Y1O6xvBA-gvLEpba3KffucBkgSXtLYsfw8n109A335z9TWIM_9D6OrRkWQrYBLm3B6GfcGOUDJIISegTA"; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks); Assert.AreEqual(TokenValidationResult.Valid, actual); }
private static void EnforceJwtIssuerIsTenant(TokenValidationResult validatedToken, string tenantAttestUri) { // Verify that the JWT issuer is indeed the tenantAttestUri (tenant specific URI) var jwtTokenIssuerClaim = validatedToken.ClaimsIdentity.Claims.First(c => c.Type == "iss"); if (!string.Equals(tenantAttestUri, jwtTokenIssuerClaim.Value, StringComparison.OrdinalIgnoreCase)) { throw new ArgumentException("Policy JWT is not valid (iss claim does not match attest URI)"); } }
public void ValidateIdTokenSignatureShouldNotValidateWhenAlgNotRS256() { var jwksJson = "{\"keys\":[{\"alg\":\"HS256\",\"kty\":\"oct\",\"use\":\"sig\",\"secret\":\"E5JqlByqY5vGQmeczEigRRr43fr-m7KdJMkN3eSDHOiv3UYYhRTr6OIirFHaYDdUgA4iq3WQ3lkHd3r-KV_iWlDzpha0dmaGaHvzYMThO5WKUBlsekGHT17V7tnnYq7aameaAUmVOZocKQ5svXrPNQJcFhDs-XO6Kcsin2zaYL6eCdLZF8w_YUYtGfxYD0SqB5mdmmE5jIam3f1dnodkoLmfGxUeSSAgCCJXHQtM-SwPpyZfGbYrhTAkcahPmrJOiQwZ7WPtFlMYR-T8U12STNaTDv63hjPW57cwLfjeTW8NEYO00KCWZD7HZo-8Tg4j93FG6b78VE7QUB-vjopQlw\"}]}"; var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0.iTLUvv-HCYBkDzeVX0tRc5k3URY8kbjqvY1EgyXUE2s"; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks); Assert.AreEqual(TokenValidationResult.IncorrectAlgorithm, actual); }
public void ValidateIdTokenSignatureShouldNotValidateWhenSignatureMissing() { var jwksJson = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"n\":\"hzr2li5ABVbbQ4BvdDskl6hejaVw0tIDYO-C0GBr5lRA-AXtmCO7bh0CEC9-R6mqctkzUhVnU22Vrj-B1J0JtJoaya9VTC3DdhzI_-7kxtIc5vrHq-ss5wo8-tK7UqtKLSRf9DcyZA0H9FEABbO5Qfvh-cfK4EI_ytA5UBZgO322RVYgQ9Do0D_-jf90dcuUgoxz_JTAOpVNc0u_m9LxGnGL3GhMbxLaX3eUublD40aK0nS2k37dOYOpQHxuAS8BZxLvS6900qqaZ6z0kwZ2WFq-hhk3Imd6fweS724fzqVslY7rHpM5n7z5m7s1ArurU1dBC1Dxw1Hzn6ZeJkEaZQ\",\"kty\":\"RSA\",\"use\":\"sig\"}]}"; var token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJNekZsWmpreFpHSXRPV1UyTlMwMFpURm1MVGt3TXpjdE5UUXpOamRrTURCa016Y3pPbTl3WlhKaGRHOXlMV0U9IiwiYXV0aF90aW1lIjoxNDcwMzI2ODIwLCJhdWQiOlsiTXpGbFpqa3haR0l0T1dVMk5TMDBaVEZtTFRrd016Y3ROVFF6Tmpka01EQmtNemN6T205d1pYSmhkRzl5TFdFPSJdLCJhbXIiOlsiU0lNX1BJTiJdLCJub25jZSI6ImFkNjVmOGUwNzA3MTRlYTU5Yzc2NDRlZjE1OGM1MjM3IiwiaWF0IjoxNDcwMzI2ODIwLCJpc3MiOiJpbnRlZ3JhdGlvbjIuc2FuZGJveC5tb2JpbGVjb25uZWN0LmlvIiwiYWNyIjoiMiIsImV4cCI6MTQ3MDMzMDQyMCwic3ViIjoiYzIzMjQ2N2MtNDliMi0xMWU2LTlhYTgtMDI0MmFjMTEwMDAzIn0."; var jwks = JsonConvert.DeserializeObject <JWKeyset>(jwksJson); TokenValidationResult actual = TokenValidation.ValidateIdTokenSignature(token, jwks); Assert.AreEqual(TokenValidationResult.InvalidSignature, actual); }
/// <summary> /// Custom validation logic for access tokens. /// </summary> /// <param name="result">The validation result so far.</param> /// <returns> /// The validation result /// </returns> public virtual async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result) { if (result.IsError) { return(result); } // make sure user is still active (if sub claim is present) var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject); if (subClaim != null) { var principal = Principal.Create("tokenvalidator", result.Claims.ToArray()); if (result.ReferenceTokenId.IsPresent()) { principal.Identities.First().AddClaim(new Claim(Constants.ClaimTypes.ReferenceTokenId, result.ReferenceTokenId)); } var isActiveCtx = new IsActiveContext(principal, result.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { Logger.Warn("User marked as not active: " + subClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return(result); } } // make sure client is still active (if client_id claim is present) var clientClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.ClientId); if (clientClaim != null) { var client = await _clients.FindClientByIdAsync(clientClaim.Value); if (client == null || client.Enabled == false) { Logger.Warn("Client deleted or disabled: " + clientClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return(result); } } return(result); }
/// <inheritdoc /> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { _logger.LogTrace("HandleAuthenticateAsync called"); string token = null; string authorization = Request.Headers["Authorization"]; if (string.IsNullOrEmpty(authorization)) { return(AuthenticateResult.Fail("No Authorization Header is sent.")); } if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { token = authorization.Substring("Bearer ".Length).Trim(); } if (string.IsNullOrEmpty(token)) { return(AuthenticateResult.Fail("No Access Token is sent.")); } _logger.LogTrace("Token found: {token}", token); TokenValidationResult result = await _tokenValidator.ValidateAccessTokenAsync(token, Options.ExpectedScope); if (result.IsError) { _logger.LogTrace("Failed to validate the token"); return(AuthenticateResult.Fail(result.Error)); } _logger.LogTrace("Successfully validated the token."); ClaimsIdentity claimsIdentity = new ClaimsIdentity(result.Claims, Scheme.Name, JwtClaimTypes.Name, JwtClaimTypes.Role); ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity); AuthenticationProperties authenticationProperties = new AuthenticationProperties(); if (Options.SaveToken) { authenticationProperties.StoreTokens(new[] { new AuthenticationToken { Name = "access_token", Value = token } }); } AuthenticationTicket authenticationTicket = new AuthenticationTicket(claimsPrincipal, authenticationProperties, Scheme.Name); return(AuthenticateResult.Success(authenticationTicket)); }
public async Task ValidateAccessToken(OAuthValidateTokenContext <IAccessToken> context) { var result = new TokenValidationResult <IAccessToken>(context.Token); if (context.Token == null || string.IsNullOrWhiteSpace(context.Token.Ticket)) { context.Rejected(); return; } context.Validated(); }
private void ValidateAccessToken(string encryptedUserCred) { string option = AccessTokenValidatorFactory.ACCESS_TOKEN_WCF; IAccessTokenValidator tokenValidator = AccessTokenValidatorFactory.GetAccessTokenValidator(option); TokenValidationResult result = tokenValidator.IsUserCredentialValid(encryptedUserCred); if (!result.IsValidationSuccess) { throw new TokenValidationException(result.Message, result.Status); } }
/// <summary> /// Custom validation logic for access tokens. /// </summary> /// <param name="result">The validation result so far.</param> /// <returns> /// The validation result /// </returns> public async Task <TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result) { if (!string.IsNullOrWhiteSpace(result.Jwt) && !result.IsError) { Token token = await Store.GetReferenceTokenAsync(result.Jwt); if (token == null) { result.IsError = true; } } return(result); }
public override Task <TokenValidationResult> ValidateAccessTokenAsync(string token, string expectedScope = null) { var result = new TokenValidationResult { IsError = false, Claims = new[] { new Claim(Constants.ClaimTypes.Subject, "unique_subject"), new Claim(Constants.ClaimTypes.Name, "subject name") } }; return(Task.FromResult(result)); }
public Task<TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result, Core.Models.CoreSettings settings, Core.Services.IClientService clients, Core.Services.IUserService users) { throw new NotImplementedException(); }
/// <summary> /// Gets the Message for the specified Token Validation Result /// </summary> /// <param name="tokenResult">TokenValidationResult</param> /// <returns>String Message</returns> private String GetTokenValidationResultMessage(TokenValidationResult tokenResult) { switch (tokenResult) { case TokenValidationResult.Success: return "Success"; case TokenValidationResult.FailureExpired: return "Expired Token"; case TokenValidationResult.FailureInvalid: return "Invalid Token"; case TokenValidationResult.FailureHash: return "Hash Failure"; default: return "Unknown Error"; } }
public Task<TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result, Core.Models.CoreSettings settings, Core.Services.IClientService clients, Core.Services.IUserService users) { return Task.FromResult(result); }