/// <summary>
/// Configure message handlers to use JwtBasedSecurityMessageHandler as
/// SecurityMessageHandler for all the requests
/// </summary>
/// <param name="config">The config</param>
/// <param name="options">The jwt validation options</param>
/// <param name="forceAuthentication">Indicates whether or not authentication must be enforced</param>
public static void UseJwtAuthentication(
this HttpConfiguration config,
JwtValidationOptions options,
bool forceAuthentication = false)
{
config.MessageHandlers.Add(
new JwtBasedSecurityMessageHandler(options, forceAuthentication));
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="options">Options to validate then token when presents</param>
/// <param name="forceAuthentication">Indicates whether or not the token must be present to process the request</param>
public JwtBasedSecurityMessageHandler(
JwtValidationOptions options,
bool forceAuthentication = false)
{
options.NotNull(nameof(options));
Options = options;
ForceAuthentication = forceAuthentication;
}
private static TokenValidationParameters GetValidationParameters(
JwtValidationOptions options)
{
var parameters = new TokenValidationParameters
{
RequireExpirationTime = options.RequireExpirationTime,
RequireSignedTokens = !options.SigningKey.IsNullOrEmpty(),
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = options.RequireExpirationTime,
};
if (!options.SigningKey.IsNullOrEmpty())
parameters.IssuerSigningKey = new InMemorySymmetricSecurityKey(
Convert.FromBase64String(options.SigningKey));
return parameters;
}
public static bool TryValidateToken(
this JwtSecurityTokenHandler handler,
string securityToken,
JwtValidationOptions options,
out IPrincipal principal)
{
try
{
principal = handler
.RetrievePrincipal(securityToken, GetValidationParameters(options));
}
catch (SecurityTokenValidationException)
{
principal = null;
}
return principal.IsNotNull();
}
private static Task<HttpResponseMessage> SendAsync(
JwtSecurityTokenHandler tokenHandler,
JwtValidationOptions options = null,
Action<HttpRequestMessage, IPrincipal> assignPrincipalAction = null)
{
return new HttpMessageInvoker(
CreateSubjectUnderTest(false, null, tokenHandler, options ?? new JwtValidationOptions(), assignPrincipalAction))
.SendAsync(
GetHttpRequestMessage(ObjectMother.Create<string>()),
It.IsAny<CancellationToken>());
}
private static JwtBasedSecurityMessageHandler CreateSubjectUnderTest(
bool forceAuthentication,
HttpResponseMessage response,
JwtSecurityTokenHandler tokenHandler,
JwtValidationOptions options = null,
Action<HttpRequestMessage, IPrincipal> assignPrincipalAction = null)
{
IPrincipal principal;
if (assignPrincipalAction.IsNull())
assignPrincipalAction = (r, p) => principal = p;
var sut = new JwtBasedSecurityMessageHandler(
options ?? new JwtValidationOptions(), forceAuthentication);
sut.InnerHandler = new TestHandler(response);
sut.SetSecurityTokenHandlerFactory(() => tokenHandler);
sut.SetAssignPrincipalFactory(assignPrincipalAction);
return sut;
}