private async Task <AuthorizationRequest> GetAuthorizationRequestFromJwt(string token, string clientId) { var jwsToken = token; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token, clientId); } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken, clientId); return(jwsPayload == null ? null : jwsPayload.ToAuthorizationRequest()); }
public async Task <JwsPayload> GetPayload(Client client, string jwsToken) { if (client == null) { throw new ArgumentNullException(nameof(client)); } if (string.IsNullOrWhiteSpace(jwsToken)) { throw new ArgumentNullException(nameof(jwsToken)); } var signedResponseAlg = client.GetIdTokenSignedResponseAlg(); var encryptResponseAlg = client.GetIdTokenEncryptedResponseAlg(); if (encryptResponseAlg != null) // Decrypt the token. { jwsToken = await _jwtParser.DecryptAsync(jwsToken, client.ClientId); } return(await _jwtParser.UnSignAsync(jwsToken, client.ClientId)); }
private async Task ProcessIdTokenHint( ActionResult actionResult, AuthorizationParameter authorizationParameter, ICollection <PromptParameter> prompts, ClaimsPrincipal claimsPrincipal, string issuerName) { if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) && prompts.Contains(PromptParameter.none) && actionResult.Type == TypeActionResult.RedirectToCallBackUrl) { var token = authorizationParameter.IdTokenHint; if (!_jwtParser.IsJweToken(token) && !_jwtParser.IsJwsToken(token)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken, authorizationParameter.State); } string jwsToken; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token); if (string.IsNullOrWhiteSpace(jwsToken)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted, authorizationParameter.State); } } else { jwsToken = token; } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken); if (jwsPayload == null) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked, authorizationParameter.State); } if (jwsPayload.Audiences == null || !jwsPayload.Audiences.Any() || !jwsPayload.Audiences.Contains(issuerName)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience, authorizationParameter.State); } var currentSubject = string.Empty; var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated()) { currentSubject = claimsPrincipal.GetSubject(); } if (currentSubject != expectedSubject) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken, authorizationParameter.State); } } }