public async Task PersistsSigningKey()
{
var cred1 = await signingStore.GetSigningCredentialsAsync();
var cred2 = await CreateSut().GetSigningCredentialsAsync();
Assert.Equal(cred1.Kid, cred2.Kid);
Assert.Equal(Time(14), scd.CacheExpiresAt);
}
private async Task <SecurityToken> CreateSecurityTokenAsync(SignInValidationResult result, ClaimsIdentity outgoingSubject)
{
var credentials = await _keys.GetSigningCredentialsAsync().ConfigureAwait(false);
var x509Key = new X509SecurityKey(credentials.Key.GetX509Certificate(_keys));
var relyingParty = result.RelyingParty;
var descriptor = new SecurityTokenDescriptor
{
Audience = result.Client.ClientId,
IssuedAt = DateTime.UtcNow,
NotBefore = DateTime.UtcNow,
Expires = DateTime.UtcNow.AddSeconds(result.Client.IdentityTokenLifetime),
SigningCredentials = new SigningCredentials(x509Key, relyingParty.SignatureAlgorithm, relyingParty.DigestAlgorithm),
Subject = outgoingSubject,
#if DUENDE
Issuer = await _issuerNameService.GetCurrentAsync().ConfigureAwait(false),
#else
Issuer = _contextAccessor.HttpContext.GetIdentityServerIssuerUri(),
#endif
};
if (result.RelyingParty.EncryptionCertificate != null)
{
descriptor.EncryptingCredentials = new X509EncryptingCredentials(result.RelyingParty.EncryptionCertificate);
}
var handler = CreateTokenHandler(result.RelyingParty.TokenType);
return(handler.CreateToken(descriptor));
}
public async Task <SigningCredentials> GetSigningCredentialsAsync()
{
if (_signingCredential != null)
{
return(await _signingCredential.GetSigningCredentialsAsync());
}
return(null);
}
public async Task <IActionResult> GetPublicKey()
{
var securityKey = (await _signingCredentialStore.GetSigningCredentialsAsync()).Key;
if (securityKey is X509SecurityKey x509SecurityKey)
{
var publickey = x509SecurityKey.Certificate.ExportRSAPKCS8PublicKey();
return(Content(publickey));
}
return(NoContent());
}
/// <summary>
/// Generates the asynchronous.
/// </summary>
/// <param name="wsfedEndpoint">The wsfed endpoint.</param>
/// <returns></returns>
public async Task <WsFederationConfiguration> GenerateAsync(string wsfedEndpoint)
{
var credentials = await _keys.GetSigningCredentialsAsync().ConfigureAwait(false);
var key = credentials.Key;
var keyInfo = new KeyInfo(key.GetX509Certificate(_keys));
var issuer = _contextAccessor.HttpContext.GetIdentityServerIssuerUri();
var signingCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);
var config = new WsFederationConfiguration()
{
Issuer = issuer,
TokenEndpoint = wsfedEndpoint,
SigningCredentials = signingCredentials,
};
config.SigningKeys.Add(key);
config.KeyInfos.Add(keyInfo);
return(config);
}
/// <summary>
/// Creates the JWT header
/// </summary>
/// <param name="token">The token.</param>
/// <param name="credential">The credentials.</param>
/// <returns>The JWT header</returns>
protected virtual async Task <JwtHeader> CreateHeaderAsync(Token token)
{
var credential = await _credentialStore.GetSigningCredentialsAsync();
if (credential == null)
{
throw new InvalidOperationException("No signing credential is configured. Can't create JWT token");
}
var header = new JwtHeader(credential);
// emit x5t claim for backwards compatibility with v4 of MS JWT library
var x509key = credential.Key as X509SecurityKey;
if (x509key != null)
{
header.Add("x5t", Base64Url.Encode(x509key.Certificate.GetCertHash()));
}
return(header);
}