/// <summary>
        /// Validates <paramref name="accessToken"/> with <paramref name="handler"/>. When
        /// <c>parameters.RequireSignedTokens</c> is set, the RSA public key described by
        /// <paramref name="cnf"/> is installed as the sole entry of <c>parameters.IssuerSigningKeys</c> first.
        /// </summary>
        /// <param name="accessToken">Serialized JWT to validate.</param>
        /// <param name="cnf">JSON web key whose <c>e</c>/<c>n</c> members supply the verification key.</param>
        /// <param name="handler">Token handler that performs the actual validation.</param>
        /// <param name="parameters">Validation parameters; <c>IssuerSigningKeys</c> is overwritten on this instance.</param>
        /// <returns>The principal returned by <c>handler.ValidateToken</c>.</returns>
        /// <remarks>
        /// Nothing is caught here, so any exception thrown by <c>handler.ValidateToken</c> propagates to the caller.
        /// If <paramref name="cnf"/> has no <c>e</c> or <c>n</c>, <c>IssuerSigningKeys</c> becomes an empty list.
        /// NOTE(review): only <c>IssuerSigningKeys</c> is replaced; any <c>IssuerSigningKey</c> or
        /// <c>IssuerSigningKeyResolver</c> already set on <paramref name="parameters"/> is left in place, so a
        /// token signed by one of those could presumably still validate. Confirm the caller passes a fresh instance.
        /// NOTE(review): the check is only as strong as the origin of <paramref name="cnf"/>. It presumably comes
        /// from an access token that has already been validated; confirm at the call site.
        /// When <c>RequireSignedTokens</c> is false no key is configured here at all.
        /// </remarks>
        private ClaimsPrincipal ValidateSignature(string accessToken, IdentityModel.Jwk.JsonWebKey cnf, JwtSecurityTokenHandler handler, TokenValidationParameters parameters)
        {
            if (parameters.RequireSignedTokens)
            {
                // The confirmation key is the only key the token may be verified against.
                var signingKeys = new List<SecurityKey>();

                // todo: only supports RSA keys right now
                var hasRsaMembers = cnf.E.IsPresent() && cnf.N.IsPresent();

                if (!hasRsaMembers)
                {
                    _logger.LogDebug("Signing key with kid: {kid} currently not supported", cnf.Kid ?? "not set");
                }
                else
                {
                    var rsaKey = new RsaSecurityKey(new RSAParameters
                    {
                        Exponent = Base64Url.Decode(cnf.E),
                        Modulus = Base64Url.Decode(cnf.N)
                    })
                    {
                        KeyId = cnf.Kid
                    };

                    signingKeys.Add(rsaKey);

                    _logger.LogDebug("Added signing key with kid: {kid}", rsaKey.KeyId ?? "not set");
                }

                // Replaces whatever key list the caller had configured on this instance.
                parameters.IssuerSigningKeys = signingKeys;
            }

            // The validated token object is not needed; only the resulting principal is returned.
            SecurityToken validatedToken;
            var principal = handler.ValidateToken(accessToken, parameters, out validatedToken);

            return principal;
        }
        /// <summary>
        /// Returns the cached signing key as a <c>JsonWebKey</c>, loading it through
        /// <c>GetSigningKeyAsync</c> on the first call.
        /// </summary>
        /// <returns>The cached <c>JsonWebKey</c>.</returns>
        /// <remarks>
        /// The first successful call also stores the key bundle and its identifier in
        /// <c>_keyBundle</c> and <c>_keyIdentifier</c>. The cache is never refreshed here.
        /// NOTE(review): <c>keyBundle.Key.ToString()</c> is presumably the JSON form of the key;
        /// confirm it carries public parameters only before the result is published anywhere.
        /// </remarks>
        public async Task <JsonWebKey> GetAsync()
        {
            // Fast path: the key has already been fetched and converted.
            if (_jwk != null)
            {
                return _jwk;
            }

            var bundle = await GetSigningKeyAsync();

            _keyBundle = bundle;
            _keyIdentifier = bundle.KeyIdentifier;
            _jwk = new JsonWebKey(bundle.Key.ToString());

            return _jwk;
        }
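        /// <summary>
        /// Returns the cached set of enabled key versions as <c>JsonWebKey</c> objects, loading
        /// them through <c>GetKeyBundleVersionsAsync</c> on the first call.
        /// </summary>
        /// <returns>One <c>JsonWebKey</c> per key bundle whose <c>Attributes.Enabled</c> is true.</returns>
        /// <remarks>
        /// The list is built in a local and assigned to <c>_jwks</c> only once it is complete.
        /// Assigning the empty list before the await meant a failed fetch left an empty key set
        /// cached for good, and a concurrent caller could observe a partially filled list.
        /// With the local, a failure leaves <c>_jwks</c> null so the next call retries.
        /// </remarks>
        public async Task <IEnumerable <JsonWebKey> > GetAllAsync()
        {
            if (_jwks == null)
            {
                var keyBundles = await GetKeyBundleVersionsAsync();
                var jwks = new List <JsonWebKey>();

                foreach (var keyBundle in keyBundles)
                {
                    // Disabled versions, or versions with no Enabled flag, must not be handed out.
                    var enabled = keyBundle.Attributes.Enabled;
                    if (enabled != null && (bool)enabled)
                    {
                        jwks.Add(new JsonWebKey(keyBundle.Key.ToString()));
                    }
                }

                // Publish only the fully built list.
                _jwks = jwks;
            }
            return(_jwks);
        }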
        /// <summary>
        /// Wraps the public part of <paramref name="key"/> in a one-element JSON web key set.
        /// </summary>
        /// <param name="key">RSA key whose exponent, modulus and key id are copied into the set.</param>
        /// <returns>A key set holding one entry with <c>kty</c> "RSA" and <c>use</c> "sig".</returns>
        /// <remarks>
        /// Only the exponent and the modulus are copied. When <c>key.Rsa</c> is set, the parameters
        /// are exported with <c>ExportParameters(false)</c>; otherwise <c>key.Parameters</c> is read,
        /// and nothing beyond <c>Exponent</c> and <c>Modulus</c> is used from it.
        /// </remarks>
        public static IdentityModel.Jwk.JsonWebKeySet CreateKeySet(RsaSecurityKey key)
        {
            // Prefer the RSA object when present; fall back to the raw parameter struct.
            var rsa = key.Rsa;
            var rsaParameters = rsa != null ? rsa.ExportParameters(false) : key.Parameters;

            var encodedExponent = Base64Url.Encode(rsaParameters.Exponent);
            var encodedModulus = Base64Url.Encode(rsaParameters.Modulus);

            var keySet = new IdentityModel.Jwk.JsonWebKeySet();

            keySet.Keys.Add(new IdentityModel.Jwk.JsonWebKey
            {
                Kty = "RSA",
                Use = "sig",
                Kid = key.KeyId,
                E = encodedExponent,
                N = encodedModulus,
            });

            return keySet;
        }