        /// <summary>
        ///     Builds the client-authentication parameters for the token request: the client secret when one is
        ///     configured, otherwise a JWT-bearer client assertion. The assertion is signed here with the
        ///     credential's certificate when none is cached or the cached one falls within the expiration margin;
        ///     otherwise the cached assertion is reused.
        /// </summary>
        /// <returns>
        ///     OAuth2 parameter names mapped to their values; empty when no client credential is set or when the
        ///     build is not DESKTOP / NETSTANDARD1_3.
        /// </returns>
        public IDictionary<string, string> ToParameters()
        {
            var parameters = new Dictionary<string, string>();

#if DESKTOP || NETSTANDARD1_3
            if (ClientCredential == null)
            {
                return parameters;
            }

            if (!string.IsNullOrEmpty(ClientCredential.Secret))
            {
                // A configured secret takes precedence; no assertion is built in that case.
                parameters[OAuth2Parameter.ClientSecret] = ClientCredential.Secret;
                return parameters;
            }

            // NOTE(review): a non-null cached assertion whose ValidTo is 0 skips the expiry check and is sent
            // as-is — presumably a caller-supplied assertion; confirm that is the intended contract.
            bool needsExpiryCheck = ClientCredential.Assertion == null || ClientCredential.ValidTo != 0;
            if (needsExpiryCheck)
            {
                var expiryCutoff = JsonWebToken.ConvertToTimeT(
                    DateTime.UtcNow + TimeSpan.FromMinutes(Constants.ExpirationMarginInMinutes));

                if (ClientCredential.ValidTo <= expiryCutoff)
                {
                    RequestContext.Logger.Info("Client Assertion does not exist or near expiry.");
                    var freshToken = new JsonWebToken(ClientId, Authority.SelfSignedJwtAudience);
                    // Cache the signed assertion and its expiry on the credential so later calls can reuse it.
                    ClientCredential.Assertion = freshToken.Sign(ClientCredential.Certificate);
                    ClientCredential.ValidTo = freshToken.Payload.ValidTo;
                }
                else
                {
                    RequestContext.Logger.Info("Reusing the unexpired Client Assertion...");
                }
            }

            parameters[OAuth2Parameter.ClientAssertionType] = OAuth2AssertionType.JwtBearer;
            parameters[OAuth2Parameter.ClientAssertion] = ClientCredential.Assertion;
#endif
            return parameters;
        }
        /// <summary>
        ///     Decides whether the client assertion cached on <paramref name="clientCredential"/> can be reused
        ///     for the next request: it must be present, not within the expiration margin, and have been built
        ///     for the same audience and x5c setting as the incoming request.
        /// </summary>
        /// <param name="clientCredential">Credential holding the cached assertion and the values it was built with.</param>
        /// <param name="endpoints">Authority endpoints supplying the expected self-signed JWT audience; may be null.</param>
        /// <param name="sendX5C">x5c flag of the incoming request; must equal the cached assertion's ContainsX5C.</param>
        /// <returns>True when the cached assertion matches the request and is not yet near expiry.</returns>
        /// <exception cref="ArgumentNullException">When <paramref name="clientCredential"/> is null.</exception>
        public static bool ValidateClientAssertion(ClientCredentialWrapper clientCredential, AuthorityEndpoints endpoints, bool sendX5C)
        {
            if (clientCredential == null)
            {
                throw new ArgumentNullException(nameof(clientCredential));
            }

            if (string.IsNullOrWhiteSpace(clientCredential.Assertion))
            {
                return false;
            }

            // An assertion counts as usable only while its ValidTo lies beyond now + the expiration margin.
            var cutoff = JsonWebToken.ConvertToTimeT(
                DateTime.UtcNow + TimeSpan.FromMinutes(Constants.ExpirationMarginInMinutes));
            bool stillValid = clientCredential.ValidTo > cutoff;

            // NOTE(review): this is an ordinal (case-sensitive) comparison, whereas the overload taking a
            // string audience uses OrdinalIgnoreCase; confirm which is intended. Note also that a null
            // Audience on the credential compares equal to a null endpoints argument.
            bool sameAudience = clientCredential.Audience == endpoints?.SelfSignedJwtAudience;
            bool sameX5C = clientCredential.ContainsX5C == sendX5C;

            return stillValid && sameAudience && sameX5C;
        }
        /// <summary>
        ///     Decides whether the client assertion cached on <paramref name="clientCredential"/> can be reused
        ///     for the next request: it must be present, not within the expiration margin, and have been built
        ///     for the same audience (compared case-insensitively) and x5c setting as the incoming request.
        /// </summary>
        /// <param name="clientCredential">Credential holding the cached assertion and the values it was built with.</param>
        /// <param name="audience">Audience the incoming request's assertion must carry.</param>
        /// <param name="sendX5C">x5c flag of the incoming request; must equal the cached assertion's ContainsX5C.</param>
        /// <returns>True when the cached assertion matches the request and is not yet near expiry.</returns>
        /// <exception cref="ArgumentNullException">When <paramref name="clientCredential"/> is null.</exception>
        public static bool ValidateClientAssertion(ClientCredentialWrapper clientCredential, string audience, bool sendX5C)
        {
            if (clientCredential == null)
            {
                throw new ArgumentNullException(nameof(clientCredential));
            }

            // A blank cached assertion forces the caller to build a fresh one.
            if (string.IsNullOrWhiteSpace(clientCredential.CachedAssertion))
            {
                return false;
            }

            // An assertion counts as usable only while its ValidTo lies beyond now + the expiration margin.
            var cutoff = JsonWebToken.ConvertToTimeT(
                DateTime.UtcNow + TimeSpan.FromMinutes(Constants.ExpirationMarginInMinutes));
            bool stillValid = clientCredential.ValidTo > cutoff;

            bool sameAudience = string.Equals(clientCredential.Audience, audience, StringComparison.OrdinalIgnoreCase);
            bool sameX5C = clientCredential.ContainsX5C == sendX5C;

            return stillValid && sameAudience && sameX5C;
        }