/// <summary> /// Validates the JWT token /// </summary> protected virtual async Task <JsonWebToken> ValidateJwtAsync(JwtRequestValidationContext context, IEnumerable <SecurityKey> keys) { var tokenValidationParameters = new TokenValidationParameters { IssuerSigningKeys = keys, ValidateIssuerSigningKey = true, ValidIssuer = context.Client.ClientId, ValidateIssuer = true, ValidAudience = await GetAudienceUri(), ValidateAudience = true, RequireSignedTokens = true, RequireExpirationTime = true }; var strictJarValidation = context.StrictJarValidation.HasValue ? context.StrictJarValidation.Value : Options.StrictJarValidation; if (strictJarValidation) { tokenValidationParameters.ValidTypes = new[] { JwtClaimTypes.JwtTypes.AuthorizationRequest }; } var result = Handler.ValidateToken(context.JwtTokenString, tokenValidationParameters); if (!result.IsValid) { throw result.Exception; } return((JsonWebToken)result.SecurityToken); }
/// <summary> /// Processes the JWT contents /// </summary> /// <param name="context"></param> /// <param name="token">The JWT token</param> /// <returns></returns> protected virtual Task <List <Claim> > ProcessPayloadAsync(JwtRequestValidationContext context, JsonWebToken token) { // filter JWT validation values var filter = Constants.Filters.JwtRequestClaimTypesFilter.ToList(); if (context.IncludeJti) { // don't filter out the jti claim filter.Remove(JwtClaimTypes.JwtId); } var filtered = token.Claims.Where(claim => !filter.Contains(claim.Type)); return(Task.FromResult(filtered.ToList())); }
/// <inheritdoc/> public virtual async Task <JwtRequestValidationResult> ValidateAsync(JwtRequestValidationContext context) { using var activity = Tracing.BasicActivitySource.StartActivity("JwtRequestValidator.Validate"); if (context == null) { throw new ArgumentNullException(nameof(context)); } if (context.Client == null) { throw new ArgumentNullException(nameof(context.Client)); } if (String.IsNullOrWhiteSpace(context.JwtTokenString)) { throw new ArgumentNullException(nameof(context.JwtTokenString)); } var fail = new JwtRequestValidationResult { IsError = true }; List <SecurityKey> trustedKeys; try { trustedKeys = await GetKeysAsync(context.Client); } catch (Exception e) { Logger.LogError(e, "Could not parse client secrets"); return(fail); } if (!trustedKeys.Any()) { Logger.LogError("There are no keys available to validate JWT."); return(fail); } JsonWebToken jwtSecurityToken; try { jwtSecurityToken = await ValidateJwtAsync(context, trustedKeys); } catch (Exception e) { Logger.LogError(e, "JWT token validation error"); return(fail); } if (jwtSecurityToken.TryGetPayloadValue <string>(OidcConstants.AuthorizeRequest.Request, out _) || jwtSecurityToken.TryGetPayloadValue <string>(OidcConstants.AuthorizeRequest.RequestUri, out _)) { Logger.LogError("JWT payload must not contain request or request_uri"); return(fail); } var payload = await ProcessPayloadAsync(context, jwtSecurityToken); var result = new JwtRequestValidationResult { IsError = false, Payload = payload }; Logger.LogDebug("JWT request object validation success."); return(result); }