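/// <summary>
/// Finishes loading the request: parses a form-encoded body when one is declared, then
/// classifies the <c>Authorization</c> header and validates or reads the bearer token.
/// </summary>
/// <param name="validJwtRequired">
/// When <c>true</c>, the bearer token is checked with <c>ValidateToken</c> against
/// <paramref name="tokenValidationParameters"/>. When <c>false</c>, a supplied token is only
/// parsed with <c>ReadToken</c>.
/// </param>
/// <param name="tokenValidationParameters">
/// Validation settings passed to <c>ValidateToken</c>; not used when
/// <paramref name="validJwtRequired"/> is <c>false</c>.
/// </param>
/// <returns>
/// <c>NotRequired</c> when no token is needed and none was sent; <c>Invalid</c> when the header is
/// missing, is not a <c>Bearer</c> credential, or the token is rejected; <c>Expired</c> or
/// <c>NotYetValid</c> for lifetime failures; otherwise <c>Ok</c>, with <c>SecurityToken</c> set.
/// </returns>
public TokenState FinaliseLoad(bool validJwtRequired, TokenValidationParameters tokenValidationParameters)
{
    const string BearerPrefix = "Bearer ";

    // Check for the header before indexing: requests without a Content-Type are normal, and an
    // indexer lookup for a missing key can throw on dictionary-style collections.
    // NOTE(review): the comparison is an exact match, so a value carrying parameters
    // (e.g. "; charset=...") does not trigger parsing - confirm that is intended.
    if (RequestHeader.ContainsKey("Content-Type")
        && RequestHeader["Content-Type"] == "application/x-www-form-urlencoded")
    {
        // Body contains &-separated parameters. This runs before any token check, so
        // ParseParameters must treat its input as unauthenticated.
        ParseParameters(Encoding.ASCII.GetString(Body));
    }

    bool hasAuthorization = RequestHeader.ContainsKey("Authorization");

    // No token required and no token supplied.
    if (!validJwtRequired && !hasAuthorization)
    {
        return TokenState.NotRequired;
    }

    // From here on a header is either required or was supplied voluntarily; in both cases it
    // must be a Bearer credential. Ordinal comparison keeps the scheme check independent of the
    // thread's current culture.
    if (!hasAuthorization
        || !RequestHeader["Authorization"].StartsWith(BearerPrefix, StringComparison.Ordinal))
    {
        return TokenState.Invalid;
    }

    var payload = RequestHeader["Authorization"].Substring(BearerPrefix.Length);

    try
    {
        SecurityToken token;
        if (validJwtRequired)
        {
            _securityTokenHandler.ValidateToken(payload, tokenValidationParameters, out token);
        }
        else
        {
            // SECURITY: this path only parses the token. No signature, issuer, audience or
            // lifetime validation is requested here, yet the method still returns Ok. Callers
            // must not base authorization decisions on SecurityToken's claims when
            // validJwtRequired is false.
            token = _securityTokenHandler.ReadToken(payload);
        }

        // An InvalidCastException from this cast is not caught below and reaches the caller.
        SecurityToken = (JwtSecurityToken)token;
        return TokenState.Ok;
    }
    catch (SecurityTokenExpiredException ex)
    {
        logger.Trace($".net ValidateToken threw {ex.GetType().Name}");
        return TokenState.Expired;
    }
    catch (SecurityTokenNotYetValidException ex)
    {
        logger.Trace($".net ValidateToken threw {ex.GetType().Name}");
        return TokenState.NotYetValid;
    }
    catch (SecurityTokenException ex)
    {
        // The order of these is important: SecurityTokenException is a base class of
        // SecurityTokenExpiredException and SecurityTokenNotYetValidException as well as others.
        logger.Trace($".net ValidateToken threw {ex.GetType().Name}");
        return TokenState.Invalid;
    }
    catch (ArgumentException ex)
    {
        // Base class of ArgumentNullException.
        logger.Trace($".net ValidateToken threw {ex.GetType().Name}");
        return TokenState.Invalid;
    }
}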