/// <summary>
/// Builds the caller's claims principal from the Simple Web Token carried in the
/// <c>Authorization</c> header of the current request.
/// </summary>
/// <returns>
/// A principal whose identity holds the token's claims, or <c>null</c> when the request
/// carries no <c>Authorization</c> header or no token could be extracted from it.
/// Callers must treat <c>null</c> as "unauthenticated", not as an error.
/// </returns>
/// <exception cref="InvalidSecurityException">
/// Thrown when the token signature does not verify against the configured key, when the
/// token was issued for a different audience, or when the token has expired.
/// </exception>
protected virtual IClaimsPrincipal GetUserPrincipal()
{
    string authHeader = HttpContext.Current.Request.Headers["Authorization"];
    if (string.IsNullOrEmpty(authHeader))
    {
        // No credentials presented at all.
        return null;
    }

    string tokenText = GetTokenFromHeader(authHeader);
    if (string.IsNullOrEmpty(tokenText))
    {
        // Header present but no token could be extracted from it.
        return null;
    }

    SimpleWebToken token = SimpleWebToken.FromString(tokenText);

    // The signature is verified before any other field of the token is trusted.
    // The key is the base64-encoded "SigningKey" value from appSettings.
    byte[] signingKey = Convert.FromBase64String(ConfigurationManager.AppSettings.Get("SigningKey"));
    if (!token.SignVerify(signingKey))
    {
        throw new InvalidSecurityException("Token signature is invalid. Ensure that the correct signing key is configured in Web.config.");
    }

    // Reject tokens that were issued for another relying party, even if validly signed.
    bool audienceMatches = string.Equals(token.Audience, "https://oauth2RelyingParty/", StringComparison.OrdinalIgnoreCase);
    if (!audienceMatches)
    {
        throw new InvalidSecurityException("Token is not issued for this relying party.");
    }

    // NOTE(review): the comparison uses local time (DateTime.Now). If FromString populates
    // ExpiresOn as UTC, this check is off by the server's UTC offset — confirm the Kind of
    // ExpiresOn before relying on this boundary.
    if (token.ExpiresOn < DateTime.Now)
    {
        throw new InvalidSecurityException("Token is expired.");
    }

    // Additional checks omitted for brevity.
    // In a real-world application, the issuer and claims would likely be verified as well.
    ClaimsIdentity identity = new ClaimsIdentity(token.Claims);
    return ClaimsPrincipal.CreateFromIdentity(identity);
}