// internal for testing
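        /// <summary>
        /// Validates a Google-signed JWT. The Google-specific checks (length cap, signing algorithm,
        /// optional hosted-domain claim) run first, then the general signed-token verification.
        /// </summary>
        /// <param name="jwt">The signed token string to validate.</param>
        /// <param name="validationSettings">
        /// Settings that drive validation; checked with <c>ThrowIfNull</c>. A clone is used for the
        /// hosted-domain comparison.
        /// </param>
        /// <returns>The token payload, returned only after every check has passed.</returns>
        /// <exception cref="InvalidJwtException">
        /// The token is longer than <c>MaxJwtLength</c>, its header algorithm is not
        /// <c>SupportedJwtAlgorithm</c>, or a hosted domain is configured and the token's 'hd' claim
        /// differs from it. Failures of the general verification surface from the awaited call.
        /// </exception>
        internal static async Task<Payload> ValidateInternalAsync(string jwt, ValidationSettings validationSettings)
        {
            var settings = validationSettings.ThrowIfNull(nameof(validationSettings)).Clone();
            // NOTE(review): the options come from the caller's instance while the 'hd' check below reads
            // the clone - confirm whether both are meant to use the same snapshot.
            var verificationOptions = validationSettings.ToVerificationOptions();

            // Google signed tokens must not exceed this length.
            // It's not clear if there's an absolute size limit for all possible tokens,
            // that's why this check is only here and not on SignedTokenVerification.
            // The cap is applied before the token is parsed so that an oversized input is rejected
            // without being split or decoded first. A null jwt is passed on to FromSignedToken
            // unchanged, so null handling stays where it was.
            if (jwt != null && jwt.Length > MaxJwtLength)
            {
                throw new InvalidJwtException($"JWT exceeds maximum allowed length of {MaxJwtLength}");
            }

            var signedToken = SignedToken<Header, Payload>.FromSignedToken(jwt);

            // The header and payload read below are not verified yet; these checks can only reject
            // a token, and the payload is returned only once the verification call has completed.

            // Google signed tokens are signed with RS256.
            if (signedToken.Header.Algorithm != SupportedJwtAlgorithm)
            {
                throw new InvalidJwtException($"JWT algorithm must be '{SupportedJwtAlgorithm}'");
            }

            // Google signed tokens can contain a G Suite hosted domain claim.
            if (settings.HostedDomain != null && signedToken.Payload.HostedDomain != settings.HostedDomain)
            {
                throw new InvalidJwtException("JWT contains invalid 'hd' claim.");
            }

            // General verification starts only after the cheap checks have passed, so a token that
            // fails them triggers no verification work and leaves no un-awaited task behind whose
            // failure would go unobserved.
            await SignedTokenVerification
                .VerifySignedTokenAsync(signedToken, verificationOptions, default)
                .ConfigureAwait(false);

            // All verification passed, return payload.
            return signedToken.Payload;
        }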