/// <summary>
        /// Method that queries the OP server to obtain the OpenID configuration.
        /// </summary>
        /// <param name="hostname">The hostname of the OP to be queried.</param>
        /// <param name="expectedIssuer">(optional) the issuer expected from the OP configuration.
        /// This information can come, for instance, from a previous issuer discovery process
        /// via webfinger.</param>
        /// <returns>An oject describing all relevant properties of the OP.</returns>
        /// <exception cref="OpenIDClient.OIDCException">Thrown when the returned message from server
        /// is not valid or if wrong issuer is found in the answer.</exception>
        public OIDCProviderMetadata ObtainProviderInformation(string hostname, string expectedIssuer = null)
        {
            string     query              = "/.well-known/openid-configuration";
            WebRequest webRequest         = WebRequest.Create(hostname + query);
            Dictionary <string, object> o = WebOperations.GetUrlContent(webRequest);
            OIDCProviderMetadata        providerMetadata = new OIDCProviderMetadata(o);

            if (expectedIssuer != null && !expectedIssuer.Equals(providerMetadata.Issuer))
            {
                throw new OIDCException("Wrong issuer, discarding configuration");
            }

            return(providerMetadata);
        }
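        /// <summary>
        /// Retrieves the OpenID Provider configuration from the OP's
        /// <c>/.well-known/openid-configuration</c> endpoint.
        /// </summary>
        /// <param name="hostname">The issuer URL of the OP to be queried. A trailing '/' is
        /// stripped before the well-known path is appended (OpenID Connect Discovery rule).</param>
        /// <param name="expectedIssuer">(optional) the issuer expected from the OP configuration.
        /// This information can come, for instance, from a previous issuer discovery process
        /// via webfinger. If supplied, the <c>issuer</c> value in the response has to be
        /// identical to it.</param>
        /// <returns>An object describing all relevant properties of the OP.</returns>
        /// <exception cref="System.ArgumentNullException">Thrown when <paramref name="hostname"/> is null.</exception>
        /// <exception cref="OpenIDClient.OIDCException">Thrown when the returned message from server
        /// is not valid or if wrong issuer is found in the answer.</exception>
        public OIDCProviderMetadata ObtainProviderInformation(string hostname, string expectedIssuer = null)
        {
            if (hostname == null)
            {
                throw new System.ArgumentNullException("hostname");
            }

            // Per the discovery spec the issuer's terminating '/' is removed before the
            // well-known path is appended, so "https://op/" does not turn into "https://op//...".
            string wellKnownUrl = hostname.TrimEnd('/') + "/.well-known/openid-configuration";

            // NOTE(review): the fetched document drives every later step (endpoints, keys);
            // the scheme is whatever hostname carries — confirm callers use https.
            Dictionary<string,object> configuration = WebOperations.GetUrlContent(WebRequest.Create(wellKnownUrl));
            OIDCProviderMetadata metadata = new OIDCProviderMetadata(configuration);

            // Ordinal comparison on purpose: the issuer must be identical, not just URL-equivalent.
            bool issuerMismatch = expectedIssuer != null && !string.Equals(expectedIssuer, metadata.Issuer);
            if (issuerMismatch)
            {
                throw new OIDCException("Wrong issuer, discarding configuration");
            }

            return metadata;
        }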
 /// <summary>
 /// Fetches the provider configuration from the URL returned by <c>GetBaseUrl("/")</c>
 /// and keeps it in the <c>providerMetadata</c> field for later use.
 /// </summary>
 public void GetProviderMetadata()
 {
     var baseUrl = GetBaseUrl("/");
     var relyingParty = new OpenIdRelyingParty();
     providerMetadata = relyingParty.ObtainProviderInformation(baseUrl);
 }
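        /// <summary>
        /// Validates the claims of an ID Token (issuer, audience / authorized party, expiry,
        /// issue time and, when one was sent, the nonce) against the client and provider data.
        /// </summary>
        /// <param name="idToken">The parsed ID Token to validate.</param>
        /// <param name="clientInformation">Client registration data; its ClientId must be among the token's audiences.</param>
        /// <param name="providerMetadata">Provider configuration; its Issuer must match the token's iss claim.</param>
        /// <param name="nonce">(optional) the nonce sent in the authentication request. When non-null the
        /// token's nonce claim must be equal to it (a missing claim counts as a mismatch).</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="idToken"/>,
        /// <paramref name="clientInformation"/> or <paramref name="providerMetadata"/> is null.</exception>
        /// <exception cref="OpenIDClient.OIDCException">Thrown when any claim check fails.</exception>
        public void ValidateIdToken(OIDCIdToken idToken, OIDCClientInformation clientInformation, OIDCProviderMetadata providerMetadata, string nonce)
        {
            if (idToken == null)
            {
                throw new ArgumentNullException("idToken");
            }
            if (clientInformation == null)
            {
                throw new ArgumentNullException("clientInformation");
            }
            if (providerMetadata == null)
            {
                throw new ArgumentNullException("providerMetadata");
            }

            // A token without an issuer is a validation failure, not a NullReferenceException
            // from Trim(); a missing provider issuer is treated the same way.
            if (idToken.Iss == null || providerMetadata.Issuer == null
                || idToken.Iss.Trim('/') != providerMetadata.Issuer.Trim('/'))
            {
                throw new OIDCException("Wrong issuer for the token.");
            }

            if (idToken.Aud == null || !idToken.Aud.Contains(clientInformation.ClientId))
            {
                throw new OIDCException("Intended audience of the token does not include client_id.");
            }

            if (idToken.Aud.Count > 1 && idToken.Azp == null)
            {
                throw new OIDCException("Multiple audience but no authorized party specified.");
            }

            if (idToken.Azp != null && idToken.Azp != clientInformation.ClientId)
            {
                throw new OIDCException("The authorized party does not match client_id.");
            }

            // Both time checks use one UTC reading. The iat check previously used DateTime.Now
            // (local time), which shifted its window by the machine's UTC offset while the exp
            // check used UtcNow. Assumes Exp/Iat are UTC values — TODO confirm against the token parser.
            DateTime now = DateTime.UtcNow;
            TimeSpan clockSkew = new TimeSpan(0, 10, 0);   // tolerated OP/client clock difference
            TimeSpan maxTokenAge = new TimeSpan(24, 0, 0); // tokens issued earlier than this are refused

            if (idToken.Exp < now - clockSkew)
            {
                throw new OIDCException("The token is expired.");
            }

            if (idToken.Iat < now - maxTokenAge)
            {
                throw new OIDCException("The token has been issued more than a day ago.");
            }

            // If a nonce was sent, the claim must be present and identical; a null claim fails here.
            if (nonce != null && idToken.Nonce != nonce)
            {
                throw new OIDCException("Wrong nonce value in token.");
            }
        }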