private async void onVerifyClick(object sender, RoutedEventArgs e) { // do something string issuer = ""; List<SecurityToken> signingTokens = null; try { string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority); ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint); OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync(); issuer = config.Issuer; signingTokens = config.SigningTokens.ToList(); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = audience, ValidIssuer = issuer, IssuerSigningTokens = signingTokens, CertificateValidator = X509CertificateValidator.None }; // Validate token. SecurityToken validatedToken = new JwtSecurityToken(); ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(m_access_token, validationParameters, out validatedToken); var puid = claimsPrincipal.FindFirst(@"puid"); MessageBox.Show("Verify Access token success! "); } catch(Exception ex) { string message = ex.Message; if (ex.InnerException != null) { message += "Verifing Access token get Inner Exception : " + ex.InnerException.Message; } MessageBox.Show(message); } }
// // SendAsync checks that incoming requests have a valid access token, and sets the current user identity using that access token. // protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { string authHeader = null; string jwtToken = null; string issuer; string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority); List<SecurityToken> signingTokens; // The header is of the form "bearer <accesstoken>", so extract to the right of the whitespace to find the access token. authHeader = HttpContext.Current.Request.Headers["Authorization"]; if (authHeader != null) { int startIndex = authHeader.LastIndexOf(' '); if (startIndex > 0) { jwtToken = authHeader.Substring(startIndex).Trim(); } } if (jwtToken == null) { HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Unauthorized); return response; } try { // The issuer and signingTokens are cached for 24 hours. They are updated if any of the conditions in the if condition is true. if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24 || string.IsNullOrEmpty(_issuer) || _signingTokens == null) { // Get tenant information that's used to validate incoming jwt tokens ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint); OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync(); _issuer = config.Issuer; _signingTokens = config.SigningTokens.ToList(); _stsMetadataRetrievalTime = DateTime.UtcNow; } issuer = _issuer; signingTokens = _signingTokens; } catch (Exception) { return new HttpResponseMessage(HttpStatusCode.InternalServerError); } JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidAudience = audience, ValidIssuer = issuer, IssuerSigningTokens = signingTokens, CertificateValidator = X509CertificateValidator.None }; try { // Validate token. SecurityToken validatedToken = new JwtSecurityToken(); ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken); // Set the ClaimsPrincipal on the current thread. Thread.CurrentPrincipal = claimsPrincipal; // Set the ClaimsPrincipal on HttpContext.Current if the app is running in web hosted environment. if (HttpContext.Current != null) { HttpContext.Current.User = claimsPrincipal; } // If the token is scoped, verify that required permission is set in the scope claim. if (ClaimsPrincipal.Current.FindFirst(scopeClaimType) != null && ClaimsPrincipal.Current.FindFirst(scopeClaimType).Value != "user_impersonation") { HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Forbidden); return response; } return await base.SendAsync(request, cancellationToken); } catch (SecurityTokenValidationException) { HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Unauthorized); return response; } catch (Exception) { return new HttpResponseMessage(HttpStatusCode.InternalServerError); } }