public JwtAuthenticationOwinMiddlewareTests()
{
var signingCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(Convert.FromBase64String(Key)),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new []
{
new Claim("sub", "Alice"),
new Claim("email", "*****@*****.**"),
}),
TokenIssuerName = Issuer,
AppliesToAddress = Audience,
Lifetime = new Lifetime(now, now.AddMinutes(LifetimeInMinutes)),
SigningCredentials = signingCredentials,
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
_tokenString = tokenHandler.WriteToken(token);
}
/// <summary>
/// Sets a JWT authorization header on the default request headers of an <see cref="HttpClient"/>.
/// </summary>
/// <param name="client">The client for which to set the authorization header.</param>
/// <param name="signingCertificate">The signing certificate to sign the token.</param>
/// <param name="appliesToAddress">The address for which the token is considered valid.</param>
/// <param name="claims">The claims that define the user. Leave null for an anonymous user.</param>
/// <param name="tokenIssuerName">Name of the token issuer. Defaults to "self".</param>
/// <param name="tokenDuration">
/// The token duration for which it's considered valid. Defaults to 2 hours.
/// </param>
/// <exception cref="ArgumentNullException">
/// <paramref name="signingCertificate"/> is <see langword="null"/>.
/// </exception>
/// <exception cref="ArgumentException">
/// <paramref name="appliesToAddress"/> is <see langword="null"/> or empty.
/// </exception>
/// <exception cref="ArgumentException">
/// <paramref name="tokenIssuerName"/> is <see langword="null"/> or empty.
/// </exception>
public static void SetJwtAuthorizationHeader(
this HttpClient client,
X509Certificate2 signingCertificate,
string appliesToAddress,
IEnumerable<Claim> claims = null,
string tokenIssuerName = "self",
TimeSpan? tokenDuration = null)
{
signingCertificate.AssertNotNull("signingCertificate");
appliesToAddress.AssertNotNullOrWhitespace("appliesToAddress");
tokenIssuerName.AssertNotNullOrWhitespace("tokenIssuerName");
var now = DateTime.UtcNow;
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
TokenIssuerName = tokenIssuerName,
AppliesToAddress = appliesToAddress,
Lifetime = new Lifetime(now, now.Add(tokenDuration ?? TimeSpan.FromHours(2))),
SigningCredentials = new X509SigningCredentials(signingCertificate)
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
string tokenString = tokenHandler.WriteToken(token);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenString);
}
//http://blog.asteropesystems.com/securing-web-api-requests-with-json-web-tokens/
public string GetToken(string username, List<ActivityClaim> activityClaims)
{
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var claims = new ClaimsIdentity(new[]
{
new Claim( ClaimTypes.UserData, "IsValid", ClaimValueTypes.String ),
new Claim( ClaimTypes.Name, username, ClaimValueTypes.String )
});
claims.AddClaims(activityClaims.Select(c => new Claim(ClaimTypes.UserData, c.ToString(), ClaimValueTypes.String)));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = claims,
TokenIssuerName = "self",
AppliesToAddress = "https://api.knowthyshelf.com",
Lifetime = new Lifetime(now, now.AddYears(10)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(TOKEN_SECURITY_KEY),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
public string Post(Credential credential)
{
if (credential.username == "admin" && credential.password == "123")
{
var tokenHandler = new JwtSecurityTokenHandler();
var securityKey = Authorization.GetBytes("anyoldrandomtext");
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim( ClaimTypes.UserData,"IsValid", ClaimValueTypes.String, "(local)" )
}),
TokenIssuerName = "self",
AppliesToAddress = "https://www.mywebsite.com",
Lifetime = new Lifetime(now, now.AddMinutes(60)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(securityKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
else
{
return string.Empty;
}
}
static string CreateTokenWithInMemorySymmetricSecurityKey()
{
var now = DateTime.UtcNow;
var tokenHandler = new JwtSecurityTokenHandler();
var symmetricKey = new RandomBufferGenerator(256 / 8).GenerateBufferFromSeed(256 / 8);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, "Tugberk"),
new Claim(ClaimTypes.Role, "Sales"),
}),
TokenIssuerName = "self",
AppliesToAddress = "http://www.example.com",
Lifetime = new Lifetime(now, now.AddMinutes(2)),
SigningCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(symmetricKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256")
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
string tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
public void End2End_OpenIdConnect()
{
SigningCredentials rsaSigningCredentials =
new SigningCredentials(
KeyingMaterial.RsaSecurityKey_Private2048,
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha256Digest,
new SecurityKeyIdentifier(new NamedKeySecurityKeyIdentifierClause("kid", "NGTFvdK-fythEuLwjpwAJOM9n-A"))
);
//"<RSAKeyValue><Modulus>rCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
RSA rsa = KeyingMaterial.RsaSecurityKey_2048.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false) as RSA;
OpenIdConnectConfiguration configuration = OpenIdConnectConfigurationRetriever.GetAsync(OpenIdConfigData.OpenIdConnectMetadataFile, CancellationToken.None).Result;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = tokenHandler.CreateToken(
configuration.Issuer,
IdentityUtilities.DefaultAudience,
IdentityUtilities.DefaultClaimsIdentity,
DateTime.UtcNow,
DateTime.UtcNow + TimeSpan.FromHours(1),
rsaSigningCredentials );
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningTokens = configuration.SigningTokens,
ValidAudience = IdentityUtilities.DefaultAudience,
ValidIssuer = configuration.Issuer,
};
SecurityToken securityToken = null;
tokenHandler.ValidateToken(jwt.RawData, validationParameters, out securityToken);
}
public LoginResult PostSignIn([FromBody] LoginCredential credentials)
{
var auth = new LoginResult() { Authenticated = false };
var userRoles = QueryableDependencies.GetLoginUserRoles(credentials.UserName, credentials.Password);
if (userRoles.Count > 0)
//if (userRoles.Where(r => r == "CredentialSystem").Any())
{
auth.Authenticated = true;
var allClaims = userRoles.Select(r => new Claim(ClaimTypes.Role, r.ToString())).ToList();
allClaims.Add(new Claim(ClaimTypes.Name, credentials.UserName));
allClaims.Add(new Claim(ClaimTypes.Role, userRoles[0].ToString()));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(allClaims),
AppliesToAddress = ConfigurationManager.AppSettings["JwtAllowedAudience"],
TokenIssuerName = ConfigurationManager.AppSettings["JwtValidIssuer"],
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(JwtTokenValidationHandler.SymmetricKey), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
auth.Token = tokenString;
}
return auth;
}
static string BearerToken()
{
var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256";
var securityKey = Convert.FromBase64String(mainKey);
var inMemKey = new InMemorySymmetricSecurityKey(securityKey);
ClaimsIdentity identity = new ClaimsIdentity();
identity.AddClaim(new Claim("scope", "Full"));
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
SecurityToken securityToken = handler.CreateToken(new SecurityTokenDescriptor()
{
TokenType = "Bearer",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(1)),
SigningCredentials = new SigningCredentials(inMemKey, signatureAlgorithm, digestAlgorithm),
//This data I would get by matching the jwtSecurityToken.Audience to database or something
TokenIssuerName = "PaulsSite",
AppliesToAddress = "http://JoshsSite",
Subject = identity
}
);
return handler.WriteToken(securityToken);
}
private static void Main(string[] args)
{
var key = Convert.FromBase64String(SymmetricKey);
var credentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, "bhogg"),
new Claim(ClaimTypes.GivenName, "Boss"),
new Claim(ClaimTypes.Surname, "Hogg"),
new Claim(ClaimTypes.Role, "Manager"),
new Claim(ClaimTypes.Role, "SeniorWorker"),
}),
TokenIssuerName = "corp",
AppliesToAddress = "http://www.example.com",
SigningCredentials = credentials,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddYears(10))
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
Console.WriteLine(tokenString);
Debug.WriteLine(tokenString);
Console.ReadLine();
}
public static string GetJwtToken(this ClaimsIdentity identity, SecurityTokenDescriptor tokenDescriptor)
{
if (identity == null || tokenDescriptor == null) return null;
tokenDescriptor.Subject = identity;
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
public async Task<Client> FindClientByIdAsync(string clientId)
{
var clientsUri = $"admin-api/api/clients/{clientId}";
//var cert = Cert.Load(StoreName.My, StoreLocation.CurrentUser, "b512d01195667dbc7c4222ec6fd563ac64e3d450");
//var handler = new WebRequestHandler();
//handler.ClientCertificates.Add(cert);
// Retrieve an access token from the IdentityAdmin /authorize OAuth endpoint
using (var client = new HttpClient())
{
client.BaseAddress = new Uri(this.identityAdminUri);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var cert = Cert.Load(typeof(IOwinBootstrapper).Assembly, "Cert", "idsrv3test.pfx", "idsrv3test");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim("name", "idServer"),
new Claim("role", "IdentityAdminManager"),
new Claim("scope", "idadmin-api")
}),
TokenIssuerName = "idServer",
AppliesToAddress = this.identityAdminUri,
Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddMinutes(10)),
SigningCredentials = new X509SigningCredentials(cert)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var accessToken = tokenHandler.WriteToken(securityToken);
var jwtParams = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role",
ValidAudience = this.identityAdminUri,
ValidIssuer = "idServer",
IssuerSigningToken = new X509SecurityToken(cert)
};
SecurityToken validatedToken;
tokenHandler.ValidateToken(accessToken, jwtParams, out validatedToken);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync(clientsUri);
var str = await response.Content.ReadAsStringAsync();
}
return null;
}
#pragma warning disable 1998
public override async Task<Result> Execute()
{
Result result = new Result();
try
{
Console.Out.WriteLine("Generating access token...");
// encryption key
string key_s = ConfigurationManager.ConnectionStrings["JWTKey"].ConnectionString;
byte[] key_b = new byte[key_s.Length * sizeof(char)];
System.Buffer.BlockCopy(key_s.ToCharArray(), 0, key_b, 0, key_b.Length);
// create the token
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
ClaimsIdentity subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Uri, SiteUrl, ClaimValueTypes.String) });
SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
{
Subject = subject,
TokenIssuerName = "SpSat",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(4)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(key_b), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
};
SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
using (ClientContext context = new ClientContext(SiteUrl))
{
// authenticate
string usernamePassword = ConfigurationManager.ConnectionStrings["SharePoint"].ConnectionString;
dynamic usernamePassword_j = Newtonsoft.Json.JsonConvert.DeserializeObject(usernamePassword);
string username = usernamePassword_j.username;
string password = usernamePassword_j.password;
SecureString password_s = new SecureString();
Array.ForEach(password.ToCharArray(), password_s.AppendChar);
context.Credentials = new SharePointOnlineCredentials(username, password_s);
// write the token to the property bag
PropertyValues webProperties = context.Web.AllProperties;
webProperties["accessToken"] = tokenHandler.WriteToken(token);
context.Web.Update();
context.ExecuteQuery();
}
Console.Out.WriteLine("Completed generating access token.");
result.Status = Status.Success;
}
catch (Exception ex)
{
result.Status = Status.Failure;
result.Log.Add(ex.Message);
}
return result;
}
public static string CreateTokenAsBase64(this SecurityTokenDescriptor securityTokenDescriptor)
{
var tokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken = tokenHandler.CreateToken(securityTokenDescriptor);
string token = tokenHandler.WriteToken(securityToken);
string tokenAsBase64 = token;
return tokenAsBase64;
}
static string GetClientAssertion(string tenantId, string clientId, X509Certificate2 cert)
{
var claims = new List<Claim>();
claims.Add(new Claim("sub", clientId));
var handler = new JwtSecurityTokenHandler();
var credentials = new X509SigningCredentials(cert);
return handler.CreateToken(
issuer: clientId,
audience: String.Format(TokenEndpoint, tenantId),
subject: new ClaimsIdentity(claims),
signingCredentials: credentials).RawData;
}
public static string CreateJwtToken(string userName, string role)
{
var claimList = new List<Claim>()
{
new Claim(ClaimTypes.Name, userName),
new Claim(ClaimTypes.Role, role) //Not sure what this is for
};
var tokenHandler = new JwtSecurityTokenHandler() { RequireExpirationTime = true };
var sSKey = new InMemorySymmetricSecurityKey(SecurityConstants.KeyForHmacSha256);
var jwtToken = tokenHandler.CreateToken(makeSecurityTokenDescriptor(sSKey, claimList));
return tokenHandler.WriteToken(jwtToken);
}
private string GetJwtString(string email, string firstName, string lastName)
{
var jwtTokenHandler = new JwtSecurityTokenHandler();
var token = jwtTokenHandler.CreateToken(new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(Authentication.ClaimTypes.Name, email),
new Claim(Authentication.ClaimTypes.Email, email),
new Claim(Authentication.ClaimTypes.Name, $"{firstName} {lastName}"),
new Claim(Authentication.ClaimTypes.GivenName, firstName)
}),
});
return jwtTokenHandler.WriteToken(token);
}
public static Token CreateToken(UserInfo user, string perms)
{
var claims = new List<Claim>()
{
new Claim(ClaimTypes.UserData, user.UserId.ToString()),
new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()),
new Claim(ClaimTypes.Sid, user.UserId.ToString()),
new Claim(ClaimTypes.Name, user.FullName.ToString())
};
var key = new InMemorySymmetricSecurityKey(TokenConstants.TokenKey);
var jwt = new JwtSecurityTokenHandler() { TokenLifetimeInMinutes = TokenConstants.TokenLifetimeInMinutes };
var token = jwt.CreateToken(CreateSecurityTokenDescriptor(claims, key));
return new Token() { Value = jwt.WriteToken(token), Expiry = TokenConstants.TokenLifetimeInMinutes, User = user.FullName, Perms = perms };
}
public async Task<IActionResult> Post([FromBody] RegistrationRequestModel registrationRequestModel)
{
if (!ModelState.IsValid)
{
return HttpUnauthorized();
}
if (UserManager.Users.Any(u => u.UserName == registrationRequestModel.UserName))
{
return HttpBadRequest($"User {registrationRequestModel.UserName} is already exists");
// throw new DuplicateNameException();
}
var result = await UserManager.CreateAsync(new User()
{
UserName = registrationRequestModel.UserName,
Email = registrationRequestModel.Email
}, registrationRequestModel.Password);
if (!result.Succeeded)
{
//TODO: change to aprop error
return HttpUnauthorized();
}
var user = UserManager.Users.First(u => u.UserName == registrationRequestModel.UserName);
var roles = await UserManager.GetRolesAsync(user);
var claims = new List<Claim>(new Claim[] { new Claim(ClaimTypes.Name, user.UserName) });
claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
claims.AddRange(user.Claims.Select(c => new Claim(c.ClaimType, c.ClaimValue)));
var identity = new ClaimsIdentity(claims, "JWT");
var handler = new JwtSecurityTokenHandler();
var rsa = new RSACryptoServiceProvider(2048);
var rsaParams = rsa.ExportParameters(true);
var rsaKey = new RsaSecurityKey(rsaParams);
var secKey = string.Empty; // Shared secure key that used for JWT auth
var secToken = handler.CreateToken("myself", "myself", identity, DateTime.UtcNow, DateTime.UtcNow.AddDays(1),
new SigningCredentials(rsaKey, JwtAlgorithms.RSA_SHA256, JwtAlgorithms.RSA_SHA256, secKey));
var token = handler.WriteToken(secToken);
return this.Ok(token);
}
/// <summary>
/// Generate an token.
/// </summary>
/// <param name="username">The username.</param>
/// <returns></returns>
public string Generate(string username)
{
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
//The contents of the JWT token
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }),
TokenIssuerName = JwtTokenGenerator.TokenIssuer,
Lifetime = new Lifetime(now, now.AddHours(JwtTokenGenerator.LifetimeInHours)),
SigningCredentials = this.credentials
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
public Task<string> GenerateAccessToken(SecurityTokenDescriptor tokenDescriptor, TokenValidationParameters validationParameters)
{
return Task.Run(() =>
{
tokenDescriptor.SigningCredentials = new X509SigningCredentials(this.cert);
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var accessToken = tokenHandler.WriteToken(securityToken);
validationParameters.IssuerSigningToken = new X509SecurityToken(this.cert);
SecurityToken validatedToken;
tokenHandler.ValidateToken(accessToken, validationParameters, out validatedToken);
return accessToken;
});
}
public void AsymmetricSignatureProvider_Extensibility()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
string newAlgorithmValue = "bobsYourUncle";
string originalAlgorithmValue = ReplaceAlgorithm(SecurityAlgorithms.RsaSha256Signature, newAlgorithmValue, JwtSecurityTokenHandler.OutboundAlgorithmMap);
JwtSecurityToken jwt = handler.CreateToken(issuer: IdentityUtilities.DefaultIssuer, audience: IdentityUtilities.DefaultAudience, signingCredentials: KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2) as JwtSecurityToken;
ReplaceAlgorithm(SecurityAlgorithms.RsaSha256Signature, originalAlgorithmValue, JwtSecurityTokenHandler.OutboundAlgorithmMap);
// outbound mapped algorithm is "bobsYourUncle", inbound map will not find this
ExpectedException expectedException = ExpectedException.SignatureVerificationFailedException(substringExpected: "IDX10502:", innerTypeExpected: typeof(InvalidOperationException));
RunAlgorithmMappingTest(jwt.RawData, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handler, expectedException);
// inbound is mapped to Rsa256
originalAlgorithmValue = ReplaceAlgorithm(newAlgorithmValue, SecurityAlgorithms.RsaSha256Signature, JwtSecurityTokenHandler.InboundAlgorithmMap);
RunAlgorithmMappingTest(jwt.RawData, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handler, ExpectedException.NoExceptionExpected);
ReplaceAlgorithm(newAlgorithmValue, originalAlgorithmValue, JwtSecurityTokenHandler.InboundAlgorithmMap);
}
static void Main(string[] args)
{
var securityKey = GetBytes("ThisIsAnImportantStringAndIHaveNoIdeaIfThisIsVerySecureOrNot!");
var tokenHandler = new JwtSecurityTokenHandler();
// Token Creation
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, "Pedro"),
new Claim(ClaimTypes.Role, "Author"),
}),
TokenIssuerName = "self",
AppliesToAddress = "http://www.example.com",
Lifetime = new Lifetime(now, now.AddMinutes(2)),
SigningCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(securityKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
// Generate Token and return string
var tokenString = tokenHandler.WriteToken(token);
Console.WriteLine(tokenString);
// Token Validation
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = "http://www.example.com",
SigningToken = new BinarySecretSecurityToken(securityKey),
ValidIssuer = "self"
};
// from Token to ClaimsPrincipal - easy!
var principal = tokenHandler.ValidateToken(tokenString, validationParameters);
Console.WriteLine(principal.Claims.Single(x => x.Type == ClaimTypes.Name).Value);
Console.ReadLine();
}
internal static JwtSecurityToken CreateTokenFromClaims(IEnumerable<Claim> claims, string secretKey, string audience, string issuer, TimeSpan? lifetime)
{
DateTime created = DateTime.UtcNow;
// we allow for no expiry (if lifetime is null)
DateTime? expiry = (lifetime != null) ? created + lifetime : null;
var tokenDescriptor = new SecurityTokenDescriptor
{
AppliesToAddress = audience,
TokenIssuerName = issuer,
SigningCredentials = new HmacSigningCredentials(secretKey),
Lifetime = new Lifetime(created, expiry),
Subject = new ClaimsIdentity(claims),
};
var securityTokenHandler = new JwtSecurityTokenHandler() { SetDefaultTimesOnTokenCreation = false };
return securityTokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
}
public void Can_create_and_validate_token()
{
var tokenHandler = new JwtSecurityTokenHandler();
var symmetricKey = GetRandomBytes(256 / 8);
var now = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, "Pedro"),
new Claim(ClaimTypes.NameIdentifier, "*****@*****.**"),
new Claim(ClaimTypes.Role, "Author"),
new Claim("iat", ToEpochTime(now).ToString(),ClaimValueTypes.Integer),
}),
TokenIssuerName = "self",
AppliesToAddress = "http://www.example.com",
Lifetime = new Lifetime(now, now.AddMinutes(2)),
SigningCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(symmetricKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
Console.WriteLine(tokenString);
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = "http://www.example.com",
SigningToken = new BinarySecretSecurityToken(symmetricKey),
ValidIssuer = "self"
};
var principal = tokenHandler.ValidateToken(tokenString, validationParameters);
Assert.True(principal.Identities.First().Claims
.Any(c => c.Type == ClaimTypes.Name && c.Value == "Pedro"));
Assert.True(principal.Identities.First().Claims
.Any(c => c.Type == ClaimTypes.Role && c.Value == "Author"));
}
public static string CreateJwtToken(AuthenticationTicket data, string issuer, SigningCredentials signingCredentials)
{
string audience = issuer;
// As JWT doesn't have a mechanism of passing metadata about what claim should be the name/subject the JWT handler
// users the default Name claim type. If the identity has another claim type as the name type we need to
// switch it to the DefaultNameClaimType.
var identity = new ClaimsIdentity(data.Identity);
if (identity.NameClaimType != ClaimsIdentity.DefaultNameClaimType && !string.IsNullOrWhiteSpace(identity.Name))
{
identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, identity.Name));
identity.RemoveClaim(identity.Claims.First(c => c.Type == identity.NameClaimType));
}
// And now do the same for roles.
List<Claim> roleClaims = identity.Claims.Where(c => c.Type == identity.RoleClaimType).ToList();
if (identity.RoleClaimType != ClaimsIdentity.DefaultRoleClaimType && roleClaims.Any())
{
foreach (var roleClaim in roleClaims)
{
identity.RemoveClaim(roleClaim);
identity.AddClaim(new Claim(ClaimsIdentity.DefaultRoleClaimType, roleClaim.Value, roleClaim.ValueType, roleClaim.Issuer, roleClaim.OriginalIssuer));
}
}
identity.AddClaims(new[]
{
new Claim("iat", GetEpocTimeStamp()),
new Claim("jti", Guid.NewGuid().ToString("N"))
});
Lifetime lifetime = new Lifetime(null, null);
if (data.Properties.IssuedUtc != null || data.Properties.ExpiresUtc != null)
{
lifetime = new Lifetime(data.Properties.IssuedUtc != null ? (DateTime?)((DateTimeOffset)data.Properties.IssuedUtc).UtcDateTime : null, data.Properties.ExpiresUtc != null ? (DateTime?)((DateTimeOffset)data.Properties.ExpiresUtc).UtcDateTime : null);
}
var handler = new JwtSecurityTokenHandler();
return handler.CreateToken(issuer, audience, identity, lifetime.Created, lifetime.Expires, signingCredentials).RawData;
}
public TokenResponse ConvertToJwt(GenericXmlSecurityToken securityToken, string appliesToAddress, string issuerName, X509Certificate2 SigningCertificate)
{
var subject = this.tokenValidator.ValidateSamlToken(securityToken);
var descriptor = new SecurityTokenDescriptor
{
Subject = subject,
AppliesToAddress = appliesToAddress,
SigningCredentials = new X509SigningCredentials(SigningCertificate),
TokenIssuerName = issuerName,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(tokenLifeTimeMinutes))
};
var jwtHandler = new JwtSecurityTokenHandler();
var jwt = jwtHandler.CreateToken(descriptor);
return new TokenResponse
{
AccessToken = jwtHandler.WriteToken(jwt),
ExpiresIn = tokenLifeTimeMinutes
};
}
private static void AddAuthHeader(HttpClient client, string audience = "http://www.enyu.com")
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var signingCert = store.Certificates
.Cast<X509Certificate2>()
.FirstOrDefault(certificate => certificate.Subject == CertificateName);
var tokenDescriptor = new SecurityTokenDescriptor
{
TokenIssuerName = "DMN",
AppliesToAddress = audience,
SigningCredentials = new X509SigningCredentials(signingCert)
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenString);
}
public string CreateToken(string userId, string login)
{
var tokenHandler = new JwtSecurityTokenHandler();
ClaimsIdentity claimsIdentity = GetClaimIdentity(userId, login);
SigningCredentials sc = new SigningCredentials(
new InMemorySymmetricSecurityKey(GetSymmetricKey),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"
);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = claimsIdentity,
TokenIssuerName = Issuer,
AppliesToAddress = AllowedAudience,
Lifetime = new Lifetime(_dtp.Now, _dtp.Now.AddMinutes(TokenLifetimeInMinutes)),
SigningCredentials = sc
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
private string GetToken(string user, DateTime? expires)
{
var handler = new JwtSecurityTokenHandler();
// Here, you should create or look up an identity for the user which is being authenticated.
// For now, just creating a simple generic identity.
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });
var securityToken = handler.CreateToken(
issuer: tokenOptions.Issuer,
audience: tokenOptions.Audience,
signingCredentials: tokenOptions.SigningCredentials,
subject: identity,
expires: expires
);
return handler.WriteToken(securityToken);
}
private string CreateJwt(string userId, string role)
{
var key = Convert.FromBase64String(SymmetricKey);
var credentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
var expiration = DateTime.UtcNow.AddMinutes(20).ToLongTimeString();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, userId),
new Claim(ClaimTypes.Role, role),
new Claim("exp", expiration)
}),
TokenIssuerName = Issuer,
AppliesToAddress = Audience,
SigningCredentials = credentials
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
