internal DerivedKeySecurityToken(int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, SecurityKeyIdentifierClause tokenToDeriveIdentifier, string derivationAlgorithm, string id) { this.length = -1; this.offset = -1; this.generation = -1; this.Initialize(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm, false); }
/// <summary> /// Gets the name of the issuer. /// </summary> /// <param name="securityToken">The security token.</param> /// <returns></returns> public override string GetIssuerName(SecurityToken securityToken) { if (securityToken == null) { throw new ArgumentNullException("securityToken"); } var x509Token = securityToken as X509SecurityToken; if (x509Token != null) { var issuer = x509Token.Certificate.Thumbprint; Debug.WriteLine("Certificate thumbprint: " + issuer); return issuer; } var rsaToken = securityToken as RsaSecurityToken; if (rsaToken != null) { var issuer = rsaToken.Rsa.ToXmlString(false); Debug.WriteLine("RSA: " + issuer); return issuer; } throw new SecurityTokenException(securityToken.GetType().FullName); }
private void ResolveSecurityToken() { if (this._securityToken == null) { lock (this._lock) { if (this._securityToken == null) { ClientCredentialsSecurityTokenManager.KerberosSecurityTokenProviderWrapper wrapper = this._tokenProvider as ClientCredentialsSecurityTokenManager.KerberosSecurityTokenProviderWrapper; if (wrapper != null) { this._securityToken = wrapper.GetToken(new TimeoutHelper(this._timeout).RemainingTime(), this._channelBinding); } else { this._securityToken = this._tokenProvider.GetToken(new TimeoutHelper(this._timeout).RemainingTime()); } } } } if (this._securityToken == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.ServiceModel.SR.GetString("SecurityTokenNotResolved", new object[] { this._tokenProvider.GetType().ToString() }))); } }
void ResolveSecurityToken() { if ( _securityToken == null ) { lock ( _lock ) { if ( _securityToken == null ) { ClientCredentialsSecurityTokenManager.KerberosSecurityTokenProviderWrapper kerbTokenProvider = _tokenProvider as ClientCredentialsSecurityTokenManager.KerberosSecurityTokenProviderWrapper; if (kerbTokenProvider != null) { _securityToken = kerbTokenProvider.GetToken((new TimeoutHelper(_timeout)).RemainingTime(), _channelBinding); } else { _securityToken = _tokenProvider.GetToken((new TimeoutHelper(_timeout)).RemainingTime()); } } } } if ( _securityToken == null ) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SecurityTokenException( SR.GetString( SR.SecurityTokenNotResolved, _tokenProvider.GetType().ToString() ) ) ); } return; }
/// <summary> /// Turns a RST/ProofKey pair into a GenericXmlSecurityToken. /// </summary> /// <param name="rstr">The RSTR.</param> /// <param name="proofKey">The ProofKey.</param> /// <returns>A GenericXmlSecurityToken</returns> public static GenericXmlSecurityToken ToGenericXmlSecurityToken(this RequestSecurityTokenResponse rstr, SecurityToken proofKey) { DateTime? created = null; DateTime? expires = null; if (rstr.Lifetime != null) { created = rstr.Lifetime.Created; expires = rstr.Lifetime.Expires; if (!created.HasValue) { created = new DateTime?(DateTime.UtcNow); } if (!expires.HasValue) { expires = new DateTime?(DateTime.UtcNow.AddHours(10.0)); } } else { created = new DateTime?(DateTime.UtcNow); expires = new DateTime?(DateTime.UtcNow.AddHours(10.0)); } return new GenericXmlSecurityToken( ExtractTokenXml(rstr), proofKey, created.Value, expires.Value, rstr.RequestedAttachedReference, rstr.RequestedUnattachedReference, new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>())); }
protected override void WriteTokenCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userToken = token as UserNameSecurityToken; string tokennamespace = "o"; DateTime created = DateTime.Now; string createdStr = created.ToString("yyyy-MM-ddThh:mm:ss.fffZ"); // unique Nonce value - encode with SHA-1 for 'randomness' // in theory the nonce could just be the GUID by itself string phrase = Guid.NewGuid().ToString(); var nonce = GetSHA1String(phrase); // in this case password is plain text // for digest mode password needs to be encoded as: // PasswordAsDigest = Base64(SHA-1(Nonce + Created + Password)) // and profile needs to change to //string password = GetSHA1String(nonce + createdStr + userToken.Password); string password = userToken.Password; writer.WriteRaw(string.Format( "<{0}:UsernameToken u:Id=\"" + token.Id + "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + "<{0}:Username>" + userToken.UserName + "</{0}:Username>" + "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">" + password + "</{0}:Password>" + "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" + nonce + "</{0}:Nonce>" + "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace)); }
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : base(token, tokenPolicies) { SecurityTokenAttachmentModeHelper.Validate(attachmentMode); _tokenAttachmentMode = attachmentMode; _tokenParameters = tokenParameters; }
/// <summary> /// Overrides the base class. Validates the given issuer token. For a incoming SAML token /// the issuer token is the Certificate that signed the SAML token. /// </summary> /// <param name="securityToken">Issuer token to be validated.</param> /// <returns>Friendly name representing the Issuer.</returns> public override string GetIssuerName(SecurityToken securityToken) { CustomTextTraceSource ts = new CustomTextTraceSource("IdpAds.IdpAdsIssuerNameRegistry.GetIssuerName", "MyTraceSource", SourceLevels.Information); //TraceSource ts = new TraceSource("System.ServiceModel"); X509SecurityToken x509Token = securityToken as X509SecurityToken; if (x509Token != null) { // Warning: This sample does a simple compare of the Issuer Certificate // to a subject name. This is not appropriate for production use. // Check your validation policy and authenticate issuers based off the policy. string commonName = x509Token.Certificate.GetNameInfo(X509NameType.SimpleName, false); ts.TraceInformation("Certificate CN: " + commonName); // TODO: Why this is different in the if (CertificateUtil.ValidateCertificate(StoreName.TrustedPeople, StoreLocation.LocalMachine, x509Token.Certificate)) { ts.TraceInformation("Certificate VALID"); return x509Token.Certificate.SubjectName.Name; } } ts.TraceInformation("Untrusted issuer"); throw new SecurityTokenException("Untrusted issuer."); }
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) { bool flag = false; token = null; flag = this.tokenResolver.TryResolveToken(keyIdentifier, false, false, out token); if (!flag && (this.outOfBandTokenResolvers != null)) { for (int i = 0; i < this.outOfBandTokenResolvers.Count; i++) { flag = this.outOfBandTokenResolvers[i].TryResolveToken(keyIdentifier, out token); if (flag) { break; } } } if (!flag) { for (int j = 0; j < keyIdentifier.Count; j++) { if (this.TryResolveTokenFromIntrinsicKeyClause(keyIdentifier[j], out token)) { return true; } } } return flag; }
protected override void WriteTokenCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userToken = token as UserNameSecurityToken; string tokennamespace = "o"; DateTime created = DateTime.UtcNow; string createdStr = created.ToString("yyyy-MM-ddTHH:mm:ss.fffZ"); string phrase = Guid.NewGuid().ToString(); var nonce = Convert.ToBase64String(Encoding.UTF8.GetBytes(phrase)); SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider(); //Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) string Password_Digest = Convert.ToBase64String(sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(phrase + createdStr + userToken.Password))); // pxLqPLCXU1EiUS+NnpRuCw== var stringToWrite = string.Format( "<{0}:UsernameToken u:Id=\"" + token.Id + "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + "<{0}:Username>" + userToken.UserName + "</{0}:Username>" + "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + Password_Digest + "</{0}:Password>" + "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" + nonce + "</{0}:Nonce>" + "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace); writer.WriteRaw(stringToWrite); }
/// <summary> /// Copy constructor /// </summary> /// <param name="other">The SamlClientCredentials to create a copy of</param> protected SamlClientCredentials(SamlClientCredentials other) : base ( other ) { // Just do reference copy given sample nature this.assertion = other.assertion; this.claims = other.claims; this.proofToken = other.proofToken; }
public async Task<string> SamlToJwtAsync(SecurityToken token, string realm) { var samlToken = token as SamlSecurityToken; if (samlToken == null) throw new ArgumentException("token not an instance of a SamlSecurityToken"); return await SamlToJwtAsync(samlToken.ToTokenXmlString(), realm); }
public bool TryIssueToken(EndpointReference appliesTo, ClaimsPrincipal principal, string tokenType, out SecurityToken token) { token = null; var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = appliesTo, KeyType = KeyTypes.Bearer, TokenType = tokenType }; try { var rstr = _sts.Issue(principal, rst); token = rstr.RequestedSecurityToken.SecurityToken; return true; } catch (Exception e) { Tracing.Error("Failed to issue token. An exception occurred. " + e); return false; } }
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { if (token is GenericXmlSecurityToken) return base.CreateGenericXmlTokenKeyIdentifierClause(token, referenceStyle); else return this.CreateKeyIdentifierClause<SecurityContextKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); }
public JwtAuthenticationOwinMiddleware(AppFunc next, IEnumerable<string> AllowedAudiences, string Issuer, SecurityToken SigningToken) { this.next = next; this.AllowedAudiences = AllowedAudiences; this.Issuer = Issuer; this.SigningToken = SigningToken; }
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token) { if (token == null) { throw new ArgumentNullException(); } var userNameToken = token as UserNameSecurityToken; if (userNameToken == null) { throw new SecurityTokenException("Invalid token"); } Validator.Validate( userNameToken.UserName, userNameToken.Password ); IEnumerable<Claim> claims = new List<Claim> { new Claim( "http://schemas.microsoft.com/ws/2008/06/identity/claims/ClaimTypes.AuthenticationInstant", XmlConvert.ToString( DateTime.UtcNow, "yyyy-MM-ddTHH:mm:ss.fffZ" ), "http://www.w3.org/2001/XMLSchema#dateTime" ), new Claim( System.IdentityModel.Claims.ClaimTypes.Name, userNameToken.UserName) }; return new ReadOnlyCollection<ClaimsIdentity>(new List<ClaimsIdentity> { new ClaimsIdentity(claims, "Password") }); }
public DerivedKeySecurityToken CreateToken(SecurityToken tokenToDerive, int maxKeyLength) { DerivedKeySecurityToken result = new DerivedKeySecurityToken(this.generation, this.offset, this.length, this.label, this.nonce, tokenToDerive, this.tokenToDeriveIdentifier, this.derivationAlgorithm, this.Id); result.InitializeDerivedKey(maxKeyLength); return result; }
/// <summary> /// Overrides the base class. Validates the given issuer token. For a incoming SAML token /// the issuer token is the Certificate that signed the SAML token. /// </summary> /// <param name="securityToken">Issuer token to be validated.</param> /// <returns>Friendly name representing the Issuer.</returns> public override string GetIssuerName(SecurityToken securityToken) { Common.CustomTextTraceSource ts = new Common.CustomTextTraceSource("CommercialVehicleCollisionWebservice.WspTrustedIssuerNameRegistry.GetIssuerName", "MyTraceSource", SourceLevels.Information); X509SecurityToken x509Token = securityToken as X509SecurityToken; if (x509Token != null) { // Warning: This sample does a simple compare of the Issuer Certificate // to a subject name. This is not appropriate for production use. // Check your validation policy and authenticate issuers based off the policy. ts.TraceInformation("IssuerName: " + x509Token.Certificate.SubjectName.Name); string commonName = x509Token.Certificate.GetNameInfo(X509NameType.SimpleName, false); ts.TraceInformation("CommonName: " + commonName); if (CertificateUtil.ValidateCertificate(StoreName.TrustedPeople, StoreLocation.LocalMachine, x509Token.Certificate)) { ts.TraceInformation("Certificate is valid"); return x509Token.Certificate.SubjectName.Name; } else { ts.TraceInformation("Certificate is NOT VALID"); } } throw new SecurityTokenException("Untrusted issuer."); }
public static SecurityToken GetToken(SecurityToken dobstsToken, string endpointUri, string spRealm) { // WSTrust call over SSL with credentails sent in the message. var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var factory = new WSTrustChannelFactory( binding, endpointUri); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; // Request Bearer Token so no keys or encryption required. var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointAddress(spRealm), KeyType = KeyTypes.Bearer }; // Make the request with the DobstsToken. factory.ConfigureChannelFactory(); var channel = factory.CreateChannelWithIssuedToken(dobstsToken); return channel.Issue(rst) as GenericXmlSecurityToken; }
public static ClaimsPrincipal ValidateJwtToken(string jwtToken, out JwtSecurityToken parsedJwt) { var tokenHandler = new JwtSecurityTokenHandler() { }; // Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>) parsedJwt = tokenHandler.ReadToken(jwtToken) as JwtSecurityToken; var audience = ConfigurationManager.AppSettings["JwtAllowedAudience"] ?? "http://localhost:8080"; var issuer = ConfigurationManager.AppSettings["JwtValidIssuer"] ?? "DotNetNancysolutions"; var configValidateAudience = ConfigurationManager.AppSettings["JwtValidateAudience"]; var configValidateIssuer = ConfigurationManager.AppSettings["JwtValidateIssuer"]; bool validateAudience = configValidateAudience == null ? false : Convert.ToBoolean(configValidateAudience); bool validateIssuer = configValidateIssuer == null ? true : Convert.ToBoolean(configValidateIssuer); TokenValidationParameters validationParams = new TokenValidationParameters() { ValidAudience = audience, ValidateAudience = validateAudience, ValidIssuer = issuer, ValidateIssuer = validateIssuer, IssuerSigningToken = new BinarySecretSecurityToken(SecurityConstants.KeyForHmacSha256), }; System.IdentityModel.Tokens.SecurityToken securityToken = null; return(tokenHandler.ValidateToken(jwtToken, validationParams, out securityToken)); }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { //eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1bmlxdWVfbmFtZSI6Ikphc29uIExlZSIsInN1YiI6Ikphc29uIExlZSIsInJvbGUiOlsiTWFuYWdlciIsIlN1cGVydmlzb3IiXSwiaXNzIjoiaHR0cDovL2p3dGF1dGh6c3J2LmF6dXJld2Vic2l0ZXMubmV0IiwiYXVkIjoiUm9ja2V0IiwiZXhwIjoxNDQxOTgwMjE5LCJuYmYiOjE0NDE5NzY2MTl9.yegylhGkz5uasu5E--aEbCAHfi5aE9Z17_pZAE63Bog validatedToken = null; var key = "IxrAjDoa2FqElO7IhrSrUJELhUckePEPVpaePlS_Xaw"; try { var raw = JsonWebToken.Decode(securityToken, key); var payLoad = JsonConvert.DeserializeObject<List<KeyValuePair<string, string>>>(raw); var claims = new List<Claim>(); foreach (var row in payLoad) { var claim = new Claim(row.Key, row.Value); claims.Add(claim); } var claimsIdentity = new ClaimsIdentity(claims, "jwt"); return new ClaimsPrincipal(claimsIdentity); } catch (Exception ex) { return null; } }
public static SecurityToken GetIssuedToken(string STSUrl, string audience, string signingCertificateNameClient, SecurityToken bootstrapToken) { var certificate2Client = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, signingCertificateNameClient); var certificate2Service = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SigningCertificateNameSTS); return TokenClient.GetIssuedToken(new Uri(audience), certificate2Client, certificate2Service, new Uri(STSUrl), bootstrapToken); }
/// <summary> /// Overrides the base class. Validates the given issuer token. For a incoming SAML token /// the issuer token is the Certificate that signed the SAML token. /// </summary> /// <param name="securityToken">Issuer token to be validated.</param> /// <returns>Friendly name representing the Issuer.</returns> public override string GetIssuerName(SecurityToken securityToken) { CustomTextTraceSource ts = new CustomTextTraceSource("IdentityProviderSts.IdentityProviderIssuerNameRegistry.GetIssuerName", "MyTraceSource", SourceLevels.Information); X509SecurityToken x509Token = securityToken as X509SecurityToken; if (x509Token != null) { // Warning: This sample does a simple compare of the Issuer Certificate // to a subject name. This is not appropriate for production use. // Check your validation policy and authenticate issuers based off the policy. string commonName = x509Token.Certificate.GetNameInfo(X509NameType.SimpleName, false); ts.TraceInformation("Certificate CN: " + commonName); //if (String.Equals(x509Token.Certificate.SubjectName.Name, "O=CA for Ref GFIPM, [email protected], C=US, S=GA, CN=Reference GFIPM Federation") || // String.Equals(x509Token.Certificate.SubjectName.Name, "O=CISA, C=US, S=GA, CN=cisaidp.swbs.gtri.gatech.edu")) //if (String.Equals(x509Token.Certificate.SubjectName.Name, "O=CISA, C=US, S=GA, CN=cisaidp.swbs.gtri.gatech.edu")) if (String.Equals(commonName.ToUpper(), "HA50IDP")) { return x509Token.Certificate.SubjectName.Name; } } ts.TraceInformation("Untrusted issuer"); throw new SecurityTokenException("Untrusted issuer."); }
private void EnsureWrappedToken(SecurityToken token, Message message) { if (!(token is WrappedKeySecurityToken)) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("IncomingSigningTokenMustBeAnEncryptedKey")), message); } }
public RequestSecurityTokenResponse(string context, string tokenType, int keySize, EndpointAddress appliesTo, SecurityToken requestedSecurityToken, SecurityToken requestedProofToken, bool computeKey ) : base(context, tokenType, keySize, appliesTo) { this.m_requestedSecurityToken = requestedSecurityToken; this.m_requestedProofToken = requestedProofToken; this.m_computeKey = computeKey; }
/// <summary> /// Gets the name of the issuer. /// </summary> /// <param name="securityToken">The security token.</param> /// <returns></returns> public override string GetIssuerName(SecurityToken securityToken) { if (securityToken == null) { Tracing.Error("SimpleIssuerNameRegistry: securityToken is null"); throw new ArgumentNullException("securityToken"); } X509SecurityToken token = securityToken as X509SecurityToken; if (token != null) { Tracing.Information("SimpleIssuerNameRegistry: X509 SubjectName: " + token.Certificate.SubjectName.Name); Tracing.Information("SimpleIssuerNameRegistry: X509 Thumbprint : " + token.Certificate.Thumbprint); return token.Certificate.Thumbprint; } RsaSecurityToken token2 = securityToken as RsaSecurityToken; if (token2 == null) { throw new SecurityTokenException(securityToken.GetType().FullName); } Tracing.Information("SimpleIssuerNameRegistry: RSA Key: " + token2.Rsa.ToXmlString(false)); return token2.Rsa.ToXmlString(false); }
public override void WriteToken(XmlWriter writer, SecurityToken token) { writer.WriteStartElement("stringToken"); string tokenString = this.GetTokenAsString(token); writer.WriteString(tokenString); writer.WriteEndElement(); }
//public override bool CanReadToken(XmlReader reader) //{ // bool canRead = false; // if (reader != null) // { // if (reader.IsStartElement(BinarySecurityToken) // && (reader.GetAttribute(ValueType) == SimpleWebTokenConstants.ValueTypeUri)) // { // canRead = true; // } // } // return canRead; //} public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token) { if (token == null) { throw new ArgumentNullException("token"); } var saml2Token = token as Saml2SecurityToken; if (saml2Token == null) { throw new ArgumentException("The token provided must be of type Saml2SecurityToken."); } if (DateTime.Compare(saml2Token.ValidTo.Add(Configuration.MaxClockSkew), DateTime.UtcNow) <= 0) { throw new SecurityTokenExpiredException( "The incoming token has expired. Get a new access token from the Authorization Server."); } //this.ValidateSignature(simpleWebToken); //ValidateAudience(simpleWebToken.Audience); ClaimsIdentity claimsIdentity = CreateClaims(saml2Token); //if (this.Configuration.SaveBootstrapContext) //{ // claimsIdentity.BootstrapContext = new BootstrapContext(saml2Token.SerializedToken); //} var claimCollection = new List<ClaimsIdentity>(new[] { claimsIdentity }); return claimCollection.AsReadOnly(); }
/// <summary> /// Initializes a new instance of the <see cref="CompressedSecurityToken"/> class. /// </summary> /// <param name="token">The token to be compressed.</param> public CompressedSecurityToken(SecurityToken token) { Contract.Requires(token != null); _token = token; }
/// <summary> /// Parameterized constructor /// </summary> /// <param name="context">The value of the wst:RequestSecurityToken/@Context attribute</param> /// <param name="tokenType">The content of the wst:RequestSecurityToken/wst:TokenType element</param> /// <param name="requestType"></param> /// <param name="keySize">The content of the wst:RequestSecurityToken/wst:KeySize element</param> /// <param name="keyType"></param> /// <param name="proofKey"></param> /// <param name="entropy">A SecurityToken that represents entropy provided by the requester in the wst:RequestSecurityToken/wst:Entropy element</param> /// <param name="claimTypeRequirements"></param> /// <param name="appliesTo">The content of the wst:RequestSecurityToken/wst:KeySize element</param> public RequestSecurityToken(string context, string tokenType, string requestType, int keySize, string keyType , SecurityToken proofKey, SecurityToken entropy, EndpointAddress appliesTo) : base ( context, tokenType,keySize, appliesTo ) { this.keyType = keyType; this.proofKey = proofKey; this.requestType = requestType; this.requestorEntropy = entropy; }
protected override bool CanValidateTokenCore(SecurityToken token) { #if FEATURE_CORECLR return token is X509SecurityToken; #else return false; #endif // FEATURE_CORECLR }
public SecurityTokenContainer(SecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } _token = token; }
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(System.IdentityModel.Tokens.SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { if (referenceStyle == SecurityTokenReferenceStyle.Internal) { return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>()); } throw new NotSupportedException("External references are not supported for tokens"); }
public SecurityTokenSpecification(System.IdentityModel.Tokens.SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies) { this.token = token; if (tokenPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenPolicies"); } this.tokenPolicies = tokenPolicies; }
public static string WriteSaml2Token(SecurityToken4x token) { StringBuilder sb = new StringBuilder(); XmlWriter writer = XmlWriter.Create(sb); new Saml2SecurityTokenHandler4x().WriteToken(writer, token); writer.Flush(); writer.Close(); return(sb.ToString()); }
/// <summary> /// Validates the token. /// </summary> /// <param name="token">The token.</param> /// <returns>Collection of identity claims</returns> public override ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userNameSecurityToken = token as UserNameSecurityToken; MembershipProvider provider = Membership.Provider; bool isValidated = provider.ValidateUser(userNameSecurityToken.UserName, userNameSecurityToken.Password); ClaimsIdentity claimsIdentity = new ClaimsIdentity(new Claim[] { new Claim(System.IdentityModel.Claims.ClaimTypes.Name, userNameSecurityToken.UserName) }); ClaimsIdentityCollection claimIdentityCollection = new ClaimsIdentityCollection(new IClaimsIdentity[] { claimsIdentity }); return(claimIdentityCollection); }
public static string WriteSaml2Token(SecurityToken4x token) { using (var memoryStream = new MemoryStream()) { using (var writer = XmlDictionaryWriter.CreateTextWriter(memoryStream, Encoding.UTF8, false)) { new Saml2SecurityTokenHandler4x().WriteToken(writer, token); writer.Flush(); writer.Close(); return(Encoding.UTF8.GetString(memoryStream.ToArray())); } } }
public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken) { var x509 = securityToken as X509SecurityToken; if (x509 != null) { if (x509.Certificate.Thumbprint.Equals(trustedThumbrpint, StringComparison.OrdinalIgnoreCase)) { return(x509.Certificate.Subject); } } return(null); }
public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken) { if (securityToken == null) { throw new Exception("securityToken"); } X509SecurityToken token = securityToken as X509SecurityToken; if (token != null) { string thumbprint = token.Certificate.Thumbprint; if (this.ConfiguredTrustedIssuers.ContainsKey(thumbprint)) //Breakpoint here { return(this.ConfiguredTrustedIssuers[thumbprint]); } } return(null); //var ret = base.GetIssuerName(securityToken); //return ret; }
internal static WCFSecurityToken CreateGenericXmlSecurityToken(WsTrustRequest request, WsTrustResponse trustResponse, WsSerializationContext serializationContext, SecurityAlgorithmSuite algorithmSuite) { // Create GenericXmlSecurityToken // Assumes that token is first and Saml2SecurityToken. RequestSecurityTokenResponse response = trustResponse.RequestSecurityTokenResponseCollection[0]; // Get attached and unattached references GenericXmlSecurityKeyIdentifierClause internalSecurityKeyIdentifierClause = null; if (response.AttachedReference != null) { internalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.AttachedReference); } GenericXmlSecurityKeyIdentifierClause externalSecurityKeyIdentifierClause = null; if (response.UnattachedReference != null) { externalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.UnattachedReference); } // Get proof token WCFSecurityToken proofToken = GetProofToken(request, response, serializationContext, algorithmSuite); // Get lifetime DateTime created = response.Lifetime?.Created ?? DateTime.UtcNow; DateTime expires = response.Lifetime?.Expires ?? created.AddDays(1); return(new GenericXmlSecurityToken(response.RequestedSecurityToken.TokenElement, proofToken, created, expires, internalSecurityKeyIdentifierClause, externalSecurityKeyIdentifierClause, null)); }
public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken, string requestedIssuerName) { var ret = base.GetIssuerName(securityToken, requestedIssuerName); return(ret); }
public static ClaimsPrincipal ValidateSaml2Token(string securityToken, TokenValidationParameters4x validationParameters, out SecurityToken4x validatedToken) { return(new Saml2SecurityTokenHandler4x().ValidateToken(securityToken, validationParameters, out validatedToken)); }
/// <summary> /// When implemented in the derived class the method returns the issuer name /// of the given SecurityToken's issuer. The requested issuer name may be considered /// in determining the issuer's name. /// </summary> /// <param name="securityToken">The SecurityToken whose name is requested.</param> /// <param name="requestedIssuerName">Input to determine the issuer name</param> /// <remarks>The default implementation ignores the requestedIsserName parameter and simply calls the /// GetIssuerName( SecurityToken securityToken ) method</remarks> /// <returns>Issuer name as a string.</returns> public virtual string GetIssuerName(SecurityToken securityToken, string requestedIssuerName) { return(GetIssuerName(securityToken)); }
/// <summary> /// Checks if Audience Enforcement checks are required for the given token /// based on this SamlSecurityTokenRequirement settings. /// </summary> /// <param name="audienceUriMode"> /// The <see cref="AudienceUriMode"/> defining the audience requirement. /// </param> /// <param name="token">The Security token to be tested for Audience /// Enforcement.</param> /// <returns>True if Audience Enforcement should be applied.</returns> /// <exception cref="ArgumentNullException">The input argument 'token' is null.</exception> public virtual bool ShouldEnforceAudienceRestriction(AudienceUriMode audienceUriMode, SecurityToken token) { if (null == token) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } // // Use AudienceUriMode to determine whether the audience // should be enforced // switch (audienceUriMode) { case AudienceUriMode.Always: return(true); case AudienceUriMode.Never: return(false); case AudienceUriMode.BearerKeyOnly: #pragma warning suppress 56506 return(null == token.SecurityKeys || 0 == token.SecurityKeys.Count); default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4025, audienceUriMode))); } }
public abstract string GetIssuerName(SecurityToken securityToken);
public virtual string GetIssuerName(SecurityToken securityToken, System.String requestedIssuerName) { throw new NotImplementedException(); }
protected override void WriteTokenCore(XmlWriter writer, SecurityToken token) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StandardsManagerCannotWriteObject, token.GetType()))); }
protected override bool CanWriteTokenCore(SecurityToken token) { return(false); }
public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader")); } if (samlSerializer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlSerializer"); } SamlDictionary samlDictionary = samlSerializer.DictionaryManager.SamlDictionary; reader.MoveToContent(); reader.Read(); if (reader.IsStartElement(samlDictionary.NameIdentifier, samlDictionary.Namespace)) { this.nameFormat = reader.GetAttribute(samlDictionary.NameIdentifierFormat, null); this.nameQualifier = reader.GetAttribute(samlDictionary.NameIdentifierNameQualifier, null); reader.MoveToContent(); this.name = reader.ReadString(); if (this.name == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLNameIdentifierMissingIdentifierValueOnRead"))); } reader.MoveToContent(); reader.ReadEndElement(); } if (reader.IsStartElement(samlDictionary.SubjectConfirmation, samlDictionary.Namespace)) { reader.MoveToContent(); reader.Read(); while (reader.IsStartElement(samlDictionary.SubjectConfirmationMethod, samlDictionary.Namespace)) { string str = reader.ReadString(); if (string.IsNullOrEmpty(str)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLBadSchema", new object[] { samlDictionary.SubjectConfirmationMethod.Value }))); } this.confirmationMethods.Add(str); reader.MoveToContent(); reader.ReadEndElement(); } if (this.confirmationMethods.Count == 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLSubjectConfirmationClauseMissingConfirmationMethodOnRead"))); } if (reader.IsStartElement(samlDictionary.SubjectConfirmationData, samlDictionary.Namespace)) { reader.MoveToContent(); this.confirmationData = reader.ReadString(); reader.MoveToContent(); reader.ReadEndElement(); } if (reader.IsStartElement(samlSerializer.DictionaryManager.XmlSignatureDictionary.KeyInfo, samlSerializer.DictionaryManager.XmlSignatureDictionary.Namespace)) { XmlDictionaryReader reader2 = XmlDictionaryReader.CreateDictionaryReader(reader); this.securityKeyIdentifier = SamlSerializer.ReadSecurityKeyIdentifier(reader2, keyInfoSerializer); this.crypto = SamlSerializer.ResolveSecurityKey(this.securityKeyIdentifier, outOfBandTokenResolver); if (this.crypto == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SamlUnableToExtractSubjectKey"))); } this.subjectToken = SamlSerializer.ResolveSecurityToken(this.securityKeyIdentifier, outOfBandTokenResolver); } if ((this.confirmationMethods.Count == 0) && string.IsNullOrEmpty(this.name)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLSubjectRequiresNameIdentifierOrConfirmationMethodOnRead"))); } reader.MoveToContent(); reader.ReadEndElement(); } reader.MoveToContent(); reader.ReadEndElement(); }
protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifier keyIdentifier, out System.IdentityModel.Tokens.SecurityToken token) { throw new NotImplementedException(); }
protected override void WriteTokenCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityToken token) { throw new NotImplementedException(); }
/// <summary> /// Attempt to add a new entry or update an existing entry. /// </summary> /// <param name="key">Key to use when adding item</param> /// <param name="securityToken">SecurityToken to add to cache, can be null</param> /// <param name="expirationTime">The expiration time of the entry.</param> public abstract void AddOrUpdate(string key, SecurityToken securityToken, DateTime expirationTime);
protected override bool CanWriteTokenCore(System.IdentityModel.Tokens.SecurityToken token) { throw new NotImplementedException(); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(System.IdentityModel.Tokens.SecurityToken token) { var securityToken = token as SecurityToken; if (securityToken != null) { // Note that we cannot authenticate the token w/o a password, so it must be retrieved from somewhere if (securityToken.ValidateToken(_passwordProvider.RetrievePassword("User1")) != true) { throw new SecurityTokenValidationException("Token validation failed"); } // Add claims about user here var userClaimSet = new DefaultClaimSet(new Claim(ClaimTypes.Name, securityToken.Info.Username, Rights.PossessProperty)); var policies = new List <IAuthorizationPolicy>(1) { new SecurityTokenAuthorizationPolicy(userClaimSet) }; return(policies.AsReadOnly()); } return(null); }
protected override bool CanValidateTokenCore(System.IdentityModel.Tokens.SecurityToken token) { return(token is SecurityToken); }
/// <summary> /// Writes the given UsernameSecurityToken to the XmlWriter. /// </summary> /// <param name="writer">XmlWriter to write the token to.</param> /// <param name="token">SecurityToken to be written.</param> /// <exception cref="InvalidOperationException">The given token is not a UsernameSecurityToken.</exception> /// <exception cref="ArgumentNullException">The parameter 'writer' or 'token' is null.</exception> public override void WriteToken(XmlWriter writer, SecurityToken token) { if (writer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } UserNameSecurityToken usernameSecurityToken = token as UserNameSecurityToken; if (usernameSecurityToken == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(UserNameSecurityToken))); } // <wsse:UsernameToken writer.WriteStartElement( WSSecurity10Constants.Elements.UsernameToken, WSSecurity10Constants.Namespace ); if (!string.IsNullOrEmpty(token.Id)) { // wsu:Id="..." writer.WriteAttributeString( WSUtilityConstants.Attributes.IdAttribute, WSUtilityConstants.NamespaceURI, token.Id ); } // <wsse:Username>...</wsse:Username> writer.WriteElementString( WSSecurity10Constants.Elements.Username, WSSecurity10Constants.Namespace, usernameSecurityToken.UserName ); // <wsse:Password>...</wsse:Password> if (usernameSecurityToken.Password != null) { writer.WriteStartElement( WSSecurity10Constants.Elements.Password, WSSecurity10Constants.Namespace ); writer.WriteAttributeString( WSSecurity10Constants.Attributes.Type, null, WSSecurity10Constants.UPTokenPasswordTextValue ); writer.WriteString(usernameSecurityToken.Password); writer.WriteEndElement(); } writer.WriteEndElement(); writer.Flush(); }
public override ClaimsIdentityCollection ValidateToken(SecurityToken token) { CustomTextTraceSource ts = new CustomTextTraceSource("IdpSts.CustomUserNameSecurityTokenHandler.ValidateToken", "MyTraceSource", SourceLevels.Information); //StackTracer.TraceStack(ts); UserNameSecurityToken usernameToken = token as UserNameSecurityToken; if (usernameToken == null) { throw new ArgumentException("usernameToken", "The security token is not a valid username security token."); } // will throw if fails UsernameCredentialStore.AuthenticateUser(usernameToken.UserName, usernameToken.Password); ClaimsIdentityCollection identities = new ClaimsIdentityCollection(); IClaimsIdentity claimsIdentity = new ClaimsIdentity("CustomUserNameSecurityTokenHandler"); claimsIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, usernameToken.UserName)); identities.Add(claimsIdentity); return identities; }