/// <summary>
/// Appends every claim of <paramref name="swt"/> to <paramref name="sb"/> as URL-encoded
/// <c>name=value</c> pairs, each followed by a trailing '&amp;'.
/// </summary>
/// <param name="swt">The token whose claims are serialized.</param>
/// <param name="sb">The builder that receives the encoded pairs.</param>
/// <exception cref="ArgumentException">
/// Raised by the intermediate dictionary when two claims share the same claim type.
/// </exception>
private static void CreateClaims(SimpleWebToken swt, StringBuilder sb)
{
    // Collect into a dictionary first: a repeated claim type is rejected (Dictionary.Add throws)
    // before anything is written to the builder.
    var byType = new Dictionary<string, string>();
    foreach (var c in swt.Claims)
    {
        byType.Add(c.ClaimType, c.Value);
    }

    foreach (var pair in byType)
    {
        sb.Append(HttpUtility.UrlEncode(pair.Key));
        sb.Append('=');
        sb.Append(HttpUtility.UrlEncode(pair.Value));
        sb.Append('&');
    }
}
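/// <summary>
/// Reads a serialized token and converts it into a <see cref="SecurityToken"/>.
/// </summary>
/// <remarks>
/// The HMAC must be the final parameter of the token (SWT layout). This method only locates the
/// signature and the string it covers; it does not compute or verify the HMAC. The returned
/// <see cref="SimpleWebToken"/> carries both the signature and the unsigned string so that the
/// verification step can be performed by the caller or a later handler.
/// </remarks>
/// <param name="rawToken">The token in serialized form.</param>
/// <returns>The parsed form of the token.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rawToken"/> is null or empty.</exception>
/// <exception cref="WebFaultException{T}">
/// The token has no trailing signature, lacks a mandatory Audience, ExpiresOn, Issuer or signature
/// parameter, or its Audience is not an absolute URI. All are reported as HTTP 400.
/// </exception>
public SecurityToken ReadToken(string rawToken)
{
    const char parameterSeparator = '&';

    if (string.IsNullOrEmpty(rawToken))
    {
        throw new ArgumentNullException("rawToken");
    }

    // The signature must be the last parameter per the SWT specification, so the final
    // separator delimits the portion of the token that the HMAC covers.
    int lastSeparator = rawToken.LastIndexOf(parameterSeparator);
    string lastParamStart = parameterSeparator + Digest256Label + "=";

    // Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
    // e.g. name1=value1&name2=value2&HMACSHA256=XXX123 -> name1=value1&name2=value2
    if (lastSeparator <= 0
        || !rawToken.Substring(lastSeparator).StartsWith(lastParamStart, StringComparison.Ordinal))
    {
        throw new WebFaultException<string>(
            "The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.",
            HttpStatusCode.BadRequest);
    }

    string unsignedString = rawToken.Substring(0, lastSeparator);

    // Create a collection of SWT claims. The well-known parameters are removed as they are
    // consumed so that only application claims remain for DecodeClaims.
    NameValueCollection rawClaims = ParseToken(rawToken);

    // Check the Audience value before building the Uri: new Uri(null) throws ArgumentNullException,
    // so a null check placed after the constructor could never report the missing parameter.
    string audience = rawClaims[AudienceLabel];
    if (audience == null)
    {
        throw new WebFaultException<string>("The incoming token does not have an AudienceUri.", HttpStatusCode.BadRequest);
    }

    // The token is untrusted input; a malformed audience is a client error, not a server fault.
    Uri audienceUri;
    if (!Uri.TryCreate(audience, UriKind.Absolute, out audienceUri))
    {
        throw new WebFaultException<string>("The incoming token has a malformed AudienceUri.", HttpStatusCode.BadRequest);
    }
    rawClaims.Remove(AudienceLabel);

    string expires = RemoveMandatoryParameter(rawClaims, ExpiresOnLabel, "The incoming token does not have an expiry time.");
    string issuer = RemoveMandatoryParameter(rawClaims, IssuerLabel, "The incoming token does not have an Issuer");
    string signature = RemoveMandatoryParameter(rawClaims, Digest256Label, "The incoming token does not have a signature");

    List<Claim> claims = DecodeClaims(issuer, rawClaims);
    return new SimpleWebToken(audienceUri, issuer, DecodeExpiry(expires), claims, signature, unsignedString, rawToken);
}

/// <summary>
/// Returns the value of a mandatory SWT parameter and removes it from <paramref name="parameters"/>.
/// </summary>
/// <param name="parameters">The parsed token parameters.</param>
/// <param name="name">The parameter name to consume.</param>
/// <param name="missingMessage">The fault message used when the parameter is absent.</param>
/// <returns>The parameter value.</returns>
/// <exception cref="WebFaultException{T}">The parameter is absent (HTTP 400).</exception>
private static string RemoveMandatoryParameter(NameValueCollection parameters, string name, string missingMessage)
{
    string value = parameters[name];
    if (value == null)
    {
        throw new WebFaultException<string>(missingMessage, HttpStatusCode.BadRequest);
    }

    parameters.Remove(name);
    return value;
}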
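/// <summary>
/// Requests an SWT Token using an input SWT token.
/// </summary>
/// <param name="token">The input SWT token; its serialized form (<c>ToString()</c>) is passed to <c>IssueAssertion</c>.</param>
/// <param name="scope">The requested scope.</param>
/// <returns>The requested SWT token</returns>
/// <exception cref="ArgumentNullException"><paramref name="token"/> is null.</exception>
public SimpleWebToken Issue(SimpleWebToken token, Uri scope)
{
    // Report a missing token explicitly instead of failing with a NullReferenceException from token.ToString().
    if (token == null)
    {
        throw new ArgumentNullException("token");
    }

    return IssueAssertion(token.ToString(), "SWT", scope);
}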