public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
SimpleWebToken swt = token as SimpleWebToken;
if (swt == null)
{
throw new WebFaultException<string>("The received token is of incorrect token type.Expected SimpleWebToken", HttpStatusCode.BadRequest);
}
// check issuer name registry for allowed issuers
string issuerName = null;
if (base.Configuration.IssuerNameRegistry != null)
{
issuerName = base.Configuration.IssuerNameRegistry.GetIssuerName(token);
if (string.IsNullOrEmpty(issuerName))
{
throw new SecurityTokenException("Invalid issuer");
}
}
// retrieve signing key
var clause = new SwtSecurityKeyClause(swt.Issuer);
var securityKey = Configuration.IssuerTokenResolver.ResolveSecurityKey(clause) as InMemorySymmetricSecurityKey;
if (securityKey == null)
{
throw new InvalidOperationException("No signing key found");
}
// check signature
if (!swt.SignVerify(securityKey.GetSymmetricKey()))
{
throw new SecurityTokenValidationException("Signature verification of the incoming token failed.");
}
// check expiration
if (DateTime.Compare(swt.ValidTo, DateTime.UtcNow) <= 0)
{
throw new SecurityTokenExpiredException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
// check audience
if (base.Configuration.AudienceRestriction.AudienceMode != System.IdentityModel.Selectors.AudienceUriMode.Never)
{
var allowedAudiences = base.Configuration.AudienceRestriction.AllowedAudienceUris;
if (!allowedAudiences.Any(uri => uri == swt.AudienceUri))
{
throw new AudienceUriValidationFailedException();
}
}
var id = new ClaimsIdentity();
foreach (var claim in swt.Claims)
{
claim.Value.Split(',').ToList().ForEach(v => id.Claims.Add(new Claim(claim.ClaimType, v, ClaimValueTypes.String, issuerName)));
}
return new ClaimsIdentityCollection(new IClaimsIdentity[] { id });
}
public string WriteToken(SecurityToken token)
{
var swt = token as SimpleWebToken;
if (swt == null)
{
throw new InvalidOperationException("token");
}
var sb = new StringBuilder();
CreateClaims(swt, sb);
sb.AppendFormat("Issuer={0}&", HttpUtility.UrlEncode(swt.Issuer));
sb.AppendFormat("Audience={0}&", HttpUtility.UrlEncode(swt.AudienceUri.AbsoluteUri));
sb.AppendFormat("ExpiresOn={0:0}", swt.ValidTo.ToEpochTime());
var unsignedToken = sb.ToString();
// retrieve signing key
var clause = new SwtSecurityKeyClause(swt.Issuer);
var key = Configuration.IssuerTokenResolver.ResolveSecurityKey(clause) as InMemorySymmetricSecurityKey;
if (key == null)
{
throw new InvalidOperationException("No signing key found");
}
var hmac = new HMACSHA256(key.GetSymmetricKey());
var sig = hmac.ComputeHash(Encoding.ASCII.GetBytes(unsignedToken));
var signedToken = String.Format("{0}&HMACSHA256={1}",
unsignedToken,
HttpUtility.UrlEncode(Convert.ToBase64String(sig)));
return signedToken;
}
