WCF server, for JWT handling/validation


 

<!-- WIF (System.IdentityModel) configuration for the WCF service: which audiences the
     service accepts and which token handlers process incoming security tokens. -->
<system.identityModel>
  <identityConfiguration>
    <!-- Accepted "aud" values. mode="Never" turns off WIF's built-in audience restriction;
         CustomJWT.ValidateToken reads this list (Configuration.AudienceRestriction.AllowedAudienceUris)
         and performs the audience check itself, so the handler's check is the only one. -->
    <audienceUris mode="Never">
      <add value="http://localhost:1500/Service.svc" />
      <add value="https://rapmlsqa.com/TodoListService" />
    </audienceUris>
    <!-- Custom issuer registry (implementation not shown on this page). -->
    <issuerNameRegistry type="WcfServiceJWT.Utils.DatabaseIssuerNameRegistry, WcfServiceJWT" />
    <!-- "None" disables chain and revocation validation of token-signing certificates. CustomJWT
         trusts whatever certificates the tenant's federation metadata lists, so the HTTPS fetch of
         that metadata is the effective trust anchor; review this setting before production use. -->
    <certificateValidation certificateValidationMode="None" />
    <securityTokenHandlers>
      <!-- Replace the default session handler (DPAPI-protected) with the machineKey-based one,
           which presumably allows session tokens to be read across a web farm - confirm. -->
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <!-- The JWT handler defined in the C# listing below. -->
      <add type="WcfServiceJWT.CustomJWT, WcfServiceJWT" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

and

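using System;
using System.Collections.Generic;
using System.IdentityModel.Metadata;
using System.IdentityModel.Selectors;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Configuration;
using System.Xml;

namespace WcfServiceJWT
{
    /// <summary>
    /// JWT handler that discovers the issuer and its signing certificates from the Azure AD
    /// tenant's federation metadata (the tenant is taken from the token's "tid" claim) and
    /// then delegates signature, issuer, audience and lifetime validation to
    /// <see cref="JwtSecurityTokenHandler"/>.
    /// </summary>
    /// <remarks>
    /// The metadata document is downloaded on every call. A cache keyed by tenant id, refreshed
    /// when a signature does not match any cached key, would remove the per-request round trip.
    /// </remarks>
    public class CustomJWT : JwtSecurityTokenHandler
    {
        // Federation metadata document of an Azure AD tenant; {0} is the tenant id (a GUID).
        private const string StsMetadataAddressFormat =
            "https://login.windows.net/{0}/federationmetadata/2007-06/federationmetadata.xml";

        /// <summary>
        /// Validates <paramref name="jwt"/> against the issuer and signing keys published in the
        /// tenant's federation metadata and the audiences configured under
        /// &lt;audienceUris&gt;.
        /// </summary>
        /// <param name="jwt">The parsed, not yet validated token.</param>
        /// <returns>The <see cref="ClaimsPrincipal"/> built from the validated token.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="jwt"/> is null.</exception>
        /// <exception cref="SecurityTokenValidationException">
        /// The token has no "tid" claim, or its value is not a GUID.
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// The metadata document is not an entity descriptor or lists no security token service.
        /// </exception>
        /// <exception cref="ApplicationException">
        /// Validation by the base handler failed; the original failure is the inner exception.
        /// </exception>
        public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt)
        {
            if (jwt == null)
            {
                throw new ArgumentNullException("jwt");
            }

            // "tid" comes from the not-yet-validated payload and is interpolated into a URL, so
            // accept only a well-formed GUID; anything else cannot be a tenant id and must not
            // shape the metadata request path.
            object tidValue;
            Guid tenantId;
            if (!jwt.Payload.TryGetValue("tid", out tidValue) || tidValue == null ||
                !Guid.TryParse(tidValue.ToString(), out tenantId))
            {
                throw new SecurityTokenValidationException("Token has no valid 'tid' claim.");
            }

            string stsMetadataAddress = String.Format(StsMetadataAddressFormat, tenantId.ToString("D"));

            // NOTE(review): "None" skips chain validation of the certificate that signed the
            // metadata document; trust in its contents then rests on the TLS connection.
            MetadataSerializer serializer = new MetadataSerializer
            {
                CertificateValidationMode = X509CertificateValidationMode.None,
            };

            EntityDescriptor entityDescriptor;
            using (XmlReader reader = XmlReader.Create(stsMetadataAddress))
            {
                entityDescriptor = serializer.ReadMetadata(reader) as EntityDescriptor;
            }

            if (entityDescriptor == null)
            {
                throw new InvalidOperationException("Federation metadata is not an EntityDescriptor");
            }

            List<X509SecurityToken> signingTokens = ReadSigningCertsFromMetadata(entityDescriptor);

            var vparms = new TokenValidationParameters
            {
                // The issuer is the entity id advertised by the tenant's metadata, not a claim
                // taken from the token itself.
                ValidIssuer = entityDescriptor.EntityId.Id,
                IssuerSigningTokens = signingTokens,
                // Materialize once; the base handler may enumerate the audiences more than once.
                ValidAudiences = Configuration.AudienceRestriction.AllowedAudienceUris
                    .Select(s => s.ToString())
                    .ToList()
            };

            try
            {
                return base.ValidateToken(jwt, vparms);
            }
            catch (Exception ex)
            {
                // Existing callers catch ApplicationException; keep the real failure as InnerException.
                throw new ApplicationException("didnt validate", ex);
            }
        }

        /// <summary>
        /// Extracts the X.509 signing certificates published by the security token service in
        /// <paramref name="entityDescriptor"/>.
        /// </summary>
        /// <param name="entityDescriptor">Parsed federation metadata.</param>
        /// <returns>
        /// One <see cref="X509SecurityToken"/> per key whose use is Signing or Unspecified and
        /// whose KeyInfo carries raw X.509 data; keys without such data are skipped.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The metadata contains no <see cref="SecurityTokenServiceDescriptor"/>.
        /// </exception>
        static List<X509SecurityToken> ReadSigningCertsFromMetadata(EntityDescriptor entityDescriptor)
        {
            // FirstOrDefault, not First: First() throws its own InvalidOperationException when
            // the sequence is empty, which made the descriptive exception below unreachable.
            SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors
                .OfType<SecurityTokenServiceDescriptor>()
                .FirstOrDefault();

            if (stsd == null)
            {
                throw new InvalidOperationException("There is no RoleDescriptor of type SecurityTokenServiceType in the metadata");
            }

            // Non-null KeyInfo elements meant for signing (or with no stated use).
            IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys
                .Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
                .Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().FirstOrDefault())
                .Where(clause => clause != null);

            return x509DataClauses
                .Select(clause => new X509SecurityToken(new X509Certificate2(clause.GetX509RawData())))
                .ToList();
        }
    }
}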
