System.IdentityModel.Tokens.Jwt
Helper class for adding DateTimes and Timespans.
Add a DateTime and a TimeSpan.
The maximum time is DateTime.MaxValue. It is not an error if time + timespan > MaxValue.
Just return MaxValue.
Initial value.
to add.
as the sum of time and timespan.
Gets the Maximum value for a DateTime specifying kind.
DateTimeKind to use.
DateTime of specified kind.
Gets the Minimum value for a DateTime specifying kind.
DateTimeKind to use.
DateTime of specified kind.
Error codes and messages
Serializes the list of strings into string as follows:
'str1','str2','str3' ...
The strings used to build a comma delimited string.
The single .
Provides signing and verifying operations when working with an
This class defines the object model for types that provide signature services.
Produces a signature over the 'input'
bytes to sign.
signed bytes
Verifies that a signature created over the 'input' matches the signature.
bytes to verify.
signature to compare against.
true if the computed signature matches the signature parameter, false otherwise.
Calls and
Can be over written in descendants to dispose of internal components.
true, if called from Dispose(), false, if invoked inside a finalizer
Gets or sets a user context for a .
Initializes a new instance of the class used to create and verify signatures.
The that will be used for cryptographic operations.
The signature algorithm to apply.
If this is required to create signatures then set this to true.
Creating signatures requires that the has access to a private key.
Verifying signatures (the default), does not require access to the private key.
'key' is null.
'algorithm' is null.
'algorithm' contains only whitespace.
willCreateSignatures is true and .KeySize is less than .
.KeySize is less than . Note: this is always checked.
Is thrown if the throws.
Is thrown if the returns null.
Is thrown if the throws.
Is thrown if the returns null.
Is thrown if the throws.
Is thrown if the returns null.
Is thrown if the throws.
Is thrown if the throws.
Produces a signature over the 'input' using the and algorithm passed to .
bytes to be signed.
a signature over the input.
'input' is null.
'input.Length' == 0.
if has been called.
if the internal is null. This can occur if the constructor parameter 'willCreateSignatures' was not 'true'.
if the internal is null. This can occur if a derived type deletes it or does not create it.
Verifies that a signature over the 'input' matches the signature.
the bytes to generate the signature over.
the value to verify against.
true if signature matches, false otherwise.
'input' is null.
'signature' is null.
'input.Length' == 0.
'signature.Length' == 0.
if has been called.
if the internal is null. This can occur if a derived type does not call the base constructor.
if the internal is null. This can occur if a derived type deletes it or does not create it.
Calls to release this managed resources.
true, if called from Dispose(), false, if invoked inside a finalizer.
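A worked example of the Sign/Verify contract described above. This is an added example, not code from System.IdentityModel.Tokens.Jwt: an HMAC-SHA256 provider that applies the same argument checks the documentation lists (null or empty input, null or empty signature, use after Dispose) and compares the recomputed MAC in fixed time, so a forged signature cannot be confirmed byte by byte through timing differences. It assumes only the .NET Framework base class library; the class name, the 128-bit minimum key size and the signed header.payload string are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Example only: mirrors the SignatureProvider Sign/Verify contract with HMAC-SHA256.
public sealed class HmacSha256SignatureProvider : IDisposable
{
    private const int MinimumKeySizeInBits = 128;   // assumed floor for this example
    private readonly HMACSHA256 hmac;
    private bool disposed;

    public HmacSha256SignatureProvider(byte[] key)
    {
        if (key == null) throw new ArgumentNullException("key");
        if (key.Length * 8 < MinimumKeySizeInBits)
            throw new ArgumentOutOfRangeException("key", "key is shorter than " + MinimumKeySizeInBits + " bits");
        hmac = new HMACSHA256(key);
    }

    // Produces a signature over 'input'; null and empty input are rejected, as in the library contract.
    public byte[] Sign(byte[] input)
    {
        if (input == null) throw new ArgumentNullException("input");
        if (input.Length == 0) throw new ArgumentException("input.Length == 0", "input");
        if (disposed) throw new ObjectDisposedException(GetType().Name);
        return hmac.ComputeHash(input);
    }

    // Recomputes the MAC over 'input' and compares it with 'signature' without short-circuiting.
    public bool Verify(byte[] input, byte[] signature)
    {
        if (input == null) throw new ArgumentNullException("input");
        if (signature == null) throw new ArgumentNullException("signature");
        if (input.Length == 0) throw new ArgumentException("input.Length == 0", "input");
        if (signature.Length == 0) throw new ArgumentException("signature.Length == 0", "signature");
        if (disposed) throw new ObjectDisposedException(GetType().Name);
        return FixedTimeEquals(hmac.ComputeHash(input), signature);
    }

    // A length mismatch is revealed, which is acceptable: the MAC length is public anyway.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public void Dispose()
    {
        if (!disposed) { hmac.Dispose(); disposed = true; }
    }

    public static void Main()
    {
        byte[] key = new byte[32];                                  // constructed 256-bit key
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        // Constructed 'header.payload' input; a real caller passes the encoded JWT parts.
        byte[] input = Encoding.UTF8.GetBytes("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9");
        using (var provider = new HmacSha256SignatureProvider(key))
        {
            byte[] signature = provider.Sign(input);
            Console.WriteLine("genuine signature verifies: " + provider.Verify(input, signature));
            signature[0] ^= 0x01;                                   // flip a single bit
            Console.WriteLine("altered signature verifies: " + provider.Verify(input, signature));
        }
    }
}
```

The fixed-time comparison is the part worth copying: a verifier that uses SequenceEqual or a loop that returns on the first mismatch leaks how many leading bytes of a guessed signature were correct.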
Encodes and Decodes strings as Base64Url encoding.
The following functions perform base64url encoding which differs from regular base64 encoding as follows
* padding is skipped so the pad character '=' doesn't have to be percent encoded
* the 62nd and 63rd regular base64 encoding characters ('+' and '/') are replaced with ('-' and '_')
These changes make the encoding alphabet filename and URL safe.
string to encode.
Base64Url encoding of the UTF8 bytes.
Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation that is encoded with base-64-url digits. Parameters specify
the subset as an offset in the input array, and the number of elements in the array to convert.
An array of 8-bit unsigned integers.
An offset in inArray.
The number of elements of inArray to convert.
The string representation in base 64 url encoding of length elements of inArray, starting at position offset.
'inArray' is null.
offset or length is negative OR offset plus length is greater than the length of inArray.
Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation that is encoded with base-64-url digits. Parameters specify
the subset as an offset in the input array, and the number of elements in the array to convert.
An array of 8-bit unsigned integers.
The string representation in base 64 url encoding of length elements of inArray, starting at position offset.
'inArray' is null.
offset or length is negative OR offset plus length is greater than the length of inArray.
Converts the specified string, which encodes binary data as base-64-url digits, to an equivalent 8-bit unsigned integer array.
base64Url encoded string.
UTF8 bytes.
Decodes the string from Base64UrlEncoded to UTF8.
string to decode.
UTF8 string.
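The encoding rules above, carried through as an added example (not the library's Base64UrlEncoder): encode by dropping '=' padding and swapping the two URL-unsafe characters, decode by validating the alphabet first and then restoring the padding the encoder removed. It also splits the 'header.payload.signature' compact serialization the rest of this page uses. Only the .NET Framework base class library is assumed; the header, payload and the 32 signature bytes are constructed stand-ins.

```csharp
using System;
using System.Text;

// Example only: strict base64url codec plus compact-serialization splitting.
public static class Base64UrlExample
{
    // Standard base64, then remove padding and map '+' -> '-', '/' -> '_'.
    public static string Encode(byte[] input)
    {
        if (input == null) throw new ArgumentNullException("input");
        return Convert.ToBase64String(input).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static string Encode(string input)
    {
        if (input == null) throw new ArgumentNullException("input");
        return Encode(Encoding.UTF8.GetBytes(input));
    }

    // Reject anything outside the base64url alphabet ('+', '/', '=' included) before
    // restoring padding; a lenient decoder would silently accept plain base64 here.
    public static byte[] DecodeBytes(string input)
    {
        if (input == null) throw new ArgumentNullException("input");
        foreach (char c in input)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                      (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) throw new FormatException("not a base64url character: '" + c + "'");
        }
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 0: break;
            case 2: s += "=="; break;
            case 3: s += "="; break;
            default: throw new FormatException("base64url length mod 4 cannot be 1");
        }
        return Convert.FromBase64String(s);
    }

    public static string Decode(string input)
    {
        return Encoding.UTF8.GetString(DecodeBytes(input));
    }

    // Splits 'header.payload.signature'. Both dots are mandatory; the signature part may be
    // empty (an unsigned token), which is why a validator must not treat 'readable' as 'trusted'.
    public static string[] SplitCompact(string jwt)
    {
        if (string.IsNullOrWhiteSpace(jwt)) throw new ArgumentNullException("jwt");
        string[] parts = jwt.Split('.');
        if (parts.Length != 3 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new FormatException("token is not in JWS compact serialization");
        return parts;
    }

    public static void Main()
    {
        string header = Encode("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");        // constructed
        string payload = Encode("{\"sub\":\"alice\",\"exp\":1700000000}");      // constructed
        byte[] fakeSignature = new byte[32];                                     // constructed stand-in for a MAC
        for (int i = 0; i < fakeSignature.Length; i++) fakeSignature[i] = (byte)(i * 7);
        string jwt = header + "." + payload + "." + Encode(fakeSignature);

        string[] parts = SplitCompact(jwt);
        Console.WriteLine(Decode(parts[0]));
        Console.WriteLine(Decode(parts[1]));
        Console.WriteLine("signature bytes: " + DecodeBytes(parts[2]).Length);
        Console.WriteLine("no '=', '+' or '/' in token: " + (jwt.IndexOfAny(new[] { '=', '+', '/' }) < 0));

        // Padded standard base64 is refused instead of being quietly accepted.
        try { DecodeBytes("AA=="); }
        catch (FormatException e) { Console.WriteLine(e.Message); }
    }
}
```

Decoding a token this way only reveals its contents; it says nothing about who produced it, which is the distinction the ReadToken and ValidateToken documentation later on this page draws.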
Defines the inbound and outbound mapping for claim types from jwt to .net claim
Initializes static members of the class.
Gets the InboundClaimTypeMap used by JwtSecurityTokenHandler when producing claims from jwt.
Gets the OutboundClaimTypeMap is used by JwtSecurityTokenHandler to shorten claim types when creating a jwt.
Provides common code for services to use in generating diagnostics and taking actions.
Returns true if the provided exception matches any of a list of hard system faults that should be allowed
through to outer exception handlers.
The exception to check.
Typically this method is used when there is a need to catch all exceptions, but to ensure that .NET runtime
and execution engine exceptions are not absorbed by the catch block. Use of this method also avoids FxCop
warnings about not using general catch blocks.
Please note that use of this method is expensive because of the amount of reflection it performs.
If you can refactor your code to catch more specific exceptions than Exception to avoid using this method,
you should.
Example of use:
try
{
// Code needing a full Exception catch block
}
catch (Exception ex)
{
if (DiagnosticUtility.IsFatal(ex))
{
throw;
}
// Perform any needed logging and handling for absorbed exception.
}
true if the exception should NOT be trapped
Returns the absolute DateTime or the Seconds since Unix Epoch, where Epoch is UTC 1970-01-01T00:00:00Z.
DateTime as UTC for UnixEpoch
Per JWT spec:
Gets the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the desired date/time.
The DateTime to convert to seconds.
if dateTimeUtc is less than UnixEpoch, return 0.
the number of seconds since Unix Epoch.
Creates a DateTime from epoch time.
Number of seconds.
The DateTime in UTC.
ISecurityTokenValidator
Returns true if the token can be read, false otherwise.
Validates a token passed as a string using
Gets and sets the maximum size in bytes of a that will be processed.
Interface that defines a simple cache for tracking replay of security tokens.
Try to add a securityToken.
the security token to add.
the time when security token expires.
true if the security token was successfully added.
Try to find securityToken
the security token to find.
true if the security token is found.
Definition for a delegate that can be set on to control serialization of objects into JSON.
Object to serialize
The serialized object.
Definition for a delegate that can be set on to control deserialization of JSON into objects.
JSON to deserialize.
type expected.
The deserialized object.
Dictionary extensions for serialization
Serializes an object to JSON.
The object to serialize
the object as JSON.
Deserializes JSON into an instance of type T.
the object type.
the JSON to deserialize.
a new instance of type T.
Deserializes JSON into an instance of .
the JSON to deserialize.
a new instance .
Deserializes JSON into an instance of .
the JSON to deserialize.
a new instance .
Gets or sets a to use when serializing objects to JSON.
if 'value' is null.
Gets or sets a to use when deserializing objects from JSON.
if 'value' is null.
contains the element and attribute names used in config when parsing the JwtSecurityTokenHandler from XML.
Constants for Json Web tokens.
Short header type.
Long header type.
Short token type.
Long token type.
Token format: 'header.payload.signature'. Signature is optional, but '.' is required.
When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'.
List of algorithms see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3
List of header parameter names see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5.
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5
List of registered claims from different sources
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4
Initializes a new instance of which contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT.
The member names within the JWT Header are referred to as Header Parameter Names.
These names MUST be unique and the values must be (s). The corresponding values are referred to as Header Parameter Values.
Initializes a new instance of the class. Default string comparer .
Initializes a new instance of the class. With the Header Parameters as follows:
{ { typ, JWT }, { alg, Mapped( } }
See: Algorithm Mapping below.
The that will be or were used to sign the .
For each in signingCredentials.SigningKeyIdentifier
if the clause is a Header Parameter { clause.Name, clause.Id } will be added.
For example, if clause.Name == 'kid' and clause.Id == 'SecretKey99'. The JSON object { kid, SecretKey99 } would be added.
In addition, if the is a the JSON object { x5t, Base64UrlEncoded( } will be added.
This simplifies the common case where a X509Certificate is used.
=================
Algorithm Mapping
=================
describes the algorithm that is discoverable by the CLR runtime.
The { alg, 'value' } placed in the header reflects the JWT specification.
contains a signature mapping where the 'value' above will be translated according to this mapping.
Current mapping is:
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'RS256'
'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' => 'HS256'
Serializes this instance to JSON.
this instance as JSON.
use to customize JSON serialization.
Encodes this instance as Base64UrlEncoded JSON.
Base64UrlEncoded JSON.
use to customize JSON serialization.
Deserializes Base64UrlEncoded JSON into a instance.
base64url encoded JSON to deserialize.
an instance of .
use to customize JSON serialization.
Deserializes JSON into a instance.
the JSON to deserialize.
an instance of .
use to customize JSON serialization.
Gets the signature algorithm that was used to create the signature.
If the signature algorithm is not found, null is returned.
Gets the passed in the constructor.
This value may be null.
Gets the mime type (Typ) of the token.
If the mime type is not found, null is returned.
Gets a that contains a for each key found.
Keys are identified by matching a 'Reserved Header Parameter Name' found in the JSON Web Signature specification.
Names recognized are: jku, jwk, kid, x5c, x5t, x5u
'x5t' adds a passing a the Base64UrlDecoded( Value ) to the constructor.
'jku', 'jwk', 'kid', 'x5u', 'x5c' each add a with the { Name, Value } passed to the .
If no keys are found, an empty will be returned.
Initializes a new instance of which contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }.
Initializes a new instance of the class with no claims. Default string comparer .
Creates an empty
Initializes a new instance of the class with . Default string comparer .
the claims to add.
Initializes a new instance of the class with claims added for each parameter specified. Default string comparer .
if this value is not null, a { iss, 'issuer' } claim will be added.
if this value is not null, a { aud, 'audience' } claim will be added
if this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values.
if notbefore.HasValue is 'true' a { nbf, 'value' } claim is added.
if expires.HasValue is 'true' a { exp, 'value' } claim is added.
Comparison is set to
The 4 parameters: 'issuer', 'audience', 'notBefore', 'expires' take precedence over (s) in 'claims'. The values in 'claims' will be overridden.
if 'expires' <= 'notbefore'.
Adds a JSON object representing the to the
{ 'Claim.Type', 'Claim.Value' } is added. If a JSON object is found with the name == then a { 'Claim.Type', List<object> } will be created to contain the duplicate values.
See for details on how is applied.
'claim' is null.
Adds a number of to the as JSON { name, value } pairs.
for each a JSON pair { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values.
Each added will have translated according to the mapping found in . Adding and removing to
will affect the name component of the JSON claim.
Any in the that is null, will be ignored.
'claims' is null.
Gets the DateTime using the number of seconds from 1970-01-01T0:0:0Z (UTC)
Claim in the payload that should map to an integer.
If the claim is not found, the function returns: DateTime.MinValue
if an overflow exception is thrown by the runtime.
the DateTime representation of a claim.
Serializes this instance to JSON.
this instance as JSON.
use to customize JSON serialization.
Encodes this instance as Base64UrlEncoded JSON.
Base64UrlEncoded JSON.
use to customize JSON serialization.
Deserializes Base64UrlEncoded JSON into a instance.
base64url encoded JSON to deserialize.
an instance of .
use to customize JSON serialization.
Deserializes JSON into a instance.
the JSON to deserialize.
an instance of .
use to customize JSON serialization.
Gets the 'value' of the 'actor' claim { actort, 'value' }.
If the 'actor' claim is not found, null is returned.
Gets the 'value' of the 'acr' claim { acr, 'value' }.
If the 'acr' claim is not found, null is returned.
Gets the 'value' of the 'amr' claim { amr, 'value' }.
If the 'amr' claim is not found, null is returned.
Gets the 'value' of the 'auth_time' claim { auth_time, 'value' }.
If the 'auth_time' claim is not found, null is returned.
Gets the 'value' of the 'audience' claim { aud, 'value' } as a list of strings.
If the 'audience' claim is not found, an empty enumerable is returned.
Gets the 'value' of the 'azp' claim { azp, 'value' }.
If the 'azp' claim is not found, null is returned.
Gets 'value' of the 'c_hash' claim { c_hash, 'value' }.
If the 'c_hash' claim is not found, null is returned.
Gets the 'value' of the 'expiration' claim { exp, 'value' }.
If the 'expiration' claim is not found OR could not be converted to , null is returned.
Gets the 'value' of the 'JWT ID' claim { jti, 'value' }.
If the 'JWT ID' claim is not found, null is returned.
Gets the 'value' of the 'Issued At' claim { iat, 'value' }.
If the 'Issued At' claim is not found OR cannot be converted to null is returned.
Gets 'value' of the 'issuer' claim { iss, 'value' }.
If the 'issuer' claim is not found, null is returned.
Gets the 'value' of the 'notbefore' claim { nbf, 'value' }.
If the 'notbefore' claim is not found OR could not be converted to , null is returned.
Gets 'value' of the 'nonce' claim { nonce, 'value' }.
If the 'nonce' claim is not found, null is returned.
Gets "value" of the 'subject' claim { sub, 'value' }.
If the 'subject' claim is not found, null is returned.
Gets 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z).
If the 'notbefore' claim is not found, then is returned.
Gets 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z).
If the 'expiration' claim is not found, then is returned.
Gets a for each JSON { name, value }.
Each (s) returned will have the translated according to the mapping found in . Adding and removing to will affect the value of the .
and will be set to the value of ( if null).
A designed for representing a JSON Web Token (JWT).
Initializes a new instance of from a string in JWS Compact serialized format.
A JSON Web Token that has been serialized in JWS Compact serialized format.
'jwtEncodedString' is null.
'jwtEncodedString' contains only whitespace.
'jwtEncodedString' is not in JWS Compact serialized format.
The contents of this have not been validated; the JSON Web Token is simply decoded. Validation can be accomplished using
Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations.
Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT
Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }
base64urlencoded JwtHeader
base64urlencoded JwtPayload
base64urlencoded JwtSignature
'header' is null.
'payload' is null.
'rawSignature' is null.
'rawHeader' or 'rawPayload' is null or whitespace.
Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations.
Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT
Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }
'header' is null.
'payload' is null.
Initializes a new instance of the class specifying optional parameters.
if this value is not null, a { iss, 'issuer' } claim will be added.
if this value is not null, a { aud, 'audience' } claim will be added
if this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values.
if expires.HasValue a { exp, 'value' } claim is added.
if notbefore.HasValue a { nbf, 'value' } claim is added.
The that will be used to sign the . See for details pertaining to the Header Parameter(s).
if 'expires' <= 'notbefore'.
Decodes the and
A string containing the header and payload in JSON format
Decodes the string into the header, payload and signature
Base64Url encoded string.
Gets the 'value' of the 'actor' claim { actort, 'value' }.
If the 'actor' claim is not found, null is returned.
Gets the list of 'audience' claim { aud, 'value' }.
If the 'audience' claim is not found, enumeration will be empty.
Gets the (s) for this token.
(s) returned will NOT have the translated according to
Gets the Base64UrlEncoded associated with this instance.
Gets the Base64UrlEncoded associated with this instance.
Gets the associated with this instance.
Gets the 'value' of the 'JWT ID' claim { jti, 'value' }.
If the 'JWT ID' claim is not found, null is returned.
Gets the 'value' of the 'issuer' claim { iss, 'value' }.
If the 'issuer' claim is not found, null is returned.
Gets the associated with this instance.
Gets the original raw data of this instance when it was created.
The original JSON Compact serialized format passed to one of the two constructors
or
Gets the original raw data of this instance when it was created.
The original JSON Compact serialized format passed to one of the two constructors
or
Gets the original raw data of this instance when it was created.
The original JSON Compact serialized format passed to one of the two constructors
or
Gets the original raw data of this instance when it was created.
The original JSON Compact serialized format passed to one of the two constructors
or
Gets the s for this instance.
By default an empty collection is returned.
Gets the signature algorithm associated with this instance.
if there is a associated with this instance, a value will be returned. Null otherwise.
Gets the associated with this instance.
Gets or sets the that signed this instance.
.ValidateSignature(...) sets this value when a is used to successfully validate a signature.
Gets or sets the that contains a that signed this instance.
.ValidateSignature(...) sets this value when a is used to successfully validate a signature.
Gets "value" of the 'subject' claim { sub, 'value' }.
If the 'subject' claim is not found, null is returned.
Gets 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z).
If the 'notbefore' claim is not found, then is returned.
Gets 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z).
If the 'expiration' claim is not found, then is returned.
A designed for creating and validating Json Web Tokens. See http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-07.
Default lifetime of tokens created. When creating tokens, if 'expires' and 'notbefore' are both null, then a default will be set to: notbefore = DateTime.UtcNow, expires = DateTime.UtcNow + TimeSpan.FromMinutes(TokenLifetimeInMinutes).
Initializes a new instance of the class.
Obsolete method, use when processing tokens.
use . when processing tokens.
Determines if the is positioned on a well formed <BinarySecurityToken> element.
positioned at xml.
'true' if the reader is positioned at an element <BinarySecurityToken>.
in the namespace: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
With an attribute of 'valueType' equal to one of:
"urn:ietf:params:oauth:token-type:jwt", "JWT"
For example: <wsse:BinarySecurityToken valueType = "JWT"> ...
'false' otherwise.
The 'EncodingType' attribute is optional, if it is set, it must be equal to: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary".
'reader' is null.
Determines if the string is a well formed Json Web token (see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-07)
string that should represent a valid JSON Web Token.
Uses ( token, @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" ).
'true' if the token is in JSON compact serialization format.
'false' if token.Length * 2 > .
'tokenString' is null.
Creating is not supported.
to create a .
Creates a based on values found in the .
Contains the parameters used to create the token.
A .
If is not null, will be signed.
'tokenDescriptor' is null.
Uses the constructor, first creating the and .
If is not null, will be signed.
the issuer of the token.
the audience for this token.
the source of the (s) for this token.
the notbefore time for this token.
the expiration time for this token.
contains cryptographic material for generating a signature.
optional .
If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created.
See for details on how the HeaderParameters are added to the header.
See for details on how the values are added to the payload.
If signatureProvider is not null, then it will be used to create the signature and will not be called.
A .
if 'expires' <= 'notBefore'.
Gets the token type identifier(s) supported by this handler.
A collection of strings that identify the tokens this instance can handle.
When receiving a wrapped inside a <wsse:BinarySecurityToken> element, that element must have its ValueType attribute set to one of these values
in order for this handler to recognize that it can read the token.
Reads a JSON web token wrapped inside a WS-Security BinarySecurityToken xml element.
The pointing at the jwt.
An instance of
First calls .CanReadToken
The reader must be positioned at an element named:
'BinarySecurityToken'.
in the namespace: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
with a 'ValueType' attribute equal to one of: "urn:ietf:params:oauth:token-type:jwt", "JWT".
For example <wsse:BinarySecurityToken valueType = "JWT"> ...
The 'EncodingType' attribute is optional, if it is set, it must be equal to: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
'reader' is null.
if returns false.
Reads a token encoded in JSON Compact serialized format.
A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed
using 'JSON Web Signature' (JWS).
The JWT must be encoded using Base64Url encoding of the UTF-8 representation of the JWT: Header, Payload and Signature.
The contents of the JWT returned are not validated in any way, the token is simply decoded. Use ValidateToken to validate the JWT.
A
Obsolete method, use .
use .
Reads and validates a token encoded in JSON Compact serialized format.
A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed using 'JSON Web Signature' (JWS).
Contains validation parameters for the .
The that was validated.
'securityToken' is null or whitespace.
'validationParameters' is null.
'securityToken.Length' > .
A from the jwt. Does not include the header claims.
Writes the wrapped in a WS-Security BinarySecurityToken using the .
used to write token.
The that will be written.
'writer' is null.
'token' is null.
'token' is not a .
The current contents are encoded. If is not null, the encoding will contain a signature.
Writes the as a JSON Compact serialized format string.
to serialize.
If the are not null, the encoding will contain a signature.
'token' is null.
'token' is not a .
The as a signed (if exist) encoded string.
Produces a signature over the 'input' using the and algorithm specified.
string to be signed
the to use.
the algorithm to use.
if provided, the will be used to sign the token
The signature over the bytes obtained from UTF8Encoding.GetBytes( 'input' ).
The used to create the signature is obtained by calling .
'input' is null.
returns null.
Validates that the signature, if found and/or required, is valid.
A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed
using 'JSON Web Signature' (JWS).
that contains signing keys.
thrown if 'token' is null or whitespace.
thrown if 'validationParameters' is null.
thrown if a signature is not found and is true.
thrown if the 'token' has a key identifier and none of the (s) provided result in a validated signature.
This can indicate that a key refresh is required.
thrown if after trying all the (s), none result in a validated signature AND the 'token' does not have a key identifier.
that has the signature validated if token was signed and is true.
If the 'token' is signed, the signature is validated even if is false.
If the 'token' signature is validated, then the will be set to the key that signed the 'token'.
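The ValidateToken and ValidateSignature behaviour described above, exercised end to end. This is an added example, not code from the library or its documentation. It assumes a .NET Framework project referencing System.IdentityModel and the 4.x System.IdentityModel.Tokens.Jwt package these pages describe (everything lives in the System.IdentityModel.Tokens namespace there); the issuer and audience URIs, the 'tier' claim and the randomly generated HS256 key are constructed for the example. It creates a signed token, validates it, then shows the two failure modes a practitioner most wants to see rejected: a payload edited after signing, and a token whose signature segment has been removed.

```csharp
using System;
using System.IdentityModel.Tokens;      // JwtSecurityTokenHandler, TokenValidationParameters, Base64UrlEncoder (Jwt 4.x)
using System.Security.Claims;
using System.Security.Cryptography;

// Example only: create, validate, tamper, strip.
public static class JwtValidationExample
{
    public static void Main()
    {
        byte[] keyBytes = new byte[32];                              // constructed 256-bit HS256 key
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(keyBytes);
        var key = new InMemorySymmetricSecurityKey(keyBytes);
        var credentials = new SigningCredentials(key,
            SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);

        var handler = new JwtSecurityTokenHandler();
        DateTime now = DateTime.UtcNow;
        var subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice"), new Claim("tier", "reader") });
        // issuer, audience, subject, notBefore, expires, signingCredentials
        JwtSecurityToken token = handler.CreateToken(
            "https://issuer.example", "api://orders", subject, now, now.AddMinutes(10), credentials);
        string jwt = handler.WriteToken(token);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "api://orders",
            IssuerSigningKey = key,
            RequireSignedTokens = true,       // the default; shown because false would accept the stripped token below
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        Report("genuine token", handler, jwt, parameters);

        // 1) Edit the payload after signing and keep the original signature.
        string[] parts = jwt.Split('.');
        string tamperedPayload = Base64UrlEncoder.Encode(
            Base64UrlEncoder.Decode(parts[1]).Replace("\"reader\"", "\"admin\""));
        Report("tampered payload", handler, parts[0] + "." + tamperedPayload + "." + parts[2], parameters);

        // 2) Drop the signature. The compact format allows an empty third segment, so CanReadToken
        //    still succeeds; only RequireSignedTokens stops this token from being accepted.
        string stripped = parts[0] + "." + parts[1] + ".";
        Console.WriteLine("CanReadToken(stripped): " + handler.CanReadToken(stripped));
        Report("signature stripped", handler, stripped, parameters);
    }

    private static void Report(string label, JwtSecurityTokenHandler handler, string jwt, TokenValidationParameters parameters)
    {
        try
        {
            SecurityToken validated;
            ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out validated);
            Claim tier = principal.FindFirst("tier");
            Console.WriteLine(label + ": accepted, name=" + principal.Identity.Name +
                              ", tier=" + (tier == null ? "(none)" : tier.Value));
        }
        catch (SecurityTokenValidationException e)
        {
            // Signature, lifetime, issuer and audience failures all derive from this type.
            Console.WriteLine(label + ": rejected (" + e.GetType().Name + ")");
        }
    }
}
```

The stripped case is the one to keep in mind when reviewing validation settings: the page states that an unsigned token is only rejected when RequireSignedTokens is true, so that flag, and a key the attacker cannot obtain, are what the whole check rests on.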
Produces a readable string for a key, used in error messages.
Creates a from a .
The to use as a source.
The value to set
contains parameters for validating the token.
A containing the .
Creates the 'value' for the actor claim: { actort, 'value' }
as actor.
representing the actor.
If is not null:
if 'type' is 'string', return as string.
if 'type' is 'BootstrapContext' and 'BootstrapContext.SecurityToken' is 'JwtSecurityToken'
if 'JwtSecurityToken.RawData' != null, return RawData.
else return .
if 'BootstrapContext.Token' != null, return 'Token'.
default: new ( ( actor.Claims ).
'actor' is null.
Determines if the audiences found in a are valid.
The audiences found in the .
The being validated.
required for validation.
see for additional details.
Validates the lifetime of a .
The value of the 'nbf' claim if it exists in the 'jwt'.
The value of the 'exp' claim if it exists in the 'jwt'.
The being validated.
required for validation.
for additional details.
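The pieces of time handling this page documents in three places (the saturating DateTimeUtil.Add and GetMaxValue helpers near the top, the EpochTime conversions, and the ValidateLifetime check above) worked through together as an added example, not code from the library. It assumes only the .NET Framework base class library; the clock-skew direction (nbf may be up to skew in the future, exp up to skew in the past), the exception type and the constructed 'current' time are this example's choices.

```csharp
using System;

// Example only: epoch conversion and lifetime validation with clock skew, without overflow.
public static class LifetimeExample
{
    public static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // time + timespan, saturating at DateTime.MaxValue / MinValue instead of throwing,
    // and preserving the DateTimeKind of the input as GetMaxValue(kind) does.
    public static DateTime Add(DateTime time, TimeSpan timespan)
    {
        if (timespan.Ticks >= 0)
            return DateTime.MaxValue.Ticks - time.Ticks <= timespan.Ticks
                ? DateTime.SpecifyKind(DateTime.MaxValue, time.Kind) : time.Add(timespan);
        return time.Ticks + timespan.Ticks <= 0
            ? DateTime.SpecifyKind(DateTime.MinValue, time.Kind) : time.Add(timespan);
    }

    // Seconds since 1970-01-01T00:00:00Z; anything before the epoch maps to 0.
    public static long GetIntDate(DateTime dateTime)
    {
        DateTime utc = dateTime.Kind == DateTimeKind.Utc ? dateTime : dateTime.ToUniversalTime();
        if (utc <= UnixEpoch) return 0;
        return (long)(utc - UnixEpoch).TotalSeconds;
    }

    // Inverse of GetIntDate. A hostile 'exp' such as long.MaxValue would overflow DateTime,
    // so the result saturates rather than throwing inside the validator.
    public static DateTime DateTimeFromEpoch(long secondsSinceEpoch)
    {
        if (secondsSinceEpoch <= 0) return UnixEpoch;
        double maxSeconds = (DateTime.MaxValue - UnixEpoch).TotalSeconds;
        if (secondsSinceEpoch >= maxSeconds) return DateTime.SpecifyKind(DateTime.MaxValue, DateTimeKind.Utc);
        return UnixEpoch.AddSeconds(secondsSinceEpoch);
    }

    // Throws when the token is not yet valid, has expired, lacks a required 'exp', or has nbf after exp.
    public static void ValidateLifetime(DateTime? notBefore, DateTime? expires, DateTime nowUtc,
                                        TimeSpan skew, bool requireExpirationTime)
    {
        if (skew < TimeSpan.Zero) throw new ArgumentOutOfRangeException("skew");
        if (!expires.HasValue && requireExpirationTime)
            throw new InvalidOperationException("token has no 'exp' claim");
        if (notBefore.HasValue && expires.HasValue && notBefore.Value > expires.Value)
            throw new InvalidOperationException("'nbf' is after 'exp'");
        if (notBefore.HasValue && notBefore.Value > Add(nowUtc, skew))
            throw new InvalidOperationException("token not yet valid, nbf=" + notBefore.Value.ToString("o"));
        if (expires.HasValue && expires.Value < Add(nowUtc, skew.Negate()))
            throw new InvalidOperationException("token expired, exp=" + expires.Value.ToString("o"));
    }

    public static void Main()
    {
        DateTime now = new DateTime(2024, 1, 15, 12, 0, 0, DateTimeKind.Utc);   // constructed 'current' time
        TimeSpan skew = TimeSpan.FromMinutes(5);

        // exp three minutes in the past: inside the skew window, accepted.
        DateTime exp = DateTimeFromEpoch(GetIntDate(now.AddMinutes(-3)));
        ValidateLifetime(null, exp, now, skew, true);
        Console.WriteLine("exp " + exp.ToString("o") + " accepted within skew");

        // exp six minutes in the past: outside the window, rejected.
        try { ValidateLifetime(null, DateTimeFromEpoch(GetIntDate(now.AddMinutes(-6))), now, skew, true); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }

        // Hostile or absurd values do not crash the validator.
        Console.WriteLine("long.MaxValue exp -> " + DateTimeFromEpoch(long.MaxValue).ToString("o"));
        Console.WriteLine("pre-1970 date -> " + GetIntDate(new DateTime(1960, 1, 1, 0, 0, 0, DateTimeKind.Utc)));
        Console.WriteLine("MaxValue-1d + 2d saturates: " + (Add(DateTime.MaxValue.AddDays(-1), TimeSpan.FromDays(2)) == DateTime.MaxValue));
    }
}
```

Applying the skew on the clock rather than on the claims keeps the two comparisons readable and makes it obvious that skew widens the acceptance window in both directions, which is why it should stay small.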
Determines if an issuer found in a is valid.
The issuer to validate
The that is being validated.
required for validation.
The issuer to use when creating the (s) in the .
for additional details.
Returns a to use when validating the signature of a token.
the representation of the token that is being validated.
the that is being validated.
the found in the token.
A required for validation.
Returns a to use for signature validation.
if 'keyIdentifier' is null.
if 'validationParameters' is null.
If key fails to resolve, then null is returned
Validates the is an expected value.
The that signed the .
The to validate.
the current .
If the is a then the X509Certificate2 will be validated using .
Gets or sets the used to map Inbound Cryptographic Algorithms.
Strings that describe Cryptographic Algorithms that are understood by the runtime are not necessarily the same values used in the JsonWebToken specification.
When a signature is validated, the algorithm is obtained from the HeaderParameter { alg, 'value' }.
The 'value' is translated according to this mapping and the translated 'value' is used when performing cryptographic operations.
Default mapping is:
RS256 => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
HS256 => http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
'value' is null.
Gets or sets the used to map Outbound Cryptographic Algorithms.
Strings that describe Cryptographic Algorithms understood by the runtime are not necessarily the same as the values used in the JsonWebToken specification.
This property contains the mappings that will be used when creating a and setting the HeaderParameter { alg, 'value' }.
The 'value' set is translated according to this mapping.
Default mapping is:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 => RS256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 => HS256
'value' is null.
Gets or sets the that is used when setting the for claims in the extracted when validating a .
The is set to the JSON claim 'name' after translating using this mapping.
'value' is null.
Gets or sets the that is used when creating a from (s).
The JSON claim 'name' value is set to after translating using this mapping.
This mapping is applied only when using or . Adding values directly will not result in translation.
'value' is null.
Gets or sets the used to filter claims when populating a with claims from a .
When a is validated, claims with types found in this will not be added to the .
'value' is null.
Gets or sets the property name of the that will contain the original JSON claim 'name' if a mapping occurred when the (s) were created.
See for more information.
if .IsNullOrWhiteSpace('value') is true.
Gets or sets the property name of the that will contain the .Net type that was recognized when JwtPayload.Claims serialized the value to JSON.
See for more information.
if .IsNullOrWhiteSpace('value') is true.
Returns 'true' which indicates this instance can validate a .
Returns 'true', which indicates this instance can write .
Gets and sets the token lifetime in minutes.
'value' less than 1.
Gets and sets the maximum size, in bytes, of a that will be processed.
'value' less than 1.
Gets or sets the for creating (s).
This extensibility point can be used to insert custom (s).
is called to obtain a (s) when needed.
'value' is null.
Gets the supported by this handler.
represents a collection of named sets of (s) that can be matched by a
and return a that contains (s).
Initializes a new instance of the class.
Initializes a new instance of the class.
Populates this instance with a named collection of (s) and an optional that will be called when a
or cannot be resolved.
A named collection of (s).
A to call when resolving fails, before calling base.
If 'keys' is null, an empty collection will be created. A named collection of (s) can be added by accessing the property .
Populates the from xml.
xml for processing.
'nodeList' is null.
Only (s) with == 'securityKey' will be processed. Unprocessed nodes will be added to a list and can be accessed using the property.
When processing xml in , each that has = 'securityKey' is passed here for processing.
contains xml to map to a named .
A single is expected with up to three attributes: {'expected values'}.
<securityKey
symmetricKey {required}
name {required}
EncodingType or encodingType {optional}
>
</securityKey>
If 'EncodingType' is specified, only:
'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
'Base64Binary'
'base64Binary'
are allowed and have the same meaning.
When a symmetricKey is found, Convert.FromBase64String( value ) is applied to create the key.
'element' is null.
attribute 'symmetricKey' is not found.
value of 'symmetricKey' is empty or whitespace.
attribute 'name' is not found.
value of 'name' is empty or whitespace.
value of 'encodingType' is not valid.
Finds the first in a named collection that match the .
The to resolve to a
The resolved .
If there is no match, then and 'base' are called in order.
true if key resolved, false otherwise.
Finds a named collection of (s) that match the and returns a that contains the (s).
The to resolve to a
The resolved .
A can contain multiple (s). This method will return the named collection that matches the first
If there is no match, then and 'base' are called in order.
true if the keyIdentifier is resolved, false otherwise.
Finds a named collection of (s) that match the and returns a that contains the (s).
The to resolve to a
The resolved .
If there is no match, then and 'base' are called in order.
true if token was resolved.
if 'keyIdentifierClause' is null.
Gets the named collection of (s).
Gets or sets the to call when or fails to resolve, before calling base.
'value' is null.
'object.ReferenceEquals( this, value)' is true.
Gets the unprocessed (s) from .
processes only (s) that have the == 'securityKey'. Unprocessed (s) are accessible here.
A that can be used to match .
Initializes a new instance of the class. The 'name' for matching key identifiers found in the securityToken.
Used to identify a named collection of keys.
Additional information for matching.
if 'name' is null or whitespace.
if 'id' is null or whitespace
Determines if a matches this instance.
The to match.
true if:
1. keyIdentifierClause is a .
2. string.Equals( keyIdentifierClause.Name, this.Name, StringComparison.Ordinal).
3. string.Equals( keyIdentifierClause.Id, this.Id, StringComparison.Ordinal).
Otherwise calls base.Matches( keyIdentifierClause ).
'keyIdentifierClause' is null.
Gets the name of the (s) this represents.
A that contains multiple that have a name.
Initializes a new instance of the class that contains a single .
A name for the .
the identifier for this token.
A
if 'name' is null or whitespace.
if 'id' is null or whitespace.
if 'key' is null.
Initializes a new instance of the class that contains a (System.IdentityModel.Tokens.SecurityKey) that can be matched by name.
the identifier for this token.
A name for the (System.IdentityModel.Tokens.SecurityKey).
A collection of
if 'name' is null or whitespace.
if 'id' is null or whitespace.
if 'keys' is null.
Gets the first that matches a
the to match.
The first that matches the .
null if there is no match.
Only are matched.
'keyIdentifierClause' is null.
Answers if the is a match.
The
true if matched.
A successful match occurs when == .
Only are matched.
'keyIdentifierClause' is null.
Gets the id of the security token.
Gets the Name of the security token.
Gets the creation time as a .
The default is: .
Gets the expiration time as a
The default is: .
Gets the (s).
This exception is thrown when the 'audience' of a token was not valid.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when the 'issuer' of a token was not valid.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when the 'lifetime' of a token was not valid.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when a security is missing an ExpirationTime.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when an add to the TokenReplayCache fails.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when a security token contained a key identifier but the key was not found by the runtime.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
Creates s by specifying a and algorithm.
Supports both and .
This is the minimum .KeySize when creating signatures.
This is the minimum .KeySize when verifying signatures.
This is the minimum .KeySize when creating and verifying signatures.
Creates a that supports the and algorithm.
The to use for signing.
The algorithm to use for signing.
'key' is null.
'algorithm' is null.
'algorithm' contains only whitespace.
'' is smaller than .
'' is smaller than .
'' is not a or a .
AsymmetricSignatureProviders require access to a PrivateKey for Signing.
The .
Returns a instance that supports the and algorithm.
The to use for signing.
The algorithm to use for signing.
'key' is null.
'algorithm' is null.
'algorithm' contains only whitespace.
'' is smaller than .
'' is smaller than .
'' is not a or a .
The .
When finished with a call this method for cleanup. The default behavior is to call
to be released.
Gets or sets the minimum .KeySize.
'value' is smaller than .
Gets or sets the minimum .KeySize for creating signatures.
'value' is smaller than .
Gets or sets the minimum .KeySize for verifying signatures.
'value' is smaller than .
Provides signing and verifying operations using a and specifying an algorithm.
Initializes a new instance of the class that uses an to create and / or verify signatures over an array of bytes.
The used for signing.
The signature algorithm to use.
'key' is null.
'algorithm' is null.
'algorithm' contains only whitespace.
'.KeySize' is smaller than .
throws.
returns null.
throws.
Produces a signature over the 'input' using the and 'algorithm' passed to .
bytes to sign.
signed bytes
'input' is null.
'input.Length' == 0.
has been called.
is null. This can occur if a derived type deletes it or does not create it.
Verifies that a signature created over the 'input' matches the signature. Using and 'algorithm' passed to .
bytes to verify.
signature to compare against.
true if computed signature matches the signature parameter, false otherwise.
'input' is null.
'signature' is null.
'input.Length' == 0.
'signature.Length' == 0.
has been called.
if the internal is null. This can occur if a derived type deletes it or does not create it.
Disposes of internal components.
true, if called from Dispose(), false, if invoked inside a finalizer.
Compares two byte arrays for equality. The hash size is fixed; normally it is 32 bytes.
The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents.
One set of bytes to compare.
The other set of bytes to compare with.
true if the bytes are equal, false otherwise.
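An added illustration of the fixed-time comparison described above; it is not the library's own AreEqual, and the names are hypothetical. The loop always runs over the full expected length and folds the length difference into the same accumulator, so a shortened signature and a modified byte cost the same amount of work.

```csharp
using System;
using System.Runtime.CompilerServices;

// Added example, not the library's own implementation.
public static class FixedTimeCompare
{
    // NoOptimization keeps the JIT from turning the accumulator loop into an
    // early-exit comparison; NoInlining keeps that guarantee at every call site.
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    public static bool AreEqual(byte[] expected, byte[] actual)
    {
        if (expected == null || actual == null)
            return false;

        // Fold the length difference into the same accumulator as the byte
        // differences, so a shortened signature is rejected without an early return.
        int diff = expected.Length ^ actual.Length;

        // Always walk the full expected length (32 bytes for HMAC-SHA256).
        // Missing positions in a shorter 'actual' compare against 0, so the
        // iteration count never depends on the attacker-controlled length.
        for (int i = 0; i < expected.Length; i++)
        {
            int b = i < actual.Length ? actual[i] : 0;
            diff |= expected[i] ^ b;
        }
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: a 32-byte "signature" and three candidates.
        byte[] sig = new byte[32];
        for (int i = 0; i < sig.Length; i++) sig[i] = (byte)(i * 7 + 3);

        byte[] same = (byte[])sig.Clone();          // identical
        byte[] tampered = (byte[])sig.Clone();
        tampered[31] ^= 0x01;                       // last byte flipped
        byte[] shortened = new byte[16];
        Array.Copy(sig, shortened, 16);             // truncated signature

        Console.WriteLine(AreEqual(sig, same));
        Console.WriteLine(AreEqual(sig, tampered));
        Console.WriteLine(AreEqual(sig, shortened));
    }
}
```

On .NET Core 2.1 and later, System.Security.Cryptography.CryptographicOperations.FixedTimeEquals gives the same guarantee for equal-length inputs (it returns false immediately when the lengths differ).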
Definition for AudienceValidator.
The audiences found in the .
The being validated.
required for validation.
Definition for IssuerSigningKeyRetriever. When validating signatures, this method will return key to use.
the representation of the token that is being validated.
the that is being validated. It may be null.
the found in the token. It may be null.
required for validation.
Definition for IssuerValidator.
The issuer to validate.
The that is being validated.
required for validation.
The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity".
Definition for LifetimeValidator.
The 'notBefore' time found in the .
The 'expiration' time found in the .
The being validated.
required for validation.
Contains a set of parameters that are used by a when validating a .
Default for the maximum token size.
2 MB (megabytes).
This is the fallback authenticationtype that a will use if nothing is set.
Default for the clock skew.
300 seconds (5 minutes).
Copy constructor for .
Initializes a new instance of the class.
Returns a new instance of with values copied from this object.
A new object copied from this object
This is a shallow Clone.
Creates a using:
'NameClaimType' is calculated: if NameClaimTypeRetriever is set, call it; otherwise use NameClaimType. If the result is a null or empty string, use .
'RoleClaimType' is calculated: if RoleClaimTypeRetriever is set, call it; otherwise use RoleClaimType. If the result is a null or empty string, use .
A with Authentication, NameClaimType and RoleClaimType set.
Gets or sets a delegate that will be used to validate the audience of the tokens
Gets or sets the AuthenticationType when creating a during token validation.
if 'value' is null or whitespace.
Gets or sets the for validating X509Certificate2(s).
Gets or sets the that is to be used for decrypting inbound tokens.
if 'value' is null.
Gets or sets the clock skew to apply when validating times
if 'value' is less than 0.
Gets or sets the that is to be used for validating signed tokens.
Gets or sets the that is to be used for validating signed tokens.
Gets or sets a delegate that will be used to retrieve (s) used for checking signatures.
Each will be used to check the signature. Returning multiple keys can be helpful when the does not contain a key identifier.
This can occur when the issuer has multiple keys available. This sometimes occurs during key rollover.
Gets or sets the that are to be used for validating signed tokens.
Gets or sets the that is used for validating signed tokens.
Gets or sets the that are to be used for validating signed tokens.
Gets or sets a delegate that will be used to validate the issuer of the token. The delegate returns the issuer to use.
Gets or sets a delegate that will be used to validate the lifetime of the token
Gets or sets the passed to .
Controls the value returns. It will return the first where the equals .
Gets or sets the passed to .
Controls the (s) returned from .
Each returned will have a equal to .
Gets or sets a delegate that will be called to obtain the NameClaimType to use when creating a ClaimsIdentity
when validating a token.
Gets or sets a value indicating whether tokens must have an 'expiration' value.
Gets or sets a value indicating whether a can be valid if not signed.
Gets or sets a delegate that will be called to obtain the RoleClaimType to use when creating a ClaimsIdentity
when validating a token.
Gets or sets a boolean to control if the original token is saved when a session is created.
The SecurityTokenValidator will use this value to save the original string that was validated.
Gets or sets the that will be checked to help in detecting that a token has been 'seen' before.
Gets or sets a value indicating whether the should be validated.
Gets or sets a boolean to control if the audience will be validated during token validation.
Gets or sets a boolean to control if the issuer will be validated during token validation.
Gets or sets a boolean to control if the lifetime will be validated during token validation.
Gets or sets a boolean that controls if validation of the that signed the securityToken is called.
Gets or sets a string that represents a valid audience that will be used during token validation.
Gets or sets the that contains valid audiences that will be used during token validation.
Gets or sets a that represents a valid issuer that will be used during token validation.
Gets or sets the that contains valid issuers that will be used during token validation.
AudienceValidator
Determines if the audiences found in a are valid.
The audiences found in the .
The being validated.
required for validation.
if 'validationParameters' is null.
if 'audiences' is null and is true.
if is null or whitespace and is null.
if none of the 'audiences' matched either or one of .
An EXACT match is required.
Determines if an issuer found in a is valid.
The issuer to validate
The that is being validated.
required for validation.
The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity".
if 'validationParameters' is null.
if 'issuer' is null or whitespace and is true.
if is null or whitespace and is null.
if 'issuer' failed to match either or one of .
An EXACT match is required.
Validates the that signed a .
The that signed the .
The being validated.
required for validation.
if 'validationParameters' is null.
Validates the lifetime of a .
The 'notBefore' time found in the .
The 'expiration' time found in the .
The being validated.
required for validation.
if 'validationParameters' is null.
if 'expires.HasValue' is false and is true.
if 'notBefore' is > 'expires'.
if 'notBefore' is > DateTime.UtcNow.
if 'expires' is < DateTime.UtcNow.
All time comparisons apply .
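An added example of the four lifetime rules listed above with the clock skew applied on both sides; it is not the library's ValidateLifetime, and the current time is passed in as a parameter (rather than read from DateTime.UtcNow) so that the cases are reproducible. The type and method names are hypothetical.

```csharp
using System;

// Added example, not the library's own implementation.
public enum LifetimeResult { Valid, MissingExpiration, NotBeforeAfterExpires, NotYetValid, Expired }

public static class LifetimeValidation
{
    public static LifetimeResult Validate(DateTime? notBefore, DateTime? expires,
                                          bool requireExpirationTime,
                                          TimeSpan clockSkew, DateTime utcNow)
    {
        if (clockSkew < TimeSpan.Zero)
            throw new ArgumentOutOfRangeException(nameof(clockSkew), "clock skew cannot be negative");

        // Rule 1: a token without 'exp' is rejected when an expiration is required.
        if (!expires.HasValue && requireExpirationTime)
            return LifetimeResult.MissingExpiration;

        // Rule 2: 'nbf' after 'exp' is malformed regardless of the current time.
        if (notBefore.HasValue && expires.HasValue && notBefore.Value > expires.Value)
            return LifetimeResult.NotBeforeAfterExpires;

        // Rule 3: 'nbf' may be up to ClockSkew in the future (issuer clock runs fast).
        if (notBefore.HasValue && notBefore.Value > utcNow.Add(clockSkew))
            return LifetimeResult.NotYetValid;

        // Rule 4: 'exp' may be up to ClockSkew in the past (issuer clock runs slow).
        if (expires.HasValue && expires.Value < utcNow.Subtract(clockSkew))
            return LifetimeResult.Expired;

        return LifetimeResult.Valid;
    }

    public static void Main()
    {
        // Constructed reference time and the documented default skew of 5 minutes.
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var skew = TimeSpan.FromMinutes(5);

        // 'nbf' 3 minutes ahead: inside the skew window, accepted.
        Console.WriteLine(Validate(now.AddMinutes(3), now.AddMinutes(10), true, skew, now));
        // 'exp' 4 minutes behind: inside the skew window, accepted.
        Console.WriteLine(Validate(null, now.AddMinutes(-4), true, skew, now));
        // 'exp' 6 minutes behind: outside the window, rejected.
        Console.WriteLine(Validate(null, now.AddMinutes(-6), true, skew, now));
        // No 'exp' at all while one is required.
        Console.WriteLine(Validate(null, null, true, skew, now));
        // Same 3-minute-ahead 'nbf' with zero skew is rejected.
        Console.WriteLine(Validate(now.AddMinutes(3), now.AddMinutes(10), true, TimeSpan.Zero, now));
    }
}
```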
Validates if a token has been replayed.
The being validated.
When does the security token expire.
required for validation.
if 'securityToken' is null or whitespace.
if 'validationParameters' is null or whitespace.
if is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
if the 'securityToken' is found in the cache.
if the 'securityToken' could not be added to the .
Defines constants needed from WS-Security 1.0.
Defines constants needed from WS-SecureUtility standard schema.
This class also resets chainPolicy.VerificationTime = DateTime.Now each time a certificate is validated; otherwise certificates created after the validator was created would not chain.
Initializes a new instance of the class.
The certificate validation mode.
The revocation mode.
The trusted store location.
thrown if the certificationValidationMode is custom or unknown.
Validates a .
The to validate.
Security key that allows access to cert
Instantiates a using a
cert to use.
Gets the .