-
Notifications
You must be signed in to change notification settings - Fork 471
Expand file tree
/
Copy pathJsonWebTokenHandler.ClaimsIdentity.cs
More file actions
157 lines (134 loc) · 6.86 KB
/
Copy pathJsonWebTokenHandler.ClaimsIdentity.cs
File metadata and controls
157 lines (134 loc) · 6.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using System.Collections.Generic;
#nullable enable
namespace Microsoft.IdentityModel.JsonWebTokens
{
public partial class JsonWebTokenHandler
{
/// <summary>
/// Creates a <see cref="ClaimsIdentity"/> from a <see cref="JsonWebToken"/>.
/// </summary>
/// <param name="jwtToken">The <see cref="JsonWebToken"/> to use as a <see cref="Claim"/> source.</param>
/// <param name="validationParameters">The <see cref="ValidationParameters"/> to be used for validating the token.</param>
/// <returns>A <see cref="ClaimsIdentity"/> containing the <see cref="JsonWebToken.Claims"/>.</returns>
internal virtual ClaimsIdentity CreateClaimsIdentity(JsonWebToken? jwtToken, ValidationParameters validationParameters)
{
// TODO: Make protected once ValidationParameters is public.
_ = jwtToken ?? throw LogHelper.LogArgumentNullException(nameof(jwtToken));
return CreateClaimsIdentityPrivate(jwtToken, validationParameters, GetActualIssuer(jwtToken));
}
/// <summary>
/// Creates a <see cref="ClaimsIdentity"/> from a <see cref="JsonWebToken"/> with the specified issuer.
/// </summary>
/// <param name="jwtToken">The <see cref="JsonWebToken"/> to use as a <see cref="Claim"/> source.</param>
/// <param name="validationParameters">The <see cref="ValidationParameters"/> to be used for validating the token.</param>
/// <param name="issuer">Specifies the issuer for the <see cref="ClaimsIdentity"/>.</param>
/// <returns>A <see cref="ClaimsIdentity"/> containing the <see cref="JsonWebToken.Claims"/>.</returns>
internal virtual ClaimsIdentity CreateClaimsIdentity(
JsonWebToken? jwtToken,
ValidationParameters validationParameters,
string issuer)
{
// TODO: Make protected once ValidationParameters is public.
_ = jwtToken ?? throw LogHelper.LogArgumentNullException(nameof(jwtToken));
if (string.IsNullOrWhiteSpace(issuer))
issuer = GetActualIssuer(jwtToken);
if (MapInboundClaims)
return CreateClaimsIdentityWithMapping(jwtToken, validationParameters, issuer);
return CreateClaimsIdentityPrivate(jwtToken, validationParameters, issuer);
}
internal override ClaimsIdentity CreateClaimsIdentityInternal(
SecurityToken securityToken,
ValidationParameters validationParameters,
string issuer)
{
return CreateClaimsIdentity(securityToken as JsonWebToken, validationParameters, issuer);
}
private ClaimsIdentity CreateClaimsIdentityWithMapping(JsonWebToken jwtToken, ValidationParameters validationParameters, string issuer)
{
_ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
bool wasMapped = _inboundClaimTypeMap.TryGetValue(jwtClaim.Type, out string? type);
string claimType = type ?? jwtClaim.Type;
if (claimType == ClaimTypes.Actor)
{
if (identity.Actor != null)
throw LogHelper.LogExceptionMessage(
new InvalidOperationException(
LogHelper.FormatInvariant(
LogMessages.IDX14112,
LogHelper.MarkAsNonPII(JwtRegisteredClaimNames.Actort),
jwtClaim.Value)));
if (CanReadToken(jwtClaim.Value))
{
JsonWebToken? actor = ReadToken(jwtClaim.Value) as JsonWebToken;
identity.Actor = CreateClaimsIdentity(actor, validationParameters);
}
}
if (wasMapped)
{
Claim claim = new Claim(claimType, jwtClaim.Value, jwtClaim.ValueType, issuer, issuer, identity);
if (jwtClaim.Properties.Count > 0)
{
foreach (var kv in jwtClaim.Properties)
{
claim.Properties[kv.Key] = kv.Value;
}
}
claim.Properties[ShortClaimTypeProperty] = jwtClaim.Type;
identity.AddClaim(claim);
}
else
{
identity.AddClaim(jwtClaim);
}
}
return identity;
}
private ClaimsIdentity CreateClaimsIdentityPrivate(JsonWebToken jwtToken, ValidationParameters validationParameters, string issuer)
{
_ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
string claimType = jwtClaim.Type;
if (claimType == ClaimTypes.Actor)
{
if (identity.Actor != null)
throw LogHelper.LogExceptionMessage(
new InvalidOperationException(
LogHelper.FormatInvariant(
LogMessages.IDX14112,
LogHelper.MarkAsNonPII(JwtRegisteredClaimNames.Actort),
jwtClaim.Value)));
if (CanReadToken(jwtClaim.Value))
{
JsonWebToken? actor = ReadToken(jwtClaim.Value) as JsonWebToken;
identity.Actor = CreateClaimsIdentity(actor, validationParameters, issuer);
}
}
if (jwtClaim.Properties.Count == 0)
{
identity.AddClaim(new Claim(claimType, jwtClaim.Value, jwtClaim.ValueType, issuer, issuer, identity));
}
else
{
Claim claim = new(claimType, jwtClaim.Value, jwtClaim.ValueType, issuer, issuer, identity);
foreach (KeyValuePair<string, string> kv in jwtClaim.Properties)
claim.Properties[kv.Key] = kv.Value;
identity.AddClaim(claim);
}
}
return identity;
}
}
}
#nullable restore