Skip to content

Obtaining SecurityKeys for Validation Dynamically

BrentSchmaltz edited this page Oct 30, 2019 · 4 revisions

An easy way to do this is using a delegate on TokenValidationParameters.IssuerSigningKeyResolver. When validating the signature the runtime will call the delegate to obtain keys.

Here is what you need to set it up: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L53 https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L347

Here is where it gets called in the runtime
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs#L1248

Your delegate will get passed:
string - the token being validated
SecurityToken - the clr class
string - the key identifier we found in the token (if any)
TokenValidationParameters - the parameters that will be used to validate

MODIFY TokenValidationParameters very carefully as this will be used the next validation. It can be reset between validations.

Simple example, but the function could be anything.

validationParametersSets.IssuerSigningKeyResolver = (token, securityToken, keyIdentifier, tvp) =>
{ return new List<SecurityKey> { issuerSigningKey }; };

Clone this wiki locally