Obtaining SecurityKeys for Validation Dynamically
An easy way to do this is to set a delegate on TokenValidationParameters. When the runtime validates the signature, it calls the delegate to obtain the keys.

Here is what you need to set it up:
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L53
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L347

Here is where it gets called in the runtime:
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs#L1248

Your delegate will get passed:
- string token - the token being validated
- SecurityToken - the CLR class that has been hydrated from the token
- string kid - the key identifier taken from the token (the `keyIdentifier` parameter in the example below)
- TokenValidationParameters - the parameters that will be used to validate. MODIFY THIS VERY CAREFULLY
Simple example, but the function could be anything.
```csharp
// Return the key(s) the runtime should try for this token's signature.
validationParameters.IssuerSigningKeyResolver = (token, securityToken, keyIdentifier, tvp) =>
{
    return new List<SecurityKey> { issuerSigningKey };
};
```
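A fuller resolver, added here as an example rather than code from the wiki or the library: it selects the key by the `kid` the runtime hands it, leaves the TokenValidationParameters untouched, and returns no keys for a `kid` it does not know so that validation fails closed. The key set, secrets, issuer and audience are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class DynamicKeyResolution
{
    // Constructed sample key set keyed by 'kid'; a real service would fill and refresh it from issuer metadata (assumption).
    private static readonly Dictionary<string, SecurityKey> KnownKeys = new Dictionary<string, SecurityKey>
    {
        ["key-1"] = MakeKey("key-1", "constructed-sample-secret-number-one-32b!"),
        ["key-2"] = MakeKey("key-2", "constructed-sample-secret-number-two-32b!"),
    };

    private static SymmetricSecurityKey MakeKey(string kid, string secret) =>
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)) { KeyId = kid };

    public static TokenValidationParameters BuildParameters() => new TokenValidationParameters
    {
        ValidIssuer = "https://issuer.example",
        ValidAudience = "api://resource",
        // Called by the runtime while it checks the signature. Pick the key by 'kid'
        // and leave 'tvp' alone: it is the live parameter set for this validation.
        IssuerSigningKeyResolver = (token, securityToken, kid, tvp) =>
        {
            if (!string.IsNullOrEmpty(kid) && KnownKeys.TryGetValue(kid, out var key))
                return new[] { key };
            // Unknown or absent kid: hand back no keys so the signature check fails closed instead of trying every key.
            return Array.Empty<SecurityKey>();
        },
    };

    public static string CreateToken(SecurityKey signingKey) =>
        new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",
            Audience = "api://resource",
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
        });

    public static void Main()
    {
        var handler = new JsonWebTokenHandler();
        var tvp = BuildParameters();
        var known = handler.ValidateTokenAsync(CreateToken(KnownKeys["key-1"]), tvp).GetAwaiter().GetResult();
        Console.WriteLine($"kid=key-1 valid: {known.IsValid}");
        // Signed with a key the resolver has never seen: the kid lookup yields nothing.
        var rogue = MakeKey("key-unknown", "constructed-secret-not-in-the-key-set-32b");
        var unknown = handler.ValidateTokenAsync(CreateToken(rogue), tvp).GetAwaiter().GetResult();
        Console.WriteLine($"kid=key-unknown valid: {unknown.IsValid} ({unknown.Exception?.GetType().Name})");
    }
}
```

The second token fails because the resolver returns an empty key set; inspect `TokenValidationResult.Exception` to see the reason the runtime reports.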