Obtaining SecurityKeys for Validation Dynamically
An easy way to do this is using a delegate on TokenValidationParameters.IssuerSigningKeyResolver. When validating the signature the runtime will call the delegate to obtain keys.
Here is what you need to set it up: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L53 https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L347
Here is where it gets called in the runtime: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs#L1248
Your delegate will get passed:
- string - the token being validated
- SecurityToken - the CLR class
- string - the key identifier (kid) we found in the token, if any
- TokenValidationParameters - the parameters that will be used to validate

MODIFY TokenValidationParameters very carefully, as the same instance will be used for the next validation. It can be reset between validations.
Simple example, but the function could be anything.

```csharp
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;

// validationParametersSets is the TokenValidationParameters instance handed to the
// token handler; issuerSigningKey is the SecurityKey used to sign the token.
// The lambda matches the IssuerSigningKeyResolver delegate:
//   (string token, SecurityToken securityToken, string kid, TokenValidationParameters tvp)
//   => IEnumerable<SecurityKey>
validationParametersSets.IssuerSigningKeyResolver = (token, securityToken, keyIdentifier, tvp) =>
{
    return new List<SecurityKey> { issuerSigningKey };
};
```
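A fuller resolver, added here as an example and not code from the wiki or the library: it selects the key by the `kid` the runtime found in the token, returns all cached keys when the token has no `kid`, refreshes its cache once on a miss (the situation after a signing key roll-over), and returns an empty set rather than mutating the `TokenValidationParameters` it was given. The class name `KeyResolverDemo`, the `KeyCache` dictionary and the `RefreshKeyCache` hook are assumptions; the issuer, audience and RSA key are constructed locally so the program runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class KeyResolverDemo
{
    // Assumed key cache, keyed by kid. In production it would be filled from the
    // issuer's JWKS endpoint; here it is populated locally for the demo.
    private static readonly Dictionary<string, SecurityKey> KeyCache =
        new Dictionary<string, SecurityKey>();

    public static async Task Main()
    {
        // Constructed issuer key: a fresh RSA key pair with an explicit key id.
        var rsa = RSA.Create(2048);
        var signingKey = new RsaSecurityKey(rsa) { KeyId = "2024-key-1" };

        // Issue a token so there is something realistic to validate.
        var handler = new JsonWebTokenHandler();
        string token = handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",
            Audience = "api://resource",
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256),
        });

        // Publish only the public half under the same kid, as the issuer's JWKS would.
        var publicKey = new RsaSecurityKey(rsa.ExportParameters(false)) { KeyId = signingKey.KeyId };
        KeyCache[publicKey.KeyId] = publicKey;

        var tvp = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "api://resource",
            IssuerSigningKeyResolver = ResolveSigningKeys,
        };

        TokenValidationResult result = await handler.ValidateTokenAsync(token, tvp);
        Console.WriteLine(result.IsValid ? "valid" : $"invalid: {result.Exception?.Message}");
    }

    // Signature matches the IssuerSigningKeyResolver delegate the runtime invokes.
    private static IEnumerable<SecurityKey> ResolveSigningKeys(
        string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters)
    {
        // Do not modify validationParameters: the runtime reuses it on later validations.
        if (string.IsNullOrEmpty(kid))
        {
            // No kid in the header: hand back every cached key and let the runtime try each.
            return new List<SecurityKey>(KeyCache.Values);
        }

        if (KeyCache.TryGetValue(kid, out var key))
            return new[] { key };

        // Cache miss: the issuer may have rolled its key. Refresh once, then retry.
        RefreshKeyCache();
        return KeyCache.TryGetValue(kid, out key) ? new[] { key } : Array.Empty<SecurityKey>();
    }

    // Assumed refresh hook. A real implementation re-fetches the issuer's JWKS and rebuilds
    // KeyCache; throttle it so a flood of unknown kids cannot turn into a flood of fetches.
    private static void RefreshKeyCache()
    {
        // Intentionally a no-op in this self-contained example.
    }
}
```

Returning an empty collection on an unknown `kid` makes the runtime fail the signature check with a clear "key not found" error, which is the outcome you want; returning every key you hold instead would hide key roll-over problems and widen the set of keys a forged header can be matched against. `ValidateTokenAsync` is used here because it is the entry point in current releases of the library; older 6.x code used the synchronous `ValidateToken`, which calls the resolver the same way.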