
Commit 31474fd

Merge pull request #63 from POORT8/codex/validate-token-and-throw-exception-if-invalid
Add TokenValidationResult checks
2 parents 28caf20 + 5301c85 commit 31474fd

2 files changed

Lines changed: 24 additions & 2 deletions


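--- a/Poort8.Ishare.Core/AuthenticationService.cs
+++ b/Poort8.Ishare.Core/AuthenticationService.cs
@@ -58,6 +58,15 @@ public async Task ValidateToken(string token, string validIssuer, bool tokenRepl
 if (tokenReplayAllowed) tokenValidationParameters.ValidateTokenReplay = false;
 
 var validationResult = await handler.ValidateTokenAsync(token, tokenValidationParameters);
+if (validationResult.IsValid == false)
+{
+logger.LogError(
+"Token validation error, for valid issuer {validIssuer} and token {token}. With message: {msg}",
+validIssuer,
+token,
+validationResult.Exception?.Message);
+throw validationResult.Exception ?? new Exception("Token validation failed");
+}
 
 ValidateIssAndSub(token, validIssuer, validationResult);
 ValidateIatAndExp(token, validIssuer, validationResult);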
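Review bot: The new LogError call at line 64 writes the full presented `token` into the log, so a token that fails only a soft check (wrong issuer, replay) but is otherwise still live ends up as a usable bearer credential in log storage. `validIssuer` plus the exception message is enough to diagnose the failure; drop `{token}` from the template, or log a non-secret correlation value such as the token's `jti` claim if one is needed. Separately, `throw validationResult.Exception ?? new Exception("Token validation failed");` rethrows a stored exception object, which replaces its original stack trace, and bare `Exception` gives callers nothing specific to catch; wrapping it, e.g. `throw new SecurityTokenValidationException("Token validation failed", validationResult.Exception);`, keeps the cause and a catchable type, and the same applies to line 193 of SatelliteService.cs in this commit. ValidateToken's body starts and ends outside this hunk.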

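--- a/Poort8.Ishare.Core/SatelliteService.cs
+++ b/Poort8.Ishare.Core/SatelliteService.cs
@@ -164,6 +164,11 @@ private async Task<JsonWebToken> SatelliteTokenValidation(string token)
 {
 var handler = new JsonWebTokenHandler { MaximumTokenSizeInBytes = 1024 * 1024 * 2 };
 
+var jsonWebToken = handler.ReadJsonWebToken(token);
+var chain = AuthenticationService.GetCertificateChain(jsonWebToken);
+var signingCertificate = new X509Certificate2(Convert.FromBase64String(chain[0]));
+var signingKey = new X509SecurityKey(signingCertificate);
+
 //NOTE: As we trust the satellite and get the tokens from a predefined url over HTTPS we only do basic token validation.
 var tokenValidationParameters = new TokenValidationParameters()
 {
@@ -177,11 +182,19 @@ private async Task<JsonWebToken> SatelliteTokenValidation(string token)
 RequireExpirationTime = true,
 ClockSkew = TimeSpan.FromSeconds(10),
 RequireSignedTokens = true,
+IssuerSigningKey = signingKey,
+ValidateIssuerSigningKey = true
 };
 
-await handler.ValidateTokenAsync(token, tokenValidationParameters);
+var validationResult = await handler.ValidateTokenAsync(token, tokenValidationParameters);
+if (validationResult.IsValid == false)
+{
+logger.LogError("Satellite token validation error: {msg}", validationResult.Exception?.Message);
+throw validationResult.Exception ?? new Exception("Satellite token validation failed");
+}
 
-return handler.ReadJsonWebToken(token);
+logger.LogInformation("Satellite token validation successful");
+return jsonWebToken;
 }
 
 private async Task SetAuthorizationHeader()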
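Review bot: The signing key built at lines 167-170 is taken from the certificate chain carried inside the very token being validated, so the new `IssuerSigningKey`/`ValidateIssuerSigningKey = true` only proves the token is consistent with whatever certificate it presents; unless `AuthenticationService.GetCertificateChain` (not visible here) verifies that chain against a trusted root, a token minted with an arbitrary `x5c` passes this check and trust still rests entirely on the HTTPS fetch described in the NOTE at line 172. Either anchor the chain here (validate it or pin the expected satellite certificate) or update that NOTE to say explicitly that the embedded chain is used for signature consistency only and is not itself verified. `chain[0]` is indexed with no empty-chain guard, and the `X509Certificate2` is never disposed; `using var signingCertificate = new X509Certificate2(Convert.FromBase64String(chain[0]));` covers the latter since the key is only needed until the method returns. SatelliteTokenValidation's signature sits in the hunk header only; its body from `{` at line 164 to `}` at line 198 is fully visible.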
