Microsoft.IdentityModel.Protocol.Extensions
Base class for authentication protocol messages.
Initializes a default instance of the class.
Initializes an instance of the class with a specific issuerAddress.
Builds a form post using the current IssuerAddress and the parameters that have been set.
HTML with head set to 'Title' and a body containing a hidden form with action = IssuerAddress.
Builds a Url using the current IssuerAddress and the parameters that have been set.
UrlEncoded string.
Each parameter <Key, Value> is first transformed using .
Returns a parameter.
The parameter name.
The value of the parameter, or null if the parameter does not exist.
if 'parameter' is null.
Removes a parameter.
The parameter name.
if 'parameter' is null or empty.
Sets a parameter in the Parameters dictionary.
The parameter name.
The value to be assigned to parameter.
if 'parameterName' is null or empty.
If null is passed as value and a parameter exists, that parameter is removed.
Sets a collection of parameters.
Gets or sets the issuer address.
The 'value' is null.
Gets the message parameters as a Dictionary.
Gets or sets the title used when constructing the post string.
if the 'value' is null.
Gets or sets the script button text used when constructing the post string.
if the 'value' is null.
Gets or sets the text used when constructing the post string that will be displayed to the user if script is disabled.
if the 'value' is null.
This type is for users that want a fixed and static Configuration.
In this case, the configuration is obtained and passed to the constructor.
must be a class.
Interface that defines a model for retrieving configuration data.
must be a class.
Retrieve the current configuration, refreshing and/or caching as needed.
This should throw if the configuration cannot be retrieved, instead of returning null.
Indicate that the configuration may be stale (as indicated by failing to process incoming tokens).
Initializes a new instance of with a Configuration instance.
Configuration of type or .
Obtains an updated version of Configuration.
.
Configuration of type T.
For this type, this is a no-op.
Interface that defines a document retriever that returns the document as a string.
Obtains a document from an address.
location of document.
.
document as a string.
Interface that defines methods to retrieve configuration.
The type of the configuration metadata.
Retrieves a populated configuration given an address and an .
Address of the discovery document.
The to use to read the discovery document.
A cancellation token that can be used by other objects or threads to receive notice of cancellation. .
Represents a Json Web Key as defined in http://tools.ietf.org/html/draft-ietf-jose-json-web-key-25.
Initializes a new instance of JsonWebKey.
Initializes a new instance of JsonWebKey from a JSON string.
a string that contains JSON Web Key parameters in JSON format.
Creates an instance of .
that contains JSON Web Key parameters.
Gets or sets the 'alg' (KeyType).
Gets or sets the exponent 'e'.
Gets or sets the 'key_ops' (Key Operations).
Gets or sets the 'kid' (Key ID).
Gets or sets the 'kty' (Key Type).
Gets or sets the modulus 'n'
Gets the 'x5c' collection (X.509 Certificate Chain).
Gets or sets the 'x5t' (X.509 Certificate SHA-1 thumbprint).
Gets or sets the 'x5u' (X.509 URL).
Gets or sets the 'use' (Public Key Use).
Manages the retrieval of Configuration data.
must be a class.
5 days is the default time interval after which new configuration will be obtained.
30 seconds is the default minimum time interval that must pass before new configuration is obtained again.
5 minutes is the minimum value for the automatic refresh interval; it cannot be set to less than this value.
1 second is the minimum value for the time interval that must pass before new configuration is obtained again.
Instantiates a new instance that manages automatic refreshing and controls manual refreshing of configuration data.
the address to obtain configuration.
Instantiates a new instance that manages automatic refreshing and controls manual refreshing of configuration data.
the address to obtain configuration.
the client to use when obtaining configuration.
Instantiates a new instance that manages automatic refreshing and controls manual refreshing of configuration data.
the address to obtain configuration.
the that reaches out to obtain the configuration.
Instantiates a new instance that manages automatic refreshing and controls manual refreshing of configuration data.
the address to obtain configuration.
the
the that reaches out to obtain the configuration.
Gets the current that is used to obtain configuration.
Configuration of type T.
Obtains an updated version of Configuration.
Configuration of type T.
If the time since the last call is less than then is not called and the current Configuration is returned.
Obtains an updated version of Configuration.
CancellationToken
Configuration of type T.
If the time since the last call is less than then is not called and the current Configuration is returned.
Requests that the next call obtains new configuration.
If the last refresh was longer ago than , then the next call to will retrieve new configuration.
If == , then this method is essentially a no-op.
Gets or sets the that controls how often an automatic metadata refresh should occur.
The minimum time between retrievals, in the event that a retrieval failed, or that a refresh was explicitly requested.
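The refresh policy described above (an automatic interval with a 5-minute floor, a throttled RequestRefresh for when incoming tokens stop validating, and a minimum interval between retrievals after a failure) is easier to reason about as code. The following is an added example written in Python for this page; it is not the library's own ConfigurationManager. The class layout, the injected clock and retriever, the `attempts` counter, the `run_scenario` driver and its sample discovery documents are this example's assumptions, and serving the stale copy while backing off after a failed fetch is one reasonable reading of "the minimum time between retrievals, in the event that a retrieval failed".

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Optional

# Intervals as documented on the page; the class itself is an illustrative
# reimplementation written for this example, not the library's code.
DEFAULT_AUTOMATIC_REFRESH_INTERVAL = timedelta(days=5)
DEFAULT_REFRESH_INTERVAL = timedelta(seconds=30)
MINIMUM_AUTOMATIC_REFRESH_INTERVAL = timedelta(minutes=5)
MINIMUM_REFRESH_INTERVAL = timedelta(seconds=1)
_NEVER = datetime.min.replace(tzinfo=timezone.utc)


class ConfigurationManager:
    def __init__(self, metadata_address: str, retriever: Callable[[str], Any],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self.metadata_address = metadata_address
        self._retriever = retriever   # must raise on failure, never return None
        self._clock = clock           # injectable so the policy can be tested offline
        self._automatic_refresh_interval = DEFAULT_AUTOMATIC_REFRESH_INTERVAL
        self._refresh_interval = DEFAULT_REFRESH_INTERVAL
        self._current: Optional[Any] = None
        self._last_refresh = _NEVER   # time of the last successful retrieval
        self._sync_after = _NEVER     # earliest time the next retrieval may happen
        self.attempts = 0             # calls made to the retriever (for the scenario below)

    def set_intervals(self, automatic: Optional[timedelta] = None,
                      refresh: Optional[timedelta] = None) -> None:
        """Apply the documented floors: 5 minutes for the automatic interval,
        1 second for the minimum interval between retrievals."""
        if automatic is not None:
            if automatic < MINIMUM_AUTOMATIC_REFRESH_INTERVAL:
                raise ValueError("AutomaticRefreshInterval cannot be less than 5 minutes")
            self._automatic_refresh_interval = automatic
        if refresh is not None:
            if refresh < MINIMUM_REFRESH_INTERVAL:
                raise ValueError("RefreshInterval cannot be less than 1 second")
            self._refresh_interval = refresh

    def get_configuration(self) -> Any:
        """Serve the cached copy unless a refresh is due. A failed fetch keeps the
        stale copy and backs off for RefreshInterval before trying again."""
        now = self._clock()
        if self._current is not None and now < self._sync_after:
            return self._current
        self.attempts += 1
        try:
            document = self._retriever(self.metadata_address)
            if document is None:
                raise ValueError("retriever returned null instead of raising")
            self._current = document
            self._last_refresh = now
            self._sync_after = now + self._automatic_refresh_interval
        except Exception as exc:
            self._sync_after = now + self._refresh_interval
            if self._current is None:
                raise RuntimeError(
                    f"unable to obtain configuration from {self.metadata_address}") from exc
        return self._current

    def request_refresh(self) -> None:
        """Signal that the cached document may be stale (tokens failed to validate).
        Honoured only if RefreshInterval has passed since the last successful fetch."""
        now = self._clock()
        if now - self._last_refresh >= self._refresh_interval:
            self._sync_after = now


def run_scenario() -> dict:
    """Drive the manager with a fake clock and a retriever that can be made to fail."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    documents = [{"issuer": "https://idp.example", "version": 1}]  # constructed sample
    outage = [False]

    def retriever(address: str) -> dict:
        if outage[0]:
            raise ConnectionError(f"simulated outage fetching {address}")
        return documents[-1]

    mgr = ConfigurationManager("https://idp.example/.well-known/openid-configuration",
                               retriever, clock=lambda: clock[0])
    out = {"first": mgr.get_configuration()["version"]}
    documents.append({"issuer": "https://idp.example", "version": 2})
    out["cached"] = mgr.get_configuration()["version"]      # within 5 days: no fetch
    mgr.request_refresh()                                  # 0 s since last fetch: ignored
    out["throttled"] = mgr.get_configuration()["version"]
    clock[0] += timedelta(minutes=1)
    mgr.request_refresh()                                  # more than 30 s: honoured
    out["refreshed"] = mgr.get_configuration()["version"]
    outage[0] = True
    clock[0] += timedelta(days=6)                          # automatic refresh now due
    out["stale_during_outage"] = mgr.get_configuration()["version"]
    out["attempts_after_outage"] = mgr.attempts
    mgr.get_configuration()                                # inside 30 s back-off: no retry
    out["attempts_after_backoff"] = mgr.attempts
    return out
```

The point of the throttle is that a burst of tokens signed with an unknown key (a key rollover, or a flood of forged tokens) produces at most one metadata fetch per RefreshInterval rather than one per failed token, and the point of keeping the stale document is that an outage of the discovery endpoint does not take the relying party down with it.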
Retrieves a populated given an address.
Retrieves a populated given an address.
address of the discovery document.
.
A populated instance.
Retrieves a populated given an address and an .
address of the discovery document.
the to use to read the discovery document.
.
A populated instance.
Retrieves a populated given an address and an .
address of the discovery document.
the to use to read the discovery document.
.
A populated instance.
Contains a collection of that can be populated from a json string.
Provides support for http://tools.ietf.org/html/draft-ietf-jose-json-web-key-27#section-5
Initializes a new instance of .
Initializes a new instance of from a JSON string.
a JSON string containing values.
if 'json' is null or whitespace.
Creates an instance of .
a dictionary containing a 'Keys' element which is a Dictionary of JsonWebKeys.
if 'dictionary' is null.
Gets the Keys translated to .
A for each 'x5c' that is composed of a single certificate; a NamedKeySecurityToken for each raw RSA public key.
Gets the .
Defines a set of property names.
Property defined for 'check_session_iframe'.
Property defined for 'session_state'.
Well-known endpoints for AzureActiveDirectory.
Names for Json Web Key Values
Constants for JsonWebKeyUse (sec 4.2)
http://tools.ietf.org/html/draft-ietf-jose-json-web-key-27#section-4
Constants for JsonWebAlgorithms "kty" Key Type (sec 6.1)
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-27#section-6.1
Parameter names for OpenIdConnect.
RequestTypes for OpenIdConnect.
Can be used to determine the message type.
Response modes for OpenIdConnect.
Response types for OpenIdConnect.
Specific scope values that are interesting to OpenID Connect. See http://openid.net/specs/openid-connect-messages-1_0.html#scopes
OpenIdProviderConfiguration Names
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Provides access to common OpenIdConnect request parameters.
Initializes a new instance of the class.
Initializes an instance of class with a specific issuerAddress.
Initializes a new instance of the class.
an to copy.
if 'other' is null.
Initializes a new instance of the class.
Collection of key value pairs.
Initializes a new instance of the class.
Enumeration of key value pairs.
Returns a new instance of with values copied from this object.
A new object copied from this object
This is a shallow Clone.
Creates an OpenIdConnect message using the current contents of this .
The uri to use for a redirect.
Creates a query string using the current contents of this .
The uri to use for a redirect.
Adds telemetry values to the message parameters.
Gets or sets the value for the AuthorizationEndpoint.
Gets or sets 'access_token'.
Gets or sets 'acr_values'.
Gets or sets 'claims_locales'.
Gets or sets 'client_assertion'.
Gets or sets 'client_assertion_type'.
Gets or sets 'client_id'.
Gets or sets 'client_secret'.
Gets or sets 'code'.
Gets or sets 'display'.
Gets or sets 'domain_hint'.
Gets or sets whether parameters for the library and version are sent on the query string for this instance.
This value is set to the value of EnableTelemetryParametersByDefault at message creation time.
Gets or sets whether parameters for the library and version are sent on the query string for all instances of .
Gets or sets 'error'.
Gets or sets 'error_description'.
Gets or sets 'error_uri'.
Gets or sets 'expires_in'.
Gets or sets 'grant_type'.
Gets or sets 'id_token'.
Gets or sets 'id_token_hint'.
Gets or sets 'identity_provider'.
Gets or sets 'iss'.
Gets or sets 'login_hint'.
Gets or sets 'max_age'.
Gets or sets 'nonce'.
Gets or sets 'password'.
Gets or sets 'post_logout_redirect_uri'.
Gets or sets 'prompt'.
Gets or sets 'redirect_uri'.
Gets or sets 'refresh_token'.
Gets or sets the request type for this message.
This is helpful when sending different messages through a common routine, when extra parameters need to be set or checked.
Gets or sets 'request_uri'.
Gets or sets 'response_mode'.
Gets or sets 'response_type'.
Gets or sets 'resource'.
Gets or sets 'scope'.
Gets or sets 'session_state'.
Gets or sets 'state'.
Gets or sets 'target_link_uri'.
Gets or sets 'token'.
Gets or sets the value for the token endpoint.
Gets or sets 'token_type'.
Gets or sets 'ui_locales'.
Gets or sets 'user_id'.
Gets or sets 'username'.
Contains OpenIdConnect configuration that can be populated from a json string.
Initializes a new instance of .
Initializes a new instance of from a JSON string.
a JSON string containing the metadata.
if 'json' is null or whitespace.
Initializes a new instance of from a dictionary.
a dictionary containing the configuration data.
if 'dictionary' is null.
Gets or sets the authorization endpoint.
Gets or sets the check_session_iframe.
Gets or sets the frontchannel_logout_session_supported.
Gets or sets the frontchannel_logout_supported.
Gets or sets the end session endpoint.
Gets the collection of 'id_token_signing_alg_values_supported'.
Gets or sets the 'issuer'.
Gets or sets the 'jwks_uri'.
Gets or sets the
Gets the collection of 'response_types_supported'.
Gets the that the IdentityProvider indicates are to be used for signing tokens.
Gets the that the IdentityProvider indicates are to be used for signing tokens.
Gets the collection of 'subject_types_supported'.
Gets or sets the 'token_endpoint'.
Gets or sets the 'user_info_endpoint'.
This exception is thrown when an OpenIdConnect protocol handler encounters a protocol error.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when an OpenIdConnect protocol handler encounters an invalid chash.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
This exception is thrown when an OpenIdConnect protocol handler encounters an invalid nonce.
Initializes a new instance of the class.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
Initializes a new instance of the class.
Additional information to be included in the exception and displayed to the user.
A that represents the root cause of the exception.
Initializes a new instance of the class.
the that holds the serialized object data.
The contextual information about the source or destination.
A context that is used by a when validating a JwtSecurityToken,
to ensure it is compliant with http://openid.net/specs/openid-connect-core-1_0.html#IDToken .
Creates an instance of
Gets or sets the 'authorizationcode'.
Gets or sets the 'nonce'.
OpenIdConnectProtocolValidator can be used to ensure that a that was
obtained using OpenIdConnect is compliant with http://openid.net/specs/openid-connect-core-1_0.html#IDToken .
Default for how long the nonce is valid.
Default: 1 hour.
Creates a new instance of .
Generates a value suitable to use as a nonce.
a nonce
If is true, then the 'nonce' will contain the Epoch time as the prefix, separated by a '.'.
for example: 635410359229176103.MjQxMzU0ODUtMTdiNi00NzAwLWE4MjYtNTE4NGExYmMxNTNlZmRkOGU4NjctZjQ5OS00MWIyLTljNTEtMjg3NmM0NzI4ZTc5
Validates that a is valid as per http://openid.net/specs/openid-connect-core-1_0.html
the to validate.
the that contains expected values.
if 'jwt' is null.
if 'validationContext' is null.
if the is missing any required claims as per: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
and will be validated if they are non-null.
Validates the 'authorizationCode' according to http://openid.net/specs/openid-connect-core-1_0.html section 3.3.2.10.
a with a 'c_hash' claim that must match . If is null, the check is not made.
a that contains 'c_hash' to validate.
if 'jwt' is null.
if 'validationContext' is null.
if the 'c_hash' claim does not match as per http://openid.net/specs/openid-connect-core-1_0.html#CodeValidation .
if the hash algorithm defined in (default is JwtAlgorithms.RSA_SHA256) was unable to be created.
if the creation of the hash algorithm returns a null instance.
if is null, then the 'c_hash' will not be validated.
Validates that the contains the nonce.
a with a 'nonce' claim that must match .
a that contains the 'nonce' to validate.
if 'jwt' is null.
if 'validationContext' is null.
if a 'nonce' is not found in the and RequireNonce is true.
if is null and RequireNonce is true.
if the 'nonce' found in the doesn't match .
if is true and the timestamp is not found, is not well formed, is negative, or is expired.
The timestamp is only validated if is true.
If is not null, then a matching 'nonce' must exist in the .
Gets the algorithm mapping between OpenIdConnect and .Net for Hash algorithms.
a that contains mappings from the JWT namespace http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26 to .Net.
Gets or sets the defining how long a nonce is valid.
if 'value' is less than or equal to 'TimeSpan.Zero'.
if is true, then the nonce timestamp is bound by DateTime.UtcNow + NonceLifetime.
Gets or sets a value indicating if an 'acr' claim is required.
Gets or sets a value indicating if an 'amr' claim is required.
Gets or sets a value indicating if an 'auth_time' claim is required.
Gets or sets a value indicating if an 'azp' claim is required.
Gets or sets a value indicating if a nonce is required.
Gets or sets a value indicating if a 'sub' claim is required.
Gets or sets logic to control if a nonce is prefixed with a timestamp.
If is true, then:
will return a 'nonce' with the Epoch time as the prefix, delimited with a '.'.
will require that the 'nonce' has a valid time as the prefix.
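The two checks this validator performs that are specific to OpenID Connect, the 'c_hash' comparison against the authorization code and the nonce comparison with its optional timestamp prefix and lifetime, are shown below as an added example written in Python for this page; it is not the library's own OpenIdConnectProtocolValidator. The function and parameter names (`require_nonce`, `require_time_stamp`, `nonce_lifetime`), the `ProtocolError` type standing in for the exception classes on the page, and the `HASH_FOR_ALG` table are this example's assumptions. The timestamp prefix is interpreted as .NET-style ticks (100 ns units since 0001-01-01 UTC), an assumption that matches the shape of the sample nonce on the page; the c_hash construction itself (base64url of the left-most half of the hash of the ASCII code) is the one defined in OpenID Connect Core 3.3.2.10.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# .NET-style ticks: 100 ns units counted from 0001-01-01T00:00:00Z (assumption
# about the prefix format, matching the sample nonce on the page).
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_TICKS = 621_355_968_000_000_000

# JWT 'alg' -> hash used for c_hash (this example's table; the page's default is RSA-SHA256).
HASH_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512,
                "ES256": hashlib.sha256, "ES384": hashlib.sha384, "ES512": hashlib.sha512}


class ProtocolError(Exception):
    """Stands in for the OpenIdConnectProtocol*Exception types on the page."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def to_ticks(when: datetime) -> int:
    return UNIX_EPOCH_TICKS + int(when.timestamp() * TICKS_PER_SECOND)


def compute_c_hash(code: str, alg: str = "RS256") -> str:
    """OIDC Core 3.3.2.10: base64url of the left-most half of hash(ASCII code)."""
    digest = HASH_FOR_ALG[alg](code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def validate_c_hash(claims: Dict[str, str], authorization_code: Optional[str],
                    alg: str = "RS256") -> None:
    if authorization_code is None:
        return                      # no code in the context: the check is not made
    claimed = claims.get("c_hash")
    if claimed is None:
        raise ProtocolError("id_token has no 'c_hash' claim")
    expected = compute_c_hash(authorization_code, alg)
    if not hmac.compare_digest(claimed.encode(), expected.encode()):
        raise ProtocolError("'c_hash' does not match the authorization code")


def generate_nonce(require_time_stamp: bool = True, now: Optional[datetime] = None) -> str:
    random_part = b64url(secrets.token_bytes(32))
    if not require_time_stamp:
        return random_part
    if now is None:
        now = datetime.now(timezone.utc)
    return f"{to_ticks(now)}.{random_part}"


def validate_nonce(claims: Dict[str, str], expected_nonce: Optional[str], *,
                   require_nonce: bool = True, require_time_stamp: bool = True,
                   nonce_lifetime: timedelta = timedelta(hours=1),
                   now: Optional[datetime] = None) -> None:
    jwt_nonce = claims.get("nonce")
    if jwt_nonce is None:
        if require_nonce or expected_nonce is not None:
            raise ProtocolError("id_token has no 'nonce' claim")
        return
    if expected_nonce is None:
        if require_nonce:
            raise ProtocolError("no expected nonce and RequireNonce is true")
        return
    if not hmac.compare_digest(jwt_nonce.encode(), expected_nonce.encode()):
        raise ProtocolError("'nonce' in the id_token does not match the expected nonce")
    if not require_time_stamp:
        return
    prefix, sep, _ = jwt_nonce.partition(".")
    if not sep:
        raise ProtocolError("nonce timestamp not found")
    try:
        issued_ticks = int(prefix)
    except ValueError:
        raise ProtocolError("nonce timestamp is not well formed") from None
    if issued_ticks < 0:
        raise ProtocolError("nonce timestamp is negative")
    if now is None:
        now = datetime.now(timezone.utc)
    if issued_ticks + int(nonce_lifetime.total_seconds()) * TICKS_PER_SECOND < to_ticks(now):
        raise ProtocolError("nonce has expired")


def outcome(check, *args, **kwargs) -> str:
    """Run a validation and report 'ok' or the protocol error message."""
    try:
        check(*args, **kwargs)
        return "ok"
    except ProtocolError as exc:
        return str(exc)
```

The comparisons use `hmac.compare_digest` so that a mismatch takes the same time regardless of where the strings differ; the timestamp in the nonce lets the relying party reject replayed authorization responses even if it has lost the session that issued the nonce, which is why the lifetime is bounded rather than trusting the token's own 'iat'.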
Constants related to SAML Tokens.
A derived that implements ISecurityTokenValidator,
which supports validating tokens passed as strings using .
Initializes a new instance of .
Gets the token type identifier(s) supported by this handler.
A collection of strings that identify the tokens this instance can handle.
Reads the string as XML and looks for an element or with namespace .
The securitytoken.
(, )
OR (, ).
Creates the security token reference when the token is not attached to the message.
The saml token.
Boolean that indicates if an attached or unattached
reference needs to be created.
A .
Creates a from the Saml2 token.
The Saml2SecurityToken.
the issuer value for each in the .
contains parameters for validating the token.
An IClaimIdentity.
Creates a based on the information contained in the .
The that has creation information.
A instance.
Thrown if 'tokenDescriptor' is null.
Not supported, use when processing tokens.
use . when processing tokens.
Obsolete method, use to read a .
not supported.
use to read a .
Obsolete method, use to read a .
not supported.
use to read a .
Reads a SAML 2.0 token from the XmlReader.
A reader positioned at a element.
Contains data and information needed for reading the token.
if 'reader' is null.
if 'validationParameters' is null.
An instance of a .
Obsolete method, use .
use .
Reads and validates a well formed Saml2 token.
A Saml2 token.
Contains data and information needed for validation.
The that was validated.
'securityToken' is null or whitespace.
'validationParameters' is null.
'securityToken.Length' > .
A generated from the claims in the Saml2 securityToken.
Determines if the audiences found in a are valid.
The audiences found in the .
The being validated.
required for validation.
see for additional details.
Validates the lifetime of a .
The 'notBefore' time found in the .
The 'expiration' time found in the .
The being validated.
required for validation.
for additional details.
Determines if an issuer found in a is valid.
The issuer to validate
The that is being validated.
required for validation.
The issuer to use when creating the (s) in the .
for additional details.
Validates the was signed by a valid .
The that signed the .
The to validate.
the current .
Serializes to a string.
A .
Serializes to XML a token of the type handled by this instance.
The XML writer.
A token of type .
Gets the token type supported by this handler.
Gets a value indicating whether this handler supports validation of tokens
handled by this instance.
'True' if the instance is capable of SecurityToken validation.
Gets a value indicating whether the class provides serialization functionality to serialize the token handled
by this instance.
true if the WriteToken method can serialize this token.
Gets and sets the maximum size, in bytes, of a that will be processed.
'value' less than 1.
A derived that implements ISecurityTokenValidator,
which supports validating tokens passed as strings using .
Initializes an instance of
Reads the string as XML and looks for an element with namespace .
The securitytoken.
(, ).
Creates claims from a Saml securityToken.
A that will be used to create the claims.
the issuer value for each in the .
contains parameters for validating the securityToken.
A containing the claims from the .
Creates a based on the information contained in the .
The that has creation information.
A instance.
Thrown if 'tokenDescriptor' is null.
Creates the security token reference when the securityToken is not attached to the message.
The saml securityToken.
Boolean that indicates if an attached or unattached
reference needs to be created.
A .
Gets the token type identifier(s) supported by this handler.
A collection of strings that identify the tokens this instance can handle.
Not supported, use when processing tokens.
use . when processing tokens.
Obsolete method, use to read a .
not supported.
use to read a .
Obsolete method, use to read a .
not supported.
use to read a .
Reads a SAML 1.1 securityToken from the XmlReader.
A reader positioned at a element.
Contains data and information needed for reading the securityToken.
An instance of a .
Obsolete method, use .
use .
Reads and validates a well formed .
A string containing a well formed securityToken.
Contains data and information needed for validation.
The that was validated.
'securityToken' is null or whitespace.
'validationParameters' is null.
'securityToken.Length' > .
A generated from the claims in the Saml securityToken.
Determines if the audiences found in a are valid.
The audiences found in the .
The being validated.
required for validation.
see for additional details.
Determines if an issuer found in a is valid.
The issuer to validate
The that is being validated.
required for validation.
The issuer to use when creating the (s) in the .
for additional details.
Validates the lifetime of a .
The 'notBefore' time found in the .
The 'expiration' time found in the .
The being validated.
required for validation.
for additional details.
Validates the was signed by a valid .
The that signed the .
The to validate.
the current .
Serializes to a string.
A .
Serializes to XML a securityToken of the type handled by this instance.
The XML writer.
A securityToken of type .
Gets a value indicating whether this handler supports validation of tokens
handled by this instance.
'True' if the instance is capable of SecurityToken validation.
Gets a value indicating whether the class provides serialization functionality to serialize the securityToken handled
by this instance.
true if the WriteToken method can serialize this securityToken.
Gets the securityToken type supported by this handler.
Gets and sets the maximum size, in bytes, of a that will be processed.
'value' less than 1.
Resolves security keys, used when working with Saml1 and Saml2 tokens as the EnvelopingSignatureReader needs this
to find keys.
Creates a new instance of
related security token.
required for validation.
Returns a that matches the
clause to match.
key to assign.
true if matched.
Sets a that matches the
clause to match.
token to assign.
throws .
Sets a that matches the
keyidentifier to match.
token to set.
true if matched.
Extensions to that provide support for validating a security token
passed as a string and using .
Validates a securityToken passed as a string using .
Uses extensions for (s) that can
validate from a string.
securityToken to validate.
that contain necessary validation coordinates.
a validated .
'tokenHandlers' is null.
'securityToken' is null.
'validationParameters' is null.
A that represents the identity created when validating the securityToken.
Gets the default supported by this runtime.
A collection of
Serializes the list of strings into string as follows:
'str1','str2','str3' ...
The strings used to build a comma delimited string.
The single .
Constants for WsFederation actions.
Constants defined for WsFederation.
Constants for WsFederation Fault codes.
Defines the WsFederation Constants
Provides access to common WsFederation message parameters.
Creates a from the contents of a query string.
query string to extract parameters.
An instance of .
If 'queryString' is null or whitespace, a default is returned. Parameters are parsed from .
Creates a from the contents of a .
uri string to extract parameters.
An instance of .
.IssuerAddress is NOT set. Parameters are parsed from .
Initializes a new instance of the class.
Initializes a new instance of the class.
The endpoint of the token issuer.
Initializes a new instance of the class.
message to copy.
Initializes a new instance of the class.
Enumeration of key value pairs.
Creates a 'wsignin1.0' message using the current contents of this .
The uri to use for a redirect.
Creates a 'wsignout1.0' message using the current contents of this .
The uri to use for a redirect.
Reads the 'wresult' and returns the embedded security token.
the 'SecurityToken'.
Gets a boolean representing if the is a 'sign-in-message'.
Gets a boolean representing if the is a 'sign-out-message'.
Gets or sets 'wa'.
Gets or sets 'wattr'.
Gets or sets 'wattrptr'.
Gets or sets 'wauth'.
Gets or sets 'wct'.
Gets or sets 'wa'.
Gets or sets 'wencoding'.
Gets or sets 'wfed'.
Gets or sets 'wfresh'.
Gets or sets 'whr'.
Gets or sets 'wp'.
Gets or sets 'wpseudo'.
Gets or sets 'wpseudoptr'.
Gets or sets 'wreply'.
Gets or sets 'wreq'.
Gets or sets 'wreqptr'.
Gets or sets 'wres'.
Gets or sets 'wresult'.
Gets or sets 'wresultptr'.
Gets or sets 'wtrealm'.
Contains WsFederation metadata that can be populated from an XML string.
Initializes a new instance of .
Gets or sets the token issuer.
Gets the that the IdentityProvider indicates are to be used for signing tokens.
Gets or sets the passive token endpoint.
Retrieves a populated given an address.
Retrieves a populated given an address.
address of the metadata document.
.
A populated instance.
Retrieves a populated given an address and an .
address of the metadata document.
the to use to read the metadata document.
.
A populated instance.
Retrieves a populated given an address and an .
address of the metadata document.
the to use to read the metadata document.
.
A populated instance.