Microsoft.IdentityModel.Tokens

Base class for a Security Key that contains asymmetric key material. Must be overridden to get a bool indicating whether a private key exists: true if it has a private key; otherwise, false. Also gets the status of the private key: 'Exists' if a private key exists for sure; 'DoesNotExist' if a private key does not exist for sure; 'Unknown' if this cannot be determined.

Enum for the existence of a private key: Exists (private key exists for sure), DoesNotExist (private key does not exist for sure), Unknown (unable to determine the existence of a private key).

AsymmetricSignatureProvider: provides signing and verifying operations when working with an asymmetric security key. Holds a mapping from algorithm to the minimum KeySize required when creating signatures, and a separate mapping from algorithm to the minimum KeySize required when verifying signatures.

Constructor (key, algorithm): initializes a new instance used to create and verify signatures. Parameters: the key that will be used for signature operations; the signature algorithm to apply.

Constructor (key, algorithm, willCreateSignatures): as above; set willCreateSignatures to true when this instance is required to create signatures. Creating signatures requires that the key has access to a private key. Verifying signatures (the default) does not require access to the private key. Throws if 'key' is null; if willCreateSignatures is true and KeySize is less than the size corresponding to the given algorithm in the signing minimums; if KeySize is less than the size corresponding to the algorithm in the verifying minimums (note: this is always checked); if the key and algorithm pair are not supported; or if the runtime is unable to create a suitable cryptographic provider.

Gets the mapping from algorithm to the minimum KeySize for creating signatures. Gets the mapping from algorithm to the minimum KeySize for verifying signatures. Returns the algorithm name. Returns the hash algorithm used to create the hash value.

Sign(input): produces a signature over the 'input' using the key and algorithm passed to the constructor. Parameter: the bytes to be signed. Returns a signature over the input. Throws if 'input' is null.
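The constructor contract described above (verifying minimum always checked, signing minimum only when willCreateSignatures is true, private key required only for signing), as an added example that is not code from Microsoft.IdentityModel.Tokens. The class name RsaSignatureProvider, the two minimum-size tables and the bit sizes in them are this example's assumptions; only RS256/RS384/RS512 over RSASSA-PKCS1-v1_5 are handled. Targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the library's provider. Names and minimum sizes are assumptions for illustration.
public sealed class RsaSignatureProvider : IDisposable
{
    // Assumed per-algorithm minimum modulus sizes in bits: stricter for signing than for verifying,
    // so a verifier can still accept a legacy key it must not be allowed to issue tokens with.
    public static readonly IReadOnlyDictionary<string, int> MinimumKeySizeForSigning =
        new Dictionary<string, int> { ["RS256"] = 2048, ["RS384"] = 2048, ["RS512"] = 2048 };
    public static readonly IReadOnlyDictionary<string, int> MinimumKeySizeForVerifying =
        new Dictionary<string, int> { ["RS256"] = 1024, ["RS384"] = 1024, ["RS512"] = 1024 };

    private readonly RSA _key;
    private readonly HashAlgorithmName _hash;
    private readonly bool _willCreateSignatures;
    private bool _disposed;

    public string Algorithm { get; }

    public RsaSignatureProvider(RSA key, string algorithm, bool willCreateSignatures = false)
    {
        _key = key ?? throw new ArgumentNullException(nameof(key));
        if (!MinimumKeySizeForVerifying.TryGetValue(algorithm ?? "", out int minVerify))
            throw new NotSupportedException($"Algorithm '{algorithm}' is not supported for RSA keys.");
        // The verifying minimum is always checked; the signing minimum only when signing is requested.
        if (key.KeySize < minVerify)
            throw new ArgumentOutOfRangeException(nameof(key),
                $"KeySize {key.KeySize} is below the {minVerify}-bit minimum to verify {algorithm}.");
        if (willCreateSignatures && key.KeySize < MinimumKeySizeForSigning[algorithm])
            throw new ArgumentOutOfRangeException(nameof(key),
                $"KeySize {key.KeySize} is below the {MinimumKeySizeForSigning[algorithm]}-bit minimum to sign with {algorithm}.");
        _hash = algorithm == "RS256" ? HashAlgorithmName.SHA256
              : algorithm == "RS384" ? HashAlgorithmName.SHA384 : HashAlgorithmName.SHA512;
        _willCreateSignatures = willCreateSignatures;
        Algorithm = algorithm;
    }

    public byte[] Sign(byte[] input)
    {
        CheckInput(input, nameof(input));
        if (!_willCreateSignatures)
            throw new InvalidOperationException("Provider was not constructed with willCreateSignatures = true.");
        return _key.SignData(input, _hash, RSASignaturePadding.Pkcs1);   // RS* = RSASSA-PKCS1-v1_5
    }

    public bool Verify(byte[] input, byte[] signature)
    {
        CheckInput(input, nameof(input));
        CheckInput(signature, nameof(signature));
        return _key.VerifyData(input, signature, _hash, RSASignaturePadding.Pkcs1);
    }

    private void CheckInput(byte[] bytes, string name)
    {
        if (_disposed) throw new ObjectDisposedException(nameof(RsaSignatureProvider));
        if (bytes == null) throw new ArgumentNullException(name);
        if (bytes.Length == 0) throw new ArgumentException("Value must not be empty.", name);
    }

    // The provider does not own the key; the caller disposes it.
    public void Dispose() => _disposed = true;
}

public static class RsaSignatureProviderDemo
{
    public static void Main()
    {
        using RSA privateKey = RSA.Create(2048);
        using RSA publicKey = RSA.Create();
        publicKey.ImportParameters(privateKey.ExportParameters(includePrivateParameters: false));

        // Constructed JWS signing input: base64url(header) + "." + base64url(payload).
        byte[] signingInput = Encoding.ASCII.GetBytes("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9");

        using var signer = new RsaSignatureProvider(privateKey, "RS256", willCreateSignatures: true);
        byte[] signature = signer.Sign(signingInput);

        // A token consumer holds only the public key (for instance from a JWKS document):
        // it can verify but must never be able to mint tokens.
        using var verifier = new RsaSignatureProvider(publicKey, "RS256");
        Console.WriteLine(verifier.Verify(signingInput, signature));      // True

        signingInput[^1] ^= 0x01;                                          // flip one bit of the payload
        Console.WriteLine(verifier.Verify(signingInput, signature));      // False

        try { verifier.Sign(signingInput); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }

        using RSA weakKey = RSA.Create(1024);                              // verifiable, but below the assumed signing minimum
        try { _ = new RsaSignatureProvider(weakKey, "RS256", willCreateSignatures: true); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine(e.Message); }
    }
}
```

The point worth keeping from the design: the willCreateSignatures check fails fast with a clear message instead of letting the underlying RSA object throw a CryptographicException deep inside token issuance, and a public-only key constructed for verification can never be promoted to a signer.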
Sign also throws if 'input.Length' == 0; if Dispose has been called; if the internal signature algorithm is null, which can occur if the constructor parameter 'willCreateSignatures' was not 'true'; or if the internal hash algorithm is null, which can occur if a derived type deletes it or does not create it.

Verify(input, signature): verifies that a signature over the 'input' matches the signature. Parameters: the bytes to generate the signature over; the value to verify against. Returns true if the signature matches, false otherwise. Throws if 'input' is null; 'signature' is null; 'input.Length' == 0; 'signature.Length' == 0; Dispose has been called; the internal signature algorithm is null, which can occur if a derived type does not call the base constructor; or the internal hash algorithm is null, which can occur if a derived type deletes it or does not create it.

Validates that the asymmetric key size is at least the allowed minimum. Parameters: the asymmetric key to validate; the algorithm for which this key will be used; whether the key will be used for creating signatures.

Dispose(disposing): called to release managed resources. true if called from Dispose(), false if invoked inside a finalizer.

Base64UrlEncoder: encodes and decodes strings as Base64Url. The following functions perform base64url encoding, which differs from regular base64 encoding as follows: padding is skipped, so the pad character '=' does not have to be percent-encoded; and the 62nd and 63rd regular base64 alphabet characters ('+' and '/') are replaced with '-' and '_'. These changes make the encoding alphabet file- and URL-safe.

Encode(string): parameter: the string to encode. Returns the Base64Url encoding of its UTF8 bytes.

Encode(inArray, offset, length): converts a subset of an array of 8-bit unsigned integers to its equivalent string representation encoded with base-64-url digits. Parameters specify the subset as an offset in the input array and the number of elements of the array to convert: an array of 8-bit unsigned integers; an offset in inArray; the number of elements of inArray to convert. Returns the base64url string representation of 'length' elements of inArray, starting at position 'offset'. Throws if 'inArray' is null.
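The two transformation rules above (drop '=' padding, map '+' and '/' to '-' and '_') and their inverse, as an added example that is not the library's Base64UrlEncoder. It is built on the framework's regular base64 converter; the strict rejection of '+', '/' and '=' on decode is this example's choice, not something the page specifies.

```csharp
using System;
using System.Text;

// Added example, not Microsoft.IdentityModel.Tokens.Base64UrlEncoder.
public static class Base64UrlCodec
{
    public static string Encode(string s) =>
        Encode(Encoding.UTF8.GetBytes(s ?? throw new ArgumentNullException(nameof(s))));

    public static string Encode(byte[] inArray) => Encode(inArray, 0, inArray?.Length ?? 0);

    public static string Encode(byte[] inArray, int offset, int length)
    {
        if (inArray == null) throw new ArgumentNullException(nameof(inArray));
        if (offset < 0 || length < 0 || offset > inArray.Length - length)
            throw new ArgumentOutOfRangeException(nameof(length), "offset/length lie outside inArray");
        // Regular base64 first, then: strip '=' padding, '+' -> '-', '/' -> '_'.
        return Convert.ToBase64String(inArray, offset, length)
                      .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] DecodeBytes(string base64Url)
    {
        if (string.IsNullOrEmpty(base64Url)) throw new ArgumentNullException(nameof(base64Url));
        // Strict: refuse the regular-base64 alphabet and padding instead of silently accepting two
        // different spellings of the same value (a classic source of canonicalisation bugs in token parsers).
        if (base64Url.IndexOfAny(new[] { '+', '/', '=' }) >= 0)
            throw new FormatException("Input contains characters outside the base64url alphabet.");
        string s = base64Url.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)           // restore the padding Convert.FromBase64String insists on
        {
            case 0: break;
            case 2: s += "=="; break;
            case 3: s += "="; break;
            default: throw new FormatException("Invalid base64url length (a remainder of 1 is impossible).");
        }
        return Convert.FromBase64String(s);
    }

    public static string Decode(string base64Url) => Encoding.UTF8.GetString(DecodeBytes(base64Url));
}

public static class Base64UrlDemo
{
    public static void Main()
    {
        // Constructed bytes whose regular base64 is exactly the two characters that must be replaced: FB FF BF -> "+/+/".
        byte[] awkward = { 0xFB, 0xFF, 0xBF };
        Console.WriteLine(Convert.ToBase64String(awkward));                      // +/+/
        Console.WriteLine(Base64UrlCodec.Encode(awkward));                       // -_-_

        string header = Base64UrlCodec.Encode("{\"alg\":\"RS256\"}");
        Console.WriteLine(header);                                               // eyJhbGciOiJSUzI1NiJ9
        Console.WriteLine(Base64UrlCodec.Decode(header));                        // {"alg":"RS256"}

        // A single byte needs "==" in regular base64; base64url drops it and the decoder restores it.
        Console.WriteLine(Base64UrlCodec.Encode(new byte[] { 0x2A }));           // Kg
        Console.WriteLine(Base64UrlCodec.DecodeBytes("Kg")[0]);                  // 42

        try { Base64UrlCodec.DecodeBytes("Kg=="); }                              // padded input is rejected
        catch (FormatException e) { Console.WriteLine(e.Message); }
    }
}
```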
Encode(inArray, offset, length) also throws if offset or length is negative, or if offset plus length is greater than the length of inArray.

Encode(inArray): converts an array of 8-bit unsigned integers to its equivalent string representation encoded with base-64-url digits, using the same rules. Parameter: an array of 8-bit unsigned integers. Throws if 'inArray' is null.

DecodeBytes(string): converts the specified string, which encodes binary data as base-64-url digits, to an equivalent 8-bit unsigned integer array. Parameter: the base64url-encoded string. Returns the decoded bytes.

Decode(string): decodes the string from Base64UrlEncoded to UTF8. Parameter: the string to decode. Returns the UTF8 string.

Crypto provider factory: creates signature providers by specifying a key and algorithm. Supports both asymmetric and symmetric keys. Returns the default instance. A custom crypto provider is the extensibility point for custom crypto support application-wide: by default, if one is set, it will be asked whether it supports the algorithm before crypto operations, and if it returns true it will be called for those operations. A static constructor initializes the default instance; a default constructor is provided; and a copy constructor creates a deep copy of the given factory.

IsSupportedAlgorithm(algorithm): answers whether an algorithm is supported. Parameter: the name of the crypto algorithm. IsSupportedAlgorithm(algorithm, key): checks whether an 'algorithm, key' pair is supported. Parameters: the algorithm to check; the key. Returns true if the 'algorithm, key' pair is supported.

Creates an authenticated encryption provider for a specific <SecurityKey, Algorithm>. Parameters: the key to use; the algorithm to use. Returns an instance. Throws if 'key' is null; 'algorithm' is null or empty; 'key' is not a symmetric key; or the 'algorithm, key' pair is not supported.

Creates a key wrap provider for a specific <SecurityKey, Algorithm>. Parameters: the key to use; the algorithm to use. Returns an instance. Throws if 'key' is null; 'algorithm' is null or empty; or the key and algorithm pair are not supported. When finished with the instance, call the matching Release method.

Creates a key wrap provider for unwrapping for a specific <SecurityKey, Algorithm>. Parameters: the key to use;
the algorithm to use. Returns an instance. Throws if 'key' is null; 'algorithm' is null or empty; or the key and algorithm pair are not supported. When finished with the instance, call the matching Release method.

CreateForSigning(key, algorithm): creates a signature provider that supports the key and algorithm. Parameters: the key to use for signing; the algorithm to use for signing. Throws if 'key' is null; 'algorithm' is null or empty; the key is too small for the algorithm (checked against both the signing and the verifying minimum); the key is not an asymmetric or a symmetric key; or, for an asymmetric key, no private key is available, since AsymmetricSignatureProviders require access to a PrivateKey for signing. When finished with the provider, call Release.

CreateForVerifying(key, algorithm): returns a signature provider that supports the key and algorithm. Parameters: the key to use for verifying; the algorithm to use for verifying. Throws if 'key' is null; 'algorithm' is null or empty; the key is too small for the algorithm; or the key is not an asymmetric or a symmetric key. When finished with the provider, call Release.

Release methods: when finished with a signature provider, an authenticated encryption provider, a key wrap provider or a hash algorithm, call the matching Release method for cleanup. The default behavior is to call Dispose on the object so that its resources are released.

CreateHashAlgorithm(algorithm): returns a hash algorithm for a specific algorithm name. Parameter: the name of the hash algorithm to create. When finished with it, call Release. Throws if 'algorithm' is null or empty, or if 'algorithm' is not supported.

CreateKeyedHashAlgorithm(keyBytes, algorithm): returns a keyed hash algorithm for a specific algorithm. Parameters: the keyed hash algorithm to create; the bytes to use to create the keyed hash. When finished with it, call Release. Throws if 'algorithm' is null or empty, or if 'algorithm' is not supported.

Helper class for adding DateTimes and TimeSpans. Add(time, timespan): adds a DateTime and a TimeSpan. The maximum time is DateTime.MaxValue; it is not an error if time + timespan > MaxValue, the result is simply MaxValue. Parameters: the initial value; the TimeSpan to add. Returns the sum of time and timespan. GetMaxValue(kind): gets the maximum DateTime value with the specified DateTimeKind. GetMinValue(kind): gets the minimum DateTime value with the specified DateTimeKind. ToUniversalTime: ensures that a DateTime (or nullable DateTime) is UTC. Parameter: the value to convert.

ECDsa security key: represents an ECDsa security key. Constructor: returns a new instance from an ECDsa
instance used to initialize the key. Gets a bool indicating whether a private key exists (true if it has a private key; otherwise, false). Gets an enum indicating whether a private key exists: 'Exists' if a private key exists for sure; 'DoesNotExist' if a private key does not exist for sure; 'Unknown' if this cannot be determined. Gets the key size.

Encrypting credentials: a wrapper class for properties that are used for token encryption. Constructor: the key encryption algorithm to apply; the encryption algorithm to apply. Gets the key encryption algorithm used for token encryption. Gets the content encryption algorithm used for token encryption. Users can override the default crypto provider factory with this property; this factory will be used for creating encryption providers. Gets the key that is used for encryption.

Authenticated encryption provider: provides authenticated encryption and decryption services. Constructor: initializes a new instance used for encryption and decryption. Parameters: the key that will be used for crypto operations; the encryption algorithm to apply. Throws if 'key' is null; 'algorithm' is null or whitespace; the key size is not large enough; 'algorithm' is not supported; or a symmetric signature provider could not be created. Gets the encryption algorithm that is being used. Gets or sets a user context for the provider (null by default; can be used by runtimes or for extensibility scenarios). Gets the key that is being used.

Encrypt(plaintext, authenticatedData): encrypts the 'plaintext'. Parameters: the data to be encrypted; the authenticated data, which will be combined with the iv and ciphertext to create an authentication tag. Returns a result containing ciphertext, iv and authentication tag. Throws if plaintext is null or empty; authenticatedData is null or empty; or the AES crypto operation threw (see the inner exception for details).

Encrypt(plaintext, authenticatedData, iv): as above, with a caller-supplied initialization vector for encryption. Same return value and exceptions.
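The Encrypt and Decrypt contract described in this section (ciphertext, iv and tag returned; the tag computed over the authenticated data combined with the iv and ciphertext; the tag verified before any plaintext is returned), as an added example that is not the library's provider. It implements the A128CBC-HS256 construction from RFC 7518 section 5.2.3, where a 32-byte key is split into a 16-byte HMAC key (first half) and a 16-byte AES-CBC key (second half), the MAC input is AAD || IV || ciphertext || AL (AL = bit length of the AAD as a 64-bit big-endian integer), and the tag is the first 16 bytes of HMAC-SHA256. The truncated tag is the reason a symmetric signature provider needs a Verify overload that compares only a prefix of the MAC. The class and member names are this example's own; the sample key, header and payload are constructed. Targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Microsoft.IdentityModel.Tokens code.
public sealed class AuthenticatedEncryptionResult
{
    public byte[] Ciphertext { get; set; }
    public byte[] IV { get; set; }
    public byte[] AuthenticationTag { get; set; }
}

public static class AesCbcHmacSha256
{
    private const int KeySize = 32, HalfKey = 16, IvSize = 16, TagSize = 16;

    public static AuthenticatedEncryptionResult Encrypt(byte[] key, byte[] plaintext, byte[] authenticatedData, byte[] iv = null)
    {
        CheckArgs(key, plaintext, nameof(plaintext), authenticatedData);
        using Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = Slice(key, HalfKey, HalfKey);                 // second half of the key encrypts
        if (iv == null) { aes.GenerateIV(); iv = aes.IV; } else aes.IV = iv;   // fresh random IV per message unless supplied
        byte[] ciphertext;
        using (ICryptoTransform enc = aes.CreateEncryptor())
            ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        return new AuthenticatedEncryptionResult
        {
            Ciphertext = ciphertext,
            IV = iv,
            AuthenticationTag = ComputeTag(key, authenticatedData, iv, ciphertext),
        };
    }

    public static byte[] Decrypt(byte[] key, byte[] ciphertext, byte[] authenticatedData, byte[] iv, byte[] authenticationTag)
    {
        CheckArgs(key, ciphertext, nameof(ciphertext), authenticatedData);
        if (iv == null || iv.Length != IvSize) throw new ArgumentException("iv must be 16 bytes", nameof(iv));
        if (authenticationTag == null || authenticationTag.Length == 0) throw new ArgumentNullException(nameof(authenticationTag));

        // Verify first, in constant time. Decrypting before verifying would expose a CBC padding oracle.
        byte[] expected = ComputeTag(key, authenticatedData, iv, ciphertext);
        if (!CryptographicOperations.FixedTimeEquals(expected, authenticationTag))
            throw new CryptographicException("Authentication tag does not verify: ciphertext, IV or AAD was modified.");

        using Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = Slice(key, HalfKey, HalfKey);
        aes.IV = iv;
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }

    // MAC input = AAD || IV || ciphertext || AL; AL = bit length of AAD as a 64-bit big-endian integer.
    private static byte[] ComputeTag(byte[] key, byte[] aad, byte[] iv, byte[] ciphertext)
    {
        byte[] al = BitConverter.GetBytes((ulong)aad.Length * 8UL);
        if (BitConverter.IsLittleEndian) Array.Reverse(al);
        byte[] macInput = new byte[aad.Length + iv.Length + ciphertext.Length + al.Length];
        int pos = 0;
        foreach (byte[] part in new[] { aad, iv, ciphertext, al })
        {
            Buffer.BlockCopy(part, 0, macInput, pos, part.Length);
            pos += part.Length;
        }
        using var hmac = new HMACSHA256(Slice(key, 0, HalfKey));   // first half of the key authenticates
        return Slice(hmac.ComputeHash(macInput), 0, TagSize);      // truncated to 128 bits per the algorithm
    }

    private static void CheckArgs(byte[] key, byte[] data, string dataName, byte[] aad)
    {
        if (key == null || key.Length != KeySize) throw new ArgumentException("key must be 32 bytes", nameof(key));
        if (data == null || data.Length == 0) throw new ArgumentNullException(dataName);
        if (aad == null || aad.Length == 0) throw new ArgumentNullException(nameof(aad));
    }

    private static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] dst = new byte[count];
        Buffer.BlockCopy(src, offset, dst, 0, count);
        return dst;
    }
}

public static class AesCbcHmacDemo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);                      // constructed content-encryption key
        // In JWE the AAD is the ASCII form of the base64url-encoded protected header (constructed here).
        byte[] aad = Encoding.ASCII.GetBytes("eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0");
        byte[] plaintext = Encoding.UTF8.GetBytes("{\"sub\":\"alice\",\"role\":\"user\"}");

        AuthenticatedEncryptionResult r = AesCbcHmacSha256.Encrypt(key, plaintext, aad);
        Console.WriteLine(Encoding.UTF8.GetString(
            AesCbcHmacSha256.Decrypt(key, r.Ciphertext, aad, r.IV, r.AuthenticationTag)));

        // A CBC bit-flip on the ciphertext (the classic way to rewrite a field without the key) is caught by the tag.
        r.Ciphertext[0] ^= 0x01;
        try { AesCbcHmacSha256.Decrypt(key, r.Ciphertext, aad, r.IV, r.AuthenticationTag); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```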
Decrypt(ciphertext, authenticatedData, iv, authenticationTag): decrypts ciphertext into plaintext. Parameters: the encrypted text to decrypt; the authenticated data that is used in verification; the initialization vector used when creating the ciphertext; the authentication tag that was created during encryption. Returns the decrypted plaintext. Throws if 'ciphertext' is null or empty; 'authenticatedData' is null or empty; 'iv' is null or empty; 'authenticationTag' is null or empty; the signature over the authentication tag fails to verify; or the AES crypto operation threw (see the inner exception).

IsSupportedAlgorithm(key, algorithm): checks whether a 'key, algorithm' pair is supported. Parameters: the key; the algorithm to check. Returns true if the 'key, algorithm' pair is supported.

GetKeyBytes(key): called to obtain the byte[] needed to create a KeyedHashAlgorithm. Parameter: the key that will be used to obtain the byte[]. Returns the byte[] that is used to populate the KeyedHashAlgorithm. Throws if key is null, or if a byte[] cannot be obtained from the key. Symmetric security keys and JSON Web Keys are supported: for a symmetric security key its Key is returned; for a JsonWebKey, Base64UrlEncoder.DecodeBytes is called with its 'k' value if its 'kty' == JsonWebAlgorithmsKeyTypes.Octet.

ValidateKeySize(key, algorithm): checks that the key has sufficient length for the algorithm. Parameters: the key that contains bytes; the algorithm to apply. Throws if 'key' is null, or if 'algorithm' is null or empty.

Authenticated encryption result: contains the results of an Encrypt operation. Constructor: the key used during encryption; the protected text (ciphertext); the initialization vector used; the bytes (authentication tag) that must be passed to Decrypt. Gets the key. Gets the ciphertext. Gets the initialization vector. Gets the authentication tag.

Key wrap provider (base class): provides wrap key and unwrap key services. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for the provider (null by default; can be used by runtimes or for extensibility scenarios). Gets the key that is being used. Dispose calls Dispose(true); Dispose(disposing) can be overridden in descendants to dispose of internal components (true if called from Dispose(), false if invoked inside a finalizer). UnwrapKey(keyBytes): unwraps a key. Parameter: the key to unwrap. Returns the unwrapped key. WrapKey(keyBytes): wraps a key. Parameter: the key to be wrapped. Returns the wrapped key.

RSA key wrap provider: provides RSA wrap key and unwrap key services. Constructor: initializes a new instance used for wrapping and unwrapping keys. Parameters: the key that will be used for crypto operations;
the KeyWrap algorithm to apply; willUnwrap, to be set to true when this instance is required to decrypt (unwrap). Throws if 'key' is null; 'algorithm' is null; the key size does not match the algorithm; the key and algorithm pair are not supported; or the RSA algorithm could not be created with the provided key and algorithm. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for the provider (null by default; can be used by runtimes or for extensibility scenarios). Gets the key that is being used. Dispose(disposing): disposes of internal components (true if called from Dispose(), false if invoked inside a finalizer). IsSupportedAlgorithm(key, algorithm): checks whether the key and KeyWrap algorithm are supported. Parameters: the key that will be used for crypto operations; the KeyWrap algorithm to apply. Returns true if the algorithm is supported; otherwise, false.

UnwrapKey(keyBytes): unwraps a key using RSA decryption. Parameter: the bytes to unwrap. Returns the unwrapped key. Throws if 'keyBytes' is null or has length 0; Dispose has been called; the wrapped key fails to unwrap; or the internal RSA algorithm is null.

WrapKey(keyBytes): wraps a key using RSA encryption. Parameter: the key to be wrapped. Returns the wrapped key. Throws if 'keyBytes' is null or has length 0; Dispose has been called; wrapping 'keyBytes' fails; or the internal RSA algorithm is null.

Symmetric key wrap provider: provides wrap key and unwrap key services with a symmetric key. Constructor: initializes a new instance used for wrapping and unwrapping keys. Parameters: the key that will be used for crypto operations; the KeyWrap algorithm to apply. Throws if 'key' is null; 'algorithm' is null; the key and algorithm pair are not supported; the key cannot be converted to a byte array; the key size does not match the algorithm; or the symmetric algorithm could not be created with the provided key and algorithm. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for the provider (null by default; can be used by runtimes or for extensibility scenarios). Gets the key that is being used. Dispose(disposing): disposes of internal components (true if called from Dispose(), false if invoked inside a finalizer).

GetSymmetricAlgorithm(key, algorithm): returns the symmetric algorithm. Throws if the key cannot be converted to a byte array; if the key size does not match the algorithm;
or if the symmetric algorithm could not be created with the provided key and algorithm.

IsSupportedAlgorithm(key, algorithm): answers whether the key and algorithm are supported. Parameters: the key; the algorithm to use. Returns true if the algorithm is supported; otherwise, false.

UnwrapKey(keyBytes): unwraps a key using symmetric decryption. Parameter: the bytes to unwrap. Returns the unwrapped key. Throws if 'keyBytes' is null or has length 0; 'keyBytes' is not a multiple of 8; Dispose has been called; or the wrapped key fails to unwrap.

WrapKey(keyBytes): wraps a key using symmetric encryption. Parameter: the key to be wrapped. Returns the wrapped key. Throws if 'keyBytes' is null or has length 0; 'keyBytes' is not a multiple of 8; Dispose has been called; or wrapping 'keyBytes' fails.

Epoch time: returns the absolute DateTime or the seconds since the Unix Epoch, where the Epoch is UTC 1970-01-01T00:00:00Z. UnixEpoch: the DateTime, as UTC, of the Unix Epoch. GetIntDate(dateTimeUtc): per the JWT spec, gets the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the desired date/time. Parameter: the DateTime to convert to seconds. If dateTimeUtc is less than UnixEpoch, returns 0; otherwise returns the number of seconds since the Unix Epoch. DateTime(secondsSinceUnixEpoch): creates a DateTime from epoch time. Parameter: number of seconds. Returns the DateTime in UTC.

Represents a security token exception when decryption failed. Constructors: parameterless; with a specified error message (the error message that explains the reason for the exception); and with a specified error message and a reference to the inner exception that is the cause of this exception (the error message; the exception that is the cause of the current exception, or a null reference if no inner exception is specified).

Represents a security token exception when encryption failed. Constructors: parameterless; with a specified error message; and with a specified error message and a reference to the inner exception that is the cause of this exception.
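The symmetric wrap and unwrap operations described above, including the "not a multiple of 8" precondition and the "failed to unwrap" failure, as an added example that is not the library's provider. The multiple-of-8 rule comes from RFC 3394 AES Key Wrap (the A128KW/A192KW/A256KW JWE algorithms), which processes the key in 64-bit semiblocks, and "failed to unwrap" is its integrity check: the recovered A value must equal the fixed IV A6A6A6A6A6A6A6A6. The class name is this example's own; the test vector is the one published in RFC 3394 section 4.1. Targets .NET 6 or later for EncryptEcb/DecryptEcb.

```csharp
using System;
using System.Security.Cryptography;

// Added example: RFC 3394 AES Key Wrap. Not Microsoft.IdentityModel.Tokens code.
public static class AesKeyWrap
{
    // Fixed 64-bit integrity check value from RFC 3394 section 2.2.3.1.
    private static readonly byte[] DefaultIv = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };

    public static byte[] Wrap(byte[] kek, byte[] keyBytes)
    {
        CheckKeyBytes(keyBytes, 16);
        int n = keyBytes.Length / 8;                      // number of 64-bit semiblocks R[1..n]
        byte[] a = (byte[])DefaultIv.Clone();
        byte[] r = (byte[])keyBytes.Clone();
        using Aes aes = Aes.Create();
        aes.Key = kek;
        byte[] block = new byte[16];
        for (int j = 0; j <= 5; j++)
            for (int i = 1; i <= n; i++)
            {
                Buffer.BlockCopy(a, 0, block, 0, 8);
                Buffer.BlockCopy(r, (i - 1) * 8, block, 8, 8);
                byte[] b = aes.EncryptEcb(block, PaddingMode.None);   // B = AES(K, A | R[i])
                Buffer.BlockCopy(b, 0, a, 0, 8);                       // A = MSB(64, B) ^ t
                XorCounter(a, (ulong)(n * j + i));
                Buffer.BlockCopy(b, 8, r, (i - 1) * 8, 8);             // R[i] = LSB(64, B)
            }
        byte[] wrapped = new byte[8 + keyBytes.Length];                // C = A | R[1] | ... | R[n]
        Buffer.BlockCopy(a, 0, wrapped, 0, 8);
        Buffer.BlockCopy(r, 0, wrapped, 8, keyBytes.Length);
        return wrapped;
    }

    public static byte[] Unwrap(byte[] kek, byte[] wrappedKey)
    {
        CheckKeyBytes(wrappedKey, 24);
        int n = wrappedKey.Length / 8 - 1;
        byte[] a = new byte[8];
        byte[] r = new byte[n * 8];
        Buffer.BlockCopy(wrappedKey, 0, a, 0, 8);
        Buffer.BlockCopy(wrappedKey, 8, r, 0, n * 8);
        using Aes aes = Aes.Create();
        aes.Key = kek;
        byte[] block = new byte[16];
        for (int j = 5; j >= 0; j--)
            for (int i = n; i >= 1; i--)
            {
                XorCounter(a, (ulong)(n * j + i));                     // A ^ t
                Buffer.BlockCopy(a, 0, block, 0, 8);
                Buffer.BlockCopy(r, (i - 1) * 8, block, 8, 8);
                byte[] b = aes.DecryptEcb(block, PaddingMode.None);   // B = AES^-1(K, (A ^ t) | R[i])
                Buffer.BlockCopy(b, 0, a, 0, 8);                       // A = MSB(64, B)
                Buffer.BlockCopy(b, 8, r, (i - 1) * 8, 8);             // R[i] = LSB(64, B)
            }
        // The recovered A must equal the IV; otherwise the KEK is wrong or the blob was altered. Fail closed.
        if (!CryptographicOperations.FixedTimeEquals(a, DefaultIv))
            throw new CryptographicException("Failed to unwrap the wrapped key: integrity check failed.");
        return r;
    }

    private static void CheckKeyBytes(byte[] keyBytes, int minimum)
    {
        if (keyBytes == null || keyBytes.Length == 0) throw new ArgumentNullException(nameof(keyBytes));
        if (keyBytes.Length % 8 != 0) throw new ArgumentException("keyBytes must be a multiple of 8 bytes", nameof(keyBytes));
        if (keyBytes.Length < minimum) throw new ArgumentException($"keyBytes must be at least {minimum} bytes", nameof(keyBytes));
    }

    // XOR the 64-bit step counter t into A, big-endian, as the RFC specifies.
    private static void XorCounter(byte[] a, ulong t)
    {
        for (int k = 0; k < 8; k++) a[7 - k] ^= (byte)(t >> (8 * k));
    }
}

public static class AesKeyWrapDemo
{
    public static void Main()
    {
        // RFC 3394 section 4.1 test vector: 128-bit key wrapped with a 128-bit KEK.
        byte[] kek = Convert.FromHexString("000102030405060708090A0B0C0D0E0F");
        byte[] cek = Convert.FromHexString("00112233445566778899AABBCCDDEEFF");
        byte[] wrapped = AesKeyWrap.Wrap(kek, cek);
        Console.WriteLine(Convert.ToHexString(wrapped));                      // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
        Console.WriteLine(Convert.ToHexString(AesKeyWrap.Unwrap(kek, wrapped)));   // 00112233445566778899AABBCCDDEEFF

        wrapped[10] ^= 0x80;                                                   // corrupt one bit of the blob
        try { AesKeyWrap.Unwrap(kek, wrapped); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```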
In those constructors the error message explains the reason for the exception, and the inner exception is the cause of the current exception, or a null reference if no inner exception is specified.

Thrown when a security token contained a key identifier but the key was not found by the runtime when decrypting a token. Constructors: parameterless; with additional information to be included in the exception and displayed to the user; and with that information plus the exception that represents the root cause.

Represents a security token exception (base type). Constructors: parameterless; with a specified error message that explains the reason for the exception; and with a message plus the inner exception that is the cause of this exception, or a null reference if no inner exception is specified.

Thrown when a received security token has an expiration time in the past. Gets or sets the Expires value that created the validation exception. Constructors: parameterless; message; message and inner exception.

Thrown when the 'audience' of a token was not valid. Gets or sets the InvalidAudience that created the validation exception. Constructors: parameterless; with additional information to be included in the exception and displayed to the user; and with that information plus the exception that represents the root cause.

Thrown when the 'issuer' of a token was not valid.
Gets or sets the InvalidIssuer that created the validation exception. Constructors: parameterless; with additional information to be included in the exception and displayed to the user; and with that information plus the exception that represents the root cause.

Thrown when the 'lifetime' of a token was not valid. Gets or sets the NotBefore value that created the validation exception. Gets or sets the Expires value that created the validation exception. Constructors: parameterless; with additional information displayed to the user; and with that information plus the root-cause exception.

Thrown when the 'signature' of a token was not valid. Constructors: parameterless; with additional information displayed to the user; and with that information plus the root-cause exception.

Thrown when a received security token has an invalid issuer signing key. Gets or sets the SigningKey that was found invalid. Constructors: parameterless; message; message and inner exception.

Represents a key wrap exception when encryption failed. Constructors: parameterless; with a specified error message that explains the reason for the exception; and with a specified error message and a reference to the inner exception that is the cause of this exception.
The inner exception is the cause of the current exception, or a null reference if no inner exception is specified.

Thrown when a security token is missing an ExpirationTime. Constructors: parameterless; with additional information to be included in the exception and displayed to the user; and with that information plus the exception that represents the root cause.

Thrown when a received security token has an effective time (NotBefore) in the future. Gets or sets the NotBefore value that created the validation exception. Constructors: parameterless; message; message and inner exception.

Thrown when an add to the TokenReplayCache fails. Constructors: parameterless; with additional information displayed to the user; and with that information plus the root-cause exception.

Thrown when a received security token has been replayed. Constructors: parameterless; message; message and inner exception.

Thrown when a security token contained a key identifier but the key was not found by the runtime. Constructors: parameterless; with additional information displayed to the user; and with that information plus the root-cause exception.

Represents a security token validation exception. Constructors: parameterless; with a specified error message that explains the reason for the exception;
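The two replay outcomes above (an add to the TokenReplayCache fails; a received token has been replayed) are produced by a cache with the try-add-with-expiry and try-find shape that the replay cache interface in this document describes. The following in-memory implementation is an added example, not the library's cache; the interface declaration here is this example's reading of that description, and hashing the token before storing it is this example's choice. The clock is injectable so the expiry behaviour can be shown deterministically; the token string is constructed. Targets .NET 5 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example. Interface shape follows the description in this document (try-add with expiry; try-find).
public interface ITokenReplayCache
{
    bool TryAdd(string securityToken, DateTime expiresOn);
    bool TryFind(string securityToken);
}

public sealed class InMemoryTokenReplayCache : ITokenReplayCache
{
    private readonly ConcurrentDictionary<string, DateTime> _seen = new ConcurrentDictionary<string, DateTime>();
    private readonly Func<DateTime> _utcNow;

    public InMemoryTokenReplayCache(Func<DateTime> utcNow = null) => _utcNow = utcNow ?? (() => DateTime.UtcNow);

    public bool TryAdd(string securityToken, DateTime expiresOn)
    {
        string key = Fingerprint(securityToken);
        PurgeExpired();
        // ConcurrentDictionary.TryAdd is atomic: of two concurrent presentations of the same token exactly
        // one wins; the loser gets false, which the handler reports as a replayed token.
        return _seen.TryAdd(key, expiresOn.ToUniversalTime());
    }

    public bool TryFind(string securityToken) =>
        _seen.TryGetValue(Fingerprint(securityToken), out DateTime expiresOn) && expiresOn > _utcNow();

    // Store a hash rather than the bearer token itself, so a memory dump of the service yields no usable credentials.
    private static string Fingerprint(string securityToken)
    {
        if (string.IsNullOrEmpty(securityToken)) throw new ArgumentNullException(nameof(securityToken));
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(securityToken)));
    }

    // An entry only needs to outlive the token: once it is expired the lifetime check rejects it anyway.
    private void PurgeExpired()
    {
        DateTime now = _utcNow();
        foreach (var entry in _seen)
            if (entry.Value <= now) _seen.TryRemove(entry.Key, out _);
    }
}

public static class ReplayCacheDemo
{
    public static void Main()
    {
        DateTime clock = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed, controllable clock
        var cache = new InMemoryTokenReplayCache(() => clock);
        const string token = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJhYmMifQ.sig";        // constructed token string
        DateTime expires = clock.AddMinutes(5);

        Console.WriteLine(cache.TryAdd(token, expires));   // True  (first presentation)
        Console.WriteLine(cache.TryFind(token));           // True
        Console.WriteLine(cache.TryAdd(token, expires));   // False (replay)

        clock = expires.AddSeconds(1);                     // move past the token's expiry
        Console.WriteLine(cache.TryFind(token));           // False (entry is stale)
        Console.WriteLine(cache.TryAdd(token, expires));   // True: the cache is not a lifetime check; the lifetime validator must reject this token
    }
}
```

The last line is the caveat worth remembering: replay detection and lifetime validation are separate checks, and a cache that forgets expired entries only stays correct because expired tokens are rejected before the cache is consulted.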
and with a specified error message and a reference to the inner exception that is the cause of this exception (the error message explains the reason for the exception; the inner exception is the cause of the current exception, or a null reference if no inner exception is specified).

Crypto provider interface (custom crypto operations): IsSupportedAlgorithm(algorithm, args) is called to determine whether a cryptoType is supported. Parameters: the algorithm that defines the crypto operator; the arguments required by the cryptoType (may be null). Returns true if supported. Create(algorithm, args) returns an object of the cryptoType (same parameters); call Release when finished with the object. Release(cryptoInstance) is called to release the object returned from Create.

ISecurityTokenValidator: returns true if the token can be read, false otherwise; returns true if a token can be validated; gets and sets the maximum size in bytes of a token that will be processed; validates a token passed as a string using validation parameters.

Interface that defines a simple cache for tracking replay of security tokens. Try to add a security token: parameters: the security token to add; the time when the security token expires. Returns true if the security token was successfully added. Try to find a security token: parameter: the security token to find. Returns true if the security token is found.

Constants for the JSON Web Algorithms "kty" Key Type values (section 6.1, http://tools.ietf.org/html/rfc7518#section-6.1).

JsonWebKey: represents a JSON Web Key as defined in http://tools.ietf.org/html/rfc7517. Contains magic numbers identifying ECDSA blob types. Create(json) returns a new instance from a string that contains JSON Web Key parameters in JSON format; throws if 'json' is null or empty, or if 'json' fails to deserialize. Constructors: parameterless; and from a JSON string containing JSON Web Key parameters (same exceptions). When deserializing from JSON, any properties that are not defined will be placed in an additional-data collection. Properties:

Gets or sets the 'alg' (Algorithm).
Gets or sets the 'crv' (ECC - Curve).
Gets or sets the 'd' (ECC - Private Key OR RSA - Private Exponent). Value is formatted as Base64urlUInt.
Gets or sets the 'dp' (RSA - First Factor CRT Exponent). Value is formatted as Base64urlUInt.
Gets or sets the 'dq' (RSA - Second Factor CRT Exponent). Value is formatted as Base64urlUInt.
Gets or sets the 'e' (RSA - Exponent).
Gets or sets the 'k' (Symmetric - Key Value). Value is formatted as Base64urlEncoding.
Gets the 'key_ops' (Key Operations).
Gets or sets the 'kid' (Key ID).
Gets or sets the 'kty' (Key Type).
Gets or sets the 'n' (RSA - Modulus). Value is formatted as Base64urlEncoding.
Gets or sets the 'oth' (RSA - Other Primes Info).
Gets or sets the 'p' (RSA - First Prime Factor). Value is formatted as Base64urlUInt.
Gets or sets the 'q' (RSA - Second Prime Factor). Value is formatted as Base64urlUInt.
Gets or sets the 'qi' (RSA - First CRT Coefficient). Value is formatted as Base64urlUInt.
Gets or sets the 'use' (Public Key Use).
Gets or sets the 'x' (ECC - X Coordinate). Value is formatted as Base64urlEncoding.
Gets the 'x5c' collection (X.509 Certificate Chain).
Gets or sets the 'x5t' (X.509 Certificate SHA-1 thumbprint).
Gets or sets the 'x5t#S256' (X.509 Certificate SHA-256 thumbprint).
Gets or sets the 'x5u' (X.509 URL).
Gets or sets the 'y' (ECC - Y Coordinate). Value is formatted as Base64urlEncoding.
Gets the key size of the JsonWebKey.
Gets a bool indicating whether a private key exists: true if it has a private key; otherwise, false.
Gets a bool that determines whether the 'key_ops' (Key Operations) property should be serialized; this is used by Json.NET to conditionally serialize properties. true if 'key_ops' is not empty; otherwise, false.
Gets a bool that determines whether the 'x5c' collection (X.509 Certificate Chain) property should be serialized; this is used by Json.NET to conditionally serialize properties. true if 'x5c' is not empty; otherwise, false.
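The RSA members listed above and their Base64urlUInt formatting (RFC 7518 section 2: big-endian unsigned integer with no leading zero octets, base64url-encoded), plus the "has private key" and key size checks, as an added example that is not the library's JsonWebKey or its converter. Using the RFC 7638 JWK thumbprint as the 'kid' is this example's convention; the 'use' value is assumed. Targets .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example: RSA key -> JSON Web Key. Not Microsoft.IdentityModel.Tokens code.
public static class RsaJwkExample
{
    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Base64urlUInt: minimal-length big-endian magnitude, so no leading zero octets.
    private static string Base64UrlUInt(byte[] bigEndian)
    {
        int start = 0;
        while (start < bigEndian.Length - 1 && bigEndian[start] == 0) start++;
        return Base64Url(bigEndian[start..]);
    }

    public static Dictionary<string, string> ToJwk(RSA rsa, bool includePrivateKey)
    {
        RSAParameters p = rsa.ExportParameters(includePrivateKey);   // throws if no private key is present
        string n = Base64UrlUInt(p.Modulus), e = Base64UrlUInt(p.Exponent);
        var jwk = new Dictionary<string, string>
        {
            ["kty"] = "RSA",
            ["use"] = "sig",              // assumed
            ["kid"] = Thumbprint(n, e),   // this example's kid convention
            ["n"] = n,
            ["e"] = e,
        };
        if (includePrivateKey)
        {
            jwk["d"] = Base64UrlUInt(p.D);
            jwk["p"] = Base64UrlUInt(p.P);
            jwk["q"] = Base64UrlUInt(p.Q);
            jwk["dp"] = Base64UrlUInt(p.DP);
            jwk["dq"] = Base64UrlUInt(p.DQ);
            jwk["qi"] = Base64UrlUInt(p.InverseQ);
        }
        return jwk;
    }

    // RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order with no whitespace.
    public static string Thumbprint(string n, string e) =>
        Base64Url(SHA256.HashData(Encoding.UTF8.GetBytes("{\"e\":\"" + e + "\",\"kty\":\"RSA\",\"n\":\"" + n + "\"}")));

    // A JWK carries private material exactly when 'd' is present.
    public static bool HasPrivateKey(IReadOnlyDictionary<string, string> jwk) => jwk.ContainsKey("d");

    // Key size is the bit length of the modulus, which is what the minimum-size checks compare against.
    public static int KeySizeBits(IReadOnlyDictionary<string, string> jwk)
    {
        string n = jwk["n"].Replace('-', '+').Replace('_', '/');
        byte[] modulus = Convert.FromBase64String(n.PadRight(n.Length + (4 - n.Length % 4) % 4, '='));
        return modulus.Length * 8;   // leading zeros were stripped, so the top octet is non-zero
    }
}

public static class RsaJwkDemo
{
    public static void Main()
    {
        using RSA rsa = RSA.Create(2048);

        var publicJwk = RsaJwkExample.ToJwk(rsa, includePrivateKey: false);
        Console.WriteLine(JsonSerializer.Serialize(publicJwk));       // {"kty":"RSA","use":"sig","kid":"...","n":"...","e":"AQAB"}
        Console.WriteLine(RsaJwkExample.HasPrivateKey(publicJwk));    // False: safe to publish in a JWKS document
        Console.WriteLine(RsaJwkExample.KeySizeBits(publicJwk));      // 2048

        var privateJwk = RsaJwkExample.ToJwk(rsa, includePrivateKey: true);
        Console.WriteLine(RsaJwkExample.HasPrivateKey(privateJwk));   // True: must never be served from a JWKS endpoint
        Console.WriteLine(privateJwk["kid"] == publicJwk["kid"]);     // True: the thumbprint covers only n and e
    }
}
```

Before publishing a key set, check HasPrivateKey on every entry; a JWKS document is the one place where serializing the wrong overload turns a configuration slip into a full key compromise.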
Returns the size of the key in bytes for an ECDSA curve (P256, P384 or P521). Returns the magic value representing the curve corresponding to the curve id (P256, P384 or P521) and whether the provider will create signatures or not; returns a uint representing the magic number.

JSON Web Key converter: converts security keys into JSON Web Keys. Overloads convert a security key, an RSA security key, an X509 security key and a symmetric security key into a JsonWebKey.

Constants for JSON Web Key elliptic curve types (https://tools.ietf.org/html/rfc7518#section-6.2.1.1). Names for JSON Web Key values.

JsonWebKeySet: contains a collection of JsonWebKey that can be populated from a JSON string; provides support for http://tools.ietf.org/html/rfc7517. Create(json) returns a new instance from a string that contains JSON Web Key Set parameters in JSON format; throws if 'json' is null or empty, or if 'json' fails to deserialize. Constructors: parameterless; and from a JSON string containing the values (same exceptions). When deserializing from JSON, any properties that are not defined will be placed in an additional-data collection. Gets the keys. Returns the JsonWebKeys as a collection of security keys. Names for JSON Web Key Set values.

Constants for JsonWebKeyUse (section 4.2, http://tools.ietf.org/html/rfc7517#section-4).

Log messages and codes.

RsaCryptoServiceProvider proxy: the purpose of this class is to ensure that we obtain an RsaCryptoServiceProvider that supports SHA-256 signatures. If the original RsaCryptoServiceProvider does not support SHA-256, a new one is created using the same KeyContainer. Constructor; finalizer; Dispose releases all resources used by the current instance. Decrypt(rgb, fOAEP): decrypts data with the System.Security.Cryptography.RSA algorithm. Parameters: the data to be decrypted;
true to perform direct System.Security.Cryptography.RSA decryption using OAEP padding (only available on a computer running Microsoft Windows XP or later); otherwise, false to use PKCS#1 v1.5 padding. Encrypt(rgb, fOAEP): encrypts data with the System.Security.Cryptography.RSA algorithm. Parameters: the data to be encrypted; true to perform direct RSA encryption using OAEP padding (only available on a computer running Microsoft Windows XP or later); otherwise, false to use PKCS#1 v1.5 padding. Computes the hash value of the specified byte array using the specified hash algorithm, and signs the resulting hash value. Parameters: the input byte array for which to compute the hash; the hash algorithm to use to create the hash value. Returns the signature for the specified data. Verifies that a digital signature is valid by determining the hash value in the signature using the provided public key and comparing it to the hash value of the provided data. Parameters: the input byte array; the hash algorithm to use to create the hash value; the signature byte array to be verified. Returns true if the signature is valid; otherwise, false.

RSA security key: represents an RSA security key. Constructors: from the RSA parameters used to initialize the key; and from an RSA instance used to initialize the key. Gets a bool indicating whether a private key exists (true if it has a private key; otherwise, false). Gets an enum indicating whether a private key exists: 'Exists' if a private key exists for sure; 'DoesNotExist' if a private key does not exist for sure; 'Unknown' if this cannot be determined. Gets the RSA key size.

Constants for security algorithms.

SecurityKey: base class for a security key. Must be overridden to get the size of this key. Gets the key id of this key. Gets or sets the crypto provider factory.

Contains information about the keys inside the tokens.

SecurityToken: base class for a security token. Must be overridden to get the Id of this token. Must be overridden to get the issuer of this token. Must be overridden to get the security key.
Must be overridden to get or set the key that signed this instance; ValidateToken(...) can set this value when a key is used to successfully validate a signature. Must be overridden to get the time from which this token is valid. Must be overridden to get the time when this token is no longer valid.

Security token descriptor: contains the information used to create a security token. Gets or sets the value of the 'audience' claim. Gets or sets the encrypting credentials used to create an encrypted security token. Gets or sets the value of the 'expiration' claim. Gets or sets the issuer of this token. Gets or sets the time the security token was issued. Gets or sets the notbefore time for the security token. Gets or sets the signing credentials used to create a security token.

SecurityTokenHandler: defines the interface for a security token handler. Creates an instance of the handler. Returns true if attached; otherwise, false. Gets a value indicating whether this handler supports validation of tokens handled by this instance ('True' if the instance is capable of SecurityToken validation). Gets a value indicating whether the class provides serialization functionality to serialize tokens handled by this instance (true if the WriteToken method can serialize this token). Must be overridden to get the System.Type of the SecurityToken this instance handles. Indicates whether the current token string can be read as a token of the type handled by this instance; parameter: the token string that needs to be read; 'True' if the ReadToken method can parse the token string. Gets and sets the maximum token size in bytes that will be processed; throws if 'value' is less than 1. ReadToken(string): deserializes from a string a token of the type handled by this instance; parameter: the string to be deserialized; returns a SecurityToken instance which represents the serialized token. ReadToken(reader): gets a security token from an XML reader; returns a SecurityToken instance which represents the serialized token. WriteToken(token): serializes to a string a token of the type handled by this instance; parameter: a token of type TokenType; returns the serialized token.
WriteToken(writer, token): must be overridden to serialize to XML a token of the type handled by this instance. Parameters: the XML writer; a token of the handled type. ReadToken(reader, validationParameters): must be overridden to deserialize a token with the provided validation parameters. Parameters: the XML reader; the current validation parameters. Returns a SecurityToken instance which represents the serialized token. ValidateToken(token, validationParameters, out validatedToken): must be overridden to validate a token passed as a string using validation parameters. Parameters: the token string; the current validation parameters; the token that was validated (output).

SignatureProvider: provides signature services, signing and verifying. Constructor: initializes a new instance used to create and verify signatures. Parameters: the key that will be used for signature operations; the signature algorithm to apply. Throws if 'key' is null. Gets or sets a user context for the provider. Gets the key. Gets the signature algorithm. Sign(input): must be overridden to produce a signature over the 'input'. Parameter: the bytes to sign. Returns the signed bytes. Verify(input, signature): must be overridden to verify a signature created over the 'input'. Parameters: the bytes to verify; the signature to compare against. Returns true if the computed signature matches the signature parameter, false otherwise. Dispose calls Dispose(true); Dispose(disposing) can be overridden in descendants to dispose of internal components (true if called from Dispose(), false if invoked inside a finalizer).

Signing credentials: defines the key, algorithm and digest for digital signatures. Constructor (key, algorithm): the key; the signature algorithm to apply. The 'digest method', if needed, may be implied from the algorithm; for example, an RSA-with-SHA-256 signature algorithm implies a SHA-256 digest. Constructor (key, algorithm, digest): the key; the signature algorithm to apply; the digest algorithm to apply. Gets the algorithm used for signatures. Gets the algorithm used for digests. Users can override the default crypto provider factory with this property; this factory will be used for creating signature providers and takes precedence over the factory on the key. Gets the key that is used for signature validation. Gets the key id associated with the key.

Symmetric security key: represents a symmetric security key. Constructor: returns a new instance from the byte array of the key. Gets the key size. Gets the byte array of the key.
Provides signing and verifying operations using a and specifying an algorithm. This is the minimum .KeySize when creating and verifying signatures. Initializes a new instance of the class that uses an to create and / or verify signatures over an array of bytes. The that will be used for signature operations. The signature algorithm to use. 'key' is null. If and algorithm pair are not supported. '.KeySize' is smaller than . throws. returns null. Gets or sets the minimum .KeySize. 'value' is smaller than . Called to obtain the byte[] needed to create a that will be used to obtain the byte[]. [] that is used to populate the KeyedHashAlgorithm. if key is null. if a byte[] cannot be obtained from SecurityKey. and are supported. For a , .Key is returned. For a , Base64UrlEncoder.DecodeBytes is called with if == JsonWebAlgorithmsKeyTypes.Octet. Returns the . The hash algorithm to use to create the hash value. The byte array of the key.
Produces a signature over the 'input' using the and 'algorithm' passed to . The bytes to sign. Signed bytes. 'input' is null. 'input.Length' == 0. has been called. is null. This can occur if a derived type deletes it or does not create it.
Verifies that a signature created over the 'input' matches the signature, using the and 'algorithm' passed to . The bytes to verify. signature to compare against. true if the computed signature matches the signature parameter, false otherwise. 'input' is null. 'signature' is null. 'input.Length' == 0. 'signature.Length' == 0. has been called. If the internal is null. This can occur if a derived type deletes it or does not create it.
Verifies that a signature created over the 'input' matches the signature, using the and 'algorithm' passed to . The bytes to verify. signature to compare against. number of bytes of signature to use. true if the computed signature matches the signature parameter, false otherwise. 'input' is null. 'signature' is null. 'input.Length' == 0. 'signature.Length' == 0. 'length < 1'. has been called.
If the internal is null. This can occur if a derived type deletes it or does not create it. Disposes of internal components. true, if called from Dispose(), false, if invoked inside a finalizer.
Definition for AudienceValidator. The audiences found in the . The being validated. required for validation. true if the audience is considered valid.
Definition for IssuerSigningKeyResolver. The representation of the token that is being validated. The that is being validated. It may be null. A key identifier. It may be null. required for validation. A to use when validating a signature.
Definition for IssuerSigningKeyValidator. The that signed the . The being validated. required for validation.
Definition for IssuerValidator. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". The delegate should return a non-null string that represents the 'issuer'. If null, a default value will be used.
Definition for LifetimeValidator. The 'notBefore' time found in the . The 'expiration' time found in the . The being validated. required for validation.
Definition for TokenReplayValidator. The 'expiration' time found in the . The being validated. required for validation.
Definition for SignatureValidator. A securityToken with a signature. required for validation.
Definition for TokenReader. A securityToken with a signature. required for validation.
Definition for TokenDecryptionKeyResolver. The representation of the token to be decrypted. The to be decrypted. The runtime by default passes null. A key identifier. It may be null. required for validation. A to use when decrypting the token.
Contains a set of parameters that are used by a when validating a . This is the fallback authentication type that a will use if nothing is set. Default for the clock skew: 300 seconds (5 minutes). Default for the maximum token size: 2 MB (megabytes). Copy constructor for .
Initializes a new instance of the class. Gets or sets . Gets or sets a delegate that will be used to validate the audience. If set, this delegate will be called to validate the 'audience' instead of normal processing. If is false, this delegate will not be called. Gets or sets a delegate that will be used to read the token. If set, this delegate will be called to read the token instead of normal processing. Gets or sets the AuthenticationType when creating a . If 'value' is null or whitespace. Gets or sets the clock skew to apply when validating a time. If 'value' is less than 0. Returns a new instance of with values copied from this object. A new object copied from this object. This is a shallow clone.
Creates a using: 'NameClaimType': If NameClaimTypeRetriever is set, call the delegate, else use NameClaimType. If the result is a null or empty string, use . 'RoleClaimType': If RoleClaimTypeRetriever is set, call the delegate, else use RoleClaimType. If the result is a null or empty string, use . A with Authentication, NameClaimType and RoleClaimType set.
Users can override the default with this property. This factory will be used for creating signature providers. Gets or sets the that is to be used for decryption. Gets or sets a delegate that will be called to retrieve a used for decryption. This will be used to decrypt the token. This can be helpful when the does not contain a key identifier. Gets or sets a delegate for validating the that signed the token. If set, this delegate will be called to validate the that signed the token, instead of normal processing. Gets or sets the that is to be used for signature validation. Gets or sets a delegate that will be called to retrieve a used for signature validation. This will be used to check the signature. This can be helpful when the does not contain a key identifier. Gets or sets an used for signature validation. Gets or sets a delegate that will be used to validate the issuer of the token.
If set, this delegate will be called to validate the 'issuer' of the token, instead of normal processing. If is false, this delegate will not be called. Gets or sets a delegate that will be used to validate the lifetime of the token. If set, this delegate will be called to validate the lifetime of the token, instead of normal processing. If is false, this delegate will not be called. Gets or sets a delegate that will be used to validate the token replay of the token. If set, this delegate will be called to validate the token replay of the token, instead of normal processing. If is false, this delegate will not be called. Gets or sets a that defines the . Controls the value returns. It will return the first where the equals . Gets or sets the that defines the . Controls the results of . Each where == will be checked for a match against the 'string' passed to . Gets or sets a delegate that will be called to obtain the NameClaimType to use when creating a ClaimsIdentity after validating a token. Gets or sets a value indicating whether tokens must have an 'expiration' value. Gets or sets a value indicating whether a can be considered valid if not signed. Gets or sets a delegate that will be called to obtain the RoleClaimType to use when creating a ClaimsIdentity after validating a token. Gets or sets a boolean to control if the original token should be saved after the security token is validated. The runtime will consult this value and save the original token that was validated. Gets or sets a delegate that will be used to validate the signature of the token. If set, this delegate will be called to validate the signature of the token, instead of normal processing. Gets or sets the that is to be used for decrypting inbound tokens. Gets or sets the that stores tokens that can be checked to help detect token replay. If set, then tokens must have an expiration time or the runtime will fault. Gets or sets a value indicating, if an actor token is detected, whether it should be validated.
Gets or sets a boolean to control if the audience will be validated during token validation. Validation of the audience mitigates forwarding attacks. For example, a site that receives a token could not replay it to another site. A forwarded token would contain the audience of the original site.
Gets or sets a boolean to control if the issuer will be validated during token validation. Validation of the issuer mitigates forwarding attacks that can occur when an IdentityProvider represents multiple tenants and signs tokens with the same keys. It is possible that a token issued for the same audience could be from a different tenant. For example, an application could accept users from contoso.onmicrosoft.com but not fabrikam.onmicrosoft.com, both valid tenants. An application that accepts tokens from fabrikam could forward them to the application that accepts tokens for contoso.
Gets or sets a boolean to control if the lifetime will be validated during token validation.
Gets or sets a boolean that controls if validation of the that signed the securityToken is called. It is possible for tokens to contain the public key needed to check the signature. For example, X509Data can be hydrated into an X509Certificate, which can be used to validate the signature. In these cases it is important to validate the SigningKey that was used to validate the signature.
Gets or sets a boolean to control if the token replay will be validated during token validation. Gets or sets a string that represents a valid audience that will be used to check against the token's audience. Gets or sets the that contains valid audiences that will be used to check against the token's audience. Gets or sets a that represents a valid issuer that will be used to check against the token's issuer. Gets or sets the that contains valid issuers that will be used to check against the token's issuer.
Generates unique IDs. Creates a unique ID suitable for use in an xml:id field.
The value is not hard to guess but is unique. The unique ID. Creates a unique ID similar to that created by CreateNonRandomId, but instead of an underscore, the supplied prefix is used. The prefix to use. The unique ID, with the given prefix. Creates a unique, random ID suitable for use in an xml:id field. The value is hard to guess and unique. The unique ID. Creates a unique, random ID similar to that created by CreateRandomId, but instead of an underscore, the supplied prefix is used. The prefix to use. The random URI. Creates a unique, random ID suitable for use as a URI. The value is hard to guess and unique. The URI is in the urn:uuid: namespace. The random URI.
Contains some utility methods. A string with "empty" value. A string with "null" value. Creates a copy of the byte array. The resource array. A copy of the byte array. Serializes the list of strings into a string as follows: 'str1','str2','str3' ... The strings used to build a comma delimited string. The single . Returns whether the input string is https. The input string. true if the input string is https; otherwise, false. Returns whether the input uri is https. . true if the input uri is https; otherwise, false. Compares two byte arrays for equality. Hash size is fixed; normally it is 32 bytes. The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents. One set of bytes to compare. The other set of bytes to compare with. true if the bytes are equal, false otherwise. Compares two byte arrays for equality. Hash size is fixed; normally it is 32 bytes. The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents. One set of bytes to compare. The other set of bytes to compare with. length of array to check. true if the bytes are equal, false otherwise.
AudienceValidator Determines if the audiences found in a are valid. The audiences found in the . The being validated. required for validation.
If 'validationParameters' is null. If 'audiences' is null and is true. If is null or whitespace and is null. If none of the 'audiences' matched either or one of . An EXACT match is required.
Determines if an issuer found in a is valid. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". If 'validationParameters' is null. If 'issuer' is null or whitespace and is true. If is null or whitespace and is null. If 'issuer' failed to match either or one of . An EXACT match is required.
Validates the that signed a . The that signed the . The being validated. required for validation. if 'securityKey' is null and ValidateIssuerSigningKey is true. if 'securityToken' is null and ValidateIssuerSigningKey is true. if 'validationParameters' is null.
Validates the lifetime of a . The 'notBefore' time found in the . The 'expiration' time found in the . The being validated. required for validation. If 'validationParameters' is null. If 'expires.HasValue' is false and is true. If 'notBefore' is > 'expires'. If 'notBefore' is > DateTime.UtcNow. If 'expires' is < DateTime.UtcNow. All time comparisons apply .
Validates if a token has been replayed. When does the security token expire. The being validated. required for validation. If 'securityToken' is null or whitespace. If 'validationParameters' is null or whitespace. If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time. If the 'securityToken' is found in the cache. If the 'securityToken' could not be added to the .
Validates if a token has been replayed. The being validated. When does the security token expire. required for validation. If 'securityToken' is null or whitespace. If 'validationParameters' is null or whitespace. If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
If the 'securityToken' is found in the cache. If the 'securityToken' could not be added to the . Security key that allows access to cert Instantiates a using a The cert to use. Gets the key size. Gets the X5t of this . Returns the private key from the . Gets the public key from the . Gets a bool indicating if a private key exists. true if it has a private key; otherwise, false. Gets an enum indicating if a private key exists. 'Exists' if private key exists for sure; 'DoesNotExist' if private key doesn't exist for sure; 'Unknown' if we cannot determine. Gets the . Returns a bool indicating if this key is equivalent to another key. true if the keys are equal; otherwise, false. Returns an int hash code. An int hash code
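The symmetric signature provider described above (minimum key size enforced in the constructor, sign, verify, and a byte comparison that takes the same time when an attacker shortens the signature or alters the signed content) as an added example; this is not the library's own code. It uses only HMACSHA256 from System.Security.Cryptography. The class name, the 128-bit minimum key size and the sample key and payload are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the library's own code: an HMAC-SHA256 signature provider that
// enforces a minimum key size and compares signatures in fixed time.
public sealed class HmacSha256SignatureProvider : IDisposable
{
    // Assumption for this example: a 128-bit minimum key size for HS256.
    public const int MinimumKeySizeInBits = 128;
    private readonly HMACSHA256 _hmac;
    private bool _disposed;

    public HmacSha256SignatureProvider(byte[] key)
    {
        if (key == null) throw new ArgumentNullException(nameof(key));
        if (key.Length * 8 < MinimumKeySizeInBits)
            throw new ArgumentOutOfRangeException(nameof(key),
                $"key size {key.Length * 8} bits is smaller than the minimum {MinimumKeySizeInBits} bits");
        _hmac = new HMACSHA256(key);
    }

    public byte[] Sign(byte[] input)
    {
        ThrowIfDisposed();
        if (input == null) throw new ArgumentNullException(nameof(input));
        if (input.Length == 0) throw new ArgumentException("input is empty", nameof(input));
        return _hmac.ComputeHash(input);
    }

    public bool Verify(byte[] input, byte[] signature)
    {
        ThrowIfDisposed();
        if (input == null) throw new ArgumentNullException(nameof(input));
        if (signature == null) throw new ArgumentNullException(nameof(signature));
        if (input.Length == 0) throw new ArgumentException("input is empty", nameof(input));
        if (signature.Length == 0) throw new ArgumentException("signature is empty", nameof(signature));
        return AreEqual(_hmac.ComputeHash(input), signature);
    }

    // Fixed-time comparison. The loop always runs over the length of the expected hash
    // (32 bytes for SHA-256): when the candidate has a different length, the expected hash
    // is read against itself and the length mismatch is folded into 'diff', so a truncated
    // or altered signature costs the same as a correct one and there is no early exit.
    public static bool AreEqual(byte[] expected, byte[] candidate)
    {
        if (expected == null || candidate == null) return false;
        byte[] other = expected.Length == candidate.Length ? candidate : expected;
        int diff = expected.Length ^ candidate.Length;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ other[i];
        return diff == 0;
    }

    public void Dispose()
    {
        if (_disposed) return;
        _hmac.Dispose();
        _disposed = true;
    }

    private void ThrowIfDisposed()
    {
        if (_disposed) throw new ObjectDisposedException(nameof(HmacSha256SignatureProvider));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample key (32 bytes) and payload; not real material.
        byte[] key = Encoding.UTF8.GetBytes("example-key-0123456789abcdef0123");
        byte[] payload = Encoding.UTF8.GetBytes("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9");
        using (var provider = new HmacSha256SignatureProvider(key))
        {
            byte[] sig = provider.Sign(payload);
            Console.WriteLine($"untouched signature verifies: {provider.Verify(payload, sig)}");
            byte[] truncated = new byte[16];
            Array.Copy(sig, truncated, 16);
            Console.WriteLine($"truncated signature verifies: {provider.Verify(payload, truncated)}");
            payload[0] ^= 0x01;
            Console.WriteLine($"tampered payload verifies:    {provider.Verify(payload, sig)}");
        }
        try { new HmacSha256SignatureProvider(new byte[8]); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine($"short key rejected: {e.Message}"); }
    }
}
```

Only the untouched signature verifies; the truncated signature and the tampered payload are rejected, and an 8-byte key is refused before any HMAC is created. On .NET Core 2.1 and later, CryptographicOperations.FixedTimeEquals gives a fixed-time comparison for spans of equal length; the hand-written AreEqual above additionally keeps the loop length independent of the candidate's length, which is the property the utility method on this page documents.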
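The audience, issuer, lifetime and replay rules documented above for TokenValidationParameters and the Validators methods, carried out by a small self-contained validator as an added example; this is not the library's code. SimpleValidationParameters, SimpleValidators, ValidationFailedException, the HashSet standing in for the replay cache, the injected 'now' value and the sample audience and issuer strings are assumptions made for the example; the 300-second default clock skew, the exact-match requirement and the rule that a replay cache requires an expiration time are the documented behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the library's own code: the audience, issuer, lifetime and
// replay rules documented for TokenValidationParameters, carried out by a small validator.
public sealed class ValidationFailedException : Exception { public ValidationFailedException(string m) : base(m) { } }

public sealed class SimpleValidationParameters
{
    public static readonly TimeSpan DefaultClockSkew = TimeSpan.FromSeconds(300); // 5 minutes, as documented
    public bool ValidateAudience { get; set; } = true;
    public bool ValidateIssuer { get; set; } = true;
    public bool ValidateLifetime { get; set; } = true;
    public bool RequireExpirationTime { get; set; } = true;
    public TimeSpan ClockSkew { get; set; } = DefaultClockSkew;
    public string ValidAudience { get; set; }
    public IEnumerable<string> ValidAudiences { get; set; }
    public string ValidIssuer { get; set; }
    public IEnumerable<string> ValidIssuers { get; set; }
    // Assumption: a HashSet stands in for the replay cache; Add returns false when the token was seen before.
    public HashSet<string> TokenReplayCache { get; set; }
}

public static class SimpleValidators
{
    // EXACT (ordinal) match against the single value or any entry of the list: no prefix, no case folding.
    private static bool MatchesExactly(string value, string single, IEnumerable<string> many) =>
        !string.IsNullOrWhiteSpace(value) &&
        (string.Equals(value, single, StringComparison.Ordinal) ||
         (many != null && many.Any(m => string.Equals(value, m, StringComparison.Ordinal))));

    public static void ValidateAudience(IEnumerable<string> audiences, SimpleValidationParameters p)
    {
        if (p == null) throw new ArgumentNullException(nameof(p));
        if (!p.ValidateAudience) return;
        if (audiences == null) throw new ValidationFailedException("token carries no audience");
        if (string.IsNullOrWhiteSpace(p.ValidAudience) && p.ValidAudiences == null)
            throw new ValidationFailedException("ValidAudience and ValidAudiences are both unset");
        if (!audiences.Any(a => MatchesExactly(a, p.ValidAudience, p.ValidAudiences)))
            throw new ValidationFailedException("audience does not match");
    }

    // Returns the issuer to place in the ClaimsIdentity, as the documented IssuerValidator does.
    public static string ValidateIssuer(string issuer, SimpleValidationParameters p)
    {
        if (p == null) throw new ArgumentNullException(nameof(p));
        if (!p.ValidateIssuer) return issuer;
        if (string.IsNullOrWhiteSpace(issuer)) throw new ValidationFailedException("token carries no issuer");
        if (string.IsNullOrWhiteSpace(p.ValidIssuer) && p.ValidIssuers == null)
            throw new ValidationFailedException("ValidIssuer and ValidIssuers are both unset");
        if (!MatchesExactly(issuer, p.ValidIssuer, p.ValidIssuers))
            throw new ValidationFailedException("issuer does not match");
        return issuer;
    }

    // 'now' is passed in (assumption for the example) so the clock-skew rules can be exercised deterministically.
    public static void ValidateLifetime(DateTime? notBefore, DateTime? expires, SimpleValidationParameters p, DateTime now)
    {
        if (p == null) throw new ArgumentNullException(nameof(p));
        if (!p.ValidateLifetime) return;
        if (!expires.HasValue && p.RequireExpirationTime) throw new ValidationFailedException("token has no expiration time");
        if (notBefore.HasValue && expires.HasValue && notBefore.Value > expires.Value)
            throw new ValidationFailedException("notBefore is later than expires");
        if (notBefore.HasValue && notBefore.Value > now.Add(p.ClockSkew)) throw new ValidationFailedException("token is not yet valid");
        if (expires.HasValue && expires.Value < now.Subtract(p.ClockSkew)) throw new ValidationFailedException("token has expired");
    }

    public static void ValidateTokenReplay(string securityToken, DateTime? expires, SimpleValidationParameters p)
    {
        if (string.IsNullOrWhiteSpace(securityToken)) throw new ArgumentNullException(nameof(securityToken));
        if (p == null) throw new ArgumentNullException(nameof(p));
        if (p.TokenReplayCache == null) return;
        if (!expires.HasValue) throw new ValidationFailedException("a replay cache requires an expiration time");
        if (!p.TokenReplayCache.Add(securityToken)) throw new ValidationFailedException("token already seen: replay");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, not real endpoints.
        var p = new SimpleValidationParameters { ValidAudience = "api://contoso",
            ValidIssuers = new[] { "https://login.example.test/contoso/" }, TokenReplayCache = new HashSet<string>(StringComparer.Ordinal) };
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        SimpleValidators.ValidateAudience(new[] { "api://contoso" }, p);                          // exact match passes
        Expect(() => SimpleValidators.ValidateAudience(new[] { "api://contoso/" }, p));            // trailing slash: no match
        Expect(() => SimpleValidators.ValidateIssuer("https://login.example.test/fabrikam/", p));  // other tenant, same key
        SimpleValidators.ValidateLifetime(now.AddMinutes(-10), now.AddMinutes(-2), p, now);        // expired 2 min ago: inside skew
        Expect(() => SimpleValidators.ValidateLifetime(now.AddMinutes(-10), now.AddMinutes(-6), p, now)); // beyond skew
        SimpleValidators.ValidateTokenReplay("token-1", now.AddMinutes(5), p);                     // first presentation
        Expect(() => SimpleValidators.ValidateTokenReplay("token-1", now.AddMinutes(5), p));       // second presentation: replay
        Expect(() => SimpleValidators.ValidateTokenReplay("token-2", null, p));                    // no expiry while a cache is set
    }

    private static void Expect(Action check)
    { try { check(); throw new InvalidOperationException("expected a validation failure"); } catch (ValidationFailedException) { } }
}
```

Main completes without throwing when every rule behaves as the documentation states: the audience and issuer checks are ordinal and exact, so a trailing slash or a sibling tenant under the same identity provider does not match; a token expired two minutes ago is still accepted under the default five-minute skew while one expired six minutes ago is not; and once a replay cache is configured a token without an expiration time is rejected, as is the second presentation of the same token.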