System.IdentityModel.Tokens.Jwt Constants for Json Web tokens. A URI that represents the JSON XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. A URI that represents the JSON array XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. A URI that represents the JSON null data type. When mapping json to .Net Claim(s), we use empty string to represent the claim value and set the ClaimValueType to JsonNull. Delegate that can be set on to control serialization of objects into JSON. Object to serialize. The serialized object. Delegate that can be set on to control deserialization of JSON into objects. JSON to deserialize. Type expected. The deserialized object. Dictionary extensions for serializations. Gets or sets a to use when serializing objects to JSON. If 'value' is null. Gets or sets a to use when deserializing objects from JSON. If 'value' is null. Serializes an object to JSON. The object to serialize. The object as JSON. Deserializes JSON into an instance of type T. The object type. The JSON to deserialize. A new instance of type T. Deserializes JSON into an instance of . The JSON to deserialize. A new instance . Deserializes JSON into an instance of . The JSON to deserialize. A new instance . Constants for Json Web tokens. Short header type. Long header type. Short token type. Long token type. JWS - Token format: 'header.payload.signature'. Signature is optional, but '.' is required. JWE - Token format: 'protectedheader.encryptedkey.iv.cyphertext.authenticationtag'. The number of parts in a JWE token.
The number of parts in a JWS token. The maximum number of parts in a JWT. JWE header alg indicating a shared symmetric key is directly used as CEK. Initializes a new instance of which contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT. The member names within the JWT Header are referred to as Header Parameter Names. These names MUST be unique and the values must be (s). The corresponding values are referred to as Header Parameter Values. Initializes a new instance of the class. Default string comparer . Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, SigningCredentials.Algorithm } } used creating a JWS Compact JSON. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, EncryptingCredentials.Alg }, { enc, EncryptingCredentials.Enc } } used creating a JWE Compact JSON. If 'encryptingCredentials' is null. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, SigningCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, SigningCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. will be added as the value for the 'typ' claim in the header. If it is null or empty will be used as token type Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, SigningCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. will be added as the value for the 'typ' claim in the header. 
If it is null or empty will be used as token type Defines the dictionary containing any custom header claims that need to be added to the inner JWT token header. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, EncryptingCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. If 'encryptingCredentials' is null. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, EncryptingCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. provides the token type If 'encryptingCredentials' is null. Initializes a new instance of . With the Header Parameters: { { typ, JWT }, { alg, EncryptingCredentials.Algorithm } } used when creating a JWS Compact JSON. provides a mapping for the 'alg' value so that values are within the JWT namespace. provides the token type Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. If 'encryptingCredentials' is null. Gets the signature algorithm that was used to create the signature. If the signature algorithm is not found, null is returned. Gets the content mime type (Cty) of the token. If the content mime type is not found, null is returned. Gets the encryption algorithm (Enc) of the token. If the content mime type is not found, null is returned. Gets the passed in the constructor. This value may be null. Gets the iv of symmetric key wrap. Gets the key identifier for the security key used to sign the token Gets the passed in the constructor. This value may be null. Gets the mime type (Typ) of the token. If the mime type is not found, null is returned. Gets the thumbprint of the certificate used to sign the token Gets the certificate used to sign the token If the 'x5c' claim is not found, null is returned. 
Gets the 'value' of the 'zip' claim { zip, 'value' }. If the 'zip' claim is not found, null is returned. Deserializes Base64UrlEncoded JSON into a instance. Base64url encoded JSON to deserialize. An instance of . Use to customize JSON serialization. Encodes this instance as Base64UrlEncoded JSON. Base64UrlEncoded JSON. Use to customize JSON serialization. Deserializes JSON into a instance. The JSON to deserialize. An instance of . Use to customize JSON serialization. Gets a standard claim from the header. A standard claim is either a string or a value of another type serialized in JSON format. The key of the claim. The standard claim string; or null if not found. Serializes this instance to JSON. This instance as JSON. Use to customize JSON serialization. List of header parameter names see: https://datatracker.ietf.org/doc/html/rfc7519#section-5. See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10 Also: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2 See: https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.7.1.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9 Also: https://datatracker.ietf.org/doc/html/rfc7519#section-5.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 See: https://datatracker.ietf.org/doc/html/rfc7515#page-12 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5 See: https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.3 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.1 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.3 Initializes a new instance of which
contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }. Initializes a new instance of the class with no claims. Default string comparer . Creates an empty Initializes a new instance of the class with . Default string comparer . The claims to add. Initializes a new instance of the class with claims added for each parameter specified. Default string comparer . If this value is not null, a { iss, 'issuer' } claim will be added, overwriting any 'iss' claim in 'claims' if present. If this value is not null, a { aud, 'audience' } claim will be added, appending to any 'aud' claims in 'claims' if present. If this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. If notbefore.HasValue a { nbf, 'value' } claim is added, overwriting any 'nbf' claim in 'claims' if present. If expires.HasValue a { exp, 'value' } claim is added, overwriting any 'exp' claim in 'claims' if present. Initializes a new instance of the class with claims added for each parameter specified. Default string comparer . If this value is not null, a { iss, 'issuer' } claim will be added, overwriting any 'iss' claim in 'claims' if present. If this value is not null, a { aud, 'audience' } claim will be added, appending to any 'aud' claims in 'claims' if present. If this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. If notbefore.HasValue a { nbf, 'value' } claim is added, overwriting any 'nbf' claim in 'claims' if present. If expires.HasValue a { exp, 'value' } claim is added, overwriting any 'exp' claim in 'claims' if present. If issuedAt.HasValue is 'true' a { iat, 'value' } claim is added, overwriting any 'iat' claim in 'claims' if present.
Comparison is set to The 4 parameters: 'issuer', 'audience', 'notBefore', 'expires' take precedence over (s) in 'claims'. The values will be overridden. If 'expires' <= 'notbefore'. Initializes a new instance of the class with claims added for each parameter specified. Default string comparer . If this value is not null, a { iss, 'issuer' } claim will be added, overwriting any 'iss' claim in 'claims' and 'claimCollection' if present. If this value is not null, a { aud, 'audience' } claim will be added, appending to any 'aud' claims in 'claims' or 'claimCollection' if present. If this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. If both and are not null then the values in claims will be combined with the values in claimsCollection. The values found in claimCollection take precedence over those found in claims, so any duplicate values will be overridden. If notbefore.HasValue a { nbf, 'value' } claim is added, overwriting any 'nbf' claim in 'claims' and 'claimcollection' if present. If expires.HasValue a { exp, 'value' } claim is added, overwriting any 'exp' claim in 'claims' and 'claimcollection' if present. If issuedAt.HasValue is 'true' a { iat, 'value' } claim is added, overwriting any 'iat' claim in 'claims' and 'claimcollection' if present. Comparison is set to The 4 parameters: 'issuer', 'audience', 'notBefore', 'expires' take precedence over (s) in 'claims' and 'claimcollection'. The values will be overridden. If 'expires' <= 'notbefore'. Adds Nbf, Exp, Iat, Iss and Aud claims to payload If this value is not null, a { iss, 'issuer' } claim will be added, overwriting any 'iss' claim in instance. If this value is not null, a { aud, 'audience' } claim will be added, appending to any 'aud' claims in instance. If notbefore.HasValue a { nbf, 'value' } claim is added, overwriting any 'nbf' claim in instance. 
If expires.HasValue a { exp, 'value' } claim is added, overwriting any 'exp' claim in instance. If issuedAt.HasValue is 'true' a { iat, 'value' } claim is added, overwriting any 'iat' claim in instance. Gets the 'value' of the 'actor' claim { actort, 'value' }. If the 'actor' claim is not found, null is returned. Gets the 'value' of the 'acr' claim { acr, 'value' }. If the 'acr' claim is not found, null is returned. Gets the 'value' of the 'amr' claim { amr, 'value' } as list of strings. If the 'amr' claim is not found, an empty enumerable is returned. Gets the 'value' of the 'auth_time' claim { auth_time, 'value' }. If the 'auth_time' claim is not found OR could not be converted to , null is returned. Gets the 'value' of the 'audience' claim { aud, 'value' } as a list of strings. If the 'audience' claim is not found, an empty enumerable is returned. Gets the 'value' of the 'azp' claim { azp, 'value' }. If the 'azp' claim is not found, null is returned. Gets 'value' of the 'c_hash' claim { c_hash, 'value' }. If the 'c_hash' claim is not found, null is returned. Gets the 'value' of the 'expiration' claim { exp, 'value' }. If the 'expiration' claim is not found OR could not be converted to , null is returned. Gets the 'value' of the 'JWT ID' claim { jti, 'value' }. If the 'JWT ID' claim is not found, null is returned. Gets the 'value' of the 'Issued At' claim { iat, 'value' }. If the 'Issued At' claim is not found OR cannot be converted to null is returned. Gets the 'value' of the 'issuer' claim { iss, 'value' }. If the 'issuer' claim is not found, null is returned. Gets the 'value' of the 'notbefore' claim { nbf, 'value' }. If the 'notbefore' claim is not found OR could not be converted to , null is returned. Gets the 'value' of the 'nonce' claim { nonce, 'value' }. If the 'nonce' claim is not found, null is returned. Gets the 'value' of the 'subject' claim { sub, 'value' }. If the 'subject' claim is not found, null is returned.
Gets the 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'notbefore' claim is not found, then is returned. Time is returned as UTC. Gets the 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'expiration' claim is not found, then is returned. Gets the 'value' of the 'issued at' claim { iat, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'issued at' claim is not found, then is returned. Gets a for each JSON { name, value }. Each (s) returned will have the translated according to the mapping found in . Adding and removing to will affect the value of the . and will be set to the value of ( if null). Adds a JSON object representing the to the { 'Claim.Type', 'Claim.Value' } is added. If a JSON object is found with the name == then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. See For details on how is applied. 'claim' is null. Adds a number of to the as JSON { name, value } pairs. For each a JSON pair { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. Any in the that is null, will be ignored. is null. Adds claims from dictionary. A dictionary of claims. If a key is already present in target dictionary, its value is overridden by the value of the key in claimsCollection. Gets the DateTime using the number of seconds from 1970-01-01T0:0:0Z (UTC) Claim in the payload that should map to an integer. If the claim is not found, the function returns: DateTime.MinValue If an overflow exception is thrown by the runtime. The DateTime representation of a claim. Serializes this instance to JSON. This instance as JSON. Use to customize JSON serialization. Encodes this instance as Base64UrlEncoded JSON. 
Base64UrlEncoded JSON. Use to customize JSON serialization. Deserializes Base64UrlEncoded JSON into a instance. base64url encoded JSON to deserialize. An instance of . Use to customize JSON serialization. Deserializes JSON into a instance. The JSON to deserialize. An instance of . Use to customize JSON serialization. List of registered claims from different sources https://datatracker.ietf.org/doc/html/rfc7519#section-4 http://openid.net/specs/openid-connect-core-1_0.html#IDToken http://openid.net/specs/openid-connect-core-1_0.html#IDToken http://openid.net/specs/openid-connect-core-1_0.html#IDToken https://datatracker.ietf.org/doc/html/rfc7519#section-4 http://openid.net/specs/openid-connect-core-1_0.html#IDToken http://openid.net/specs/openid-connect-core-1_0.html#IDToken https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://datatracker.ietf.org/doc/html/rfc7519#section-4 https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://datatracker.ietf.org/doc/html/rfc7519#section-4 https://datatracker.ietf.org/doc/html/rfc7519#section-4 https://datatracker.ietf.org/doc/html/rfc7519#section-4 https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest https://datatracker.ietf.org/doc/html/rfc7519#section-4 http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout https://datatracker.ietf.org/doc/html/rfc7519#section-4 https://datatracker.ietf.org/doc/html/rfc7519#section-5 A designed for representing a JSON Web Token (JWT). Initializes a new instance of from a string in JWS Compact serialized format.
A JSON Web Token that has been serialized in JWS Compact serialized format. 'jwtEncodedString' is null or contains only whitespace. 'jwtEncodedString' contains only whitespace. 'jwtEncodedString' is not in JWE format. 'jwtEncodedString' is not in JWS or JWE format. The contents of this have not been validated, the JSON Web Token is simply decoded. Validation can be accomplished using Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations. Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value } base64urlencoded JwtHeader base64urlencoded JwtPayload base64urlencoded JwtSignature 'header' is null. 'payload' is null. 'rawSignature' is null. 'rawHeader' or 'rawPayload' is null or whitespace. Initializes an instance of where the contains the crypto algorithms applied to the innerToken . Defines cryptographic operations applied to the 'innerToken'. base64urlencoded key base64urlencoded JwtHeader base64urlencoded initialization vector. base64urlencoded encrypted innerToken base64urlencoded authentication tag. 'header' is null. 'innerToken' is null. 'rawHeader' is null. 'rawEncryptedKey' is null. 'rawInitialVector' is null or empty. 'rawCiphertext' is null or empty. 'rawAuthenticationTag' is null or empty. Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations. Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value } 'header' is null. 'payload' is null. 
Initializes a new instance of the class specifying optional parameters. If this value is not null, a { iss, 'issuer' } claim will be added, overwriting any 'iss' claim in 'claims' if present. If this value is not null, a { aud, 'audience' } claim will be added, appending to any 'aud' claims in 'claims' if present. If this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. If expires.HasValue a { exp, 'value' } claim is added, overwriting any 'exp' claim in 'claims' if present. If notbefore.HasValue a { nbf, 'value' } claim is added, overwriting any 'nbf' claim in 'claims' if present. The that will be used to sign the . See for details pertaining to the Header Parameter(s). If 'expires' <= 'notbefore'. Gets the 'value' of the 'actor' claim { actort, 'value' }. If the 'actor' claim is not found, null is returned. Gets the list of 'audience' claim { aud, 'value' }. If the 'audience' claim is not found, enumeration will be empty. Gets the (s) for this token. If this is a JWE token, this property only returns the encrypted claims; the unencrypted claims should be read from the header separately. (s) returned will NOT have the translated according to Gets the Base64UrlEncoded associated with this instance. Gets the Base64UrlEncoded associated with this instance. Gets the associated with this instance if the token is signed. Gets the 'value' of the 'JWT ID' claim { jti, 'value' }. If the 'JWT ID' claim is not found, an empty string is returned. Gets the 'value' of the 'issuer' claim { iss, 'value' }. If the 'issuer' claim is not found, an empty string is returned. Gets the associated with this instance. Note that if this JWT is nested ( != null), this property represents the payload of the most inner token.
This property can be null if the content type of the most inner token is unrecognized, in that case the content of the token is the string returned by PlainText property. Gets the associated with this instance. Gets the original raw data of this instance when it was created. The original JSON Compact serialized format passed to one of the two constructors or Gets the s for this instance. Gets the signature algorithm associated with this instance. If there is a associated with this instance, a value will be returned. Null otherwise. Gets the to use when writing this token. Gets the to use when writing this token. Gets or sets the that signed this instance. .ValidateSignature(...) sets this value when a is used to successfully validate a signature. Gets the "value" of the 'subject' claim { sub, 'value' }. If the 'subject' claim is not found, null is returned.
Gets the 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'notbefore' claim is not found, then is returned. Gets the 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'expiration' claim is not found, then is returned. Gets the 'value' of the 'issued at' claim { iat, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'issued at' claim is not found, then is returned. Serializes the and A string containing the header and payload in JSON format. Decodes the string into the header, payload and signature. the tokenized string. the original token. Decodes the payload and signature from the JWS parts. Parts of the JWS including the header. Assumes Header has already been set. Decodes the payload and signature from the JWE parts. Parts of the JWE including the header. Assumes Header has already been set. A designed for creating and validating Json Web Tokens. See: https://datatracker.ietf.org/doc/html/rfc7519 and http://www.rfc-editor.org/info/rfc7515 Default claim type mapping for inbound claims. Default value for the flag that determines whether or not the InboundClaimTypeMap is used. Default claim type mapping for outbound claims. Default claim type filter list. Default JwtHeader algorithm mapping Static initializer for a new object. Static initializers run before the first instance of the type is created. Initializes a new instance of the class. Gets or sets the property which is used when determining whether or not to map claim types that are extracted when validating a . If this is set to true, the is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs. The default value is true. Gets or sets the which is used when setting the for claims in the extracted when validating a . 
The is set to the JSON claim 'name' after translating using this mapping. The default value is ClaimTypeMapping.InboundClaimTypeMap. 'value' is null. Gets or sets the which is used when creating a from (s). The JSON claim 'name' value is set to after translating using this mapping. The default value is ClaimTypeMapping.OutboundClaimTypeMap. This mapping is applied only when using or . Adding values directly will not result in translation. 'value' is null. Gets the outbound algorithm map that is passed to the constructor. Gets or sets the used to filter claims when populating a claims from a . When a is validated, claims with types found in this will not be added to the . The default value is ClaimTypeMapping.InboundClaimFilter. 'value' is null. Gets or sets the property name of the will contain the original JSON claim 'name' if a mapping occurred when the (s) were created. See for more information. If .IsNullOrWhiteSpace('value') is true. Gets or sets the property name of the will contain .Net type that was recognized when serializing the value to JSON. See for more information. If .IsNullOrWhiteSpace('value') is true. Returns a value that indicates if this handler can validate a . 'true', indicating this instance can validate a . Gets the value that indicates if this instance can write a . 'true', indicating this instance can write a . Gets the type of the . The type of Determines if the string is a well formed Json Web Token (JWT). See: https://datatracker.ietf.org/doc/html/rfc7519 String that should represent a valid JWT. Uses matching one of: JWS: @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" JWE: (dir): @"^[A-Za-z0-9-_]+\.\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" JWE: (wrappedkey): @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]$" 'false' if the token is null or whitespace. 'false' if token.Length is greater than . 'true' if the token is in JSON compact serialization format. Returns a Json Web Token (JWT).
A that contains details of contents of the token. A JWS and JWE can be returned. If is provided, then a JWE will be created. If is provided then a JWS will be created. If both are provided then a JWE with an embedded JWS will be created. Creates a JWT in 'Compact Serialization Format'. The issuer of the token. The audience for this token. The source of the (s) for this token. The notbefore time for this token. The expiration time for this token. The issue time for this token. Contains cryptographic material for generating a signature. If is not null, then a claim { actort, 'value' } will be added to the payload. See for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each in the will map by applying . Modifying could change the outbound JWT. If is provided, then a JWS will be created. A Base64UrlEncoded string in 'Compact Serialization Format'. Creates a JWT in 'Compact Serialization Format'. The issuer of the token. The audience for this token. The source of the (s) for this token. Translated into 'epoch time' and assigned to 'nbf'. Translated into 'epoch time' and assigned to 'exp'. Translated into 'epoch time' and assigned to 'iat'. Contains cryptographic material for signing. Contains cryptographic material for encrypting. If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each in the will map by applying . Modifying could change the outbound JWT. A Base64UrlEncoded string in 'Compact Serialization Format'. If 'expires' <= 'notBefore'. Creates a JWT in 'Compact Serialization Format'. The issuer of the token. The audience for this token. The source of the (s) for this token. Translated into 'epoch time' and assigned to 'nbf'. 
Translated into 'epoch time' and assigned to 'exp'. Translated into 'epoch time' and assigned to 'iat'. Contains cryptographic material for signing. Contains cryptographic material for encrypting. A collection of (key,value) pairs representing (s) for this token. If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each in the will map by applying . Modifying could change the outbound JWT. A Base64UrlEncoded string in 'Compact Serialization Format'. If 'expires' <= 'notBefore'. Creates a Json Web Token (JWT). A that contains details of contents of the token. is used to sign . Creates a The issuer of the token. The audience for this token. The source of the (s) for this token. The notbefore time for this token. The expiration time for this token. The issue time for this token. Contains cryptographic material for generating a signature. Contains cryptographic material for encrypting the token. If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each on the added will have translated according to the mapping found in . Adding and removing to will affect the name component of the Json claim. is used to sign . is used to encrypt or . A . If <= . Creates a The issuer of the token. The audience for this token. The source of the (s) for this token. The notbefore time for this token. The expiration time for this token. The issue time for this token. Contains cryptographic material for generating a signature. Contains cryptographic material for encrypting the token. A collection of (key,value) pairs representing (s) for this token. 
If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each on the added will have translated according to the mapping found in . Adding and removing to will affect the name component of the Json claim. is used to sign . is used to encrypt or . A . If <= . Creates a The issuer of the token. The audience for this token. The source of the (s) for this token. The notbefore time for this token. The expiration time for this token. The issue time for this token. Contains cryptographic material for generating a signature. If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. See for details on how the HeaderParameters are added to the header. See for details on how the values are added to the payload. Each on the added will have translated according to the mapping found in . Adding and removing to will affect the name component of the Json claim. is used to sign . A . If <= . Creates a Json Web Token (JWT). A that contains details of contents of the token. is used to sign . Converts a string into an instance of . A 'JSON Web Token' (JWT) in JWS or JWE Compact Serialization Format. A is null or empty. 'token.Length' is greater than . If the is in JWE Compact Serialization format, only the protected header will be deserialized. This method is unable to decrypt the payload. Use to obtain the payload. The token is NOT validated and no security decisions should be made about the contents. Use to ensure the token is acceptable. Converts a string into an instance of . A 'JSON Web Token' (JWT) in JWS or JWE Compact Serialization Format. A is null or empty. 'token.Length' is greater than . If the is in JWE Compact Serialization format, only the protected header will be deserialized. 
This method is unable to decrypt the payload. Use to obtain the payload. The token is NOT validated and no security decisions should be made about the contents. Use to ensure the token is acceptable.
Deserializes token with the provided . . The current . The This method is not currently supported.
Reads and validates a 'JSON Web Token' (JWT) encoded as a JWS or JWE in Compact Serialized Format. The JWT encoded as JWE or JWS. Contains validation parameters for the . The that was validated. is null or whitespace. is null. .Length is greater than . does not have 3 or 5 parts. returns false. was a JWE was not able to be decrypted. 'kid' header claim is not null AND decryption fails. 'enc' header claim is null or empty. 'exp' claim is < DateTime.UtcNow. is null or whitespace and is null. Audience is not validated if is set to false. 'aud' claim did not match either or one of . 'nbf' claim is > 'exp' claim. .signature is not properly formatted. 'exp' claim is missing and is true. is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time. 'nbf' claim is > DateTime.UtcNow. could not be added to the . is found in the cache. A from the JWT. Does not include claims found in the JWT header. Many of the exceptions listed above are not thrown directly from this method. See to examine the call graph.
Private method for token validation, responsible for: (1) Obtaining a configuration from the . (2) Revalidating using the Last Known Good Configuration (if present), and obtaining a refreshed configuration (if necessary) and revalidating using it. The JWS string, or the decrypted token if the token is a JWE. If the token being validated is a JWE, this is the that represents the outer token. If the token is a JWS, the value of this parameter is . The to be used for validation. The that was validated. A from the JWT. Does not include claims found in the JWT header.
Validates the JSON payload of a . The token to validate.
Contains validation parameters for the . A from the jwt. Does not include the header claims.
Serializes a into a JWT in Compact Serialization Format. to serialize. The JWT will be serialized as a JWE or JWS. will be used to create the JWT. If there is an inner token, the inner token's payload will be used. If either or .SigningCredentials are set, the JWT will be signed. If is set, a JWE will be created using the JWT above as the plaintext. is null. 'token' is not a not . both and are set. both and .EncryptingCredentials are set. if is set and is not set. A JWE or JWS in 'Compact Serialization Format'.
Obtains a and validates the signature. Bytes to validate. Signature to compare against. to use. Crypto algorithm to use. The being validated. Priority will be given to over . 'true' if signature is valid.
Validates that the signature, if found or required, is valid. A JWS token. that contains signing keys. If is null or whitespace. If is null. If a signature is not found and is true. If the has a key identifier and none of the (s) provided result in a validated signature. This can indicate that a key refresh is required. If after trying all the (s), none result in a validated signature AND the does not have a key identifier. A that has the signature validated if token was signed. If the is signed, the signature is validated even if is false. If the signature is validated, then the will be set to the key that signed the 'token'. It is the responsibility of to set the
Creates a from a . The to use as a source. The value to set Contains parameters for validating the token. A containing the .
Creates the 'value' for the actor claim: { actort, 'value' } as actor. representing the actor. If is not null:
  If 'type' is 'string', return as string.
  if 'type' is 'BootstrapContext' and 'BootstrapContext.SecurityToken' is 'JwtSecurityToken'
    if 'JwtSecurityToken.RawData' != null, return RawData.
    else return .
  if 'BootstrapContext.Token' != null, return 'Token'.
default: new ( ( actor.Claims ). 'actor' is null.
Determines if the audiences found in a are valid. The audiences found in the . The being validated. required for validation. See for additional details.
Validates the lifetime of a . The value of the 'nbf' claim if it exists in the 'jwtToken'. The value of the 'exp' claim if it exists in the 'jwtToken'. The being validated. required for validation. for additional details.
Determines if the issuer found in a is valid. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the (s) in the . for additional details.
Determines if a is already validated. The value of the 'exp' claim if it exists in the '. The that is being validated. required for validation.
Returns a to use when validating the signature of a token. The representation of the token that is being validated. The that is being validated. A required for validation. Returns a to use for signature validation. If key fails to resolve, then null is returned.
Returns a to use when decrypting a JWE. The the token that is being decrypted. The that is being decrypted. A required for validation. Returns a to use for signature validation. If key fails to resolve, then null is returned.
Decrypts a JWE and returns the clear text. The JWE that contains the cypher text. contains crypto material. the decoded / cleartext contents of the JWE. if is null. if is null. if 'jwtToken.Header.enc' is null or empty. if 'jwtToken.Header.kid' is not null AND decryption fails. if the JWE was not able to be decrypted.
Validates the is an expected value. The that signed the . The to validate. The current . If the is a then the X509Certificate2 will be validated using the CertificateValidator.
Serializes to XML a token of the type handled by this instance. The XML writer. A token of type .
Log messages and codes
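The warning in the token-reading entries above ("The token is NOT validated and no security decisions should be made about the contents"), shown as an added C# example that is not part of the library's documentation: a payload altered after signing is parsed without complaint but rejected by validation. The key, issuer, audience and the 'access_level' claim are constructed values; the types and methods are the library's own (System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed 33-byte demo secret; a real key comes from a secret store.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-0123456789ab"));
var handler = new JwtSecurityTokenHandler();
DateTime now = DateTime.UtcNow;
// Issue a signed JWS carrying a constructed claim, access_level=reader.
string jwt = handler.CreateEncodedJwt(
    "https://issuer.example", "api://demo",
    new ClaimsIdentity(new[] { new Claim("access_level", "reader") }),
    now, now.AddMinutes(5), now,
    new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

// Altered copy: payload edited after signing, original signature kept.
string[] parts = jwt.Split('.');
string payload = Base64UrlEncoder.Decode(parts[1]).Replace("reader", "admin");
string altered = parts[0] + "." + Base64UrlEncoder.Encode(payload) + "." + parts[2];

// ReadJwtToken only parses: it returns the altered claim without complaint.
JwtSecurityToken parsed = handler.ReadJwtToken(altered);
string level = parsed.Claims.First(c => c.Type == "access_level").Value;
Console.WriteLine("ReadJwtToken: access_level=" + level);

// ValidateToken checks signature, algorithm, issuer, audience and lifetime.
var parameters = new TokenValidationParameters
{
    ValidIssuer = "https://issuer.example",
    ValidAudience = "api://demo",
    IssuerSigningKey = key,
    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
    ClockSkew = TimeSpan.FromSeconds(30)
};
foreach (string candidate in new[] { jwt, altered })
{
    try
    {
        ClaimsPrincipal user = handler.ValidateToken(candidate, parameters, out _);
        Console.WriteLine("ValidateToken: accepted " + user.FindFirst("access_level")?.Value);
    }
    catch (SecurityTokenException ex)
    {
        Console.WriteLine("ValidateToken: rejected, " + ex.GetType().Name);
    }
}
```

Authorization code should take claims only from the ClaimsPrincipal returned by ValidateToken, never from the object returned by ReadJwtToken.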