diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs
new file mode 100644
index 0000000000..7b03368139
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs
@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates if a given algorithm for a is valid.
+ ///
+ /// The algorithm to be validated.
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ public static void ValidateAlgorithm(string algorithm, SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.AlgorithmValidator != null)
+ {
+ if (!validationParameters.AlgorithmValidator(algorithm, securityKey, securityToken, validationParameters))
+ {
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), securityKey))
+ {
+ InvalidAlgorithm = algorithm,
+ });
+ }
+
+ return;
+ }
+
+ if (validationParameters.ValidAlgorithms != null && validationParameters.ValidAlgorithms.Any() && !validationParameters.ValidAlgorithms.Contains(algorithm, StringComparer.Ordinal))
+ {
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10696, LogHelper.MarkAsNonPII(algorithm)))
+ {
+ InvalidAlgorithm = algorithm,
+ });
+ }
+ }
+ }
+}
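Review bot: The XML doc on ValidateAlgorithm carries no `<exception>` elements and does not say what happens when neither AlgorithmValidator nor ValidAlgorithms is configured, which is the case the `if` at the end of the body silently accepts: the method returns without checking anything, so an algorithm is only ever rejected when the caller set one of the two. The body is moved unchanged from Validators.cs, so this is a documentation point only. I would add `/// <exception cref="ArgumentNullException">If 'validationParameters' is null.</exception>` and `/// <exception cref="SecurityTokenInvalidAlgorithmException">If AlgorithmValidator rejects the algorithm, or ValidAlgorithms is non-empty and does not contain it (ordinal match).</exception>`, plus a `<remarks>` sentence stating that a null or empty ValidAlgorithms accepts every algorithm and that callers wanting a restriction must populate it or supply a delegate.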
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs
new file mode 100644
index 0000000000..1a50cb9d45
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs
@@ -0,0 +1,108 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates the that signed a .
+ ///
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
+ /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
+ /// if 'validationParameters' is null.
+ public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters, null);
+ }
+
+ ///
+ /// Validates the that signed a .
+ ///
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ /// The required for issuer and signing key validation.
+ /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
+ /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
+ /// if 'validationParameters' is null.
+ internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
+ {
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
+ {
+ if (!validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+
+ return;
+ }
+
+ if (validationParameters.IssuerSigningKeyValidator != null)
+ {
+ if (!validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+
+ return;
+ }
+
+ if (!validationParameters.ValidateIssuerSigningKey)
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10237);
+ return;
+ }
+
+ if (!validationParameters.RequireSignedTokens && securityKey == null)
+ {
+ LogHelper.LogInformation(LogMessages.IDX10252);
+ return;
+ }
+ else if (securityKey == null)
+ {
+ throw LogHelper.LogExceptionMessage(new ArgumentNullException(nameof(securityKey), LogMessages.IDX10253));
+ }
+
+ if (securityToken == null)
+ throw LogHelper.LogArgumentNullException(nameof(securityToken));
+
+ ValidateIssuerSigningKeyLifeTime(securityKey, validationParameters);
+ }
+
+ ///
+ /// Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired
+ ///
+ /// The that signed the .
+ /// The that are used to validate the token.
+ internal static void ValidateIssuerSigningKeyLifeTime(SecurityKey securityKey, TokenValidationParameters validationParameters)
+ {
+ X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
+ if (x509SecurityKey?.Certificate is X509Certificate2 cert)
+ {
+ DateTime utcNow = DateTime.UtcNow;
+ var notBeforeUtc = cert.NotBefore.ToUniversalTime();
+ var notAfterUtc = cert.NotAfter.ToUniversalTime();
+
+ if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow))));
+
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10250, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow));
+
+ if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow))));
+
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10251, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow));
+ }
+ }
+ }
+}
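Review bot: The summary on both ValidateIssuerSecurityKey overloads says the method validates the signing key, but with no delegate set the only built-in check is ValidateIssuerSigningKeyLifeTime, which acts solely on an X509SecurityKey with a certificate; any other key type (symmetric, RSA, JsonWebKey) passes with no check at all, and the doc should state that so callers do not assume the key itself was vetted. I would add to the internal overload's `<remarks>`: `/// When no validator delegate is set, the only built-in check is the certificate NotBefore/NotAfter window (with ClockSkew) of an X509SecurityKey; other key types are accepted as-is.` A smaller consistency point: the IDX10252 information log in the RequireSignedTokens branch is not gated by `LogHelper.IsEnabled(EventLogLevel.Informational)` while the two information logs in ValidateIssuerSigningKeyLifeTime are. The code is moved unchanged from Validators.cs.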
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs
new file mode 100644
index 0000000000..82d761c314
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs
@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates if a token has been replayed.
+ ///
+ /// When does the security token expire.
+ /// The being validated.
+ /// required for validation.
+ /// If 'securityToken' is null or whitespace.
+ /// If 'validationParameters' is null or whitespace.
+ /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
+ /// If the 'securityToken' is found in the cache.
+ /// If the 'securityToken' could not be added to the .
+ public static void ValidateTokenReplay(DateTime? expirationTime, string securityToken, TokenValidationParameters validationParameters)
+ {
+ if (string.IsNullOrWhiteSpace(securityToken))
+ throw LogHelper.LogArgumentNullException(nameof(securityToken));
+
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.TokenReplayValidator != null)
+ {
+ if (!validationParameters.TokenReplayValidator(expirationTime, securityToken, validationParameters))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10228,
+ LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))));
+ return;
+ }
+
+ if (!validationParameters.ValidateTokenReplay)
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10246);
+ return;
+ }
+
+ // check if token if replay cache is set, then there must be an expiration time.
+ if (validationParameters.TokenReplayCache != null)
+ {
+ if (!expirationTime.HasValue)
+ throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10227, securityToken)));
+
+ if (validationParameters.TokenReplayCache.TryFind(securityToken))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(LogHelper.FormatInvariant(LogMessages.IDX10228, securityToken)));
+
+ if (!validationParameters.TokenReplayCache.TryAdd(securityToken, expirationTime.Value))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayAddFailedException(LogHelper.FormatInvariant(LogMessages.IDX10229, securityToken)));
+ }
+
+ // if it reaches here, that means no token replay is detected.
+ LogHelper.LogInformation(LogMessages.IDX10240);
+ }
+
+ ///
+ /// Validates if a token has been replayed.
+ ///
+ /// The being validated.
+ /// When does the security token expire.
+ /// required for validation.
+ /// If 'securityToken' is null or whitespace.
+ /// If 'validationParameters' is null or whitespace.
+ /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
+ /// If the 'securityToken' is found in the cache.
+ /// If the 'securityToken' could not be added to the .
+ public static void ValidateTokenReplay(string securityToken, DateTime? expirationTime, TokenValidationParameters validationParameters)
+ {
+ ValidateTokenReplay(expirationTime, securityToken, validationParameters);
+ }
+ }
+}
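Review bot: In the TokenReplayCache branch of ValidateTokenReplay the raw `securityToken` string is formatted into the IDX10227, IDX10228 and IDX10229 exception messages, whereas the TokenReplayValidator branch a few lines above wraps the same value with `LogHelper.MarkAsUnsafeSecurityArtifact`; since the exception message is what LogHelper.LogExceptionMessage writes to the log, the cache branch can emit the full token into logs while the delegate branch does not. I would make the three calls consistent, e.g. `LogHelper.FormatInvariant(LogMessages.IDX10228, LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))`. Separately, `using System.Linq;`, `using System.Security.Cryptography.X509Certificates;` and `using Microsoft.IdentityModel.Abstractions;` appear to be carried over from the monolithic file and nothing in this file references them. The doc should also note that when ValidateTokenReplay is true but TokenReplayCache is null, the method logs IDX10240 without having performed any replay check.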
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs
new file mode 100644
index 0000000000..6fd744fd9d
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates the type of the token.
+ ///
+ /// The token type or null if it couldn't be resolved (e.g from the 'typ' header for a JWT).
+ /// The that is being validated.
+ /// required for validation.
+ /// If is null.
+ /// If is null.
+ /// If is null or whitespace and is not null.
+ /// If failed to match .
+ /// An EXACT match is required. (case sensitive) is used for comparing against .
+ /// The actual token type, that may be the same as or a different value if the token type was resolved from a different location.
+ public static string ValidateTokenType(string type, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ if (securityToken == null)
+ throw new ArgumentNullException(nameof(securityToken));
+
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.TypeValidator == null && (validationParameters.ValidTypes == null || !validationParameters.ValidTypes.Any()))
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10255);
+ return type;
+ }
+
+ if (validationParameters.TypeValidator != null)
+ return validationParameters.TypeValidator(type, securityToken, validationParameters);
+
+ // Note: don't throw an exception for a null or empty token type when a user-defined delegate is set
+ // to allow it to extract the actual token type from a different location (e.g from the claims).
+ if (string.IsNullOrEmpty(type))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidTypeException(LogMessages.IDX10256) { InvalidType = null });
+
+ if (!validationParameters.ValidTypes.Contains(type, StringComparer.Ordinal))
+ {
+ throw LogHelper.LogExceptionMessage(
+ new SecurityTokenInvalidTypeException(LogHelper.FormatInvariant(LogMessages.IDX10257, LogHelper.MarkAsNonPII(type), Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidTypes)))
+ { InvalidType = type });
+ }
+
+ // if it reaches here, token type was succcessfully validated.
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10258, LogHelper.MarkAsNonPII(type));
+
+ return type;
+ }
+ }
+}
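Review bot: The null check on `securityToken` at the top of ValidateTokenType throws `new ArgumentNullException(nameof(securityToken))` directly, while the `validationParameters` check on the next lines and every other validator in this commit goes through `LogHelper.LogArgumentNullException`, so this one argument failure is the only one that is not logged. I would change it to `throw LogHelper.LogArgumentNullException(nameof(securityToken));`. The comment "succcessfully validated" near the end has a typo, and the `<remarks>` text that describes the comparison as "EXACT match" could name the comparer the code actually uses, `StringComparer.Ordinal`, so readers do not assume a culture-sensitive match. The body is moved unchanged from Validators.cs.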
diff --git a/src/Microsoft.IdentityModel.Tokens/Validators.cs b/src/Microsoft.IdentityModel.Tokens/Validators.cs
deleted file mode 100644
index 000ba4c617..0000000000
--- a/src/Microsoft.IdentityModel.Tokens/Validators.cs
+++ /dev/null
@@ -1,262 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-using System;
-using System.Linq;
-using System.Security.Cryptography.X509Certificates;
-using Microsoft.IdentityModel.Abstractions;
-using Microsoft.IdentityModel.Logging;
-
-namespace Microsoft.IdentityModel.Tokens
-{
- ///
- /// AudienceValidator
- ///
- public static partial class Validators
- {
- ///
- /// Validates if a given algorithm for a is valid.
- ///
- /// The algorithm to be validated.
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- public static void ValidateAlgorithm(string algorithm, SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.AlgorithmValidator != null)
- {
- if (!validationParameters.AlgorithmValidator(algorithm, securityKey, securityToken, validationParameters))
- {
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), securityKey))
- {
- InvalidAlgorithm = algorithm,
- });
- }
-
- return;
- }
-
- if (validationParameters.ValidAlgorithms != null && validationParameters.ValidAlgorithms.Any() && !validationParameters.ValidAlgorithms.Contains(algorithm, StringComparer.Ordinal))
- {
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10696, LogHelper.MarkAsNonPII(algorithm)))
- {
- InvalidAlgorithm = algorithm,
- });
- }
- }
-
- ///
- /// Validates the that signed a .
- ///
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
- /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
- /// if 'validationParameters' is null.
- public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters, null);
- }
-
- ///
- /// Validates the that signed a .
- ///
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- /// The required for issuer and signing key validation.
- /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
- /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
- /// if 'validationParameters' is null.
- internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
- {
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
- {
- if (!validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
-
- return;
- }
-
- if (validationParameters.IssuerSigningKeyValidator != null)
- {
- if (!validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
-
- return;
- }
-
- if (!validationParameters.ValidateIssuerSigningKey)
- {
- LogHelper.LogVerbose(LogMessages.IDX10237);
- return;
- }
-
- if (!validationParameters.RequireSignedTokens && securityKey == null)
- {
- LogHelper.LogInformation(LogMessages.IDX10252);
- return;
- }
- else if (securityKey == null)
- {
- throw LogHelper.LogExceptionMessage(new ArgumentNullException(nameof(securityKey), LogMessages.IDX10253));
- }
-
- if (securityToken == null)
- throw LogHelper.LogArgumentNullException(nameof(securityToken));
-
- ValidateIssuerSigningKeyLifeTime(securityKey, validationParameters);
- }
-
- ///
- /// Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired
- ///
- /// The that signed the .
- /// The that are used to validate the token.
- internal static void ValidateIssuerSigningKeyLifeTime(SecurityKey securityKey, TokenValidationParameters validationParameters)
- {
- X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
- if (x509SecurityKey?.Certificate is X509Certificate2 cert)
- {
- DateTime utcNow = DateTime.UtcNow;
- var notBeforeUtc = cert.NotBefore.ToUniversalTime();
- var notAfterUtc = cert.NotAfter.ToUniversalTime();
-
- if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow))));
-
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10250, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow));
-
- if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow))));
-
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10251, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow));
- }
- }
-
- ///
- /// Validates if a token has been replayed.
- ///
- /// When does the security token expire.
- /// The being validated.
- /// required for validation.
- /// If 'securityToken' is null or whitespace.
- /// If 'validationParameters' is null or whitespace.
- /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- /// If the 'securityToken' is found in the cache.
- /// If the 'securityToken' could not be added to the .
- public static void ValidateTokenReplay(DateTime? expirationTime, string securityToken, TokenValidationParameters validationParameters)
- {
- if (string.IsNullOrWhiteSpace(securityToken))
- throw LogHelper.LogArgumentNullException(nameof(securityToken));
-
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.TokenReplayValidator != null)
- {
- if (!validationParameters.TokenReplayValidator(expirationTime, securityToken, validationParameters))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(
- LogHelper.FormatInvariant(
- LogMessages.IDX10228,
- LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))));
- return;
- }
-
- if (!validationParameters.ValidateTokenReplay)
- {
- LogHelper.LogVerbose(LogMessages.IDX10246);
- return;
- }
-
- // check if token if replay cache is set, then there must be an expiration time.
- if (validationParameters.TokenReplayCache != null)
- {
- if (!expirationTime.HasValue)
- throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10227, securityToken)));
-
- if (validationParameters.TokenReplayCache.TryFind(securityToken))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(LogHelper.FormatInvariant(LogMessages.IDX10228, securityToken)));
-
- if (!validationParameters.TokenReplayCache.TryAdd(securityToken, expirationTime.Value))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayAddFailedException(LogHelper.FormatInvariant(LogMessages.IDX10229, securityToken)));
- }
-
- // if it reaches here, that means no token replay is detected.
- LogHelper.LogInformation(LogMessages.IDX10240);
- }
-
- ///
- /// Validates if a token has been replayed.
- ///
- /// The being validated.
- /// When does the security token expire.
- /// required for validation.
- /// If 'securityToken' is null or whitespace.
- /// If 'validationParameters' is null or whitespace.
- /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- /// If the 'securityToken' is found in the cache.
- /// If the 'securityToken' could not be added to the .
- public static void ValidateTokenReplay(string securityToken, DateTime? expirationTime, TokenValidationParameters validationParameters)
- {
- ValidateTokenReplay(expirationTime, securityToken, validationParameters);
- }
-
- ///
- /// Validates the type of the token.
- ///
- /// The token type or null if it couldn't be resolved (e.g from the 'typ' header for a JWT).
- /// The that is being validated.
- /// required for validation.
- /// If is null.
- /// If is null.
- /// If is null or whitespace and is not null.
- /// If failed to match .
- /// An EXACT match is required. (case sensitive) is used for comparing against .
- /// The actual token type, that may be the same as or a different value if the token type was resolved from a different location.
- public static string ValidateTokenType(string type, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- if (securityToken == null)
- throw new ArgumentNullException(nameof(securityToken));
-
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.TypeValidator == null && (validationParameters.ValidTypes == null || !validationParameters.ValidTypes.Any()))
- {
- LogHelper.LogVerbose(LogMessages.IDX10255);
- return type;
- }
-
- if (validationParameters.TypeValidator != null)
- return validationParameters.TypeValidator(type, securityToken, validationParameters);
-
- // Note: don't throw an exception for a null or empty token type when a user-defined delegate is set
- // to allow it to extract the actual token type from a different location (e.g from the claims).
- if (string.IsNullOrEmpty(type))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidTypeException(LogMessages.IDX10256) { InvalidType = null });
-
- if (!validationParameters.ValidTypes.Contains(type, StringComparer.Ordinal))
- {
- throw LogHelper.LogExceptionMessage(
- new SecurityTokenInvalidTypeException(LogHelper.FormatInvariant(LogMessages.IDX10257, LogHelper.MarkAsNonPII(type), Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidTypes)))
- { InvalidType = type });
- }
-
- // if it reaches here, token type was succcessfully validated.
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10258, LogHelper.MarkAsNonPII(type));
-
- return type;
- }
- }
-}