Using Azure Key Vault certificates for signing and encrypting JSON Web Tokens
// Key Vault endpoint and the identity used to reach it.
// AzureCliCredential signs in as the account currently logged in with the
// Azure CLI, which suits local development; a deployed service would usually
// authenticate with a managed identity instead.
Uri vaultUri = new("https://your-key-vault.vault.azure.net/");
AzureCliCredentialOptions credentialOptions = new()
{
    TenantId = "your-aad-tenant-id",
};
var credential = new AzureCliCredential(credentialOptions);

// Client for the certificates endpoint of the vault.
var certificateClient = new CertificateClient(vaultUri, credential);
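/// <summary>
/// Derives a key identifier (<c>kid</c>) for a certificate from the JWK
/// thumbprint of its RSA public key. The same value is used on the key the
/// validator is configured with, so the token header and the validation key
/// can be matched without trying every key.
/// </summary>
/// <param name="certificate">Certificate whose RSA public key is hashed.</param>
/// <returns>The Base64Url-encoded JWK thumbprint.</returns>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
/// <exception cref="ArgumentException">The certificate does not hold an RSA public key.</exception>
static string GetKeyId(X509Certificate2 certificate)
{
    if (certificate is null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }

    // GetRSAPublicKey() returns a fresh RSA instance (hence the using), or null
    // when the certificate's key is not RSA; fail with a clear message instead
    // of letting RsaSecurityKey reject the null.
    using var rsa = certificate.PublicKey.GetRSAPublicKey();
    if (rsa is null)
    {
        throw new ArgumentException("Certificate does not contain an RSA public key.", nameof(certificate));
    }

    var rsaKey = new RsaSecurityKey(rsa);
    var thumbprint = rsaKey.ComputeJwkThumbprint();
    return Base64UrlEncoder.Encode(thumbprint);
}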
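// Download both certificates together with their private keys. The second
// argument pins a specific certificate version, so a rotation in the vault is
// not picked up silently. Note that DownloadCertificateAsync brings the
// private key into process memory; if that is not acceptable, signing can be
// performed inside the vault via Key Vault's cryptography API instead.
var signingCertificate = await certificateClient.DownloadCertificateAsync("TestSigningCertificate", "abcad05bc22b4da8b3c4469719aa5c06");
// The kid on the key ends up in the token header; with
// TryAllIssuerSigningKeys = false below, only the key whose KeyId matches
// that header is tried during validation.
var signingKey = new X509SecurityKey(signingCertificate.Value, GetKeyId(signingCertificate.Value));
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

var encryptionCertificate = await certificateClient.DownloadCertificateAsync("TestEncryptionCertificate", "204838aebf3c4bc093342ea4e8d1d986");
var encryptionKey = new X509SecurityKey(encryptionCertificate.Value, GetKeyId(encryptionCertificate.Value));
// RSA-OAEP wraps the content-encryption key; A128CBC-HS256 encrypts the payload.
var encryptingCredentials = new EncryptingCredentials(encryptionKey, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);

var handler = new JsonWebTokenHandler();

// Read the clock once so iat, nbf and exp are derived from the same instant
// rather than from three separate UtcNow calls.
var issuedAt = DateTimeOffset.UtcNow;
var encryptedToken = handler.CreateToken(
    JsonConvert.SerializeObject(new
    {
        sub = "test-user-id",
        aud = "TestApp",
        iss = "https://zure.com",
        iat = issuedAt.ToUnixTimeSeconds(),
        nbf = issuedAt.ToUnixTimeSeconds(),
        exp = issuedAt.AddDays(1).ToUnixTimeSeconds(),
    }),
    signingCredentials,
    encryptingCredentials);

var validationResult = await handler.ValidateTokenAsync(encryptedToken, new TokenValidationParameters
{
    IssuerSigningKeys = new List<SecurityKey> { signingKey },
    TokenDecryptionKeys = new List<SecurityKey> { encryptionKey },
    // Only the signing key whose KeyId matches the token's kid is tried.
    TryAllIssuerSigningKeys = false,
    ValidAudience = "TestApp",
    ValidIssuer = "https://zure.com",
    // No tolerance on nbf/exp; widen only if issuer and validator clocks can drift.
    ClockSkew = TimeSpan.Zero,
    // Allowlist of algorithms the validator accepts; a token whose header names
    // anything else is rejected instead of being processed with that algorithm.
    ValidAlgorithms = new List<string>
    {
        SecurityAlgorithms.RsaSha256,
        SecurityAlgorithms.Aes128CbcHmacSha256,
    },
    ValidateAudience = true,
    ValidateIssuer = true,
    // With an X509SecurityKey this also checks the certificate's own validity period.
    ValidateIssuerSigningKey = true,
    ValidateLifetime = true,
});

// ValidateTokenAsync reports failure through IsValid and Exception rather than
// by throwing, so a result that is not checked would silently accept a bad
// token. Surface the failure with the underlying cause attached.
if (!validationResult.IsValid)
{
    throw new SecurityTokenException("Token validation failed.", validationResult.Exception);
}

IDictionary<string, object> claims = validationResult.Claims;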