Using Azure Key Vault certificates for signing and encrypting JSON Web Tokens
// Key Vault endpoint and the identity used to reach it. AzureCliCredential reuses the
// local `az login` session (a development-time credential; a managed identity is the
// usual choice once this runs in Azure). Pinning TenantId avoids picking up a CLI
// session that happens to be signed into a different tenant.
var vaultUri = new Uri("https://your-key-vault.vault.azure.net/");
var credentialOptions = new AzureCliCredentialOptions
{
    TenantId = "your-aad-tenant-id",
};
var credential = new AzureCliCredential(credentialOptions);
var certificateClient = new CertificateClient(vaultUri, credential);
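/// <summary>
/// Derives a stable key identifier (the JWT <c>kid</c>) for <paramref name="certificate"/>:
/// the JWK thumbprint of its RSA public key, base64url-encoded. Only public-key material
/// is involved, so the value is safe to place in a token header.
/// </summary>
/// <param name="certificate">Certificate whose RSA public key identifies the signing or encryption key.</param>
/// <returns>Base64url-encoded JWK thumbprint.</returns>
/// <exception cref="InvalidOperationException">The certificate does not carry an RSA public key.</exception>
static string GetKeyId(X509Certificate2 certificate)
{
    // GetRSAPublicKey() returns null for non-RSA (e.g. ECDSA) certificates; fail with a
    // descriptive message instead of letting RsaSecurityKey reject the null later.
    using var rsa = certificate.PublicKey.GetRSAPublicKey()
        ?? throw new InvalidOperationException("Certificate does not contain an RSA public key.");
    var rsaKey = new RsaSecurityKey(rsa);
    // The thumbprint is computed before `rsa` is disposed at the end of the scope.
    var thumbprint = rsaKey.ComputeJwkThumbprint();
    return Base64UrlEncoder.Encode(thumbprint);
}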
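// DownloadCertificateAsync returns the certificate together with its private key, so the
// key material leaves the vault and lives in this process. If the private key must stay
// in the vault/HSM, use the vault-side sign and decrypt operations (CryptographyClient)
// instead. Pinning the certificate version keeps a rotation from silently changing which
// key is used here.
var signingCertificate = await certificateClient.DownloadCertificateAsync("TestSigningCertificate", "abcad05bc22b4da8b3c4469719aa5c06");
var signingKey = new X509SecurityKey(signingCertificate.Value, GetKeyId(signingCertificate.Value));
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

var encryptionCertificate = await certificateClient.DownloadCertificateAsync("TestEncryptionCertificate", "204838aebf3c4bc093342ea4e8d1d986");
var encryptionKey = new X509SecurityKey(encryptionCertificate.Value, GetKeyId(encryptionCertificate.Value));
// RSA-OAEP wraps a per-token content key; A128CBC-HS256 encrypts the payload with it.
var encryptingCredentials = new EncryptingCredentials(encryptionKey, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);

var handler = new JsonWebTokenHandler();

// Read the clock once so iat, nbf and exp are derived from the same instant rather than
// three separate DateTime.UtcNow reads.
var now = DateTimeOffset.UtcNow;

var encryptedToken = handler.CreateToken(
    JsonConvert.SerializeObject(new
    {
        sub = "test-user-id",
        aud = "TestApp",
        iss = "https://zure.com",
        iat = now.ToUnixTimeSeconds(),
        nbf = now.ToUnixTimeSeconds(),
        exp = now.AddDays(1).ToUnixTimeSeconds(),
    }),
    signingCredentials,
    encryptingCredentials);

var validationResult = await handler.ValidateTokenAsync(encryptedToken, new TokenValidationParameters
{
    IssuerSigningKeys = new List<SecurityKey> { signingKey },
    TokenDecryptionKeys = new List<SecurityKey> { encryptionKey },
    // With TryAllIssuerSigningKeys off, only the key whose KeyId matches the token's `kid`
    // header is tried; GetKeyId must therefore yield the same value on both sides.
    TryAllIssuerSigningKeys = false,
    ValidAudience = "TestApp",
    ValidIssuer = "https://zure.com",
    // No tolerance on nbf/exp. Fine for a single machine; distributed issuers and
    // validators usually need a small non-zero skew.
    ClockSkew = TimeSpan.Zero,
    // Allow-list the exact algorithms produced above so a token using anything else is rejected.
    ValidAlgorithms = new List<string>
    {
        SecurityAlgorithms.RsaSha256,
        SecurityAlgorithms.Aes128CbcHmacSha256,
    },
    ValidateAudience = true,
    ValidateIssuer = true,
    ValidateIssuerSigningKey = true,
    ValidateLifetime = true,
});

bool isValid = validationResult.IsValid;
if (!isValid)
{
    // Fail closed: an invalid token must not fall through to the claims below. The
    // original failure is preserved as the inner exception for diagnostics.
    throw new SecurityTokenException("Token validation failed.", validationResult.Exception);
}

IDictionary<string, object> claims = validationResult.Claims;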