Microsoft.IdentityModel.Tokens This adapter abstracts the 'RSA' differences between versions of .Net targets. Calls and Base class for a Security Key that contains Asymmetric key material. Default constructor This must be overridden to get a bool indicating if a private key exists. true if it has a private key; otherwise, false. Gets the status of the private key. 'Exists' if private key exists for sure; 'DoesNotExist' if private key doesn't exist for sure; 'Unknown' if we cannot determine. Enum for the existence of private key private key exists for sure private key doesn't exist for sure unable to determine the existence of private key Provides signature and verification operations for Asymmetric Algorithms using a . Mapping from algorithm to minimum .KeySize when creating signatures. Mapping from algorithm to minimum .KeySize when verifying signatures. Initializes a new instance of the class used to create and verify signatures. The that will be used for signature operations. The signature algorithm to apply. Initializes a new instance of the class used to create and verify signatures. The that will be used for signature operations. The signature algorithm to apply. If this is required to create signatures then set this to true. Creating signatures requires that the has access to a private key. Verifying signatures (the default), does not require access to the private key. is null. is null or empty. is true and there is no private key. If and algorithm pair are not supported. willCreateSignatures is true and .KeySize is less than the size corresponding to the given algorithm in . .KeySize is less than the size corresponding to the algorithm in . Note: this is always checked. If the runtime is unable to create a suitable cryptographic provider. Gets the mapping from algorithm to the minimum .KeySize for creating signatures. Gets the mapping from algorithm to the minimum .KeySize for verifying signatures. Creating a Signature requires the use of a . 
This method returns the that describes the to use when generating a Signature. The SignatureAlgorithm in use. The to use. if is null or whitespace. if is not supported. For testing purposes Produces a signature over the 'input' using the and algorithm passed to . The bytes to be signed. A signature over the input. if is null. if .Length == 0. If has been called. Sign is thread safe. Validates that an asymmetric key size is of sufficient size for a SignatureAlgorithm. The asymmetric key to validate. Algorithm for which this key will be used. Whether the key will be used for creating signatures. if is null. if is null or empty. if .KeySize is less than the minimum acceptable size. for minimum signing sizes. for minimum verifying sizes. Verifies that the over using the and specified by this are consistent. The bytes to generate the signature over. The value to verify against. true if signature matches, false otherwise. is null or has length == 0. is null or has length == 0. If has been called. Verify is thread safe. Calls to release managed resources. true, if called from Dispose(), false, if invoked inside a finalizer. Encodes and Decodes strings as Base64Url encoding. The following functions perform base64url encoding which differs from regular base64 encoding as follows * padding is skipped so the pad character '=' doesn't have to be percent encoded * the 62nd and 63rd regular base64 encoding characters ('+' and '/') are replaced with ('-' and '_') The changes make the encoding alphabet file and URL safe. string to encode. Base64Url encoding of the UTF8 bytes. Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation which is encoded with base-64-url digits. Parameters specify the subset as an offset in the input array, and the number of elements in the array to convert. An array of 8-bit unsigned integers. An offset in inArray. The number of elements of inArray to convert. 
The string representation in base 64 url encoding of length elements of inArray, starting at position offset. 'inArray' is null. offset or length is negative OR offset plus length is greater than the length of inArray. Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation which is encoded with base-64-url digits. An array of 8-bit unsigned integers. The string representation in base 64 url encoding of length elements of inArray, starting at position offset. 'inArray' is null. offset or length is negative OR offset plus length is greater than the length of inArray. Converts the specified string, base-64-url encoded to utf8 bytes. base64Url encoded string. UTF8 bytes. Decodes the string from Base64UrlEncoded to UTF8. string to decode. UTF8 string. Base64 encode/decode implementation for as per https://tools.ietf.org/html/rfc4648#section-5. Uses ArrayPool[T] to minimize memory usage. Decodes a Base64UrlEncoded string into a byte array. The string to decode. Decoded bytes. Decodes a Base64UrlEncoded string into a byte array. String to decode. Index of char in to start decode operation. Number of chars in to decode. Decoded bytes. Decodes a Base64UrlEncoded string and then performs an action. String to decode. Index of char in to start decode operation. Number of chars in to decode from . Input parameter to action. Action to perform on decoded bytes. Output type of decoding action. Type of Input parameter to action. Instance of {T}. The buffer for the decode operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. The result of is passed to the action. Decodes a Base64UrlEncoded string and then performs an action. The string to decode. Index of char in to start decode operation from. Count of char in to decode. Action to perform on decoded bytes. Return type of operation. Instance of {T}. 
The buffer for the decode operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. The result of is passed to the action. Decodes a Base64UrlEncoded string and then performs an action. The string to decode. Index of char in to start decode operation from. Count of char in to decode. Input parameter 1 to action. Input parameter 2 to action. Input parameter 3 to action. Action to perform on decoded bytes. Output type of decoding action. Type of Input parameter 1 to action. Type of Input parameter 2 to action. Type of Input parameter 3 to action. Instance of {T}. The buffer for the decode operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. The result of is passed to the action. Decodes a Base64UrlEncoded string into a byte array. String to decode. Index of char in to start decode operation. Number of chars in to decode. byte array to place results. Changes from Base64UrlEncoder implementation 1. Padding is optional. 2. '+' and '-' are treated the same. 3. '/' and '_' are treated the same. Encode byte array to Base64UrlEncoded string. Bytes to encode. Base64Url encoded string. Encode byte array to Base64UrlEncoded string. Bytes to encode. Index into to start encode operation. Number of bytes in to encode, starting from offset. Base64Url encoded string. Validates the input string for decode operation. String to validate. Index of char in to start decode operation. Number of chars in to decode, starting from offset. Size of the decoded bytes arrays. Represents a generic metadata configuration which is applicable for both XML and JSON based configurations. Gets the issuer specified via the metadata endpoint. Gets the that the IdentityProvider indicates are to be used in order to sign tokens. 
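The two base64url behaviours described above, strict encoding (no padding, '-' and '_' in place of '+' and '/') and the lenient decoder (padding optional, '+' and '-' treated the same, '/' and '_' treated the same), as an added Python example that is not the library's own code. The `is_canonical` check and the `decode_json_segment` helper are additions of this example, useful because a lenient decoder maps several different strings to the same bytes while a token signature only covers the exact characters that were signed.

```python
import base64
import binascii
import json
import re

# Alphabet accepted by the lenient decoder: both the standard and the
# url-safe spellings of the 62nd and 63rd characters. '=' is handled separately.
_LENIENT_ALPHABET = re.compile(r"[A-Za-z0-9+/_-]*")


def base64url_encode(data: bytes) -> str:
    """Strict base64url (RFC 4648 section 5): url-safe alphabet, no '=' padding."""
    # urlsafe_b64encode already maps '+' -> '-' and '/' -> '_'; only the padding is stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    """Lenient decoder: padding optional, '+' == '-', '/' == '_'.

    Raises ValueError on anything that is not base64/base64url at all, because
    Python's default decoder silently discards unknown characters otherwise.
    """
    stripped = text.rstrip("=")
    if "=" in stripped:
        raise ValueError("padding character '=' is only allowed at the end")
    if not _LENIENT_ALPHABET.fullmatch(stripped):
        raise ValueError("input contains characters outside the base64/base64url alphabet")
    # Four characters carry three bytes; a remainder of one character can never be valid.
    if len(stripped) % 4 == 1:
        raise ValueError("invalid base64url length")
    # Normalise the standard alphabet to the url-safe one so both spellings decode identically.
    normalised = stripped.replace("+", "-").replace("/", "_")
    # Re-add the padding that urlsafe_b64decode requires.
    padded = normalised + "=" * (-len(normalised) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64url input: {exc}") from exc


def is_canonical(text: str) -> bool:
    """True only if `text` is exactly what the strict encoder would produce for its bytes."""
    try:
        return base64url_encode(base64url_decode(text)) == text
    except ValueError:
        return False


def decode_json_segment(segment: str) -> dict:
    """Decode one base64url JSON segment (e.g. a JWT header) into a dict."""
    return json.loads(base64url_decode(segment).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a JWT header segment for {"alg":"RS256","typ":"JWT"}.
    header = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
    print(decode_json_segment(header))
    # The same two bytes in strict and in padded standard-alphabet form.
    print(base64url_encode(b"\xfb\xff"), base64url_decode("+/8="), is_canonical("+/8="))
```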
Gets or sets the token endpoint specified via the metadata endpoint. This is the fed:PassiveRequestorEndpoint in WS-Federation, https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#:~:text=fed%3ASecurityTokenServiceType/fed%3APassiveRequestorEndpoint Or the token_endpoint in the OIDC metadata. Gets or sets the token endpoint specified via the metadata endpoint. This is the fed:SecurityTokenServiceType in WS-Federation, http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#:~:text=fed%3ASecurityTokenSerivceEndpoint Gets the that the IdentityProvider indicates are to be used in order to decrypt tokens. Comparison class for a . Represents a generic configuration manager. Gets or sets the that controls how often an automatic metadata refresh should occur. 12 hours is the default time interval that afterwards will obtain new configuration. 1 hour is the default time interval that a last known good configuration will last for. 5 minutes is the default time interval that must pass for to obtain a new configuration. The default constructor. Constructor. The event queue task creation option. Obtains an updated version of if the appropriate refresh interval has passed. This method may return a cached version of the configuration. CancellationToken Configuration of type Configuration. This method on the base class throws a as it is meant to be overridden by the class that extends it. Gets all valid last known good configurations. A collection of all valid last known good configurations. The last known good configuration or LKG (a configuration retrieved in the past that we were able to successfully validate a token against). The length of time that a last known good configuration is valid for. The metadata address to retrieve the configuration from. 5 minutes is the minimum value for automatic refresh. can not be set less than this value. 
1 second is the minimum time interval that must pass for to obtain new configuration. The minimum time between retrievals, in the event that a retrieval failed, or that a refresh was explicitly requested. Indicates whether the last known good feature should be used, true by default. Indicates whether the last known good configuration is still fresh, depends on when the LKG was first used and its lifetime. Indicates that the configuration may be stale (as indicated by failing to process incoming tokens). An opaque context used to store work when working with authentication artifacts. Instantiates a new with a default activityId. Instantiates a new with an activityId. A class which contains useful methods for processing collections. Checks whether is null or empty. The type of the . The to be checked. True if is null or empty, false otherwise. Constants for compression algorithms. Compression provider factory for compression and decompression. Static constructor that initializes the default . Default constructor for . Constructor that creates a deep copy of given object. to copy from. Returns the default instance. Extensibility point for custom compression support application wide. Answers if an algorithm is supported. the name of the crypto algorithm. true if the algorithm is supported, false otherwise. Returns a for a specific algorithm. the decompression algorithm. a . Defines the options which can be used to configure the internal LKG configuration cache. See for more details. 10 is the default size limit of the cache (in number of items) for last known good configuration. Gets or sets the BaseConfigurationComparer used to compare . The size limit of the cache (in number of items) for last known good configuration. The event queue task creation option, default to None instead of LongRunning as LongRunning will always start a task on a new thread instead of a thread from ThreadPool. Whether or not to remove expired items. 
Definition of cache for crypto providers Returns the cache key to use when looking up an entry into the cache for a the to create the key for. the cache key to use for finding a . Returns the 'key' that will be used to find a crypto provider in this cache. the key that is used by the crypto provider. the algorithm that is used by the crypto provider. the type of the crypto provider obtained by calling object.GetType(). the cache key to use for finding a crypto provider. Tries to add a to this cache. to cache. true if the was added, false if the cache already contained the . Tries to find a in this cache. the key that is used by the crypto provider. the algorithm that is used by the crypto provider. the type of the crypto provider obtained by calling object.GetType(). a bool to indicate if the will be used to sign. the if found. true if a was found, false otherwise. Tries to remove a from this cache. to remove. true if the was removed, false if the was not found. Specifies the CryptoProviderCacheOptions which can be used to configure the internal cryptoprovider cache. We are using our own simple LRU caching implementation across all targets. See for more details. Default value for . Gets or sets the size of the cache (in number of items). 20% of the cache will be evicted whenever the cache gets to 95% of this size. Items will be evicted from least recently used to most recently used. Creates cryptographic operators by specifying a 's and algorithms. Returns the default instance. Gets or sets the default value for caching of 's. Gets or sets the maximum size of the object pool used by the SignatureProvider that are used for crypto objects. Static constructor that initializes the default . Default constructor for . Initializes an instance of a . The cache to use for caching CryptoProviders Constructor that creates a deep copy of given object. to copy from. Gets the Extensibility point for creating custom cryptographic operators. 
By default, if set, will be called before creating cryptographic operators. If true is returned, then will be called. The will throw if the Cryptographic operator returned is not of the correct type. Gets or sets a bool controlling if should be cached. Gets or sets the maximum size of the object pool used by the SignatureProvider that are used for crypto objects. Creates an instance of for a specific <SecurityKey, Algorithm>. the to use. the algorithm to use. thrown if is null. thrown if is null or empty. thrown if and algorithm pair are not supported. thrown if returns a type that is not assignable from . If is set and returns true. is called to obtain the . When finished with the call . an instance of Creates an instance of for a specific <SecurityKey, Algorithm>. the to use. the algorithm to use. thrown if is null. thrown if is null or empty. thrown if and algorithm pair are not supported. thrown if returns a type not assignable from . If is set and returns true. is called to obtain the . When finished with the call . an instance of Creates an instance of for a specific <SecurityKey, Algorithm>. the to use. the algorithm to use. thrown if is null. thrown if is null or empty. thrown if and algorithm pair are not supported. thrown if returns a type that is not assignable from . If is set and returns true. is called to obtain the . When finished with the call . an instance of Creates a that creates a signature with the algorithm and . the to use for signing. the algorithm to use for signing. thrown if is null. thrown if is null or empty. thrown if is too small. thrown if is not assignable from or . thrown if the key / algorithm is not supported. thrown if returns a type that is not assignable from . AsymmetricSignatureProviders require access to a PrivateKey for Signing. When finished with the call . If is set and returns true. is called to obtain the . A that can be used to create a signature using the and algorithm. 
Creates a that creates a signature with the algorithm and . the to use for signing. the algorithm to use for signing. indicates if the should be cached for reuse. thrown if is null. thrown if is null or empty. thrown if is too small. thrown if is not assignable from or . thrown if the key / algorithm is not supported. thrown if returns a type that is not assignable from . AsymmetricSignatureProviders require access to a PrivateKey for Signing. When finished with the call . If is set and returns true. is called to obtain the . A that can be used to create a signature using the and algorithm. Creates a that supports the and algorithm. The to use for signature verification. The algorithm to use for verifying. thrown if is null. thrown if is null or empty. thrown if is too small. thrown if is not assignable from or . thrown if the key / algorithm is not supported. thrown if returns a type that is not assignable from . When finished with the call . If is set and returns true. is called to obtain the . A that can be used to validate a signature using the and algorithm. Creates a that supports the and algorithm. The to use for signature verification. The algorithm to use for verifying. should the be cached. thrown if is null. thrown if is null or empty. thrown if is too small. thrown if is not assignable from or . thrown if the key / algorithm is not supported. thrown if returns a type that is not assignable from . When finished with the call . If is set and returns true. is called to obtain the . A that can be used to validate a signature using the and algorithm. Creates a for a specific algorithm. the name of the hash algorithm to create. thrown if is null or empty. thrown if returns a type that is not assignable from . thrown if is not supported. When finished with the call . If is set and returns true. is called to obtain the . A . Creates a for a specific algorithm. the name of the hash algorithm to create. thrown if is null or empty. 
thrown if returns a type that is not assignable from . thrown if is not supported. When finished with the call . If is set and returns true. is called to obtain the . A . Returns a for a specific algorithm. bytes to use to create the Keyed Hash. the name of the keyed hash algorithm to create. thrown if is null. thrown if is null or empty. thrown if returns a type that is not assignable from . is not supported. When finished with the call . If is set and returns true. is called to obtain the . A . For some security key types, in some runtimes, it's not possible to extract public key material and create an . In these cases, will be an empty string, and these keys should not be cached. to be examined. True if should be cached, false otherwise. Checks if an algorithm is supported. the name of the Hash algorithm. Only considers known Hash algorithms. true if: If is set and returns true. The algorithm is supported. Checks if the algorithm and is supported. the security algorithm to apply. the . Algorithms are supported for specific key types. For example: and will return true. and will return false. true if: If is set and returns true. The algorithm / key pair is supported. When finished with a call this method for cleanup. The default behavior is to call to be released. thrown if is null. When finished with a call this method for cleanup. to be released. thrown if is null. When finished with a call this method for cleanup. to be released. thrown if is null. When finished with a call this method for cleanup. The default behavior is to call to be released. thrown if is null. Helper class for adding DateTimes and Timespans. Add a DateTime and a TimeSpan. The maximum time is DateTime.MaxTime. It is not an error if time + timespan > MaxTime. Just return MaxTime. Initial value. to add. as the sum of time and timespan. Gets the Maximum value for a DateTime specifying kind. DateTimeKind to use. DateTime of specified kind. 
Gets the Minimum value for a DateTime specifying kind. DateTimeKind to use. DateTime of specified kind. Ensures that DateTime is UTC. to convert. Ensures that DateTime is UTC. to convert. A compression provider that supports compression and decompression using the algorithm. Initializes a new instance of the class used to compress and decompress using the algorithm. Initializes a new instance of the class used to compress and decompress using the algorithm. The compression level to use when compressing. Gets the compression algorithm. Specifies whether compression should emphasize speed or compression size. Set to by default. Decompress the value using DEFLATE algorithm. the bytes to decompress. the decompressed bytes. Compress the value using the DEFLATE algorithm. the bytes to compress. the compressed bytes. Answers if a compression algorithm is supported. the name of the compression algorithm. true if the compression algorithm is supported, false otherwise. This adapter abstracts the differences between versions of .Net targets. Initializes a new instance of the class. creation is not supported by some platforms. For more details, see https://aka.ms/IdentityModel/create-ecdsa. Creates an ECDsa object using the and . Returns the size of key in bytes Represents ecdsa curve -P256, P384, P521 Size of the key in bytes Magic numbers identifying ECDSA blob types Returns the magic value representing the curve corresponding to the curve id. Represents ecdsa curve -P256, P384, P521 Whether the provider will create signatures or not uint representing the magic number Tests if user's runtime platform supports operations using . True if operations using are supported on user's runtime platform, false otherwise. Creates an ECDsa object using the and . 'ECParameters' structure is available in .NET Framework 4.7+, .NET Standard 1.6+, and .NET Core 1.0+. Returns the elliptic curve corresponding to the curve id. 
Represents ecdsa curve -P256, P384, P521 Tests if user application's runtime supports structure. True if structure is supported, false otherwise. Throws during runtime if user application's runtime doesn't support structure. Represents an ECDsa security key. Returns a new instance of . instance used to initialize the key. Gets a bool indicating if a private key exists. true if it has a private key; otherwise, false. Gets an enum indicating if a private key exists. 'Exists' if private key exists for sure; 'DoesNotExist' if private key doesn't exist for sure; 'Unknown' if we cannot determine. Gets key size. Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. https://datatracker.ietf.org/doc/html/rfc7638 Computes a sha256 hash over the . A JWK thumbprint. https://datatracker.ietf.org/doc/html/rfc7638 Collection of text encoding related helper methods. Obtains bytes from a string using the Encoding and then performs an action. String to process. Encoding used to obtain bytes. Operation to invoke with result which is byte array and length of useful data in array with offset as 0. Return type of operation. Instance of {T}. The encoding operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. is passed to the action. Obtains bytes from a string using the Encoding and then performs an action. String to process. Index to start from in . Length of characters to operate in from . Encoding used to obtain bytes. Operation to invoke with result which is byte array and length of useful data in array with offset as 0. Return type of operation. Instance of {T}. The encoding operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. is passed to the action. 
Obtains bytes from a string using the Encoding and then performs an action. String to process. Index to start from in . Length of characters to operate in from . Encoding used to obtain bytes. Input parameter 1 to action. Input parameter 2 to action. Input parameter 3 to action. Action to perform with bytes. Return type of operation. Type of Input parameter 1 to action. Type of Input parameter 2 to action. Type of Input parameter 3 to action. Instance of {T}. The encoding operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. is passed to the action. Encodes the string using given Encoding, and invokes the operation with the result. Return type of operation. Input parameter to operation. String to process. Encoding used to obtain bytes. Additional operation parameter. Operation to invoke with result which is byte array and length of useful data in array with offset as 0. Result of operation. The encoding operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. is passed to the action. Obtains bytes from a string using the Encoding and then performs an action. String to process. Index to start from in . Length of characters to operate in from . Encoding used to obtain bytes. Additional operation parameter. Operation to invoke with result which is byte array and length of useful data in array with offset as 0. Return type of operation. Input parameter to operation. Instance of {T}. The encoding operation uses shared memory pool to avoid allocations. The length of the rented array of bytes may be larger than the decoded bytes, therefore the action needs to know the actual length to use. is passed to the action. A class for properties that are used for token encryption. 
Initializes a new instance of the class. . A key wrap algorithm to use when encrypting a session key. Data encryption algorithm to apply. if 'certificate' is null. if 'alg' is null or empty. if 'enc' is null or empty. Initializes a new instance of the class. to use when encrypting a session key. A key wrap algorithm to use when encrypting a session key. Data encryption algorithm to apply. if 'key' is null. if 'alg' is null or empty. if 'enc' is null or empty. Initializes a new instance of the class. Used in scenarios when a key represents a 'shared' symmetric key. For example, SAML 2.0 Assertion will be encrypted using a provided symmetric key which won't be serialized to a SAML token. to apply. Data encryption algorithm to apply. If the is not a . if 'enc' is null or empty. Gets the key wrap algorithm used for session key encryption. Gets the data encryption algorithm. Public key used in Key Agreement Algorithms Users can override the default with this property. This factory will be used for creating encryption providers. Gets or sets a bool that controls if the encrypted token creation will set default 'cty' if not specified. Applies to only JWT tokens. Gets the used for encryption. Provides authenticated encryption and decryption services. Initializes a new instance of the class used for encryption and decryption. The that will be used for crypto operations. The encryption algorithm to apply. 'key' is null. 'algorithm' is null or whitespace. key size is not large enough. 'algorithm' is not supported. a symmetricSignatureProvider is not created. Gets the encryption algorithm that is being used. Gets or sets a user context for a . This is null by default. This can be used by applications for extensibility scenarios. Gets the that is being used. Encrypts the 'plaintext' the data to be encrypted. will be combined with iv and ciphertext to create an authenticationtag. containing ciphertext, iv, authenticationtag. plaintext is null or empty. 
authenticationData is null or empty. AES crypto operation threw. See inner exception for details. Encrypts the 'plaintext' the data to be encrypted. will be combined with iv and ciphertext to create an authenticationtag. initialization vector for encryption. containing ciphertext, iv, authenticationtag. is null or empty. is null or empty. Thrown if the AES crypto operation threw. See inner exception for details. Thrown if the internal is disposed. Decrypts ciphertext into plaintext the encrypted text to decrypt. the authenticateData that is used in verification. the initialization vector used when creating the ciphertext. the authenticationTag that was created during the encryption. decrypted ciphertext is null or empty. is null or empty. is null or empty. is null or empty. Thrown if the signature over the authenticationTag fails to verify. Thrown if the AES crypto operation threw. See inner exception. Thrown if the internal is disposed. Calls and Releases managed resources. true, if called from Dispose(), false, if invoked inside a finalizer. Checks if an 'key, algorithm' pair is supported the the algorithm to check. true if 'key, algorithm' pair is supported. The algorithm parameter logically defines a HMAC algorithm. This method returns the HMAC to use. Called to obtain the byte[] needed to create a that will be used to obtain the byte[]. [] that is used to populate the KeyedHashAlgorithm. if is null. if a byte[] can not be obtained from SecurityKey. and are supported. For a .Key is returned For a Base64UrlEncoder.DecodeBytes is called with if == JsonWebAlgorithmsKeyTypes.Octet Checks that the key has sufficient length that contains bytes. the algorithm to apply. if is null. if is null or empty. if is not a supported algorithm. Contains the results of operation. Initializes a new the used during protected text. the initialization vector used. the bytes that need to be passed to . Gets the . Gets the Ciphertext. Gets the initialization vector. 
Gets the authentication tag Provides a Security Key that can be used as Content Encryption Key (CEK) for use with a JWE Number of bits in the desired output key Initializes a new instance of used for CEKs The that will be used for cryptographic operations and represents the private key. The that will be used for cryptographic operations and represents the public key. alg header parameter value. enc header parameter value. Generates the KDF Agreement PartyUInfo (optional). When used, the PartyVInfo value contains information about the producer, represented as a base64url-encoded string. Agreement PartyVInfo (optional). When used, the PartyUInfo value contains information about the recipient, represented as a base64url-encoded string. Returns that represents the key generated Provides Wrap key and Unwrap key services. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for a . This is null by default. This can be used by runtimes or for extensibility scenarios. Gets the that is being used. Calls and Can be overridden in descendants to dispose of internal components. true, if called from Dispose(), false, if invoked inside a finalizer Unwrap a key. key to unwrap. Unwrapped key. Wrap a key. the key to be wrapped wrapped key. Provides RSA Wrap key and Unwrap key services. Initializes a new instance of used for wrapping and un-wrapping keys. These keys are usually symmetric session keys that are wrapped using the recipient's public key. The that will be used for cryptographic operations. The KeyWrap algorithm to apply. Whether this is required to un-wrap keys. If true, the private key is required. 'key' is null. 'algorithm' is null. The key size doesn't match the algorithm. If and algorithm pair are not supported. Failed to create RSA algorithm with provided key and algorithm. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for a . This is null by default. This is for use by the application and not used by this SDK. 
Gets the that is being used. Disposes of internal components. true, if called from Dispose(), false, if invoked inside a finalizer. Checks if an algorithm is supported. The that will be used for crypto operations. The KeyWrap algorithm to apply. true if the algorithm is supported; otherwise, false. Unwrap a key using RSA decryption. the bytes to unwrap. Unwrapped key 'keyBytes' is null or length == 0. If has been called. Failed to unwrap the wrappedKey. If the internal RSA algorithm is null. Wrap a key using RSA encryption. the key to be wrapped A wrapped key 'keyBytes' is null or has length == 0. If has been called. Failed to wrap the 'keyBytes'. If the internal RSA algorithm is null. Provides Wrap key and Unwrap key services. Initializes a new instance of the class used for wrap key and unwrap key. The that will be used for crypto operations. The KeyWrap algorithm to apply. 'key' is null. 'algorithm' is null. If and algorithm pair are not supported. The cannot be converted to byte array The key size doesn't match the algorithm. Failed to create symmetric algorithm with provided key and algorithm. Gets the KeyWrap algorithm that is being used. Gets or sets a user context for a . This is null by default. This can be used by runtimes or for extensibility scenarios. Gets the that is being used. Disposes of internal components. true, if called from Dispose(), false, if invoked inside a finalizer. Returns the . The cannot be converted to byte array The key size doesn't match the algorithm. Failed to create symmetric algorithm with provided key and algorithm. Answers if an algorithm is supported the the algorithm to use true if the algorithm is supported; otherwise, false. Unwrap a key using Symmetric decryption. bytes to unwrap Unwrapped key 'keyBytes' is null or length == 0. 'keyBytes' is not a multiple of 8. If has been called. Failed to unwrap the wrappedKey. Wrap a key using Symmetric encryption. 
the key to be wrapped The wrapped key result 'keyBytes' is null or has length 0. 'keyBytes' is not a multiple of 8. If has been called. Failed to wrap 'keyBytes'. Returns the absolute DateTime or the Seconds since Unix Epoch, where Epoch is UTC 1970-01-01T00:00:00Z. DateTime as UTC for UnixEpoch Per JWT spec: Gets the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the desired date/time. The DateTime to convert to seconds. if dateTimeUtc less than UnixEpoch, return 0 the number of seconds since Unix Epoch. Creates a DateTime from epoch time. Number of seconds. The DateTime in UTC. This is an LRU cache implementation that relies on an event queue rather than locking to achieve thread safety. This approach has been decided on in order to optimize the performance of the get and set operations on the cache. This cache contains a doubly linked list in order to maintain LRU order, as well as a dictionary (map) to keep track of keys and expiration times. The linked list (a structure which is not thread-safe) is NEVER modified directly inside an API call (e.g. get, set, remove); it is only ever modified sequentially by a background thread. On the other hand, the map is a which may be modified directly inside an API call or through eventual processing of the event queue. This implementation relies on the principle of 'eventual consistency': though the map and its corresponding linked list may be out of sync at any given point in time, they will eventually line up. See here for more details: https://aka.ms/identitymodel/caching The key type to be used by the cache. The value type to be used by the cache. Constructor. The capacity of the cache, used to determine if experiencing overflow. The event queue task creation option, default to None instead of LongRunning as LongRunning will always start a task on a new thread instead of ThreadPool. The equality comparison implementation to be used by the map when comparing keys. Whether or not to remove expired items. 
The period to wait to remove expired items, in seconds. Whether or not to maintain items in a LRU fashion, moving to front of list when accessed in the cache. Occurs when the application is ready to exit. The sender of the event. The event argument. Occurs when an AppDomain is about to be unloaded. The sender of the event. The event argument. Stop the event queue task. This is provided mainly for users who have unit tests that check for running task(s) to stop the task at the end of each test. Stop the event queue task immediately if it is running. This allows the task/thread to terminate gracefully. Currently there is no unmanaged resource, if any is added in the future it should be disposed of in this method. This is the delegate for the event queue task. Remove all expired cache items from _doubleLinkedList and _map. Number of items removed. Remove all expired cache items from the _map ONLY. This is called for the non-LRU (_maintainLRU = false) scenario. The enumerator returned from the dictionary is safe to use concurrently with reads and writes to the dictionary, according to the MS document. Number of items removed. Remove items from the LinkedList by the desired compaction percentage. This should be a private method. Remove items from the Dictionary by the desired compaction percentage. Since _map does not have LRU order, items are simply removed from using FirstOrDefault(). When the cache is at _maxCapacityPercentage, it needs to be compacted by _compactionPercentage. This method calculates the new size of the cache after being compacted. The new target cache size after compaction. This is the method that determines the end time for the event queue task. The goal is to be able to track the incoming events and predict how long the task should run in order to avoid a long running task and reduce the overhead costs of restarting tasks. 
For example, maybe we can track the last three events' time and set the _eventQueueRunDurationInSeconds = 2 * average_time_between_events. Note: tasks are based on thread pool so the overhead should not be huge but we should still try to minimize it. the time when the event queue task should end This method is called after an item is added to the event queue. It will start the event queue task if one is not already running (_eventQueueTaskState != EventQueueTaskRunning). Using CompareExchange to set the _eventQueueTaskState prevents multiple tasks from being started. Each time a node gets accessed, it gets moved to the beginning (head) of the list if the _maintainLRU == true Removes a particular key from the cache. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING PURPOSES ONLY. This is for tests to verify all tasks exit at the end of tests if the queue is empty. FOR TESTING PURPOSES ONLY. Throw this exception when a received has invalid arguments. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Thrown when JWE compression fails. Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Thrown when JWE decompression fails. 
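The event-queue cache design described above (map written directly by callers, LRU list mutated only by a background worker that drains a queue, compaction to a target size when the map reaches the capacity threshold) is easier to see in working code. The block below is an added, constructed illustration of that design and is not the library's own EventBasedLRUCache: the class name, parameter names and the use of a plain dict plus an OrderedDict in place of ConcurrentDictionary and a hand-written doubly linked list are assumptions made for this example.

```python
"""Constructed illustration of an event-queue LRU cache (not library code).
Callers touch only the map; the ordered list is mutated only by the worker."""
import queue
import threading
import time
from collections import OrderedDict


class EventQueueLRUCache:
    def __init__(self, capacity, max_capacity_percentage=0.95,
                 compaction_percentage=0.20, idle_timeout=0.5):
        self._capacity = capacity
        self._max_capacity_percentage = max_capacity_percentage
        self._compaction_percentage = compaction_percentage
        self._idle_timeout = idle_timeout
        # key -> (value, expires_at). A dict stands in for ConcurrentDictionary:
        # under CPython's GIL a single get/set/pop is atomic.
        self._map = {}
        # Plays the doubly linked list: least recently used first, most recent last.
        # Never touched in get()/set(); only _process() on the worker mutates it.
        self._lru = OrderedDict()
        self._events = queue.Queue()
        self._stop = threading.Event()
        self._worker = None

    # ---- API calls: update the map now, hand list work to the worker ----
    def get(self, key):
        entry = self._map.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at is not None and time.monotonic() >= expires_at:
            self._map.pop(key, None)            # expired: drop from the map now,
            self._events.put(("remove", key))   # the list catches up eventually
            return None
        self._events.put(("touch", key))        # move-to-front happens asynchronously
        return value

    def set(self, key, value, ttl_seconds=None):
        expires_at = None if ttl_seconds is None else time.monotonic() + ttl_seconds
        self._map[key] = (value, expires_at)
        self._events.put(("add", key))
        if len(self._map) >= self._capacity * self._max_capacity_percentage:
            self._events.put(("compact", None))  # worker evicts down to the target size

    def size(self):
        return len(self._map)

    def lru_order(self):
        """Keys from least to most recently used, as the worker currently sees them."""
        return list(self._lru)

    def remove_expired(self):
        """Sweep the map for expired entries; the list is fixed up via events."""
        now = time.monotonic()
        expired = [k for k, (_, exp) in list(self._map.items())
                   if exp is not None and now >= exp]
        for key in expired:
            self._map.pop(key, None)
            self._events.put(("remove", key))
        return len(expired)

    # ---- worker side: the only code that mutates the ordered list ----
    def _target_size(self):
        return int(self._capacity * (1 - self._compaction_percentage))

    def _process(self, event):
        kind, key = event
        if kind == "add":
            self._lru[key] = None
            self._lru.move_to_end(key)
        elif kind == "touch" and key in self._lru:
            self._lru.move_to_end(key)
        elif kind == "remove":
            self._lru.pop(key, None)
        elif kind == "compact":
            while len(self._lru) > self._target_size():
                victim, _ = self._lru.popitem(last=False)  # least recently used
                self._map.pop(victim, None)

    def process_pending(self):
        """Drain the queue on the calling thread; returns the number of events handled."""
        handled = 0
        while True:
            try:
                event = self._events.get_nowait()
            except queue.Empty:
                return handled
            self._process(event)
            handled += 1

    def _run(self):
        while not self._stop.is_set():
            try:
                self._process(self._events.get(timeout=self._idle_timeout))
            except queue.Empty:
                self.remove_expired()  # idle gap: sweep expired items

    def start(self):
        if self._worker is None:
            self._worker = threading.Thread(target=self._run, daemon=True)
            self._worker.start()

    def stop(self):
        self._stop.set()
        if self._worker is not None:
            self._worker.join()
            self._worker = None
```

The consistency model matches the text: immediately after ten `set` calls the map holds all ten entries while `lru_order()` is still empty, and only after the worker (or `process_pending()` on the caller's thread, useful in tests) drains the queue does the list fill in and the compaction event evict the oldest entries from both structures.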
Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents a security token exception when decryption failed. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents a security token exception when encryption failed. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when a security token contained a key identifier but the key was not found by the runtime when decrypting a token. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. 
Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents a security token exception. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. When overridden in a derived class, sets the System.Runtime.Serialization.SerializationInfo with information about the exception. The that holds the serialized object data about the exception being thrown. The that contains contextual information about the source or destination. thrown if is null. Throw this exception when a received Security Token has expiration time in the past. Gets or sets the Expires value that created the validation exception. This value is always in UTC. Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when a cryptographic algorithm is invalid. Gets or sets the invalid algorithm that created the validation exception. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. 
Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when 'audience' of a token was not valid. Gets or sets the InvalidAudience that created the validation exception. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when 'issuer' of a token was not valid. Gets or sets the InvalidIssuer that created the validation exception. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when 'lifetime' of a token was not valid. Gets or sets the NotBefore value that created the validation exception. This value is always in UTC. Gets or sets the Expires value that created the validation exception. This value is always in UTC. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. 
Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when 'signature' of a token was not valid. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Throw this exception when a received Security Token has an invalid issuer signing key. Gets or sets the SigningKey that was found invalid. Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when the token type ('typ' header claim) of a JWT token is invalid. Gets or sets the invalid type that created the validation exception. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents a key wrap exception when encryption failed. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. 
The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents an exception when the token is malformed. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when a security token is missing an ExpirationTime. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Throw this exception when a received Security token has an effective time in the future. Gets or sets the NotBefore value that created the validation exception. This value is always in UTC. 
Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when an add to the TokenReplayCache fails. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Throw this exception when a received Security Token has been replayed. Initializes a new instance of Initializes a new instance of Initializes a new instance of Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when a security token contained a key identifier but the key was not found by the runtime. Initializes a new instance of the class. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. This exception is thrown when a security token contained a key identifier but the key was not found by the runtime and when validation errors exist over the security token. This exception is not intended to be used as a signal to refresh keys. 
This exception type is now considered obsolete and will be removed in the next major version (7.0.0). Indicates the type of the validation failure. Initializes a new instance of the class. Initializes a new instance of the class. The validation failures. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. Initializes a new instance of the class. Additional information to be included in the exception and displayed to user. A that represents the root cause of the exception. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. Represents a security token validation exception. Initializes a new instance of the class. Initializes a new instance of the class with a specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class with a specified error message and a reference to the inner exception that is the cause of this exception. The error message that explains the reason for the exception. The that is the cause of the current exception, or a null reference if no inner exception is specified. Initializes a new instance of the class. the that holds the serialized object data. The contextual information about the source or destination. The reason for being unable to validate Indicates no validation failures Indicates that the lifetime was invalid Indicates that the issuer was invalid Compression provider interface. Gets the compression algorithm. Called to determine if an algorithm is supported. the algorithm that defines the compression method. true if supported Decompress. the value to decompress. Compress. the value to compress. Provides extensibility for cryptographic operators. If custom operators are needed for then can be set to return these operators. 
will be before each creation. Called to determine if a cryptographic operation is supported. the algorithm that defines the cryptographic operator. the arguments required by the cryptographic operator. May be null. true if supported returns a cryptographic operator that supports the algorithm. the algorithm that defines the cryptographic operator. the arguments required by the cryptographic operator. May be null. call when finished with the object. called to release the object returned from the object returned from . Defines a cache for crypto providers. Current support is limited to only. Creates a new instance of using the default . Creates a new instance of using the specified . The options used to configure the . Creates a new instance of using the specified . The options used to configure the . Options used to create the event queue thread. The time used in ms for the timeout interval of the event queue. Defaults to 500 ms. Returns the cache key to use when looking up an entry in the cache for a the to create the key for. if signatureProvider is null. the cache key to use for finding a . Returns the 'key' that will be used to find a crypto provider in this cache. the key that is used by the crypto provider. the algorithm that is used by the crypto provider. the typeof the crypto provider obtained by calling object.GetType(). if securityKey is null. if algorithm is null or empty string. if typeofProvider is null or empty string. the cache key to use for finding a crypto provider. Tries to add a to this cache. to cache. if signatureProvider is null. true if the was added, false if the cache already contained the or if should not be cached. if the is added will be set to 'this'. Tries to find a in this cache. the key that is used by the crypto provider. the algorithm that is used by the crypto provider. the typeof the crypto provider obtained by calling object.GetType(). a bool to indicate if the will be used to sign. the if found. if securityKey is null. 
if algorithm is null or empty string. if typeofProvider is null or empty string. true if a was found, false otherwise. Tries to remove a from this cache. to remove. if signatureProvider is null. true if the was removed, false if the was not found. if the is removed will be set to null. Calls and Note: the EventBasedLRUCache is no longer being disposed of, but since this is a public class and can be used as base class of custom cache implementations, we need to keep it as some implementations may override Dispose(). If is true, this method disposes of and . True if called from the method, false otherwise. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING ONLY. FOR TESTING PURPOSES ONLY. Validators meant to be kept internal Called after signature validation has failed to avoid a metadata refresh ISecurityTokenValidator Returns true if the token can be read, false otherwise. Returns true if a token can be validated. Gets and sets the maximum size in bytes that a will be processed. Validates a token passed as a string using Interface that defines a simple cache for tracking replay of security tokens. Try to add a securityToken. the security token to add. the time when security token expires. true if the security token was successfully added. Try to find securityToken the security token to find. true if the security token is found. Constants for JsonWebAlgorithms "kty" Key Type (sec 6.1) https://datatracker.ietf.org/doc/html/rfc7518#section-6.1 Represents a JSON Web Key as defined in https://datatracker.ietf.org/doc/html/rfc7517. Initializes a new instance of . Returns a new instance of . A string that contains JSON Web Key parameters in JSON format. If 'json' is null or empty. If 'json' fails to deserialize. Initializes a new instance of from a json string. A string that contains JSON Web Key parameters in JSON format. If 'json' is null or empty. If 'json' fails to deserialize. 
If this was converted to or from a SecurityKey, this field will be set. If converting this to a SecurityKey failed, this field will be set. When deserializing from JSON any properties that are not defined will be placed here. Gets or sets the 'alg' (KeyType). Gets or sets the 'crv' (ECC - Curve). Gets or sets the 'd' (ECC - Private Key OR RSA - Private Exponent). Value is formatted as: Base64urlUInt Gets or sets the 'dp' (RSA - First Factor CRT Exponent). Value is formatted as: Base64urlUInt Gets or sets the 'dq' (RSA - Second Factor CRT Exponent). Value is formatted as: Base64urlUInt Gets or sets the 'e' (RSA - Exponent). Gets or sets the 'k' (Symmetric - Key Value). Base64urlEncoding Gets the key id of this . Gets the 'key_ops' (Key Operations). Gets or sets the 'kid' (Key ID). Gets or sets the 'kty' (Key Type). Gets or sets the 'n' (RSA - Modulus). Value is formatted as: Base64urlEncoding Gets or sets the 'oth' (RSA - Other Primes Info). Gets or sets the 'p' (RSA - First Prime Factor). Value is formatted as: Base64urlUInt Gets or sets the 'q' (RSA - Second Prime Factor). Value is formatted as: Base64urlUInt Gets or sets the 'qi' (RSA - First CRT Coefficient). Value is formatted as: Base64urlUInt Gets or sets the 'use' (Public Key Use). Gets or sets the 'x' (ECC - X Coordinate). Value is formatted as: Base64urlEncoding Gets the 'x5c' collection (X.509 Certificate Chain). Gets or sets the 'x5t' (X.509 Certificate SHA-1 thumbprint). Gets or sets the 'x5t#S256' (X.509 Certificate SHA-256 thumbprint). Gets or sets the 'x5u' (X.509 URL). Gets or sets the 'y' (ECC - Y Coordinate). Value is formatted as: Base64urlEncoding Gets the key size of . Gets a bool indicating if a private key exists. true if it has a private key; otherwise, false. Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. 
https://datatracker.ietf.org/doc/html/rfc7638 Computes the JWK thumbprint per spec: https://datatracker.ietf.org/doc/html/rfc7638. A the JWK thumbprint. Creates a JsonWebKey representation of an asymmetric public key. JsonWebKey representation of an asymmetric public key. https://datatracker.ietf.org/doc/html/rfc7800#section-3.2 Returns the formatted string: GetType(), Use: 'value', Kid: 'value', Kty: 'value', InternalId: 'value'. string Converts a into a Supports: converting to a from one of: , , and . Converts a into a a to convert. a if is null. if is not a supported type. Supports: , and . Converts a into a a to convert. a if is null. Converts a into a a to convert. a if is null. Converts a into a . a to convert. true to represent the as an , false to represent the as an , using the "x5c" parameter. a . if is null. Converts a into a a to convert. a if is null. Converts a into a an to convert. a if is null. Constants for JsonWebKey Elliptical Curve Types https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.1 JsonWebKey parameter names see: https://datatracker.ietf.org/doc/html/rfc7517 JsonWebKey parameter names as UTF8 bytes Used by UTF8JsonReader/Writer for performance gains. Contains a collection of that can be populated from a json string. provides support for https://datatracker.ietf.org/doc/html/rfc7517. Returns a new instance of . a string that contains JSON Web Key parameters in JSON format. If 'json' is null or empty. If 'json' fails to deserialize. Initializes a new instance of . Initializes a new instance of from a json string. a json string containing values. If 'json' is null or empty. If 'json' fails to deserialize. When deserializing from JSON any properties that are not defined will be placed here. Gets the . Default value for the flag that controls whether unresolved JsonWebKeys will be included in the resulting collection of method. 
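The JWK thumbprint summaries above (for JsonWebKey here, and again for RsaSecurityKey further down) only point at RFC 7638; what the spec actually hashes is easy to get wrong. The block below is an added, language-agnostic reference implementation of the RFC 7638 procedure, not the library's ComputeJwkThumbprint: it keeps only the required members for the key type, serializes them with member names in lexicographic order and no whitespace, hashes that exact byte string with SHA-256, and base64url-encodes the digest without padding. The sample EC coordinate strings are constructed placeholders (not a real key); any base64url text produces a valid thumbprint because only the serialization is hashed.

```python
"""RFC 7638 JWK thumbprint, added reference example (not library code)."""
import base64
import hashlib
import json

# Required members per key type, as listed in RFC 7638 section 3.2.
# Optional metadata (kid, use, alg, x5c...) and private members (d, p, q...)
# are deliberately excluded, so a private JWK and its public half match.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as the spec requires for the digest."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Build the exact string RFC 7638 hashes: required members only,
    member names sorted lexicographically, no whitespace. Any other
    ordering or spacing yields a different (wrong) thumbprint."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members {missing} for kty {kty}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys gives the code-point order the spec asks for; separators drop whitespace.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Return the base64url thumbprint of a JWK (SHA-256 unless told otherwise)."""
    digest = hashlib.new(hash_name, canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url_nopad(digest)


# Constructed sample key (placeholder coordinates, not a real P-256 point).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
    "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
}

# Same key with metadata, a private member and a different member order:
# the thumbprint must not change.
SAMPLE_EC_JWK_WITH_METADATA = {
    "y": SAMPLE_EC_JWK["y"],
    "x": SAMPLE_EC_JWK["x"],
    "kid": "constructed-kid-1",
    "use": "sig",
    "d": "cHJpdmF0ZS1zY2FsYXItcGxhY2Vob2xkZXI",
    "crv": "P-256",
    "kty": "EC",
}

if __name__ == "__main__":
    print(canonical_jwk_json(SAMPLE_EC_JWK))
    print(jwk_thumbprint(SAMPLE_EC_JWK))
    print(jwk_thumbprint(SAMPLE_EC_JWK_WITH_METADATA) == jwk_thumbprint(SAMPLE_EC_JWK))
```

Because the thumbprint ignores `kid`, `use` and private members, it is a stable identity for the key material itself, which is why it is commonly used as a `kid` value or to match a presented key against a JWKS entry regardless of how the publisher decorated it.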
Flag that controls whether unresolved JsonWebKeys will be included in the resulting collection of method. Returns the JsonWebKeys as a . To include unresolved JsonWebKeys in the resulting collection, set to false. Names for Json Web Key Set Values Constants for JsonWebKeyUse (sec 4.2) https://datatracker.ietf.org/doc/html/rfc7517#section-4.2 Creates a JsonException that provides information on what went wrong the . the type the reader was expecting to find. the name of the type being read. the property name being read. inner exception if any. This method is called when deserializing a property value as an object. Normally we put the object into a Dictionary[string, object]. the the property name that is being read the type that is being deserialized if true reader.Read() will be called. Writes an 'object' as a JsonProperty. This was written to support what IdentityModel6x supported and is not meant to be a general object serializer. If a user needs to serialize a special value, then serialize the value into a JsonElement. Writes values into an array. Assumes the writer.StartArray() has been called. Reads a JsonWebKey. see: https://datatracker.ietf.org/doc/html/rfc7517 a pointing at a StartObject. A . Reads a JsonWebKey. see: https://datatracker.ietf.org/doc/html/rfc7517 a pointing at a StartObject. A . This method will be used when reading OIDC metadata Log messages and codes Generic implementation of object pooling pattern with predefined pool size limit. The main purpose is that limited number of frequently used objects can be kept in the pool for further recycling. Notes: 1) it is not the goal to keep all returned objects. Pool is not meant for storage. If there is no space in the pool, extra returned objects will be dropped. 2) it is implied that if object was obtained from a pool, the caller will return it back in a relatively short time. Keeping checked out objects for long durations is ok, but reduces usefulness of pooling. Just new up your own. 
Not returning objects to the pool is not detrimental to the pool's work, but is a bad practice. Rationale: If there is no intent for reusing the object, do not use pool - just use "new". Produces an instance. Search strategy is a simple linear probing which is chosen for its cache-friendliness. Note that Free will try to store recycled objects close to the start thus statistically reducing how far we will typically search. Returns objects to the pool. Search strategy is a simple linear probing which is chosen for its cache-friendliness. Note that Free will try to store recycled objects close to the start thus statistically reducing how far we will typically search in Allocate. Returns a string message for the specified Win32 error code. The purpose of this class is to ensure that we obtain an RsaCryptoServiceProvider that supports SHA-256 signatures. If the original RsaCryptoServiceProvider doesn't support SHA-256, we create a new one using the same KeyContainer. There is no support for and on non-Windows platforms which makes a Windows-specific class. Gets the SignatureAlgorithm Gets the KeyExchangeAlgorithm Initializes a new instance of . if is null. Decrypts data with the System.Security.Cryptography.RSA algorithm. The data to be decrypted. true to perform direct System.Security.Cryptography.RSA decryption using OAEP padding (only available on a computer running Microsoft Windows XP or later) otherwise, false to use PKCS#1 v1.5 padding. decrypted bytes. if is null or has Length == 0. Decrypts the input. the bytes to decrypt. decrypted bytes if is null or Length == 0. Encrypts data with the System.Security.Cryptography.RSA algorithm. The data to be encrypted. true to perform direct System.Security.Cryptography.RSA encryption using OAEP padding (only available on a computer running Microsoft Windows XP or later); otherwise, false to use PKCS#1 v1.5 padding. encrypted bytes. if is null or has Length == 0. Encrypts the input. the bytes to encrypt. encrypted bytes. 
if is null or Length == 0. Computes the hash value of the specified byte array using the specified hash algorithm, and signs the resulting hash value. The input byte array for which to compute the hash. The hash algorithm to use to create the hash value. The Signature for the specified data. if is null or Length == 0. if is null. Verifies that a digital signature is valid by determining the hash value in the signature using the provided public key and comparing it to the hash value of the provided data. The input byte array. The hash algorithm to use to create the hash value. The signature byte array to be verified. true if the signature is valid; otherwise, false. if is null or Length == 0. if is null. if is null or Length == 0. Verifies that a digital signature is valid by determining the hash value in the signature using the provided public key and comparing it to the hash value of the provided data. The input byte array. The hash algorithm to use to create the hash value. The signature byte array to be verified. true if the signature is valid; otherwise, false. if is null or Length == 0. if is null. if is null or Length == 0. Exports rsa parameters as flag to control whether private parameters are included. Imports rsa parameters as to import. Calls to release managed resources. true, if called from Dispose(), false, if invoked inside a finalizer. Represents an RSA security key. Initializes a new instance of the class. Initializes a new instance of the class. Gets a bool indicating if a private key exists. true if it has a private key; otherwise, false. Gets an enum indicating if a private key exists. 'Exists' if private key exists for sure; 'DoesNotExist' if private key doesn't exist for sure; 'Unknown' if we cannot determine. Gets RSA key size. used to initialize the key. instance used to initialize the key. Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. 
https://datatracker.ietf.org/doc/html/rfc7638 Computes a sha256 hash over the . A JWK thumbprint. https://datatracker.ietf.org/doc/html/rfc7638 Constants for Security Algorithm. Base class for Security Key. Default constructor This must be overridden to get the size of this . Gets the key id of this . Gets or sets . Returns the formatted string: GetType(), KeyId: 'value', InternalId: 'value'. string Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. https://datatracker.ietf.org/doc/html/rfc7638 Computes a sha256 hash over the . A JWK thumbprint. https://datatracker.ietf.org/doc/html/rfc7638 Checks if can perform the cryptographic operation specified by the with this . the algorithm to apply. true if can perform the cryptographic operation specified by the with this . Contains information about the keys inside the tokens. Base class for security token. This must be overridden to get the Id of this . This must be overridden to get the issuer of this . This must be overridden to get the . This must be overridden to get or set the that signed this instance. .ValidateToken(...) can this value when a is used to successfully validate a signature. This must be overridden to get the time when this was Valid. This must be overridden to get the time when this is no longer Valid. Contains some information which is used to create a security token. Gets or sets the value of the 'audience' claim. Defines the compression algorithm that will be used to compress the JWT token payload. Gets or sets the used to create an encrypted security token. Gets or sets the value of the 'expiration' claim. This value should be in UTC. Gets or sets the issuer of this . Gets or sets the time the security token was issued. This value should be in UTC. Gets or sets the notbefore time for the security token. This value should be in UTC. Gets or sets the token type. If provided, this will be added as the value for the 'typ' header parameter. 
In the case of a JWE, this will be added to both the inner (JWS) and the outer token (JWE) header. By default, the value used is 'JWT'. If also contains 'typ' header claim value, it will override the TokenType provided here. This value is used only for JWT tokens and not for SAML/SAML2 tokens Gets or sets the which represents the claims that will be used when creating a security token. If both and are set, the claim values in Subject will be combined with the values in Claims. The values found in Claims take precedence over those found in Subject, so any duplicate values will be overridden. Gets or sets the which contains any custom header claims that need to be added to the JWT token header. The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the , , and/or provided and SHOULD NOT be included in this dictionary as this will result in an exception being thrown. These claims are only added to the outer header (in case of a JWE). Gets or sets the which contains any custom header claims that need to be added to the inner JWT token header. The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the , , and/or provided and SHOULD NOT be included in this dictionary as this will result in an exception being thrown. For JsonWebTokenHandler, these claims are merged with while adding to the inner JWT header. Gets or sets the used to create a security token. Gets or sets the . If both and are set, the claim values in Subject will be combined with the values in Claims. The values found in Claims take precedence over those found in Subject, so any duplicate values will be overridden. Defines the interface for a Security Token Handler. Creates an instance of Returns . true if attached; otherwise, false. Returns . Gets a value indicating whether this handler supports validation of tokens handled by this instance. 'True' if the instance is capable of SecurityToken validation. 
Gets a value indicating whether the class provides serialization functionality to serialize token handled by this instance. true if the WriteToken method can serialize this token. This must be overridden to get the System.Type of the SecurityToken this instance handles. Indicates whether the is positioned at an element that can be read. An reader positioned at a start element. The reader should not be advanced. 'true' if the token can be read. Indicates whether the current token string can be read as a token of the type handled by this instance. The token string that needs to be read. 'True' if the ReadToken method can parse the token string. Gets security token. . SecurityToken instance which represents the serialized token. Serializes to string a token of the type handled by this instance. A token of type TokenType. The serialized token. This must be overridden to serialize to XML a token of the type handled by this instance. The XML writer. A token of type . This must be overridden to deserialize token with the provided . . the current . SecurityToken instance which represents the serialized token. This must be overridden to validate a token passed as a string using A token of type . the current . The token of type that was validated. Reads and validates a token using an xmlReader and A pointing at the start element of the token. Contains data and information needed for validation. The that was validated. Provides signature services, signing and verifying. Maintains the number of external references see: , , Initializes a new instance of the class used to create and verify signatures. The that will be used for signature operations. The signature algorithm to apply. is null. is null or empty. Gets the signature algorithm. Gets or sets a user context for a . This is null by default. This is for use by the application and not used by this SDK. 
Gets or sets the that is associated with this Calls and Can be overwritten in descendants to dispose of internal components. true, if called from Dispose(), false, if invoked inside a finalizer Gets the . For testing purposes This must be overridden to produce a signature over the 'input'. bytes to sign. signed bytes Verifies that the over using the and specified by this are consistent. the bytes that were signed. signature to compare against. true if the computed signature matches the signature parameter, false otherwise. Verifies that a signature created over the 'input' matches the signature. Using and 'algorithm' passed to . The bytes to verify. offset in to input bytes to calculate hash. number of bytes of signature to use. signature to compare against. offset into signature array. how many bytes to verify. true if computed signature matches the signature parameter, false otherwise. 'input' is null. 'signature' is null. 'input.Length' == 0. 'signature.Length' == 0. 'length < 1' 'offset + length > input.Length' has been called. Gets or sets a bool indicating if this is expected to create signatures. Defines the , algorithm and digest for digital signatures. Initializes a new instance of the class. that will be used for signing. Algorithm will be set to . the 'digest method' if needed may be implied from the algorithm. For example implies Sha256. if 'key' is null. if 'algorithm' is null or empty. Initializes a new instance of the class. that will be used for signing. The signature algorithm to apply. the 'digest method' if needed may be implied from the algorithm. For example implies Sha256. if 'certificate' is null. if 'algorithm' is null or empty. Initializes a new instance of the class. . The signature algorithm to apply. the 'digest method' if needed may be implied from the algorithm. For example implies Sha256. if 'key' is null. if 'algorithm' is null or empty. Initializes a new instance of the class. . The signature algorithm to apply. 
The digest algorithm to apply. if 'key' is null. if 'algorithm' is null or empty. if 'digest' is null or empty. Gets the signature algorithm. if 'value' is null or empty. Gets the digest algorithm. Users can override the default with this property. This factory will be used for creating signature providers. This will have precedence over Gets the used for signature creation or validation. Gets the key id associated with . Defines the default set of algorithms this library supports Creating a Signature requires the use of a . This method returns the that describes the to use when generating a Signature. The SignatureAlgorithm in use. The to use. if is null or whitespace. if is not supported. Creating a Signature requires the use of a . This method returns the HashAlgorithm string that is associated with a SignatureAlgorithm. The SignatureAlgorithm of interest. if is null or whitespace. if is not supported. Checks if an 'algorithm, key' pair is supported. the algorithm to check. the . true if 'algorithm, key' pair is supported. Represents a symmetric security key. Returns a new instance of instance. The byte array of the key. Gets the key size. Gets the byte array of the key. Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. https://datatracker.ietf.org/doc/html/rfc7638 Computes a sha256 hash over the . A JWK thumbprint. https://datatracker.ietf.org/doc/html/rfc7638 Provides signing and verifying operations using a and specifying an algorithm. Mapping from algorithm to the expected signature size in bytes. This is the minimum .KeySize when creating and verifying signatures. Initializes a new instance of the class that uses an to create and / or verify signatures over an array of bytes. The that will be used for signature operations. The signature algorithm to use. 'key' is null. 'algorithm' is null or empty. If and algorithm pair are not supported. '.KeySize' is smaller than . 
Initializes a new instance of the class that uses an to create and / or verify signatures over an array of bytes. The that will be used for signature operations. The signature algorithm to use. indicates if this will be used to create signatures. 'key' is null. 'algorithm' is null or empty. If and algorithm pair are not supported. '.KeySize' is smaller than . Gets or sets the minimum .KeySize. 'value' is smaller than . Called to obtain the byte[] needed to create a that will be used to obtain the byte[]. [] that is used to populate the KeyedHashAlgorithm. if key is null. if a byte[] can not be obtained from SecurityKey. and are supported. For a .Key is returned For a Base64UrlEncoder.DecodeBytes is called with if == JsonWebAlgorithmsKeyTypes.Octet Returns a . This method is called just before a cryptographic operation. This provides the opportunity to obtain the from an object pool. If this method is overridden, it is important to override if custom releasing of the is desired. The hash algorithm to use to create the hash value. The byte array of the key. An instance of For testing purposes This method is called just after the cryptographic operation. If was overridden this method can be overridden for any custom handling such as returning the to an object pool. The in use. Produces a signature over the 'input' using the and 'algorithm' passed to . The bytes to sign. Signed bytes 'input' is null. 'input.Length' == 0. has been called. is null. This can occur if a derived type deletes it or does not create it. Sign is thread safe. Verifies that a signature created over the 'input' matches the signature. Using and 'algorithm' passed to . The bytes to verify. signature to compare against. true if computed signature matches the signature parameter, false otherwise. 'input' is null. 'signature' is null. 'input.Length' == 0. 'signature.Length' == 0. has been called. If the internal is null. This can occur if a derived type deletes it or does not create it. 
Verify is thread safe. Verifies that a signature created over the 'input' matches the signature. Using and 'algorithm' passed to . The bytes to verify. signature to compare against. number of bytes of signature to use. true if computed signature matches the signature parameter, false otherwise. 'input' is null. 'signature' is null. 'input.Length' == 0. 'signature.Length' == 0. 'length < 1' has been called. If the internal is null. This can occur if a derived type deletes it or does not create it. This internal method is called from the AuthenticatedEncryptionProvider which passes in the algorithm that defines the size expected for the signature. The reason is the way the AuthenticationTag is validated. For example when "A128CBC-HS256" is specified, SHA256 will be used to create the HMAC and 32 bytes will be generated, but only the first 16 will be validated. The bytes to verify. offset in to input bytes to calculate hash. number of bytes of signature to use. signature to compare against. offset into signature array. how many bytes to verify. algorithm passed by AuthenticatedEncryptionProvider. true if computed signature matches the signature parameter, false otherwise. Disposes of internal components. true, if called from Dispose(), false, if invoked inside a finalizer. An opaque context used to store work when working with authentication artifacts. Instantiates a new with a default activity ID. Instantiates a new with an activity ID. Defines properties shared across all security token handlers. Default lifetime of tokens created. When creating tokens, if 'expires', 'notbefore' or 'issuedat' are null, then a default will be set to: issuedat = DateTime.UtcNow, notbefore = DateTime.UtcNow, expires = DateTime.UtcNow + TimeSpan.FromMinutes(TokenLifetimeInMinutes). See: for configuration. Gets and sets the maximum token size in bytes that will be processed. 'value' less than 1. 
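The truncated authentication tag described above (for "A128CBC-HS256", a 32-byte HMAC-SHA-256 of which only the first 16 bytes are the tag) is shown here as an added, stand-alone example; it is not code from the library. It follows the AES-CBC-HMAC construction of RFC 7518 section 5.2 (HMAC over AAD || IV || ciphertext || AL, then truncation), and extends the page's single case to the A192 and A256 variants, whose hash and tag lengths are taken from that RFC. All key, header, IV and ciphertext bytes are constructed sample values.

```python
import hmac

# Hash function and truncated tag length per AES-CBC-HMAC algorithm (RFC 7518 section 5.2).
# The page's own case is A128CBC-HS256: HMAC-SHA-256 yields 32 bytes, only the first 16 are the tag.
TAG_PARAMS = {
    "A128CBC-HS256": ("sha256", 16),
    "A192CBC-HS384": ("sha384", 24),
    "A256CBC-HS512": ("sha512", 32),
}


def full_hmac(alg, mac_key, aad, iv, ciphertext):
    """Untruncated HMAC over AAD || IV || ciphertext || AL (AL = AAD bit length, 64-bit big-endian)."""
    hash_name, _ = TAG_PARAMS[alg]
    al = (len(aad) * 8).to_bytes(8, "big")
    return hmac.new(mac_key, aad + iv + ciphertext + al, hash_name).digest()


def compute_tag(alg, mac_key, aad, iv, ciphertext):
    """The authentication tag: the HMAC truncated to the algorithm's tag length."""
    _, tag_len = TAG_PARAMS[alg]
    return full_hmac(alg, mac_key, aad, iv, ciphertext)[:tag_len]


def verify_tag(alg, mac_key, aad, iv, ciphertext, tag):
    """Constant-time check of a received tag against the truncated expected value.

    Only the first tag_len bytes of the HMAC take part in the comparison. A received tag
    of any other length (including the untruncated 32-byte digest) is rejected outright
    instead of being compared prefix-wise.
    """
    expected = compute_tag(alg, mac_key, aad, iv, ciphertext)
    if len(tag) != len(expected):
        return False
    return hmac.compare_digest(expected, tag)


# Constructed sample values (assumptions for the example, not taken from any real token).
SAMPLE_MAC_KEY = bytes(range(16))           # MAC half of a 32-byte A128CBC-HS256 content key
SAMPLE_AAD = b"eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"  # stand-in for the encoded header
SAMPLE_IV = b"\x00" * 16
SAMPLE_CT = b"\x11" * 32


def demo():
    """Returns (tag length, verification result) for the constructed sample."""
    tag = compute_tag("A128CBC-HS256", SAMPLE_MAC_KEY, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT)
    return len(tag), verify_tag("A128CBC-HS256", SAMPLE_MAC_KEY, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT, tag)


if __name__ == "__main__":
    print(demo())
```

The length check before `hmac.compare_digest` is deliberate: a verifier that compared only `len(tag)` leading bytes of the expected value would accept a 1-byte "tag", so the expected length must be fixed by the algorithm, never by the received data.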
Gets or sets a bool that controls if token creation will set default 'exp', 'nbf' and 'iat' if not specified. See: for configuration. Gets or sets the token lifetime in minutes. Used during token creation to set the default expiration ('exp'). 'value' less than 1. Validates a token. On a validation failure, no exception will be thrown; instead, the exception will be set in the returned TokenValidationResult.Exception property. Callers should always check the TokenValidationResult.IsValid property to verify the validity of the result. The token to be validated. A required for validation. A Validates a token. On a validation failure, no exception will be thrown; instead, the exception will be set in the returned TokenValidationResult.Exception property. Callers should always check the TokenValidationResult.IsValid property to verify the validity of the result. The to be validated. A required for validation. A Converts a string into an instance of . The string to be deserialized. is null or empty. 'token.Length' is greater than . A . Called by base class to create a . Currently only used by the JsonWebTokenHandler to allow for a Lazy creation. the that has the Claims. the that was used to validate the token. the 'issuer' to use by default when creating a Claim. A . A class which contains useful methods for processing tokens. A URI that represents the JSON XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. A URI that represents the JSON array XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. 
A URI that represents the JSON null data type When mapping json to .Net Claim(s), we use empty string to represent the claim value and set the ClaimValueType to JsonNull Creates a dictionary from a list of Claim's. A list of claims. A Dictionary representing claims. Returns all provided in and . The that contains signing keys used for validation. A required for validation. Returns all provided in provided in and . Merges claims. If a claim with same type exists in both and , the one in claims will be kept. Collection of 's. Collection of 's. A Merged list of 's. Check whether the given exception type is recoverable by LKG. The exception to check. true if the exception is certain types of exceptions; otherwise, false. Check whether the given configuration is recoverable by LKG. The kid from token. The to check. The LKG exception to check. The exception to check. true if the configuration is recoverable; otherwise, false. Definition for AlgorithmValidator The algorithm to validate. The that signed the . The being validated. required for validation. true if the algorithm is considered valid Definition for AudienceValidator. The audiences found in the . The being validated. required for validation. true if the audience is considered valid. Definition for IssuerSigningKeyResolver. The representation of the token that is being validated. The that is being validated. It may be null. A key identifier. It may be null. required for validation. A to use when validating a signature. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Definition for IssuerSigningKeyResolverUsingConfiguration. The representation of the token that is being validated. The that is being validated. It may be null. A key identifier. It may be null. required for validation. required for validation. A to use when validating a signature. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Definition for IssuerSigningKeyValidator. 
The that signed the . The being validated. required for validation. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Definition for IssuerSigningKeyValidatorUsingConfiguration. The that signed the . The being validated. required for validation. required for validation. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Definition for IssuerValidator. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". The delegate should return a non null string that represents the 'issuer'. If null a default value will be used. If both and are set, IssuerValidatorUsingConfiguration takes priority. Definition for IssuerValidatorUsingConfiguration. The issuer to validate. The that is being validated. required for validation. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". The delegate should return a non null string that represents the 'issuer'. If null a default value will be used. If both and are set, IssuerValidatorUsingConfiguration takes priority. Definition for IssuerValidatorAsync. Left internal for now while we work out the details of async validation for all delegates. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". The delegate should return a non null string that represents the 'issuer'. If null a default value will be used. if set, will be called before or Definition for LifetimeValidator. The 'notBefore' time found in the . The 'expiration' time found in the . The being validated. required for validation. Definition for TokenReplayValidator. The 'expiration' time found in the . The being validated. required for validation. Definition for SignatureValidator. A securityToken with a signature. required for validation. Definition for SignatureValidator. 
A securityToken with a signature. required for validation. The that is required for validation. Definition for TokenReader. A securityToken with a signature. required for validation. Definition for TokenDecryptionKeyResolver. The representation of the token to be decrypted. The to be decrypted. The runtime by default passes null. A key identifier. It may be null. required for validation. A to use when decrypting the token. Definition for TypeValidator. The token type to validate. The that is being validated. required for validation. The actual token type, that may be the same as or a different value if the token type was resolved from a different location. Definition for TransformBeforeSignatureValidation. The that is being validated. required for validation. A transformed . Contains a set of parameters that are used by a when validating a . This is the default value of when creating a . The value is "AuthenticationTypes.Federation". To change the value, set to a different value. Default for the clock skew. 300 seconds (5 minutes). Default for the maximum token size. 250 KB (kilobytes). Copy constructor for . Initializes a new instance of the class. Gets or sets . Gets or sets a delegate used to validate the cryptographic algorithm used. If set, this delegate will validate the cryptographic algorithm used and the algorithm will not be checked against . Gets or sets a delegate that will be used to validate the audience. If set, this delegate will be called to validate the 'audience', instead of default processing. This means that no default 'audience' validation will occur. Even if is false, this delegate will still be called. Gets or sets the AuthenticationType when creating a . If 'value' is null or whitespace. Gets or sets the clock skew to apply when validating a time. If 'value' is less than 0. The default is 300 seconds (5 minutes). Returns a new instance of with values copied from this object. A new object copied from this object This is a shallow Clone. 
Creates a using: 'NameClaimType': If NameClaimTypeRetriever is set, call delegate, else call NameClaimType. If the result is a null or empty string, use . 'RoleClaimType': If RoleClaimTypeRetriever is set, call delegate, else call RoleClaimType. If the result is a null or empty string, use . A with Authentication, NameClaimType and RoleClaimType set. If set, this property will be used to obtain the issuer and signing keys associated with the metadata endpoint of . The obtained issuer and signing keys will then be used along with those present on the TokenValidationParameters for validation of the incoming token. Users can override the default with this property. This factory will be used for creating signature providers. Gets or sets a string that helps with setting breakpoints when debugging. Gets or sets a boolean that controls if a '/' is significant at the end of the audience. The default is true. Gets or sets the flag that indicates whether to include the when the validation fails. Gets or sets a delegate for validating the that signed the token. If set, this delegate will be called to validate the that signed the token, instead of default processing. This means that no default validation will occur. Even if is false, this delegate will still be called. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Gets or sets a delegate for validating the that signed the token. If set, this delegate will be called to validate the that signed the token, instead of default processing. This means that no default validation will occur. Even if is false, this delegate will still be called. This delegate should be used if properties from the configuration retrieved from the authority are necessary to validate the issuer signing key. If both and are set, IssuerSigningKeyValidatorUsingConfiguration takes priority. Gets a that is unique to this instance. Calling will result in a new instance of this IDictionary. 
Gets a value indicating if was called to obtain this instance. Gets or sets the that is to be used for signature validation. Gets or sets a delegate that will be called to retrieve a used for signature validation. This will be used to check the signature. This can be helpful when the does not contain a key identifier. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Gets or sets a delegate that will be called to retrieve a used for signature validation using the and . This will be used to check the signature. This can be helpful when the does not contain a key identifier. This delegate should be used if properties from the configuration retrieved from the authority are necessary to resolve the issuer signing key. If both and are set, IssuerSigningKeyResolverUsingConfiguration takes priority. Gets or sets an used for signature validation. Gets or sets a delegate that will be used to validate the issuer of the token. If set, this delegate will be called to validate the 'issuer' of the token, instead of default processing. This means that no default 'issuer' validation will occur. Even if is false, this delegate will still be called. If both and are set, IssuerValidatorUsingConfiguration takes priority. Gets or sets a delegate that will be used to validate the issuer of the token. If set, this delegate will be called to validate the 'issuer' of the token, instead of default processing. This means that no default 'issuer' validation will occur. Even if is false, this delegate will still be called. IssuerValidatorAsync takes precedence over and . Gets or sets a delegate that will be used to validate the issuer of the token. If set, this delegate will be called to validate the 'issuer' of the token, instead of default processing. This means that no default 'issuer' validation will occur. Even if is false, this delegate will still be called. 
This delegate should be used if properties from the configuration retrieved from the authority are necessary to validate the issuer. If both and are set, IssuerValidatorUsingConfiguration takes priority. Gets or sets a delegate that will be called to transform a token to a supported format before validation. Gets or sets a delegate that will be used to validate the lifetime of the token. If set, this delegate will be called to validate the lifetime of the token, instead of default processing. This means that no default lifetime validation will occur. Even if is false, this delegate will still be called. Gets or sets a that will decide if the token identifier claim needs to be logged. Default value is true. Gets or sets a that will decide if validation failure needs to be logged as an error. Default value is true for backward compatibility of the behavior. If set to false, validation failures are logged as Information and then thrown. Gets or sets a that defines the . Controls the value returns. It will return the first where the equals . The default is . Gets or sets a delegate that will be called to set the property after validating a token. The function will be passed: The that is being validated. The issuer associated with the token. Returns the value that will set the property . Gets or sets the that contains a collection of custom key/value pairs. This allows addition of parameters that could be used in custom token validation scenarios. Gets or sets a boolean to control if configuration is required to be refreshed before token validation. The default is false. Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction. The default is true. Gets or sets a value indicating whether tokens must have an 'expiration' value. The default is true. Gets or sets a value indicating whether a can be considered valid if not signed. The default is true. Gets or sets the that defines the . Controls the results of . 
Each where == will be checked for a match against the 'string' passed to . The default is . Gets or sets a delegate that will be called to set the property after validating a token. The function will be passed: The that is being validated. The issuer associated with the token. Returns the value that will set the property . Gets or sets a boolean to control if the original token should be saved after the security token is validated. The runtime will consult this value and save the original token that was validated. The default is false. Gets or sets a delegate that will be used to validate the signature of the token. If set, this delegate will be called to validate the signature of the token, instead of default processing. Gets or sets a delegate that will be used to validate the signature of the token using the and the . If set, this delegate will be called to validate the signature of the token, instead of default processing. Gets or sets the that is to be used for decryption. Gets or sets a delegate that will be called to retrieve a used for decryption. This will be used to decrypt the token. This can be helpful when the does not contain a key identifier. Gets or sets the that is to be used for decrypting inbound tokens. Gets or sets a delegate that will be used to read the token. If set, this delegate will be called to read the token instead of default processing. Gets or sets the that stores tokens that can be checked to help detect token replay. If set, then tokens must have an expiration time or the runtime will fault. Gets or sets a delegate that will be used to validate the token replay of the token. If set, this delegate will be called to validate the token replay of the token, instead of default processing. This means no default token replay validation will occur. Even if is false, this delegate will still be called. Gets or sets a value indicating whether all should be tried during signature validation when a key is not matched to token kid or if token kid is empty. 
The default is true. Gets or sets a delegate that will be used to validate the type of the token. If the token type cannot be validated, an exception MUST be thrown by the delegate. Note: the 'type' parameter may be null if it couldn't be extracted from its usual location. Implementations that need to resolve it from a different location can use the 'token' parameter. If set, this delegate will be called to validate the 'type' of the token, instead of default processing. This means that no default 'type' validation will occur. Gets or sets a value indicating if an actor token is detected, whether it should be validated. The default is false. Gets or sets a boolean to control if the audience will be validated during token validation. Validation of the audience mitigates forwarding attacks. For example, a site that receives a token could not replay it to another site. A forwarded token would contain the audience of the original site. This boolean only applies to default audience validation. If is set, it will be called regardless of whether this property is true or false. The default is true. Gets or sets a boolean to control if the issuer will be validated during token validation. Validation of the issuer mitigates forwarding attacks that can occur when an IdentityProvider represents multiple tenants and signs tokens with the same keys. It is possible that a token issued for the same audience could be from a different tenant. For example an application could accept users from contoso.onmicrosoft.com but not fabrikam.onmicrosoft.com, both valid tenants. An application that accepts tokens from fabrikam could forward them to the application that accepts tokens for contoso. This boolean only applies to default issuer validation. If is set, it will be called regardless of whether this property is true or false. The default is true. Gets or sets a boolean to control if the LKG configuration will be used for token validation. The default is false. 
Gets or sets a boolean that controls if validation of the that signed the securityToken is called. It is possible for tokens to contain the public key needed to check the signature. For example, X509Data can be hydrated into an X509Certificate, which can be used to validate the signature. In these cases it is important to validate the SigningKey that was used to validate the signature. This boolean only applies to default signing key validation. If is set, it will be called regardless of whether this property is true or false. The default is false. Gets or sets a boolean to control if the lifetime will be validated during token validation. This boolean only applies to default lifetime validation. If is set, it will be called regardless of whether this property is true or false. The default is true. Gets or sets a boolean that controls the validation order of the payload and signature during token validation. If is set to true, it will validate payload ahead of signature. The default is false. Gets or sets a boolean to control if the token replay will be validated during token validation. This boolean only applies to default token replay validation. If is set, it will be called regardless of whether this property is true or false. The default is false. Gets or sets the valid algorithms for cryptographic operations. If set to a non-empty collection, only the algorithms listed will be considered valid. The default is null. Gets or sets a string that represents a valid audience that will be used to check against the token's audience. The default is null. Gets or sets the that contains valid audiences that will be used to check against the token's audience. The default is null. Gets or sets a that represents a valid issuer that will be used to check against the token's issuer. The default is null. Gets or sets the that contains valid issuers that will be used to check against the token's issuer. The default is null. 
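The audience, issuer and lifetime checks described above, with the 300-second default clock skew and the "expiration required" switch the page also mentions, as an added example that is not the library's own code. The `ValidationParameters` class, the `validate_claims` function and the failure names are assumptions made for this illustration, and the claim sets are constructed decoded-JWT payloads, not real tokens. It shows the two forwarding cases from the text: a token issued for another site's audience, and a token from a different tenant of the same identity provider (same signing keys, different issuer).

```python
import time

DEFAULT_CLOCK_SKEW = 300  # seconds; the page states the default skew is 300 seconds (5 minutes)


class ValidationParameters:
    """Hypothetical subset of the validation switches the page describes."""

    def __init__(self, valid_audiences=(), valid_issuers=(), validate_audience=True,
                 validate_issuer=True, validate_lifetime=True, require_expiration_time=True,
                 clock_skew=DEFAULT_CLOCK_SKEW):
        self.valid_audiences = set(valid_audiences)
        self.valid_issuers = set(valid_issuers)
        self.validate_audience = validate_audience
        self.validate_issuer = validate_issuer
        self.validate_lifetime = validate_lifetime
        self.require_expiration_time = require_expiration_time
        self.clock_skew = clock_skew


def _audiences(claims):
    """'aud' may be a single string or a list of strings (RFC 7519 section 4.1.3)."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_claims(claims, params, now=None):
    """Returns a list of failure names; an empty list means the claims passed."""
    now = time.time() if now is None else now
    failures = []

    # Audience: the token must have been issued for this relying party, which stops a
    # token captured at one site from being forwarded to another.
    if params.validate_audience:
        if not any(a in params.valid_audiences for a in _audiences(claims)):
            failures.append("invalid_audience")

    # Issuer: needed even when signature validation passes, because a multi-tenant
    # identity provider may sign tokens for every tenant with the same keys.
    if params.validate_issuer and claims.get("iss") not in params.valid_issuers:
        failures.append("invalid_issuer")

    # Lifetime: 'exp' and 'nbf' are compared with the clock skew applied in the
    # token's favour, so small clock differences between issuer and validator pass.
    if params.validate_lifetime:
        exp = claims.get("exp")
        nbf = claims.get("nbf")
        if exp is None:
            if params.require_expiration_time:
                failures.append("missing_expiration")
        elif exp + params.clock_skew <= now:
            failures.append("expired")
        if nbf is not None and nbf - params.clock_skew > now:
            failures.append("not_yet_valid")

    return failures


# Constructed sample parameters and claim sets for an application serving the contoso tenant.
NOW = 1_700_000_000
CONTOSO_PARAMS = ValidationParameters(
    valid_audiences={"https://api.contoso.example"},
    valid_issuers={"https://login.example/contoso"},
)
GOOD_CLAIMS = {"iss": "https://login.example/contoso", "aud": "https://api.contoso.example",
               "exp": NOW + 600, "nbf": NOW - 10}
FORWARDED_CLAIMS = dict(GOOD_CLAIMS, aud="https://api.fabrikam.example")      # issued for another site
OTHER_TENANT_CLAIMS = dict(GOOD_CLAIMS, iss="https://login.example/fabrikam")  # same keys, other tenant


if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("forwarded", FORWARDED_CLAIMS),
                         ("other tenant", OTHER_TENANT_CLAIMS)]:
        print(name, validate_claims(claims, CONTOSO_PARAMS, now=NOW))
```

As on the page, turning a `validate_*` switch off disables only the default check; a custom validator delegate, which this example does not model, would still run.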
Gets or sets the that contains valid types that will be used to check against the JWT header's 'typ' claim. If this property is not set, the 'typ' header claim will not be validated and all types will be accepted. In the case of a JWE, this property will ONLY apply to the inner token header. The default is null.

Contains artifacts obtained when a SecurityToken is validated. A SecurityTokenHandler returns an instance that captures the results of validating a token.

Creates an instance of . This ctor is used by the JsonWebTokenHandler as part of delaying creation of ClaimsIdentity.

The created from the validated security token.

The created from the validated security token.

Gets or sets the without synchronization. All accesses must either be protected or used when the caller knows access is serialized.

Gets the object to use in for double-checked locking.

Gets or sets the that occurred during validation.

Gets or sets the issuer that was found in the token.

True if the token was successfully validated, false otherwise.

Gets or sets the that contains a collection of custom key/value pairs. This allows addition of data that could be used in custom scenarios. This uses for case-sensitive comparison of keys.

Gets or sets the that was validated.

The to be returned when validation fails.

Gets or sets the that contains call information.

Gets or sets the token type of the that was validated. When a is registered, the type returned by the delegate is used to populate this property. Otherwise, the type is resolved from the token itself, if available (e.g. for a JSON Web Token, from the "typ" header).

Generates unique IDs.

Creates a unique ID suitable for use in an xml:id field. The value is not hard to guess but is unique. The unique ID.

Creates a unique ID similar to that created by CreateNonRandomId, but instead of an underscore, the supplied prefix is used. The prefix to use. The unique ID, with the given prefix.

Creates a unique, random ID suitable for use in an xml:id field.
The value is hard to guess and unique. The unique ID.

Creates a unique, random ID similar to that created by CreateRandomId, but instead of an underscore, the supplied prefix is used. The prefix to use. The random URI.

Creates a unique, random ID suitable for use as a URI. The value is hard to guess and unique. The URI is in the urn:uuid: namespace. The random URI.

Contains some utility methods.

A string with "empty" value.

A string with "null" value.

Creates a copy of the byte array. The resource array. A copy of the byte array.

Serializes the list of strings into a string as follows: 'str1','str2','str3' ... The strings used to build a comma delimited string. The single .

Returns whether the input string is https. The input string. true if the input string is https; otherwise, false.

Returns whether the input uri is https. true if the input uri is https; otherwise, false.

Compares two byte arrays for equality. Hash size is fixed; normally it is 32 bytes. The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents. One set of bytes to compare. The other set of bytes to compare with. true if the bytes are equal, false otherwise.

Compares two byte spans for equality. Hash size is fixed; normally it is 32 bytes. The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents. One set of bytes to compare. The other set of bytes to compare with. Length of spans to check. true if the bytes are equal, false otherwise.

AudienceValidator

Validates if a given algorithm for a is valid. The algorithm to be validated. The that signed the . The being validated. required for validation.

Determines if the audiences found in a are valid. The audiences found in the . The being validated. required for validation. If 'validationParameters' is null. If 'audiences' is null and is true. If is null or whitespace and is null. If none of the 'audiences' matched either or one of .
An EXACT match is required.

Determines if an issuer found in a is valid. The issuer to validate. The that is being validated. required for validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". If 'validationParameters' is null. If 'issuer' is null or whitespace and is true. If is null or whitespace and is null. If 'issuer' failed to match either or one of . An EXACT match is required.

Determines if an issuer found in a is valid. The issuer to validate. The that is being validated. required for validation. The required for issuer and signing key validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". If 'validationParameters' is null. If 'issuer' is null or whitespace and is true. If 'configuration' is null. If is null or whitespace and is null and is null. If 'issuer' failed to match either or one of or . An EXACT match is required.

Determines if an issuer found in a is valid. The issuer to validate. The that is being validated. required for validation. The required for issuer and signing key validation. The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". If 'validationParameters' is null. If 'issuer' is null or whitespace and is true. If 'configuration' is null. If is null or whitespace and is null and is null. If 'issuer' failed to match either or one of or . An EXACT match is required.

Validates the that signed a . The that signed the . The being validated. required for validation. if 'securityKey' is null and ValidateIssuerSigningKey is true. if 'securityToken' is null and ValidateIssuerSigningKey is true. if 'validationParameters' is null.

Validates the that signed a . The that signed the . The being validated. required for validation. The required for issuer and signing key validation. if 'securityKey' is null and ValidateIssuerSigningKey is true. if 'securityToken' is null and ValidateIssuerSigningKey is true. if 'validationParameters' is null.
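The two forwarding cases described under the audience and issuer properties above, exercised against the default checks in Validators, as an added example that is not part of the library's own sources. It assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages; the issuer URLs, audiences and the ForwardingDemo/Check names are made up for the demonstration.

```csharp
// Added example, not part of Microsoft.IdentityModel.Tokens. Issuer URLs and
// audiences are constructed; ForwardingDemo and Check are hypothetical names.
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

static class ForwardingDemo
{
    // Parameters of a hypothetical "contoso" relying party. Pinning both the
    // audience and the issuer is what blocks the two forwarding cases below.
    static readonly TokenValidationParameters ContosoParams = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidAudiences = new[] { "api://contoso-app" },
        ValidateIssuer = true,
        ValidIssuers = new[] { "https://login.example.test/contoso/" },
    };

    // Runs the default audience and issuer checks the token handler applies and
    // reports the outcome as text instead of letting the exception propagate.
    static string Check(JwtSecurityToken token, TokenValidationParameters p)
    {
        try
        {
            Validators.ValidateAudience(token.Audiences, token, p);
            string issuer = Validators.ValidateIssuer(token.Issuer, token, p);
            return "accepted, claims issuer = " + issuer;
        }
        catch (SecurityTokenValidationException ex)
        {
            return "rejected: " + ex.GetType().Name;
        }
    }

    static void Main()
    {
        // Unsigned sample tokens built inline; signature checks are out of scope here.
        var issuedForContoso = new JwtSecurityToken(
            issuer: "https://login.example.test/contoso/", audience: "api://contoso-app");
        // Case 1: token minted for another site and forwarded to contoso (audience check).
        var issuedForOtherSite = new JwtSecurityToken(
            issuer: "https://login.example.test/contoso/", audience: "api://other-app");
        // Case 2: same audience, but issued for a different tenant of the same IdP (issuer check).
        var issuedByFabrikam = new JwtSecurityToken(
            issuer: "https://login.example.test/fabrikam/", audience: "api://contoso-app");

        Console.WriteLine(Check(issuedForContoso, ContosoParams));
        Console.WriteLine(Check(issuedForOtherSite, ContosoParams));
        Console.WriteLine(Check(issuedByFabrikam, ContosoParams));
    }
}
```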
Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired. The that signed the . The that are used to validate the token.

Validates the lifetime of a . The 'notBefore' time found in the . The 'expiration' time found in the . The being validated. required for validation. If 'validationParameters' is null. If 'expires.HasValue' is false and is true. If 'notBefore' is > 'expires'. If 'notBefore' is > DateTime.UtcNow. If 'expires' is < DateTime.UtcNow. All time comparisons apply .

Validates if a token has been replayed. When does the security token expire. The being validated. required for validation. If 'securityToken' is null or whitespace. If 'validationParameters' is null or whitespace. If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time. If the 'securityToken' is found in the cache. If the 'securityToken' could not be added to the .

Validates if a token has been replayed. The being validated. When does the security token expire. required for validation. If 'securityToken' is null or whitespace. If 'validationParameters' is null or whitespace. If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time. If the 'securityToken' is found in the cache. If the 'securityToken' could not be added to the .

Validates the type of the token. The token type or null if it couldn't be resolved (e.g. from the 'typ' header for a JWT). The that is being validated. required for validation. If is null. If is null. If is null or whitespace and is not null. If failed to match . An EXACT match is required. (case sensitive) is used for comparing against . The actual token type, that may be the same as or a different value if the token type was resolved from a different location.

An designed to construct based on an x509 certificate.

Designed to construct based on an x509 certificate.
A will be used as the key wrap algorithm will be used as the data encryption algorithm if 'certificate' is null.

Designed to construct based on the x509 certificate, a key wrap algorithm, and data encryption algorithm. A A key wrap algorithm Data encryption algorithm if 'certificate' is null. if 'keyWrapAlgorithm' is null or empty. if 'dataEncryptionAlgorithm' is null or empty.

Gets the used by this instance.

An that is backed by a

Instantiates a using a . The to use. if is null.

Instantiates a using a . The to use. The value to set for the KeyId if is null. if is null or empty.

Gets the key size.

Gets the X5t of this .

Returns the private key from the .

Gets the public key from the .

Gets a bool indicating if a private key exists. true if it has a private key; otherwise, false.

Gets an enum indicating if a private key exists. 'Exists' if private key exists for sure; 'DoesNotExist' if private key doesn't exist for sure; 'Unknown' if we cannot determine.

Gets the .

Determines whether the can compute a JWK thumbprint. true if JWK thumbprint can be computed; otherwise, false. https://datatracker.ietf.org/doc/html/rfc7638

Computes a sha256 hash over the . A JWK thumbprint. https://datatracker.ietf.org/doc/html/rfc7638

Returns a bool indicating if this key is equivalent to another key. true if the keys are equal; otherwise, false.

Returns an int hash code. An int hash code.

Defines the , algorithm and digest for digital signatures.

Initializes a new instance of the class. that will be used for signing. Algorithm will be set to . The 'digest method', if needed, may be implied from the algorithm. For example, implies Sha256. if 'certificate' is null.

Initializes a new instance of the class. A that will be used for signing. The signature algorithm to apply. The 'digest method', if needed, may be implied from the algorithm. For example, implies Sha256. if 'certificate' is null. if 'algorithm' is null or empty.

Gets the used by this instance.