Microsoft.IdentityModel.JsonWebTokens Constants for Json Web tokens. A URI that represents the JSON XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. A URI that represents the JSON array XML data type. When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will be serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. A URI that represents the JSON null data type. When mapping json to .Net Claim(s), we use empty string to represent the claim value and set the ClaimValueType to JsonNull A designed for representing a JSON Web Token (JWT). Initializes a new instance of from a string in JWS or JWE Compact serialized format. A JSON Web Token that has been serialized in JWS or JWE Compact serialized format. 'jwtEncodedString' is null or empty. 'jwtEncodedString' is not in JWS or JWE Compact serialization format. The contents of the returned have not been validated, the JSON Web Token is simply decoded. Validation can be accomplished using the validation methods in Initializes a new instance of the class where the header contains the crypto algorithms applied to the encoded header and payload. A string containing JSON which represents the cryptographic operations applied to the JWT and optionally any additional properties of the JWT. A string containing JSON which represents the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }. 'header' is null. 'payload' is null. Gets the 'value' of the 'actort' claim { actort, 'value' }. If the 'actort' claim is not found, an empty string is returned. Gets the 'value' of the 'alg' claim { alg, 'value' }. 
If the 'alg' claim is not found, an empty string is returned. Gets the list of 'aud' claim { aud, 'value' }. If the 'aud' claim is not found, enumeration will be empty. Gets the AuthenticationTag from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Gets the Ciphertext from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Gets a for each JSON { name, value }. Gets the 'value' of the 'cty' claim { cty, 'value' }. If the 'cty' claim is not found, an empty string is returned. Gets the 'value' of the 'enc' claim { enc, 'value' }. If the 'enc' value is not found, an empty string is returned. Gets the EncryptedKey from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Represents the cryptographic operations applied to the JWT and optionally any additional properties of the JWT. Gets the 'value' of the 'jti' claim { jti, 'value' }. If the 'jti' claim is not found, an empty string is returned. Gets the InitializationVector from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Gets the associated with this instance. Gets the 'value' of the 'iat' claim { iat, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'iat' claim is not found, then is returned. Gets the 'value' of the 'iss' claim { iss, 'value' }. If the 'iss' claim is not found, an empty string is returned. Gets the 'value' of the 'kid' claim { kid, 'value' }. If the 'kid' claim is not found, an empty string is returned. Represents the JSON payload. Gets the EncodedHeader from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. 
Gets the EncodedPayload from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Gets the EncodedSignature from the original raw data of this instance when it was created. The original JSON Compact serialized format passed into the constructor. Gets the original raw data of this instance when it was created. Not implemented. Not implemented. Gets the 'value' of the 'sub' claim { sub, 'value' }. If the 'sub' claim is not found, an empty string is returned. Gets the 'value' of the 'typ' claim { typ, 'value' }. If the 'typ' claim is not found, an empty string is returned. Gets the 'value' of the 'nbf' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'nbf' claim is not found, then is returned. Gets the 'value' of the 'exp' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). If the 'exp' claim is not found, then is returned. Gets the 'value' of the 'x5t' claim { x5t, 'value' }. If the 'x5t' claim is not found, an empty string is returned. Gets the 'value' of the 'zip' claim { zip, 'value' }. If the 'zip' claim is not found, an empty string is returned. Decodes the string into the header, payload and signature. the tokenized string. the original token. Decodes the payload and signature from the JWE parts. Parts of the JWE including the header. Assumes Header has already been set. According to the JWE documentation (https://datatracker.ietf.org/doc/html/rfc7516#section-2), it is possible for the EncryptedKey, InitializationVector, and AuthenticationTag to be empty strings. Decodes the payload and signature from the JWS parts. Parts of the JWS including the header. Assumes Header has already been set. Gets a representing the { key, 'value' } pair corresponding to the provided . If the key has no corresponding value, this method will throw. 
Gets the 'value' corresponding to the provided key from the JWT payload { key, 'value' }. If the key has no corresponding value, this method will throw. Tries to get the representing the { key, 'value' } pair corresponding to the provided . If the key has no corresponding value, returns false. Otherwise returns true. Tries to get the 'value' corresponding to the provided key from the JWT payload { key, 'value' }. If the key has no corresponding value, returns false. Otherwise returns true. Gets the 'value' corresponding to the provided key from the JWT header { key, 'value' }. If the key has no corresponding value, this method will throw. Tries to get the value corresponding to the provided key from the JWT header { key, 'value' }. If the key has no corresponding value, returns false. Otherwise returns true. A designed for creating and validating Json Web Tokens. See: https://datatracker.ietf.org/doc/html/rfc7519 and http://www.rfc-editor.org/info/rfc7515. Gets the Base64Url encoded string representation of the following JWT header: { , }. The Base64Url encoded string representation of the unsigned JWT header. Gets the type of the . The type of Determines if the string is a well formed Json Web Token (JWT). See: https://datatracker.ietf.org/doc/html/rfc7519 String that should represent a valid JWT. Uses matching: JWS: @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" JWE: (dir): @"^[A-Za-z0-9-_]+\.\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" JWE: (wrappedkey): @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]$" 'false' if the token is null or whitespace. 'false' if token.Length is greater than . 'true' if the token is in JSON compact serialization format. Returns a value that indicates if this handler can validate a . 'true', indicating this instance can validate a . Creates an unsigned JWS (Json Web Signature). A string containing JSON which represents the JWT token payload. if is null. A JWS in Compact Serialization Format. 
Creates an unsigned JWS (Json Web Signature). A string containing JSON which represents the JWT token payload. Defines the dictionary containing any custom header claims that need to be added to the JWT token header. if is null. if is null. A JWS in Compact Serialization Format. Creates a JWS (Json Web Signature). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWS. if is null. if is null. A JWS in Compact Serialization Format. Creates a JWS (Json Web Signature). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWS. Defines the dictionary containing any custom header claims that need to be added to the JWT token header. if is null. if is null. if is null. if , , , and/or are present inside of . A JWS in Compact Serialization Format. Creates a JWS(Json Web Signature). A that contains details of contents of the token. A JWS in Compact Serialization Format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to encrypt the JWT. A JWE in compact serialization format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. if is null. if is null. if is null. if , , , and/or are present inside of . A JWS in Compact Serialization Format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWT. Defines the security key and algorithm that will be used to encrypt the JWT. if is null. if is null. if is null. A JWE in compact serialization format. 
Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWT. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. if is null. if is null. if is null. if is null. if , , , and/or are present inside of . A JWE in compact serialization format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the compression algorithm that will be used to compress the JWT token payload. A JWE in compact serialization format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWT. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the compression algorithm that will be used to compress the JWT token payload. if is null. if is null. if is null. if is null. A JWE in compact serialization format. Creates a JWE (Json Web Encryption). A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWT. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the compression algorithm that will be used to compress the JWT token payload. Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. Defines the dictionary containing any custom header claims that need to be added to the inner JWT token header. if is null. if is null. if is null. if is null. if is null. if , , , and/or are present inside of . A JWE in compact serialization format. Creates a JWE (Json Web Encryption). 
A string containing JSON which represents the JWT token payload. Defines the security key and algorithm that will be used to sign the JWT. Defines the security key and algorithm that will be used to encrypt the JWT. Defines the compression algorithm that will be used to compress the JWT token payload. Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. if is null. if is null. if is null. if is null. if is null. if , , , and/or are present inside of . A JWE in compact serialization format. Compress a JWT token string. if is null. if is null. if the compression algorithm is not supported. Compressed JWT token bytes. Creates a from a . The to use as a source. Contains parameters for validating the token. A containing the . Decrypts a JWE and returns the clear text the JWE that contains the cypher text. contains crypto material. the decoded / cleartext contents of the JWE. if is null. if is null. if ' .Enc' is null or empty. if decompression failed. if ' .Kid' is not null AND decryption fails. if the JWE was not able to be decrypted. Encrypts a JWS. A 'JSON Web Token' (JWT) in JWS Compact Serialization Format. Defines the security key and algorithm that will be used to encrypt the . if is null or empty. if is null. if both and . are null. if the CryptoProviderFactory being used does not support the (algorithm), pair. if unable to create a token encryption provider for the (algorithm), pair. if encryption fails using the (algorithm), pair. if not using one of the supported content encryption key (CEK) algorithms: 128, 384 or 512 AesCbcHmac (this applies in the case of key wrap only, not direct encryption). Encrypts a JWS. A 'JSON Web Token' (JWT) in JWS Compact Serialization Format. Defines the security key and algorithm that will be used to encrypt the . Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. if is null or empty. if is null. if is null. 
if both and . are null. if the CryptoProviderFactory being used does not support the (algorithm), pair. if unable to create a token encryption provider for the (algorithm), pair. if encryption fails using the (algorithm), pair. if not using one of the supported content encryption key (CEK) algorithms: 128, 384 or 512 AesCbcHmac (this applies in the case of key wrap only, not direct encryption). Encrypts a JWS. A 'JSON Web Token' (JWT) in JWS Compact Serialization Format. Defines the security key and algorithm that will be used to encrypt the . Defines the compression algorithm that will be used to compress the 'innerJwt'. if is null or empty. if is null. if is null or empty. if both and . are null. if the CryptoProviderFactory being used does not support the (algorithm), pair. if unable to create a token encryption provider for the (algorithm), pair. if compression using fails. if encryption fails using the (algorithm), pair. if not using one of the supported content encryption key (CEK) algorithms: 128, 384 or 512 AesCbcHmac (this applies in the case of key wrap only, not direct encryption). Encrypts a JWS. A 'JSON Web Token' (JWT) in JWS Compact Serialization Format. Defines the security key and algorithm that will be used to encrypt the . Defines the compression algorithm that will be used to compress the Defines the dictionary containing any custom header claims that need to be added to the outer JWT token header. if is null or empty. if is null. if is null or empty. if is null or empty. if both and . are null. if the CryptoProviderFactory being used does not support the (algorithm), pair. if unable to create a token encryption provider for the (algorithm), pair. if compression using 'algorithm' fails. if encryption fails using the (algorithm), pair. if not using one of the supported content encryption key (CEK) algorithms: 128, 384 or 512 AesCbcHmac (this applies in the case of key wrap only, not direct encryption). Returns a to use when decrypting a JWE. 
The the token that is being decrypted. The that is being decrypted. A required for validation. Returns a to use for signature validation. If key fails to resolve, then null is returned Converts a string into an instance of . A 'JSON Web Token' (JWT) in JWS or JWE Compact Serialization Format. A is null or empty. 'token.Length' is greater than . If the is in JWE Compact Serialization format, only the protected header will be deserialized. This method is unable to decrypt the payload. Use to obtain the payload. Converts a string into an instance of . A 'JSON Web Token' (JWT) in JWS or JWE Compact Serialization Format. A is null or empty. 'token.Length' is greater than . Validates a JWS or a JWE. A 'JSON Web Token' (JWT) in JWS or JWE Compact Serialization Format. A required for validation. A Private method for token validation, responsible for: (1) Obtaining a configuration from the . (2) Revalidating using the Last Known Good Configuration (if present), and obtaining a refreshed configuration (if necessary) and revalidating using it. The JWS string, only to be supplied if the token is a JWS. The outer token of the JWE, only to be supplied if the token is a JWE. The inner decrypted token of the JWE, only to be supplied if the token is a JWE. The to be used for validation. Validates the JWT signature. Obtains a and validates the signature. Bytes to validate. Signature to compare against. to use. Crypto algorithm to use. The being validated. Priority will be given to over . 'true' if signature is valid. Constants for Json Web Tokens. Short header type. Long header type. Short token type. Long token type. JWS - Token format: 'header.payload.signature'. Signature is optional, but '.' is required. JWE - Token format: 'protectedheader.encryptedkey.iv.cyphertext.authenticationtag'. The number of parts in a JWE token. The number of parts in a JWS token. The maximum number of parts in a JWT. JWE header alg indicating a shared symmetric key is directly used as CEK. 
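The format check and the JWS/JWE format constants described above only establish that a string has the shape of a compact serialization; as the constructor remarks state, decoding is not validation. The following is an added example, not code from Microsoft.IdentityModel.JsonWebTokens: a Python re-implementation of the shape rules the page states (three-part JWS with an optional signature, five-part JWE whose encrypted key, IV and tag may be empty), with a header decode that lists why the token is still untrusted. The names `classify`, `triage` and `MAX_TOKEN_LENGTH` and all sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import re

SEGMENT = re.compile(r"[A-Za-z0-9_-]*")  # base64url alphabet used by the page's patterns
MAX_TOKEN_LENGTH = 256 * 1024            # assumed cap; the page elides the real limit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify(token):
    """Return 'JWS', 'JWE' or None from the shape of the compact serialization."""
    if not token or not token.strip() or len(token) > MAX_TOKEN_LENGTH:
        return None
    parts = token.split(".")
    if not all(SEGMENT.fullmatch(p) for p in parts):
        return None
    if len(parts) == 3 and parts[0] and parts[1]:
        return "JWS"  # the signature segment may be empty, the dots may not be missing
    if len(parts) == 5 and parts[0] and parts[3]:
        return "JWE"  # encrypted key, IV and authentication tag may be empty strings
    return None


def triage(token):
    """Decode (not validate) the header and list reasons the token is still untrusted."""
    kind = classify(token)
    if kind is None:
        return {"kind": None, "alg": "", "findings": ["not a compact JWS or JWE"]}
    parts = token.split(".")
    findings = ["decoded only, not validated"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except ValueError:
        return {"kind": kind, "alg": "", "findings": findings + ["header is not base64url JSON"]}
    alg = header.get("alg", "")
    alg = alg if isinstance(alg, str) else ""  # missing 'alg' reads as an empty string
    if kind == "JWS" and parts[2] == "":
        findings.append("unsigned: empty signature segment")
    if alg == "" or alg.lower() == "none":
        findings.append("no signing or key-management algorithm declared")
    if kind == "JWE" and parts[1] == "" and alg != "dir":
        findings.append("empty encrypted key but alg is not 'dir'")
    return {"kind": kind, "alg": alg, "findings": findings}


# Constructed sample tokens (no real keys, MACs or ciphertext).
PAYLOAD = b64url(b'{"sub":"alice"}')
UNSIGNED = b64url(b'{"alg":"none","typ":"JWT"}') + "." + PAYLOAD + "."
BOGUS_SIG = b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + PAYLOAD + "." + b64url(b"not-a-real-mac")
JWE_DIR = ".".join([b64url(b'{"alg":"dir","enc":"A128CBC-HS256"}'), "",
                    b64url(b"iv"), b64url(b"ct"), b64url(b"tag")])

if __name__ == "__main__":
    for name, tok in [("unsigned", UNSIGNED), ("bogus-sig", BOGUS_SIG), ("jwe-dir", JWE_DIR)]:
        print(name, triage(tok))
```

A token with a fabricated signature and a genuinely signed one are indistinguishable at this stage; only signature validation against a trusted key separates them.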
List of header parameter names see: https://datatracker.ietf.org/doc/html/rfc7519#section-5. See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10 Also: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2 See: https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.7.1.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9 Also: https://datatracker.ietf.org/doc/html/rfc7519#section-5.1 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 See: https://datatracker.ietf.org/doc/html/rfc7515#page-12 See: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5 See: https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.3 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.1 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2 See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.3 
List of registered claims from different sources https://datatracker.ietf.org/doc/html/rfc7519#section-4 http://openid.net/specs/openid-connect-core-1_0.html#IDToken https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout https://datatracker.ietf.org/doc/html/rfc7519#section-5 Represents the parameters needed to decrypt a JSON Web Token Gets or sets signature algorithm that was used to create the signature. Gets or sets the AuthenticationTag from the original raw data of this instance when it was created. Gets or sets the Ciphertext from the original raw data of this instance when it was created. Gets or sets the function used to attempt decompression with. Gets or sets the encryption algorithm (Enc) of the token. Gets the EncodedHeader from the original raw data of this instance when it was created. Gets or sets the EncodedHeader from the original raw data of this instance when it was created. Gets or sets the InitializationVector from the original raw data of this instance when it was created. Gets or sets the collection of s to attempt to decrypt with. Gets or sets the 'value' of the 'zip' claim. A class which contains useful methods for processing JWT tokens. Regex that is used to figure out if a token is in JWS format. Regex that is used to figure out if a token is in JWE format. Produces a signature over the . 
String to be signed. The that contain crypto specs used to sign the token. The base64url-encoded signature over the bytes obtained from UTF8Encoding.GetBytes( 'input' ). 'input' or 'signingCredentials' is null. Produces a signature over the . String to be signed. The that contain crypto specs used to sign the token. should the be cached. The base64url-encoded signature over the bytes obtained from UTF8Encoding.GetBytes( 'input' ). or is null. Decompress JWT token bytes. if is null. if is null. if the decompression is not supported. if decompression using fails. Decompressed JWT token. Decrypts a Json Web Token. The Json Web Token. The validation parameters containing cryptographic material. The decryption parameters container. The decrypted, and if the 'zip' claim is set, decompressed string representation of the token. Generates key bytes. Gets all decryption keys. Gets the using the number of seconds from 1970-01-01T0:0:0Z (UTC). Claim in the payload that should map to an integer, float, or string. The payload that contains the desired claim value. If the claim is not found, the function returns: If the value of the claim cannot be parsed into a long. The representation of a claim. Returns a to use when validating the signature of a token. The kid field of the token being validated. The x5t field of the token being validated. A required for validation. The that will be used along with the to resolve the signing key. Returns a to use for signature validation. If key fails to resolve, then null is returned. Returns a to use when validating the signature of a token. The kid field of the token being validated. The x5t field of the token being validated. A required for validation. Returns a to use for signature validation. If key fails to resolve, then null is returned. Log messages and codes