TokenValidationParameters Class

Definition

Contains a set of parameters that are used by a SecurityTokenHandler when validating a SecurityToken.

C#
public class TokenValidationParameters

F#
type TokenValidationParameters = class

VB
Public Class TokenValidationParameters

Inheritance: TokenValidationParameters

Constructors

TokenValidationParameters()

Initializes a new instance of the TokenValidationParameters class.

TokenValidationParameters(TokenValidationParameters)

Copy constructor for TokenValidationParameters.

Fields

DefaultAuthenticationType

This is the default value of AuthenticationType when creating a ClaimsIdentity. The value is "AuthenticationTypes.Federation". To change the value, set AuthenticationType to a different value.

DefaultClockSkew

Default for the clock skew.

DefaultMaximumTokenSizeInBytes

Default for the maximum token size.

Properties

ActorValidationParameters

Gets or sets TokenValidationParameters.

AlgorithmValidator

Gets or sets a delegate used to validate the cryptographic algorithm used.

AudienceValidator

Gets or sets a delegate that will be used to validate the audience.

AuthenticationType

Gets or sets the AuthenticationType when creating a ClaimsIdentity.

ClockSkew

Gets or sets the clock skew to apply when validating a time.

ConfigurationManager

If set, this property will be used to obtain the issuer and signing keys associated with the metadata endpoint of Issuer. The obtained issuer and signing keys will then be used along with those present on the TokenValidationParameters for validation of the incoming token.

CryptoProviderFactory

Users can override the default CryptoProviderFactory with this property. This factory will be used for creating signature providers.

DebugId

Gets or sets a string that helps with setting breakpoints when debugging.

IgnoreTrailingSlashWhenValidatingAudience

Gets or sets a boolean that controls whether a trailing '/' on the audience is ignored when comparing audiences. The default is true.

IncludeTokenOnFailedValidation

Gets or sets the flag that indicates whether to include the SecurityToken when the validation fails.

InstancePropertyBag

Gets an IDictionary<TKey,TValue> that is unique to this instance. Calling Clone() will result in a new instance of this IDictionary.

IsClone

Gets a value indicating if Clone() was called to obtain this instance.

IssuerSigningKey

Gets or sets the SecurityKey that is to be used for signature validation.

IssuerSigningKeyResolver

Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation.

IssuerSigningKeyResolverUsingConfiguration

Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation using the TokenValidationParameters and BaseConfiguration.

IssuerSigningKeys

Gets or sets an IEnumerable<T> used for signature validation.

IssuerSigningKeyValidator

Gets or sets a delegate for validating the SecurityKey that signed the token.

IssuerSigningKeyValidatorUsingConfiguration

Gets or sets a delegate for validating the SecurityKey that signed the token.

IssuerValidator

Gets or sets a delegate that will be used to validate the issuer of the token.

IssuerValidatorUsingConfiguration

Gets or sets a delegate that will be used to validate the issuer of the token.

LifetimeValidator

Gets or sets a delegate that will be used to validate the lifetime of the token.

LogTokenId

Gets or sets a Boolean that will decide if the token identifier claim needs to be logged. Default value is true.

LogValidationExceptions

Gets or sets a Boolean that will decide if validation failure needs to be logged as an error. Default value is true for backward compatibility of the behavior. If set to false, validation failures are logged as Information and then thrown.

NameClaimType

Gets or sets a String that defines the NameClaimType.

NameClaimTypeRetriever

Gets or sets a delegate that will be called to set the property NameClaimType after validating a token.

PropertyBag

Gets or sets the IDictionary<TKey,TValue> that contains a collection of custom key/value pairs. This allows addition of parameters that could be used in custom token validation scenarios.

RefreshBeforeValidation

Gets or sets a boolean that controls whether the configuration must be refreshed before token validation.

RequireAudience

Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction. The default is true.

RequireExpirationTime

Gets or sets a value indicating whether tokens must have an 'expiration' value. The default is true.

RequireSignedTokens

Gets or sets a value indicating whether a SecurityToken must be signed to be considered valid (if false, an unsigned token can pass validation). The default is true.

RoleClaimType

Gets or sets the String that defines the RoleClaimType.

RoleClaimTypeRetriever

Gets or sets a delegate that will be called to set the property RoleClaimType after validating a token.

SaveSigninToken

Gets or sets a boolean to control if the original token should be saved after the security token is validated.

SignatureValidator

Gets or sets a delegate that will be used to validate the signature of the token.

SignatureValidatorUsingConfiguration

Gets or sets a delegate that will be used to validate the signature of the token using the TokenValidationParameters and the BaseConfiguration.

TokenDecryptionKey

Gets or sets the SecurityKey that is to be used for decryption.

TokenDecryptionKeyResolver

Gets or sets a delegate that will be called to retrieve a SecurityKey used for decryption.

TokenDecryptionKeys

Gets or sets the IEnumerable<T> that is to be used for decrypting inbound tokens.

TokenReader

Gets or sets a delegate that will be used to read the token.

TokenReplayCache

Gets or sets the ITokenReplayCache that stores tokens so that they can be checked to help detect token replay.

TokenReplayValidator

Gets or sets a delegate that will be used to validate the token for replay.

TransformBeforeSignatureValidation

Gets or sets a delegate that will be called to transform a token to a supported format before validation.

TryAllIssuerSigningKeys

Gets or sets a value indicating whether all IssuerSigningKeys should be tried during signature validation when no key matches the token's 'kid' header or the 'kid' is empty. The default is true.

TypeValidator

Gets or sets a delegate that will be used to validate the type of the token. If the token type cannot be validated, an exception MUST be thrown by the delegate. Note: the 'type' parameter may be null if it couldn't be extracted from its usual location. Implementations that need to resolve it from a different location can use the 'token' parameter.

ValidAlgorithms

Gets or sets the valid algorithms for cryptographic operations.

ValidateActor

Gets or sets a value indicating whether an actor token, if one is detected, should be validated. The default is false.

ValidateAudience

Gets or sets a boolean to control if the audience will be validated during token validation.

ValidateIssuer

Gets or sets a boolean to control if the issuer will be validated during token validation.

ValidateIssuerSigningKey

Gets or sets a boolean that controls whether the SecurityKey that signed the SecurityToken is validated.

ValidateLifetime

Gets or sets a boolean to control if the lifetime will be validated during token validation.

ValidateSignatureLast

Gets or sets a boolean that controls the order in which the payload and the signature are validated during token validation; when true, the signature is validated after the payload.

ValidateTokenReplay

Gets or sets a boolean to control if the token replay will be validated during token validation.

ValidateWithLKG

Gets or sets a boolean that controls whether the last known good (LKG) configuration will be used for token validation.

ValidAudience

Gets or sets a string that represents a valid audience that will be used to check against the token's audience. The default is null.

ValidAudiences

Gets or sets the IEnumerable<T> that contains valid audiences that will be used to check against the token's audience. The default is null.

ValidIssuer

Gets or sets a String that represents a valid issuer that will be used to check against the token's issuer. The default is null.

ValidIssuers

Gets or sets the IEnumerable<T> that contains valid issuers that will be used to check against the token's issuer. The default is null.

ValidTypes

Gets or sets the IEnumerable<T> that contains valid types that will be used to check against the JWT header's 'typ' claim. If this property is not set, the 'typ' header claim will not be validated and all types will be accepted. In the case of a JWE, this property will ONLY apply to the inner token header. The default is null.
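The properties above combine into a single validation policy. The following is an added example, not code from the reference page or from the Microsoft.IdentityModel library itself. It assumes the Microsoft.IdentityModel.Tokens and Microsoft.IdentityModel.JsonWebTokens packages; the issuer URL, audience, signing secret and claim values are constructed for the demonstration. Every check is switched on explicitly so that a reviewer can read what the resource server enforces, the accepted algorithm and 'typ' header are pinned, and a token with the wrong audience and an expired token are shown being rejected while a well-formed token is accepted.

```csharp
// Added example (not from the reference page): a hardened TokenValidationParameters
// for a JWT, exercised with JsonWebTokenHandler against constructed tokens.
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class TokenValidationDemo
{
    // Constructed sample secret. A real deployment would use the issuer's asymmetric
    // keys obtained through ConfigurationManager or IssuerSigningKeys, never a literal.
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-secret-at-least-32-bytes!!"));

    private const string Issuer = "https://issuer.example";   // constructed
    private const string Audience = "api://orders";            // constructed

    // Each check is set explicitly rather than relying on library defaults; the weak
    // variant of any line is the same property set to false (or left null).
    public static TokenValidationParameters BuildParameters() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ClockSkew = TimeSpan.FromMinutes(1),          // tighter than DefaultClockSkew
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = SigningKey,
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // only the algorithm the issuer uses
        ValidTypes = new[] { "JWT" },                             // pin the 'typ' header (handler default)
        NameClaimType = "sub",
        RoleClaimType = "roles",
    };

    public static Task<TokenValidationResult> ValidateAsync(string token)
        => new JsonWebTokenHandler().ValidateTokenAsync(token, BuildParameters());

    // Mints constructed tokens so the checks can be exercised offline.
    public static string Mint(string audience, DateTime expires)
    {
        return new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            NotBefore = expires.AddMinutes(-15),
            Expires = expires,
            Claims = new Dictionary<string, object> { ["sub"] = "alice", ["roles"] = "reader" },
            SigningCredentials = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256),
        });
    }

    public static async Task Main()
    {
        var good = await ValidateAsync(Mint(Audience, DateTime.UtcNow.AddMinutes(5)));
        Console.WriteLine($"well-formed token valid: {good.IsValid}, name: {good.ClaimsIdentity?.Name}");

        var wrongAudience = await ValidateAsync(Mint("api://other", DateTime.UtcNow.AddMinutes(5)));
        Console.WriteLine($"wrong audience valid: {wrongAudience.IsValid} ({wrongAudience.Exception?.GetType().Name})");

        var expired = await ValidateAsync(Mint(Audience, DateTime.UtcNow.AddMinutes(-10)));
        Console.WriteLine($"expired token valid: {expired.IsValid} ({expired.Exception?.GetType().Name})");
    }
}
```

The rejected cases surface as TokenValidationResult.IsValid == false with the failure in TokenValidationResult.Exception (an audience or lifetime exception respectively), which is the value a middleware should inspect rather than catching exceptions from the handler.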

Methods

Clone()

Returns a new instance of TokenValidationParameters with values copied from this object.

CreateClaimsIdentity(SecurityToken, String)

Creates a ClaimsIdentity using:

- AuthenticationType
- 'NameClaimType': If NameClaimTypeRetriever is set, call the delegate, else use NameClaimType. If the result is a null or empty string, use DefaultNameClaimType.
- 'RoleClaimType': If RoleClaimTypeRetriever is set, call the delegate, else use RoleClaimType. If the result is a null or empty string, use DefaultRoleClaimType.
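A worked illustration of the NameClaimType and RoleClaimType resolution described above, added here and not part of the reference page or the library. It assumes the System.IdentityModel.Tokens.Jwt package for the JwtSecurityToken constructor, chosen so that a constructed, unsigned token can be handed to CreateClaimsIdentity without being validated; the issuer URLs and claim values are constructed. It shows that when NameClaimTypeRetriever is set, NameClaimType is not consulted at all, and that a null from the retriever falls back to ClaimsIdentity.DefaultNameClaimType rather than to NameClaimType, so Name resolves to null for the second token.

```csharp
// Added example (not from the reference page): how CreateClaimsIdentity picks the
// name and role claim types. The token is constructed and never validated here.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class ClaimsIdentityDemo
{
    private static JwtSecurityToken ConstructedToken(string issuer) => new JwtSecurityToken(
        issuer: issuer,
        audience: "api://orders",                       // constructed
        claims: new[]
        {
            new Claim("preferred_username", "alice@example.test"),
            new Claim("sub", "7b1c"),
            new Claim("roles", "reader"),
        });

    public static ClaimsIdentity Build(string issuer)
    {
        var parameters = new TokenValidationParameters
        {
            // Ignored below: once a retriever is set, NameClaimType is not consulted.
            NameClaimType = "sub",
            // Name claim depends on the issuer; returns null for any other issuer.
            NameClaimTypeRetriever = (token, iss) =>
                iss == "https://idp.example" ? "preferred_username" : null,
            RoleClaimType = "roles",
        };

        JwtSecurityToken token = ConstructedToken(issuer);

        // CreateClaimsIdentity only sets AuthenticationType, NameClaimType and
        // RoleClaimType; a token handler copies the claims in after validation,
        // which is mirrored here by hand.
        ClaimsIdentity identity = parameters.CreateClaimsIdentity(token, issuer);
        identity.AddClaims(token.Claims);
        return identity;
    }

    public static void Main()
    {
        var fromIdp = Build("https://idp.example");
        Console.WriteLine($"{fromIdp.AuthenticationType}: NameClaimType={fromIdp.NameClaimType}, " +
                          $"Name={fromIdp.Name}, reader={fromIdp.HasClaim(fromIdp.RoleClaimType, "reader")}");

        // Retriever returns null here, so NameClaimType becomes ClaimsIdentity.DefaultNameClaimType
        // and Name is null because the token carries no claim of that type.
        var fromOther = Build("https://other.example");
        Console.WriteLine($"{fromOther.AuthenticationType}: NameClaimType={fromOther.NameClaimType}, " +
                          $"Name={fromOther.Name ?? "<null>"}");
    }
}
```

The AuthenticationType printed for both identities is the DefaultAuthenticationType value, since the example never sets AuthenticationType on the parameters.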

Extension Methods

EnableAadSigningKeyIssuerValidation(TokenValidationParameters)

Enables the validation of the issuer of the signing keys used by the Microsoft identity platform (AAD) against the issuer of the token.

EnableEntraIdSigningKeyCloudInstanceValidation(TokenValidationParameters)

Enables validation of the cloud instance of the Microsoft Entra ID token signing keys.
