TokenValidationParameters Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Contains a set of parameters that are used by a SecurityTokenHandler when validating a SecurityToken.
public class TokenValidationParameterstype TokenValidationParameters = classPublic Class TokenValidationParameters- Inheritance
-
TokenValidationParameters
Constructors
| TokenValidationParameters() |
Initializes a new instance of the TokenValidationParameters class. |
| TokenValidationParameters(TokenValidationParameters) |
Copy constructor for TokenValidationParameters. |
Fields
| DefaultAuthenticationType |
This is the default value of AuthenticationType when creating a ClaimsIdentity.
The value is |
| DefaultClockSkew |
Default for the clock skew. |
| DefaultMaximumTokenSizeInBytes |
Default for the maximum token size. |
Properties
| ActorValidationParameters |
Gets or sets TokenValidationParameters. |
| AlgorithmValidator |
Gets or sets a delegate used to validate the cryptographic algorithm used. |
| AudienceValidator |
Gets or sets a delegate that will be used to validate the audience. |
| AuthenticationType |
Gets or sets the AuthenticationType when creating a ClaimsIdentity. |
| ClockSkew |
Gets or sets the clock skew to apply when validating a time. |
| ConfigurationManager |
If set, this property will be used to obtain the issuer and signing keys associated with the metadata endpoint of Issuer. The obtained issuer and signing keys will then be used along with those present on the TokenValidationParameters for validation of the incoming token. |
| CryptoProviderFactory |
Users can override the default CryptoProviderFactory with this property. This factory will be used for creating signature providers. |
| DebugId |
Gets or sets a string that helps with setting breakpoints when debugging. |
| IgnoreTrailingSlashWhenValidatingAudience |
Gets or sets a boolean that controls if a '/' is significant at the end of the audience.
The default is |
| IncludeTokenOnFailedValidation |
Gets or sets the flag that indicates whether to include the SecurityToken when the validation fails. |
| InstancePropertyBag |
Gets a IDictionary<TKey,TValue> that is unique to this instance. Calling Clone() will result in a new instance of this IDictionary. |
| IsClone |
Gets a value indicating if Clone() was called to obtain this instance. |
| IssuerSigningKey |
Gets or sets the SecurityKey that is to be used for signature validation. |
| IssuerSigningKeyResolver |
Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation. |
| IssuerSigningKeyResolverUsingConfiguration |
Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation using the TokenValidationParameters and BaseConfiguration. |
| IssuerSigningKeys |
Gets or sets an IEnumerable<T> used for signature validation. |
| IssuerSigningKeyValidator |
Gets or sets a delegate for validating the SecurityKey that signed the token. |
| IssuerSigningKeyValidatorUsingConfiguration |
Gets or sets a delegate for validating the SecurityKey that signed the token. |
| IssuerValidator |
Gets or sets a delegate that will be used to validate the issuer of the token. |
| IssuerValidatorUsingConfiguration |
Gets or sets a delegate that will be used to validate the issuer of the token. |
| LifetimeValidator |
Gets or sets a delegate that will be used to validate the lifetime of the token |
| LogTokenId |
Gets or sets a Boolean that will decide if the token identifier claim needs to be logged.
Default value is |
| LogValidationExceptions |
Gets or sets a Boolean that will decide if validation failure needs to be logged as an error.
Default value is |
| NameClaimType |
Gets or sets a String that defines the NameClaimType. |
| NameClaimTypeRetriever |
Gets or sets a delegate that will be called to set the property NameClaimType after validating a token. |
| PropertyBag |
Gets or sets the IDictionary<TKey,TValue> that contains a collection of custom key/value pairs. This allows addition of parameters that could be used in custom token validation scenarios. |
| RefreshBeforeValidation |
Gets or sets a boolean to control if configuration required to be refreshed before token validation. |
| RequireAudience |
Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction.
The default is |
| RequireExpirationTime |
Gets or sets a value indicating whether tokens must have an 'expiration' value.
The default is |
| RequireSignedTokens |
Gets or sets a value indicating whether a SecurityToken can be considered valid if not signed.
The default is |
| RoleClaimType |
Gets or sets the String that defines the RoleClaimType. |
| RoleClaimTypeRetriever |
Gets or sets a delegate that will be called to set the property RoleClaimType after validating a token. |
| SaveSigninToken |
Gets or sets a boolean to control if the original token should be saved after the security token is validated. |
| SignatureValidator |
Gets or sets a delegate that will be used to validate the signature of the token. |
| SignatureValidatorUsingConfiguration |
Gets or sets a delegate that will be used to validate the signature of the token using the TokenValidationParameters and the BaseConfiguration. |
| TokenDecryptionKey |
Gets or sets the SecurityKey that is to be used for decryption. |
| TokenDecryptionKeyResolver |
Gets or sets a delegate that will be called to retreive a SecurityKey used for decryption. |
| TokenDecryptionKeys |
Gets or sets the IEnumerable<T> that is to be used for decrypting inbound tokens. |
| TokenReader |
Gets or sets a delegate that will be used to read the token. |
| TokenReplayCache |
Gets or set the ITokenReplayCache that store tokens that can be checked to help detect token replay. |
| TokenReplayValidator |
Gets or sets a delegate that will be used to validate the token replay of the token |
| TransformBeforeSignatureValidation |
Gets or sets a delegate that will be called to transform a token to a supported format before validation. |
| TryAllIssuerSigningKeys |
Gets or sets a value indicating whether all IssuerSigningKeys should be tried during signature validation when a key is not matched to token kid or if token kid is empty.
The default is |
| TypeValidator |
Gets or sets a delegate that will be used to validate the type of the token. If the token type cannot be validated, an exception MUST be thrown by the delegate. Note: the 'type' parameter may be null if it couldn't be extracted from its usual location. Implementations that need to resolve it from a different location can use the 'token' parameter. |
| ValidAlgorithms |
Gets or sets the valid algorithms for cryptographic operations. |
| ValidateActor |
Gets or sets a value indicating if an actor token is detected, whether it should be validated.
The default is |
| ValidateAudience |
Gets or sets a boolean to control if the audience will be validated during token validation. |
| ValidateIssuer |
Gets or sets a boolean to control if the issuer will be validated during token validation. |
| ValidateIssuerSigningKey |
Gets or sets a boolean that controls if validation of the SecurityKey that signed the securityToken is called. |
| ValidateLifetime |
Gets or sets a boolean to control if the lifetime will be validated during token validation. |
| ValidateSignatureLast |
Gets or sets a boolean that controls the validation order of the payload and signature during token validation. |
| ValidateTokenReplay |
Gets or sets a boolean to control if the token replay will be validated during token validation. |
| ValidateWithLKG |
Gets or sets a boolean to control if the LKG configuration will be used for token validation. |
| ValidAudience |
Gets or sets a string that represents a valid audience that will be used to check against the token's audience.
The default is |
| ValidAudiences |
Gets or sets the IEnumerable<T> that contains valid audiences that will be used to check against the token's audience.
The default is |
| ValidIssuer |
Gets or sets a String that represents a valid issuer that will be used to check against the token's issuer.
The default is |
| ValidIssuers |
Gets or sets the IEnumerable<T> that contains valid issuers that will be used to check against the token's issuer.
The default is |
| ValidTypes |
Gets or sets the IEnumerable<T> that contains valid types that will be used to check against the JWT header's 'typ' claim.
If this property is not set, the 'typ' header claim will not be validated and all types will be accepted.
In the case of a JWE, this property will ONLY apply to the inner token header.
The default is |
Methods
| Clone() |
Returns a new instance of TokenValidationParameters with values copied from this object. |
| CreateClaimsIdentity(SecurityToken, String) |
Creates a ClaimsIdentity using: 'NameClaimType': If NameClaimTypeRetriever is set, call delegate, else call NameClaimType. If the result is a null or empty string, use DefaultNameClaimType .'RoleClaimType': If RoleClaimTypeRetriever is set, call delegate, else call RoleClaimType. If the result is a null or empty string, use DefaultRoleClaimType . |
Extension Methods
| EnableAadSigningKeyIssuerValidation(TokenValidationParameters) |
Enables the validation of the issuer of the signing keys used by the Microsoft identity platform (AAD) against the issuer of the token. |
Applies to
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for