TokenValidationParameters Class

Reference

Definition

Namespace:: Microsoft.IdentityModel.Tokens

Assembly:: Microsoft.IdentityModel.Tokens.dll

Package:: Microsoft.IdentityModel.Tokens v8.1.2

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Contains a set of parameters that are used by a SecurityTokenHandler when validating a SecurityToken.

public class TokenValidationParameters

type TokenValidationParameters = class

Public Class TokenValidationParameters

Inheritance: Object
TokenValidationParameters

Constructors

TokenValidationParameters()	Initializes a new instance of the TokenValidationParameters class.
TokenValidationParameters(TokenValidationParameters)	Copy constructor for TokenValidationParameters.

Fields

DefaultAuthenticationType	This is the default value of AuthenticationType when creating a ClaimsIdentity. The value is `"AuthenticationTypes.Federation"`. To change the value, set AuthenticationType to a different value.
DefaultClockSkew	Default for the clock skew.
DefaultMaximumTokenSizeInBytes	Default for the maximum token size.

Properties

ActorValidationParameters	Gets or sets TokenValidationParameters.
AlgorithmValidator	Gets or sets a delegate used to validate the cryptographic algorithm used.
AudienceValidator	Gets or sets a delegate that will be used to validate the audience.
AuthenticationType	Gets or sets the AuthenticationType when creating a ClaimsIdentity.
ClockSkew	Gets or sets the clock skew to apply when validating a time.
ConfigurationManager	If set, this property will be used to obtain the issuer and signing keys associated with the metadata endpoint of Issuer. The obtained issuer and signing keys will then be used along with those present on the TokenValidationParameters for validation of the incoming token.
CryptoProviderFactory	Users can override the default CryptoProviderFactory with this property. This factory will be used for creating signature providers.
DebugId	Gets or sets a string that helps with setting breakpoints when debugging.
IgnoreTrailingSlashWhenValidatingAudience	Gets or sets a boolean that controls if a '/' is significant at the end of the audience. The default is `true`.
IncludeTokenOnFailedValidation	Gets or sets the flag that indicates whether to include the SecurityToken when the validation fails.
InstancePropertyBag	Gets a IDictionary<TKey,TValue> that is unique to this instance. Calling Clone() will result in a new instance of this IDictionary.
IsClone	Gets a value indicating if Clone() was called to obtain this instance.
IssuerSigningKey	Gets or sets the SecurityKey that is to be used for signature validation.
IssuerSigningKeyResolver	Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation.
IssuerSigningKeyResolverUsingConfiguration	Gets or sets a delegate that will be called to retrieve a SecurityKey used for signature validation using the TokenValidationParameters and BaseConfiguration.
IssuerSigningKeys	Gets or sets an IEnumerable<T> used for signature validation.
IssuerSigningKeyValidator	Gets or sets a delegate for validating the SecurityKey that signed the token.
IssuerSigningKeyValidatorUsingConfiguration	Gets or sets a delegate for validating the SecurityKey that signed the token.
IssuerValidator	Gets or sets a delegate that will be used to validate the issuer of the token.
IssuerValidatorUsingConfiguration	Gets or sets a delegate that will be used to validate the issuer of the token.
LifetimeValidator	Gets or sets a delegate that will be used to validate the lifetime of the token
LogTokenId	Gets or sets a Boolean that will decide if the token identifier claim needs to be logged. Default value is `true`.
LogValidationExceptions	Gets or sets a Boolean that will decide if validation failure needs to be logged as an error. Default value is `true` for backward compatibility of the behavior. If set to false, validation failures are logged as Information and then thrown.
NameClaimType	Gets or sets a String that defines the NameClaimType.
NameClaimTypeRetriever	Gets or sets a delegate that will be called to set the property NameClaimType after validating a token.
PropertyBag	Gets or sets the IDictionary<TKey,TValue> that contains a collection of custom key/value pairs. This allows addition of parameters that could be used in custom token validation scenarios.
RefreshBeforeValidation	Gets or sets a boolean to control if configuration required to be refreshed before token validation.
RequireAudience	Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction. The default is `true`.
RequireExpirationTime	Gets or sets a value indicating whether tokens must have an 'expiration' value. The default is `true`.
RequireSignedTokens	Gets or sets a value indicating whether a SecurityToken can be considered valid if not signed. The default is `true`.
RoleClaimType	Gets or sets the String that defines the RoleClaimType.
RoleClaimTypeRetriever	Gets or sets a delegate that will be called to set the property RoleClaimType after validating a token.
SaveSigninToken	Gets or sets a boolean to control if the original token should be saved after the security token is validated.
SignatureValidator	Gets or sets a delegate that will be used to validate the signature of the token.
SignatureValidatorUsingConfiguration	Gets or sets a delegate that will be used to validate the signature of the token using the TokenValidationParameters and the BaseConfiguration.
TokenDecryptionKey	Gets or sets the SecurityKey that is to be used for decryption.
TokenDecryptionKeyResolver	Gets or sets a delegate that will be called to retreive a SecurityKey used for decryption.
TokenDecryptionKeys	Gets or sets the IEnumerable<T> that is to be used for decrypting inbound tokens.
TokenReader	Gets or sets a delegate that will be used to read the token.
TokenReplayCache	Gets or set the ITokenReplayCache that store tokens that can be checked to help detect token replay.
TokenReplayValidator	Gets or sets a delegate that will be used to validate the token replay of the token
TransformBeforeSignatureValidation	Gets or sets a delegate that will be called to transform a token to a supported format before validation.
TryAllIssuerSigningKeys	Gets or sets a value indicating whether all IssuerSigningKeys should be tried during signature validation when a key is not matched to token kid or if token kid is empty. The default is `true`.
TypeValidator	Gets or sets a delegate that will be used to validate the type of the token. If the token type cannot be validated, an exception MUST be thrown by the delegate. Note: the 'type' parameter may be null if it couldn't be extracted from its usual location. Implementations that need to resolve it from a different location can use the 'token' parameter.
ValidAlgorithms	Gets or sets the valid algorithms for cryptographic operations.
ValidateActor	Gets or sets a value indicating if an actor token is detected, whether it should be validated. The default is `false`.
ValidateAudience	Gets or sets a boolean to control if the audience will be validated during token validation.
ValidateIssuer	Gets or sets a boolean to control if the issuer will be validated during token validation.
ValidateIssuerSigningKey	Gets or sets a boolean that controls if validation of the SecurityKey that signed the securityToken is called.
ValidateLifetime	Gets or sets a boolean to control if the lifetime will be validated during token validation.
ValidateSignatureLast	Gets or sets a boolean that controls the validation order of the payload and signature during token validation.
ValidateTokenReplay	Gets or sets a boolean to control if the token replay will be validated during token validation.
ValidateWithLKG	Gets or sets a boolean to control if the LKG configuration will be used for token validation.
ValidAudience	Gets or sets a string that represents a valid audience that will be used to check against the token's audience. The default is `null`.
ValidAudiences	Gets or sets the IEnumerable<T> that contains valid audiences that will be used to check against the token's audience. The default is `null`.
ValidIssuer	Gets or sets a String that represents a valid issuer that will be used to check against the token's issuer. The default is `null`.
ValidIssuers	Gets or sets the IEnumerable<T> that contains valid issuers that will be used to check against the token's issuer. The default is `null`.
ValidTypes	Gets or sets the IEnumerable<T> that contains valid types that will be used to check against the JWT header's 'typ' claim. If this property is not set, the 'typ' header claim will not be validated and all types will be accepted. In the case of a JWE, this property will ONLY apply to the inner token header. The default is `null`.

Methods

Clone()

Returns a new instance of TokenValidationParameters with values copied from this object.

CreateClaimsIdentity(SecurityToken, String)

Creates a ClaimsIdentity using:

AuthenticationType

'NameClaimType': If NameClaimTypeRetriever is set, call delegate, else call NameClaimType. If the result is a null or empty string, use DefaultNameClaimType

'RoleClaimType': If RoleClaimTypeRetriever is set, call delegate, else call RoleClaimType. If the result is a null or empty string, use DefaultRoleClaimType

Extension Methods

EnableAadSigningKeyIssuerValidation(TokenValidationParameters)	Enables the validation of the issuer of the signing keys used by the Microsoft identity platform (AAD) against the issuer of the token.
EnableEntraIdSigningKeyCloudInstanceValidation(TokenValidationParameters)	Enables validation of the cloud instance of the Microsoft Entra ID token signing keys.

Applies to

Share via