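//-----------------------------------------------------------------------
// <copyright file="SecurityTokenHandlerConfiguration.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
//-----------------------------------------------------------------------

namespace System.IdentityModel.Tokens
{
    using System;
    using System.IdentityModel;
    using System.IdentityModel.Configuration;
    using System.IdentityModel.Selectors;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Security;

    /// <summary>
    /// Configuration common to all SecurityTokenHandlers.
    /// </summary>
    /// <remarks>
    /// This type is a settings container only; it performs no token or certificate
    /// validation itself. Security-relevant points a deployer should know:
    /// <list type="bullet">
    /// <item>Replay detection is OFF by default (<see cref="DefaultDetectReplayedTokens"/>),
    /// and replay-cache entries never expire by default
    /// (<see cref="DefaultTokenReplayCacheExpirationPeriod"/> is <see cref="TimeSpan.MaxValue"/>).</item>
    /// <item>Handlers validate issuer certificates through <see cref="CertificateValidator"/>.
    /// <see cref="CertificateValidationMode"/>, <see cref="RevocationMode"/> and
    /// <see cref="TrustedStoreLocation"/> are stored as plain values: assigning them on an
    /// existing instance does not rebuild <see cref="CertificateValidator"/>. A caller that
    /// changes the mode at runtime must also assign a matching validator (for example one
    /// produced by <c>X509Util.CreateCertificateValidator</c>).</item>
    /// <item><see cref="DefaultCertificateValidator"/> is built once, from the static defaults,
    /// when the type is initialized; later changes to the default modes cannot affect it.</item>
    /// </list>
    /// </remarks>
    public class SecurityTokenHandlerConfiguration
    {
#pragma warning disable 1591
        /// <summary>
        /// Gets a value indicating whether or not to detect replayed tokens by default.
        /// </summary>
        /// <remarks>
        /// Defaults to <c>false</c>: a captured token can be presented again within its
        /// validity window unless <see cref="DetectReplayedTokens"/> is enabled.
        /// </remarks>
        public static readonly bool DefaultDetectReplayedTokens; // false

        /// <summary>
        /// Gets the default issuer name registry.
        /// </summary>
        public static readonly IssuerNameRegistry DefaultIssuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();

        /// <summary>
        /// Gets the default issuer token resolver.
        /// </summary>
        public static readonly SecurityTokenResolver DefaultIssuerTokenResolver = System.IdentityModel.Tokens.IssuerTokenResolver.DefaultInstance;

        /// <summary>
        /// Gets the default maximum clock skew.
        /// </summary>
        public static readonly TimeSpan DefaultMaxClockSkew = new TimeSpan(0, 5, 0); // 5 minutes

        /// <summary>
        /// Gets a value indicating whether or not to save bootstrap tokens by default.
        /// </summary>
        public static readonly bool DefaultSaveBootstrapContext; // false

        /// <summary>
        /// Gets the default token replay cache expiration period.
        /// </summary>
        /// <remarks>
        /// <see cref="TimeSpan.MaxValue"/> means entries are never aged out of the replay cache.
        /// When replay detection is enabled, consider setting
        /// <see cref="TokenReplayCacheExpirationPeriod"/> to the longest token lifetime plus
        /// <see cref="MaxClockSkew"/> so the cache stays bounded.
        /// </remarks>
        public static readonly TimeSpan DefaultTokenReplayCacheExpirationPeriod = TimeSpan.MaxValue;

        // The below 3 defaults were moved from IdentityConfiguration class as we can not have service configuration in IdentityModel.

        /// <summary>
        /// Gets the default X.509 certificate validation mode.
        /// </summary>
        public static readonly X509CertificateValidationMode DefaultCertificateValidationMode = IdentityConfiguration.DefaultCertificateValidationMode;

        /// <summary>
        /// Gets the default X.509 certificate revocation validation mode.
        /// </summary>
        public static readonly X509RevocationMode DefaultRevocationMode = IdentityConfiguration.DefaultRevocationMode;

        /// <summary>
        /// Gets the default X.509 certificate trusted store location.
        /// </summary>
        public static readonly StoreLocation DefaultTrustedStoreLocation = IdentityConfiguration.DefaultTrustedStoreLocation;

        /// <summary>
        /// Gets the default X.509 certificate validator instance.
        /// </summary>
        /// <remarks>
        /// Built once from <see cref="DefaultCertificateValidationMode"/>,
        /// <see cref="DefaultRevocationMode"/> and <see cref="DefaultTrustedStoreLocation"/>;
        /// the three mode fields above must be initialized first, which their textual order guarantees.
        /// </remarks>
        public static readonly X509CertificateValidator DefaultCertificateValidator = X509Util.CreateCertificateValidator(DefaultCertificateValidationMode, DefaultRevocationMode, DefaultTrustedStoreLocation);
#pragma warning restore 1591

        private AudienceRestriction audienceRestriction = new AudienceRestriction();
        private X509CertificateValidator certificateValidator = DefaultCertificateValidator;
        private X509CertificateValidationMode certificateValidationMode = DefaultCertificateValidationMode;
        private X509RevocationMode revocationMode = DefaultRevocationMode;
        private StoreLocation trustedStoreLocation = DefaultTrustedStoreLocation;
        private bool detectReplayedTokens = DefaultDetectReplayedTokens;
        private IssuerNameRegistry issuerNameRegistry = DefaultIssuerNameRegistry;
        private SecurityTokenResolver issuerTokenResolver = DefaultIssuerTokenResolver;
        private TimeSpan maxClockSkew = DefaultMaxClockSkew;
        private bool saveBootstrapContext = DefaultSaveBootstrapContext;
        private SecurityTokenResolver serviceTokenResolver = EmptySecurityTokenResolver.Instance;
        private TimeSpan tokenReplayCacheExpirationPeriod = DefaultTokenReplayCacheExpirationPeriod;
        private IdentityModelCaches caches = new IdentityModelCaches();

        /// <summary>
        /// Creates an instance of <see cref="SecurityTokenHandlerConfiguration"/>
        /// populated with the static defaults declared on this type.
        /// </summary>
        public SecurityTokenHandlerConfiguration()
        {
        }

        /// <summary>
        /// Gets or sets the AudienceRestriction.
        /// </summary>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public AudienceRestriction AudienceRestriction
        {
            get
            {
                return this.audienceRestriction;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.audienceRestriction = value;
            }
        }

        /// <summary>
        /// Gets or sets the certificate validator used by handlers to validate issuer certificates.
        /// </summary>
        /// <remarks>
        /// This is the object handlers actually consult. It is independent of
        /// <see cref="CertificateValidationMode"/>, <see cref="RevocationMode"/> and
        /// <see cref="TrustedStoreLocation"/>; changing those properties on an instance
        /// does not replace the validator held here.
        /// </remarks>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public X509CertificateValidator CertificateValidator
        {
            get
            {
                return this.certificateValidator;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.certificateValidator = value;
            }
        }

        /// <summary>
        /// Gets or sets the X.509 revocation mode used by handlers to validate issuer certificates.
        /// </summary>
        /// <remarks>
        /// Stored as a plain value; the setter does not rebuild <see cref="CertificateValidator"/>.
        /// No range check is performed on the enum value.
        /// </remarks>
        public X509RevocationMode RevocationMode
        {
            get { return this.revocationMode; }
            set { this.revocationMode = value; }
        }

        /// <summary>
        /// Gets or sets the trusted store location used by handlers to validate issuer certificates.
        /// </summary>
        /// <remarks>
        /// Stored as a plain value; the setter does not rebuild <see cref="CertificateValidator"/>.
        /// No range check is performed on the enum value.
        /// </remarks>
        public StoreLocation TrustedStoreLocation
        {
            get { return this.trustedStoreLocation; }
            set { this.trustedStoreLocation = value; }
        }

        /// <summary>
        /// Gets or sets the certificate validation mode used by handlers to validate issuer certificates.
        /// </summary>
        /// <remarks>
        /// Stored as a plain value; the setter does not rebuild <see cref="CertificateValidator"/>.
        /// No range check is performed on the enum value.
        /// </remarks>
        public X509CertificateValidationMode CertificateValidationMode
        {
            get { return this.certificateValidationMode; }
            set { this.certificateValidationMode = value; }
        }

        /// <summary>
        /// Gets or sets a value indicating whether to detect replaying of tokens by handlers in this configuration.
        /// </summary>
        /// <remarks>
        /// Off by default. Enabling it only helps if the replay cache in <see cref="Caches"/>
        /// is shared by every node that validates the same tokens; a per-node cache cannot
        /// see a replay against a different node.
        /// </remarks>
        public bool DetectReplayedTokens
        {
            get { return this.detectReplayedTokens; }
            set { this.detectReplayedTokens = value; }
        }

        /// <summary>
        /// Gets or sets the IssuerNameRegistry.
        /// </summary>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public IssuerNameRegistry IssuerNameRegistry
        {
            get
            {
                return this.issuerNameRegistry;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.issuerNameRegistry = value;
            }
        }

        /// <summary>
        /// Gets or sets the IssuerTokenResolver.
        /// </summary>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public SecurityTokenResolver IssuerTokenResolver
        {
            get
            {
                return this.issuerTokenResolver;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.issuerTokenResolver = value;
            }
        }

        /// <summary>
        /// Gets or sets the maximum clock skew for handlers using this config.
        /// </summary>
        /// <remarks>
        /// Negative values are rejected; <see cref="TimeSpan.Zero"/> is accepted and allows
        /// no tolerance. Larger values widen the window in which an expired or not-yet-valid
        /// token is still accepted, so keep this as small as the deployment's clock
        /// synchronization permits.
        /// </remarks>
        /// <exception cref="ArgumentOutOfRangeException">Thrown when the value set is negative.</exception>
        public TimeSpan MaxClockSkew
        {
            get
            {
                return this.maxClockSkew;
            }

            set
            {
                if (value < TimeSpan.Zero)
                {
                    throw DiagnosticUtility.ThrowHelperArgumentOutOfRange("value", value, SR.GetString(SR.ID2070));
                }

                this.maxClockSkew = value;
            }
        }

        /// <summary>
        /// Gets or sets a value indicating whether BootstrapContext is saved in the ClaimsIdentity and Sessions after token validation.
        /// </summary>
        /// <remarks>
        /// Off by default. NOTE(review): saving the bootstrap context presumably retains the
        /// original token in the identity and session; enable it only when a component
        /// downstream needs the raw token — confirm against the handlers that consume it.
        /// </remarks>
        public bool SaveBootstrapContext
        {
            get { return this.saveBootstrapContext; }
            set { this.saveBootstrapContext = value; }
        }

        /// <summary>
        /// Gets or sets the TokenResolver that resolves Service tokens.
        /// </summary>
        /// <remarks>
        /// Defaults to <c>EmptySecurityTokenResolver.Instance</c>, which by its name resolves
        /// nothing; handlers that need a service credential must be given a real resolver.
        /// </remarks>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public SecurityTokenResolver ServiceTokenResolver
        {
            get
            {
                return this.serviceTokenResolver;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.serviceTokenResolver = value;
            }
        }

        /// <summary>
        /// Gets or sets the Caches that are used.
        /// </summary>
        /// <exception cref="ArgumentNullException">Thrown when the value set is null.</exception>
        public IdentityModelCaches Caches
        {
            get
            {
                return this.caches;
            }

            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }

                this.caches = value;
            }
        }

        /// <summary>
        /// Gets or sets the expiration period for items placed in the TokenReplayCache.
        /// </summary>
        /// <remarks>
        /// Zero and negative values are rejected. The default, <see cref="TimeSpan.MaxValue"/>,
        /// never expires entries; bound it to the token lifetime plus <see cref="MaxClockSkew"/>
        /// when replay detection is on so the cache cannot grow without limit.
        /// </remarks>
        /// <exception cref="ArgumentOutOfRangeException">Thrown when the value set is zero or negative.</exception>
        public TimeSpan TokenReplayCacheExpirationPeriod
        {
            get
            {
                return this.tokenReplayCacheExpirationPeriod;
            }

            set
            {
                if (value <= TimeSpan.Zero)
                {
                    throw DiagnosticUtility.ThrowHelperArgumentOutOfRange("value", value, SR.GetString(SR.ID0016));
                }

                this.tokenReplayCacheExpirationPeriod = value;
            }
        }
    }
}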