How to override the certificate resolver

In this article

    To override the default behavior of JWT security token validation is required when you deploy your application in a restricted environment where you have no access to the certificate store. This is the case when you deploy to a cloud application server.

    When you override the security token validation routine, you need only 1 certificate, SuperOfficeFederatedLogin.crt. If you use the default PeerTrust validation, you need all 3 certificates.

    This override short-circuits the PeerTrust validation, or certificate dependencies, by setting the CertificateValidator property to None.

    tokenHandler.CertificateValidator = X509CertificateValidator.None;

    This allows the certificate routines to bypass certificate validation, and directly validate the JWT security token with the provided certificate.


    • Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
    • CertificateValidator property is set to None.
    • The certificate type must be X509Certificate2.

    For JWT security tokens, the application must override the JwtIssuerSigningCertificate property.

    The  X509Certificate2 constructor accepts a file name argument and is the file name of the certificate that will be used to validate the security token.

    The full path to the  App_Data folder containing SuperOfficeFederatedLogin.crt is passed to the constructor.

    public SuperIdToken ValidateToken(string token)
        var tokenHandler = new SuperIdTokenHandler();
        tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(
           HttpContext.Current.Server.MapPath("~/App_Data/") + "SuperOfficeFederatedLogin.crt"
        // Change subdomain for correct environment (sod, stage, online).
        tokenHandler.ValidIssuer = "";
        tokenHandler.CertificateValidator = X509CertificateValidator.None;
        return tokenHandler.ValidateToken(token, TokenType.Jwt);

    The ValidateToken method will return a SuperIdToken populated with all the claims returned by SuperOffice CRM Online.

    This operation will fail if the token is not JWT or if the certificate is missing.