Overriding the default JWT security token validation is required when you deploy your application in a restricted environment where you have no access to the certificate store, for example when you deploy to a cloud application server.
When you override the security token validation routine, you need only one certificate, SuperOfficeFederatedLogin.crt. If you use the default PeerTrust validation, you need all three certificates.
This override short-circuits the PeerTrust validation, and with it the dependency on the other certificates, by setting the CertificateValidator property to None.
tokenHandler.CertificateValidator = X509CertificateValidator.None;
This bypasses certificate chain and trust validation entirely: the JWT signature is verified directly against the certificate you provide. Because nothing else is checked, the security of the validation rests on that file being the genuine SuperOffice certificate, so protect App_Data from modification and verify the deployed certificate against the one you obtained from SuperOffice.
Pre-requisites:
- Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
- The CertificateValidator property is set to None.
- The certificate type must be X509Certificate2.
For JWT security tokens, the application must set the JwtIssuerSigningCertificate property.
The X509Certificate2 constructor accepts a file name argument: the path to the certificate that will be used to validate the security token.
The full path to the App_Data folder containing SuperOfficeFederatedLogin.crt is passed to the constructor.
using System.IdentityModel.Selectors;                 // X509CertificateValidator
using System.Security.Cryptography.X509Certificates;  // X509Certificate2
using System.Web;                                     // HttpContext
// plus the SuperOffice SuperID client namespaces that provide SuperIdTokenHandler, SuperIdToken and TokenType

public SuperIdToken ValidateToken(string token)
{
    var tokenHandler = new SuperIdTokenHandler();

    // Pin the single SuperOffice signing certificate shipped in App_Data.
    tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(
        HttpContext.Current.Server.MapPath("~/App_Data/") + "SuperOfficeFederatedLogin.crt"
    );

    // Change subdomain for correct environment (sod, stage, online).
    tokenHandler.ValidIssuer = "https://sod.superoffice.com";

    // Skip PeerTrust chain validation; trust rests on the pinned certificate above.
    tokenHandler.CertificateValidator = X509CertificateValidator.None;

    return tokenHandler.ValidateToken(token, TokenType.Jwt);
}
The ValidateToken method returns a SuperIdToken populated with all the claims issued by SuperOffice CRM Online.
The call fails if the token is not a JWT, if its signature does not verify against the pinned certificate, or if the certificate file is missing.
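The following is an added example, not code from the SuperOffice documentation or SDK. It shows the trust model the CertificateValidator.None override leaves you with: signature, issuer and lifetime are checked against one pinned certificate and no chain is built. It uses the standard System.IdentityModel.Tokens.Jwt handler (JwtSecurityTokenHandler) instead of SuperIdTokenHandler so that each check is visible, and it adds a thumbprint pin because, with chain validation off, nothing else confirms the .crt on disk is genuine. Only the issuer URL comes from the page; the expected thumbprint, the LoadPinnedCertificate helper, the certificate subjects and the claims in the demonstration are constructed assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Added example (not SuperOffice code): JWT validation against one pinned
// signing certificate, the trust model that CertificateValidator.None relies on.
public static class PinnedCertificateJwtValidation
{
    // Issuer from the documentation (sod environment); change for stage/online.
    public const string Issuer = "https://sod.superoffice.com";

    // With chain validation disabled, nothing else confirms the .crt on disk is
    // genuine: compare its thumbprint with the value recorded at deployment and
    // refuse an expired certificate. The expected thumbprint is an operator-supplied
    // assumption; it is not published on this page.
    public static X509Certificate2 PinCertificate(X509Certificate2 cert, string expectedThumbprint)
    {
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenException("Signing certificate does not match the pinned thumbprint.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new SecurityTokenException("Pinned signing certificate has expired.");
        return cert;
    }

    // Hypothetical loader for App_Data/SuperOfficeFederatedLogin.crt.
    public static X509Certificate2 LoadPinnedCertificate(string path, string expectedThumbprint)
        => PinCertificate(new X509Certificate2(path), expectedThumbprint);

    // Verify signature, issuer and lifetime against the pinned key only;
    // no certificate chain is built, which is what the override achieves.
    public static ClaimsPrincipal Validate(string token, X509Certificate2 signingCert)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new X509SecurityKey(signingCert),
            ValidateIssuerSigningKey = true,
            ValidIssuer = Issuer,
            ValidateIssuer = true,
            ValidateAudience = false,   // tokens are matched on issuer in this example
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    // Constructed demonstration: mint a self-signed certificate in memory, sign a
    // token with it, then show that a token from a different key is rejected.
    public static void Main()
    {
        X509Certificate2 genuine = NewSelfSigned("CN=constructed-genuine-signer");
        X509Certificate2 rogue = NewSelfSigned("CN=constructed-rogue-signer");

        var pinned = PinCertificate(genuine, genuine.Thumbprint);

        // The handler maps the JWT "sub" claim to ClaimTypes.NameIdentifier by default.
        var principal = Validate(Mint(genuine), pinned);
        Console.WriteLine("accepted sub=" + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        try { Validate(Mint(rogue), pinned); Console.WriteLine("BUG: rogue token accepted"); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected rogue token: " + e.GetType().Name); }

        try { PinCertificate(rogue, genuine.Thumbprint); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected swapped certificate: " + e.Message); }
    }

    private static string Mint(X509Certificate2 cert)
    {
        var creds = new SigningCredentials(new X509SecurityKey(cert), SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            claims: new[] { new Claim("sub", "user@example.com") },   // constructed claim
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    private static X509Certificate2 NewSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var ephemeral = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        // Re-import so the private key is persisted in a form every signing API accepts.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx, "demo"), "demo", X509KeyStorageFlags.Exportable);
    }
}
```

The production path is LoadPinnedCertificate followed by Validate; Main exists only to exercise both outcomes offline. The point of PinCertificate is that once X509CertificateValidator.None is in play, the certificate file is the whole root of trust, so the deployment should carry a second, independent record of which certificate it expects.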