Updated to use Json Web Keys support which is part of Azure Media Services .NET SDK 3.3.0.0 release

Author: gtrifonov

MediaLibraryWebApp/Controllers/MediaLibraryController.cs

@@ -19,21 +19,18 @@
 using System.IdentityModel.Tokens;
 using System.Linq;
 using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
+using System.Web;
 using System.Web.Mvc;
-using System.Xml;
-using System.Xml.XPath;
 using MediaLibraryWebApp.Models;
+using MediaLibraryWebApp.Utils;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.Owin;
+using Microsoft.Owin.Security.OpenIdConnect;
 using Microsoft.WindowsAzure.MediaServices.Client;
 using Microsoft.WindowsAzure.MediaServices.Client.ContentKeyAuthorization;
 using Microsoft.WindowsAzure.MediaServices.Client.DynamicEncryption;
 using WebGrease.Css.Extensions;
-using System.Web;
-using Microsoft.IdentityModel.Clients.ActiveDirectory;
-using MediaLibraryWebApp.Utils;
-using Microsoft.Owin;
-using Microsoft.Owin.Security.OpenIdConnect;
 using AuthenticationContext = Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext;
 
 namespace MediaLibraryWebApp.Controllers
@@ -237,12 +234,13 @@ public IContentKey AddAuthorizationPolicyToContentKey(string assetID, CloudMedia
 
                 List<ContentKeyAuthorizationPolicyRestriction> restrictions = new List<ContentKeyAuthorizationPolicyRestriction>();
 
-                List<X509Certificate2> certs = GetX509Certificate2FromADMetadataEndpoint();
+               
 
                 TokenRestrictionTemplate template = new TokenRestrictionTemplate();
                 template.TokenType = TokenType.JWT;
-                template.PrimaryVerificationKey = new X509CertTokenVerificationKey(certs[0]);
-                certs.GetRange(1, certs.Count - 1).ForEach(c => template.AlternateVerificationKeys.Add(new X509CertTokenVerificationKey(c)));
+                //Using Active Directory Open ID discovery spec to use Json Web Keys during token verification
+                template.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument("https://login.windows.net/common/.well-known/openid-configuration");
+              
 
 
                 //Ignore Empty claims
@@ -287,7 +285,7 @@ private JwtSecurityToken GetJwtSecurityToken()
             string userObjectID = owinContext.Authentication.User.Claims.First(c => c.Type == Configuration.ClaimsObjectidentifier).Value;
             NaiveSessionCache cache = new NaiveSessionCache(userObjectID);
             AuthenticationContext authContext = new AuthenticationContext(Configuration.Authority, cache);
-            TokenCacheItem kdAPITokenCache = authContext.TokenCache.ReadItems().Where(c => c.Resource == MediaLibraryWebApp.Configuration.KdResourceId).FirstOrDefault();
+            TokenCacheItem kdAPITokenCache = authContext.TokenCache.ReadItems().Where(c => c.Resource == Configuration.KdResourceId).FirstOrDefault();
 
             if (kdAPITokenCache == null)
             {
@@ -314,32 +312,6 @@ private JwtSecurityToken GetJwtSecurityToken()
 
         }
 
-        private static List<X509Certificate2> GetX509Certificate2FromADMetadataEndpoint()
-        {
-            List<X509Certificate2> certs = new List<X509Certificate2>();
-            XPathDocument xmlReader = new XPathDocument(Configuration.MetadataUri);
-            XPathNavigator navigator = xmlReader.CreateNavigator();
-            XmlNamespaceManager manager = new XmlNamespaceManager(navigator.NameTable);
-            manager.AddNamespace("", "urn:oasis:names:tc:SAML:2.0:metadata");
-            manager.AddNamespace("ns1", "urn:oasis:names:tc:SAML:2.0:metadata");
-            manager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
-            manager.PushScope();
-
-            //Reading all certs since AD periodically do cert rollover
-            XPathNodeIterator nodes =
-                navigator.Select(
-                    "//ns1:EntityDescriptor/ns1:RoleDescriptor/ns1:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-                    manager);
-            while (nodes.MoveNext())
-            {
-                XPathNavigator nodesNavigator = nodes.Current;
-                //Cert body is base64 encoded in metadata doc
-                certs.Add(new X509Certificate2(Convert.FromBase64String(nodesNavigator.InnerXml)));
-            }
-
-            
-            return certs;
-        }
 
 
         static public IContentKey CreateEnvelopeTypeContentKey(IAsset asset,CloudMediaContext context)

MediaLibraryWebApp/MediaLibraryWebApp.csproj

@@ -62,17 +62,17 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\packages\Microsoft.Data.Services.Client.5.6.4\lib\net40\Microsoft.Data.Services.Client.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.15.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.2.15.204151539\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll</HintPath>
+    <Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.16.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.2.16.204221202\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll</HintPath>
+      <Private>True</Private>
     </Reference>
-    <Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms, Version=2.15.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.2.15.204151539\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll</HintPath>
+    <Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms, Version=2.16.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.2.16.204221202\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll</HintPath>
+      <Private>True</Private>
     </Reference>
-    <Reference Include="Microsoft.IdentityModel.Protocol.Extensions, Version=1.0.2.28, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\Microsoft.IdentityModel.Protocol.Extensions.1.0.2.202250711\lib\net45\Microsoft.IdentityModel.Protocol.Extensions.dll</HintPath>
+    <Reference Include="Microsoft.IdentityModel.Protocol.Extensions, Version=1.0.2.31, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.IdentityModel.Protocol.Extensions.1.0.2.205111437\lib\net45\Microsoft.IdentityModel.Protocol.Extensions.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
@@ -102,7 +102,7 @@
       <HintPath>..\packages\Microsoft.WindowsAzure.ConfigurationManager.3.1.0\lib\net40\Microsoft.WindowsAzure.Configuration.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.WindowsAzure.MediaServices.Client">
-      <HintPath>..\packages\windowsazure.mediaservices.3.2.0.0\lib\net45\Microsoft.WindowsAzure.MediaServices.Client.dll</HintPath>
+      <HintPath>..\packages\windowsazure.mediaservices.3.3.0.0\lib\net45\Microsoft.WindowsAzure.MediaServices.Client.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.WindowsAzure.Storage, Version=4.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
@@ -121,9 +121,9 @@
     <Reference Include="System.Data.Services.Client" />
     <Reference Include="System.Drawing" />
     <Reference Include="System.IdentityModel" />
-    <Reference Include="System.IdentityModel.Tokens.Jwt, Version=4.0.2.28, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\System.IdentityModel.Tokens.Jwt.4.0.2.202250711\lib\net45\System.IdentityModel.Tokens.Jwt.dll</HintPath>
+    <Reference Include="System.IdentityModel.Tokens.Jwt, Version=4.0.20511.1437, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.IdentityModel.Tokens.Jwt.4.0.2.205111437\lib\net45\System.IdentityModel.Tokens.Jwt.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Security" />
@@ -237,9 +237,9 @@
     <None Include="Scripts\jquery-1.10.2.intellisense.js" />
     <Content Include="Scripts\bootstrap.js" />
     <Content Include="Scripts\bootstrap.min.js" />
-    <None Include="Scripts\jquery-2.1.3.intellisense.js" />
-    <Content Include="Scripts\jquery-2.1.3.js" />
-    <Content Include="Scripts\jquery-2.1.3.min.js" />
+    <None Include="Scripts\jquery-2.1.4.intellisense.js" />
+    <Content Include="Scripts\jquery-2.1.4.js" />
+    <Content Include="Scripts\jquery-2.1.4.min.js" />
     <Content Include="Scripts\modernizr-2.6.2.js" />
     <Content Include="Scripts\modernizr-2.8.3.js" />
     <Content Include="Scripts\npm.js" />
@@ -267,7 +267,7 @@
     <Content Include="Views\Shared\_LoginPartial.cshtml" />
     <Content Include="Views\MediaLibrary\Index.cshtml" />
     <Content Include="Views\UserProfile\Index.cshtml" />
-    <Content Include="Scripts\jquery-2.1.3.min.map" />
+    <Content Include="Scripts\jquery-2.1.4.min.map" />
     <None Include="Web.Test.config">
       <DependentUpon>Web.config</DependentUpon>
     </None>

MediaLibraryWebApp/Scripts/_references.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v2.1.3
+ * jQuery JavaScript Library v2.1.4
  * http://jquery.com/
  *
  * Includes Sizzle.js
@@ -9,7 +9,7 @@
  * Released under the MIT license
  * http://jquery.org/license
  *
- * Date: 2014-12-18T15:11Z
+ * Date: 2015-04-28T16:01Z
  */
 
 (function( global, factory ) {
@@ -67,7 +67,7 @@ var
 	// Use the correct document accordingly with window argument (sandbox)
 	document = window.document,
 
-	version = "2.1.3",
+	version = "2.1.4",
 
 	// Define a local copy of jQuery
 	jQuery = function( selector, context ) {
@@ -531,7 +531,12 @@ jQuery.each("Boolean Number String Function Array Date RegExp Object Error".spli
 });
 
 function isArraylike( obj ) {
-	var length = obj.length,
+
+	// Support: iOS 8.2 (not reproducible in simulator)
+	// `in` check used to prevent JIT error (gh-2145)
+	// hasOwn isn't used here due to false negatives
+	// regarding Nodelist length in IE
+	var length = "length" in obj && obj.length,
 		type = jQuery.type( obj );
 
 	if ( type === "function" || jQuery.isWindow( obj ) ) {

MediaLibraryWebApp/Scripts/jquery-2.1.3.min.js

@@ -41,9 +41,6 @@
 {
     <div class="bs-callout bs-callout-info"><h4>Admin access</h4><p>As member of Admin Group you need to specify which video will be displayed for which user group. Look into profile page to see ObjectIDs of user group. In ClaimType textbox put value as 'group' and in claimValue put ObjectID of AD Group. Only users belonging to this group will be able to obtain content key to decrypt video. </p></div>
 
-    <div class="bs-callout bs-callout-warning"><h4>Signing Keys and Azure AD certificates rollover</h4><p>For following example Azure Media Services stores copy of Azure Active Directory signing certificates in order to validate JWT token signature. After Azure Active Directory signing cretificate rotation it is up to application to implement logic to update sertificates within Azure Media Services content key auth policies. Read more about Azure AD certificates rollover at http://technet.microsoft.com/en-us/library/jj933264.aspx </p></div>
-
-
     using (Html.BeginForm("CleanAllPermissions", "MediaLibrary"))
     {
         @Html.ActionLink("Clear All Content Keys, Auth and Delivery Policies", "CleanAllPermissions", "MediaLibrary", null, new { @class = "saveButton btn btn-primary", onclick = "return false;" })