Support Token Replay configuration.

Author: Revsgaard

src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs

@@ -5,6 +5,11 @@
 using System.ServiceModel.Security;
 using System.IdentityModel.Selectors;
 using System.Security.Cryptography.Xml;
+#if NETFULL
+using System.IdentityModel.Configuration;
+#else
+using Microsoft.IdentityModel.Tokens;
+#endif
 
 namespace ITfoxtec.Identity.Saml2
 {
@@ -36,10 +41,19 @@ public class Saml2Configuration
         public X509RevocationMode RevocationMode { get; set; } = X509RevocationMode.Online;
         public X509CertificateValidator CustomCertificateValidator { get; set; }
 #if NETFULL
-        public SecurityTokenResolver CustomIssuerTokenResolver { get; set; }
+        public IdentityModelCaches TokenReplayCache { get; set; }
+        public TimeSpan? TokenReplayCacheExpirationPeriod { get; set; }
+#else
+        public ITokenReplayCache TokenReplayCache { get; set; }
 #endif
         public bool SaveBootstrapContext { get; set; } = false;
 
+#if NETFULL
+#else
+        /// <summary>
+        /// By default no replayed validation is performed. Validation requires that TokenReplayCache has been set.
+        /// </summary>
+#endif
         public bool DetectReplayedTokens { get; set; } = false;
 
         public bool AudienceRestricted { get; set; } = true;

src/ITfoxtec.Identity.Saml2/Configuration/Saml2IdentityConfiguration.cs

@@ -37,19 +37,29 @@ public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configura
             configuration.IssuerNameRegistry = new Saml2ResponseIssuerNameRegistry();
             configuration.CertificateValidationMode = config.CertificateValidationMode;
             configuration.RevocationMode = config.RevocationMode;
-            configuration.DetectReplayedTokens = config.DetectReplayedTokens;
             SetCustomCertificateValidator(configuration, config);
-            if (config.CustomIssuerTokenResolver != null)
+
+            configuration.DetectReplayedTokens = config.DetectReplayedTokens;
+            if (config.TokenReplayCache != null)
+            {
+                configuration.Caches = config.TokenReplayCache;
+            }
+            if (config.TokenReplayCacheExpirationPeriod.HasValue)
             {
-                configuration.IssuerTokenResolver = config.CustomIssuerTokenResolver;
+                configuration.TokenReplayCacheExpirationPeriod = config.TokenReplayCacheExpirationPeriod.Value;
             }
             configuration.Initialize();
 #else
             configuration.SaveSigninToken = config.SaveBootstrapContext;
             configuration.ValidateAudience = config.AudienceRestricted;
             configuration.ValidAudiences = config.AllowedAudienceUris.Select(a => a);
             configuration.ValidIssuer = config.AllowedIssuer;
+
             configuration.ValidateTokenReplay = config.DetectReplayedTokens;
+            if (config.TokenReplayCache != null)
+            {
+                configuration.TokenReplayCache = config.TokenReplayCache;
+            }
 
             configuration.NameClaimType = ClaimTypes.NameIdentifier;
 

src/ITfoxtec.Identity.Saml2/Tokens/Saml2ResponseSecurityTokenHandler.cs

@@ -38,7 +38,8 @@ public static Saml2ResponseSecurityTokenHandler GetSaml2SecurityTokenHandler(Sam
                 RevocationMode = configuration.RevocationMode,
                 CertificateValidator = configuration.CertificateValidator,
                 DetectReplayedTokens = configuration.DetectReplayedTokens,
-                IssuerTokenResolver = configuration.IssuerTokenResolver
+                Caches = configuration.Caches,
+                TokenReplayCacheExpirationPeriod = configuration.TokenReplayCacheExpirationPeriod
             };
 
             handler.SamlSecurityTokenRequirement.NameClaimType = ClaimTypes.NameIdentifier;