

…entitymodel-extensions-for-dotnet/pull/1996/files (#2021)

Return on actor token validation failure
sruke authored Feb 8, 2023
1 parent fb6b968 commit 6217459
Showing 1 changed file with 15 additions and 24 deletions.
39 changes: 15 additions & 24 deletions src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
Expand Up @@ -1219,7 +1219,7 @@ private async Task<TokenValidationResult> ValidateTokenAsync(JsonWebToken jsonWe
}
}

TokenValidationResult tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
TokenValidationResult tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);
if (validationParameters.ConfigurationManager != null)
{
if (tokenValidationResult.IsValid)
Expand All @@ -1243,12 +1243,12 @@ private async Task<TokenValidationResult> ValidateTokenAsync(JsonWebToken jsonWe
validationParameters.ConfigurationManager.RequestRefresh();
validationParameters.RefreshBeforeValidation = true;
var lastConfig = currentConfiguration;
currentConfiguration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).ConfigureAwait(false);
currentConfiguration = validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();

// Only try to re-validate using the newly obtained config if it doesn't reference equal the previously used configuration.
if (lastConfig != currentConfiguration)
{
tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);

if (tokenValidationResult.IsValid)
{
Expand All @@ -1262,7 +1262,7 @@ private async Task<TokenValidationResult> ValidateTokenAsync(JsonWebToken jsonWe
{
validationParameters.RefreshBeforeValidation = false;
validationParameters.ValidateWithLKG = true;
tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);

if (tokenValidationResult.IsValid)
return tokenValidationResult;
Expand All @@ -1273,21 +1273,15 @@ private async Task<TokenValidationResult> ValidateTokenAsync(JsonWebToken jsonWe
return tokenValidationResult;
}

private async Task<TokenValidationResult> ValidateTokenAsync(
JsonWebToken jsonWebToken,
TokenValidationParameters validationParameters,
BaseConfiguration configuration)
private TokenValidationResult ValidateToken(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
if (jsonWebToken.IsEncrypted)
return await ValidateJWEAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
return ValidateJWE(jsonWebToken, validationParameters, configuration);

return await ValidateJWSAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
return ValidateJWS(jsonWebToken, validationParameters, configuration);
}

private async Task<TokenValidationResult> ValidateJWSAsync(
JsonWebToken jsonWebToken,
TokenValidationParameters validationParameters,
BaseConfiguration configuration)
private TokenValidationResult ValidateJWS(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
try
{
Expand All @@ -1298,21 +1292,21 @@ private async Task<TokenValidationResult> ValidateJWSAsync(
if (validationParameters.SignatureValidator != null || validationParameters.SignatureValidatorUsingConfiguration != null)
{
var validatedToken = ValidateSignatureUsingDelegates(jsonWebToken.EncodedToken, validationParameters, configuration);
tokenValidationResult = await ValidateTokenPayloadAsync(validatedToken, validationParameters, configuration).ConfigureAwait(false);
tokenValidationResult = ValidateTokenPayload(validatedToken, validationParameters, configuration);
Validators.ValidateIssuerSecurityKey(validatedToken.SigningKey, validatedToken, validationParameters, configuration);
}
else
{
if (validationParameters.ValidateSignatureLast)
{
tokenValidationResult = await ValidateTokenPayloadAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
tokenValidationResult = ValidateTokenPayload(jsonWebToken, validationParameters, configuration);
if (tokenValidationResult.IsValid)
tokenValidationResult.SecurityToken = ValidateSignatureAndIssuerSecurityKey(jsonWebToken, validationParameters, configuration);
}
else
{
var validatedToken = ValidateSignatureAndIssuerSecurityKey(jsonWebToken, validationParameters, configuration);
tokenValidationResult = await ValidateTokenPayloadAsync(validatedToken, validationParameters, configuration).ConfigureAwait(false);
tokenValidationResult = ValidateTokenPayload(validatedToken, validationParameters, configuration);
}
}

Expand All @@ -1331,10 +1325,7 @@ private async Task<TokenValidationResult> ValidateJWSAsync(
}
}

private async Task<TokenValidationResult> ValidateJWEAsync(
JsonWebToken jwtToken,
TokenValidationParameters validationParameters,
BaseConfiguration configuration)
private TokenValidationResult ValidateJWE(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
try
{
Expand All @@ -1343,7 +1334,7 @@ private async Task<TokenValidationResult> ValidateJWEAsync(
if (!readTokenResult.IsValid)
return readTokenResult;

TokenValidationResult tokenValidationResult = await ValidateJWSAsync(readTokenResult.SecurityToken as JsonWebToken, validationParameters, configuration).ConfigureAwait(false);
TokenValidationResult tokenValidationResult = ValidateJWS(readTokenResult.SecurityToken as JsonWebToken, validationParameters, configuration);
if (!tokenValidationResult.IsValid)
return tokenValidationResult;

Expand Down Expand Up @@ -1406,7 +1397,7 @@ private static JsonWebToken ValidateSignatureAndIssuerSecurityKey(JsonWebToken j
return validatedToken;
}

private async Task<TokenValidationResult> ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
private TokenValidationResult ValidateTokenPayload(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
var expires = jsonWebToken.HasPayloadClaim(JwtRegisteredClaimNames.Exp) ? (DateTime?)jsonWebToken.ValidTo : null;
var notBefore = jsonWebToken.HasPayloadClaim(JwtRegisteredClaimNames.Nbf) ? (DateTime?)jsonWebToken.ValidFrom : null;
Expand All @@ -1424,7 +1415,7 @@ private async Task<TokenValidationResult> ValidateTokenPayloadAsync(JsonWebToken
// and (since issuer validation occurs first) came from a trusted authority.
// NOTE: More than one nested actor token should not be considered a valid token, but if we somehow encounter one,
// this code will still work properly.
TokenValidationResult tokenValidationResult = await ValidateTokenAsync(jsonWebToken.Actor, validationParameters.ActorValidationParameters ?? validationParameters).ConfigureAwait(false);
TokenValidationResult tokenValidationResult = ValidateToken(jsonWebToken.Actor, validationParameters.ActorValidationParameters ?? validationParameters);
if (!tokenValidationResult.IsValid)
return tokenValidationResult;
}
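Review bot: The `.GetAwaiter().GetResult()` on the `GetBaseConfigurationAsync` call in the second hunk blocks the calling thread for the whole metadata refresh, which can deadlock when a synchronization context is present and, under load, pins thread-pool threads on the token-validation path while the fetch is in flight. The hunk headers still show the enclosing method as `async Task<TokenValidationResult> ValidateTokenAsync` (its signature lies outside the hunks, so that context may be the old side), and if it remains async the line can stay awaited without touching the now-synchronous helpers: `currentConfiguration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).ConfigureAwait(false);`. If the method was made synchronous instead, a comment above that line such as `// Intentionally sync-over-async: blocks on the metadata refresh (see <tracking issue>)` would stop the next reader from reintroducing the await by reflex. Separately, the two-argument `ValidateToken(jsonWebToken.Actor, …)` call in the last hunk presumably binds to the public overload rather than the new private three-argument `ValidateToken`; a one-line comment there noting which overload is intended would make the recursion into the actor token explicit.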

