Merged PR 10643: Fix ZIP issue

* Set version to 5.7.0 (instead of existing 5.7.1) as latest release was 5.6.0
* Updated Newtonsoft to a safe version
* Ported ZIP related changes and tests from 6x (there are differences in the code structure in 5x and 6x so it was not a clean port)
* Refactored some tests dealing with expired hardcoded tokens to be green

----
#### AI description
This pull request includes changes across multiple files, primarily related to updating dependencies and adding new tests. Here's a summary:

In **dependencies.props** and **dependenciesTest.props**, the version of `JsonNet` has been updated from `10.0.1` to `13.0.1`.

In **buildConfiguration.xml**, the `assemblyVersion` has been downgraded from `5.7.1` to `5.7.0`.

In **JwtSecurityTokenHandlerTests.cs**, a new `using` directive has been added for `System.Threading.Tasks`. Several new test methods and related data have been added, including `JWEDecompressionSizeTest`, `JweDecompressSizeTheoryData`, and others. Some existing test data has been modified or removed.

In **Default.cs**, new properties `Expired` and `ExpiredString` have been added, and the `ExpiresString` has been updated.

In **Microsoft.IdentityModel.Protocols.OpenIdConnect.Tests.csproj**, a `PackageReference` to `xunit.runner.console` has been removed.

In **SamlSecurityTokenTests.cs**, the condition for a test assertion has been updated to allow for a larger time difference.

In **JwtTokenUtilities.cs**, **DeflateCompressionProvider.cs**, **JwtSecurityTokenHandler.cs**, **JsonWebTokenHandler.cs**, and other files, changes have been made related to token compression and decompression, including updates to method signatures and the addition of new properties and methods.

In **LogMessages.cs**, a new log message `IDX10814` has been added.

In **dependencies.props**, the `JsonNetVersion` has been updated from `10.0.1` to `13.0.1`.

Overall, these changes seem to be aimed at improving token handling, particularly with regard to compression and decompression, and updating dependencies. The addition of new tests suggests an effort to ensure these changes are well-validated. Please review the changes carefully to ensure they align with project requirements.

NuGet.Config

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <packageSources>
-    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
-    <add key="dotnet-core" value="https://dotnetfeed.blob.core.windows.net/dotnet-core/index.json" />
+    <clear />
+    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
   </packageSources>
 </configuration>

build/apiCompat.props

@@ -11,7 +11,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Microsoft.DotNet.ApiCompat" Version="5.0.0-beta.19626.1" PrivateAssets="All" />
+		<PackageReference Include="Microsoft.DotNet.ApiCompat" Version="1.0.0-beta.19225.5" PrivateAssets="All" />
 	</ItemGroup>
 
 	<ItemGroup>

build/dependencies.props

@@ -1,9 +1,9 @@
 <Project>
   <PropertyGroup>
-    <JsonNetVersion>10.0.1</JsonNetVersion>
+    <JsonNetVersion>13.0.1</JsonNetVersion>
     <MicrosoftAzureKeyVaultVersion>3.0.0</MicrosoftAzureKeyVaultVersion>
     <MicrosoftAzureServicesAppAuthenticationVersion>1.0.3</MicrosoftAzureServicesAppAuthenticationVersion>
-    <MicrosoftSourceLinkGitHubVersion>1.0.0-beta2-18618-05</MicrosoftSourceLinkGitHubVersion>
+    <MicrosoftSourceLinkGitHubVersion>1.1.1</MicrosoftSourceLinkGitHubVersion>
     <NetStandardVersion>2.0.3</NetStandardVersion>
     <SystemCollectionsSpecializedVersion>4.3.0</SystemCollectionsSpecializedVersion>
     <SystemDiagnosticsContractsVersion>4.3.0</SystemDiagnosticsContractsVersion>

build/dependenciesTest.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <JsonNetVersion>10.0.1</JsonNetVersion>
+    <JsonNetVersion>13.0.1</JsonNetVersion>
     <NetStandardVersion>2.0.3</NetStandardVersion>
     <MicrosoftAzureKeyVaultCryptographyVersion>2.0.5</MicrosoftAzureKeyVaultCryptographyVersion>
     <MicrosoftDotNetXUnitExtensionsVersion>2.4.0-prerelease-63213-02</MicrosoftDotNetXUnitExtensionsVersion>

buildConfiguration.xml

@@ -2,7 +2,7 @@
   <dotnetArchitecture>x64</dotnetArchitecture>
   <nugetVersion>3.5.0-rc-1285</nugetVersion>
   <runtimes>net45,net451,net461,netstandard1.4,netstandard2.0</runtimes>
-  <assemblyVersion>5.7.1</assemblyVersion>
+  <assemblyVersion>5.7.0</assemblyVersion>
   <nugetSuffix>preview</nugetSuffix>
   <projects>
     <src>

prototypes/AsyncTokenSample/NuGet.Config

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <packageSources>
-    <add key="localpackages" value=".\localpackages" />
-    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
+    <clear />
+    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
   </packageSources>
 </configuration>

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

@@ -671,7 +671,7 @@ protected string DecryptToken(JsonWebToken jwtToken, TokenValidationParameters v
 
             try
             {
-                return JwtTokenUtilities.DecompressToken(decryptedTokenBytes, jwtToken.Zip);
+                return JwtTokenUtilities.DecompressToken(decryptedTokenBytes, jwtToken.Zip, MaximumTokenSizeInBytes);
             }
             catch (Exception ex)
             {

src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs

@@ -131,12 +131,13 @@ public static string CreateEncodedSignature(string input, SigningCredentials sig
         /// </summary>
         /// <param name="tokenBytes"></param>
         /// <param name="algorithm"></param>
+        /// <param name="maximumDeflateSize">maximum number of chars that will be decompressed.</param>
         /// <exception cref="ArgumentNullException">if <paramref name="tokenBytes"/> is null.</exception>
         /// <exception cref="ArgumentNullException">if <paramref name="algorithm"/> is null.</exception>
         /// <exception cref="NotSupportedException">if the decompression <paramref name="algorithm"/> is not supported.</exception>
         /// <exception cref="SecurityTokenDecompressionFailedException">if decompression using <paramref name="algorithm"/> fails.</exception>
         /// <returns>Decompressed JWT token</returns>
-        internal static string DecompressToken(byte[] tokenBytes, string algorithm)
+        internal static string DecompressToken(byte[] tokenBytes, string algorithm, int maximumDeflateSize)
         {
             if (tokenBytes == null)
                 throw LogHelper.LogArgumentNullException(nameof(tokenBytes));
@@ -147,7 +148,7 @@ internal static string DecompressToken(byte[] tokenBytes, string algorithm)
             if (!CompressionProviderFactory.Default.IsSupportedAlgorithm(algorithm))
                 throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10682, algorithm)));
 
-            var compressionProvider = CompressionProviderFactory.Default.CreateCompressionProvider(algorithm);
+            var compressionProvider = CompressionProviderFactory.Default.CreateCompressionProvider(algorithm, maximumDeflateSize);
 
             var decompressedBytes = compressionProvider.Decompress(tokenBytes);
 

src/Microsoft.IdentityModel.Tokens/CompressionProviderFactory.cs

@@ -102,15 +102,26 @@ private bool IsSupportedCompressionAlgorithm(string algorithm)
         /// <param name="algorithm">the decompression algorithm.</param>
         /// <returns>a <see cref="ICompressionProvider"/>.</returns>
         public ICompressionProvider CreateCompressionProvider(string algorithm)
+        {
+            return CreateCompressionProvider(algorithm, TokenValidationParameters.DefaultMaximumTokenSizeInBytes);
+        }
+
+        /// <summary>
+        /// Returns a <see cref="ICompressionProvider"/> for a specific algorithm.
+        /// </summary>
+        /// <param name="algorithm">the decompression algorithm.</param>
+        /// <param name="maximumDeflateSize">the maximum deflate size in chars that will be processed.</param>
+        /// <returns>a <see cref="ICompressionProvider"/>.</returns>
+        public ICompressionProvider CreateCompressionProvider(string algorithm, int maximumDeflateSize)
         {
             if (string.IsNullOrEmpty(algorithm))
                 throw LogHelper.LogArgumentNullException(nameof(algorithm));
 
             if (CustomCompressionProvider != null && CustomCompressionProvider.IsSupportedAlgorithm(algorithm))
                 return CustomCompressionProvider;
 
-            if (algorithm.Equals(CompressionAlgorithms.Deflate, StringComparison.Ordinal))
-                return new DeflateCompressionProvider();
+            if (algorithm.Equals(CompressionAlgorithms.Deflate))
+                return new DeflateCompressionProvider { MaximumDeflateSize = maximumDeflateSize };
 
             throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10652, algorithm)));
         }

src/Microsoft.IdentityModel.Tokens/DeflateCompressionProvider.cs

@@ -38,6 +38,8 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     public class DeflateCompressionProvider : ICompressionProvider
     {
+        private int _maximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="DeflateCompressionProvider"/> class used to compress and decompress used the <see cref="CompressionAlgorithms.Deflate"/> algorithm.
         /// </summary>
@@ -59,6 +61,16 @@ public DeflateCompressionProvider(CompressionLevel compressionLevel)
         /// </summary>
         public string Algorithm => CompressionAlgorithms.Deflate;
 
+        /// <summary>
+        /// Gets and sets the maximum deflate size in chars that will be processed.
+        /// </summary>
+        /// <exception cref="ArgumentOutOfRangeException">'value' less than 1.</exception>
+        public int MaximumDeflateSize
+        {
+            get => _maximumTokenSizeInBytes;
+            set => _maximumTokenSizeInBytes = (value < 1) ? throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(value), LogHelper.FormatInvariant(LogMessages.IDX10101, value))) : value;
+        }
+
         /// <summary>
         /// Specifies whether compression should emphasize speed or compression size.
         /// Set to <see cref="CompressionLevel.Optimal"/> by default.
@@ -75,13 +87,26 @@ public byte[] Decompress(byte[] value)
             if (value == null)
                 throw LogHelper.LogArgumentNullException(nameof(value));
 
+            char[] chars = new char[MaximumDeflateSize];
+
             using (var inputStream = new MemoryStream(value))
             {
                 using (var deflateStream = new DeflateStream(inputStream, CompressionMode.Decompress))
                 {
                     using (var reader = new StreamReader(deflateStream, Encoding.UTF8))
                     {
-                        return Encoding.UTF8.GetBytes(reader.ReadToEnd());
+                        // if there is one more char to read, then the token is too large.
+                        int bytesRead = reader.Read(chars, 0, MaximumDeflateSize);
+                        if (reader.Peek() != -1)
+                        {
+                            throw LogHelper.LogExceptionMessage(
+                                new SecurityTokenDecompressionFailedException(
+                                    LogHelper.FormatInvariant(
+                                        LogMessages.IDX10814,
+                                        MaximumDeflateSize)));
+                        }
+
+                        return Encoding.UTF8.GetBytes(chars, 0, bytesRead);
                     }
                 }
             }

src/Microsoft.IdentityModel.Tokens/LogMessages.cs

@@ -216,6 +216,7 @@ internal static class LogMessages
         //public const string IDX10811 = "IDX10811:"
         public const string IDX10812 = "IDX10812: Unable to create a {0} from the properties found in the JsonWebKey: '{1}'.";
         public const string IDX10813 = "IDX10813: Unable to create a {0} from the properties found in the JsonWebKey: '{1}', Exception '{2}'.";
+        public const string IDX10814 = "IDX10814: Decompressing would result in a token with a size greater than allowed. Maximum size allowed: '{0}'.";
 
 #pragma warning restore 1591
     }

src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs

@@ -1324,7 +1324,7 @@ protected string DecryptToken(JwtSecurityToken jwtToken, TokenValidationParamete
 
             try
             {
-                return JwtTokenUtilities.DecompressToken(decryptedTokenBytes, jwtToken.Header.Zip);
+                return JwtTokenUtilities.DecompressToken(decryptedTokenBytes, jwtToken.Header.Zip, MaximumTokenSizeInBytes);
             }
             catch (Exception ex)
             {