From 62174594cd51825ee0b333b6acd91756d4dc45eb Mon Sep 17 00:00:00 2001
From: sruthikeerthi <73967733+sruke@users.noreply.github.com>
Date: Wed, 8 Feb 2023 09:40:25 -0800
Subject: [PATCH] Revert changes in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1996/files (#2021)
Return on actor token validation failure
---
 .../JsonWebTokenHandler.cs | 39 +++++++------------
 1 file changed, 15 insertions(+), 24 deletions(-)
diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
index 0742dbdd58..7094ad3194 100644
--- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
+++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
@@ -1219,7 +1219,7 @@ private async Task ValidateTokenAsync(JsonWebToken jsonWe
}
}
- TokenValidationResult tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
+ TokenValidationResult tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);
if (validationParameters.ConfigurationManager != null)
{
if (tokenValidationResult.IsValid)
@@ -1243,12 +1243,12 @@ private async Task ValidateTokenAsync(JsonWebToken jsonWe
validationParameters.ConfigurationManager.RequestRefresh();
validationParameters.RefreshBeforeValidation = true;
var lastConfig = currentConfiguration;
- currentConfiguration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).ConfigureAwait(false);
+ currentConfiguration = validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
// Only try to re-validate using the newly obtained config if it doesn't reference equal the previously used configuration.
if (lastConfig != currentConfiguration)
{
- tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
+ tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);
if (tokenValidationResult.IsValid)
{
@@ -1262,7 +1262,7 @@ private async Task ValidateTokenAsync(JsonWebToken jsonWe
{
validationParameters.RefreshBeforeValidation = false;
validationParameters.ValidateWithLKG = true;
- tokenValidationResult = await ValidateTokenAsync(jsonWebToken, validationParameters, currentConfiguration).ConfigureAwait(false);
+ tokenValidationResult = ValidateToken(jsonWebToken, validationParameters, currentConfiguration);
if (tokenValidationResult.IsValid)
return tokenValidationResult;
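Review bot: The new `GetBaseConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult()` blocks a thread on the metadata fetch inside a method the hunk header still shows as `private async Task ValidateTokenAsync`, so the `await` was available here and did not have to go with the rest of the revert. Sync-over-async in library code can deadlock callers that run under a SynchronizationContext and pins a thread-pool thread for the duration of the fetch; this line sits on the path taken after a failed validation calls `RequestRefresh()`, so a burst of rejected tokens blocks one thread each while the configuration is re-fetched (whether the refresh itself is throttled is outside this hunk). Restore the single line `currentConfiguration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).ConfigureAwait(false);`; the synchronous `ValidateToken` calls around it can stay as the commit has them. ValidateTokenAsync begins before this hunk and continues after it.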
@@ -1273,21 +1273,15 @@ private async Task ValidateTokenAsync(JsonWebToken jsonWe
return tokenValidationResult;
}
- private async Task ValidateTokenAsync(
- JsonWebToken jsonWebToken,
- TokenValidationParameters validationParameters,
- BaseConfiguration configuration)
+ private TokenValidationResult ValidateToken(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
if (jsonWebToken.IsEncrypted)
- return await ValidateJWEAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
+ return ValidateJWE(jsonWebToken, validationParameters, configuration);
- return await ValidateJWSAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
+ return ValidateJWS(jsonWebToken, validationParameters, configuration);
}
- private async Task ValidateJWSAsync(
- JsonWebToken jsonWebToken,
- TokenValidationParameters validationParameters,
- BaseConfiguration configuration)
+ private TokenValidationResult ValidateJWS(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
try
{
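Review bot: The new private `ValidateToken(JsonWebToken, TokenValidationParameters, BaseConfiguration)` overload has no XML summary, and it shares its name with the public `ValidateToken` overloads that external callers (and the actor-token call later in this patch) use, so nothing at the signature tells a reader that this one validates against a `configuration` its caller has already resolved rather than looking one up. A one-line summary would settle that: `/// <summary>Dispatches to <see cref="ValidateJWE"/> or <see cref="ValidateJWS"/> based on <see cref="JsonWebToken.IsEncrypted"/>, validating against the caller-supplied <paramref name="configuration"/>.</summary>`. The same is worth adding on `ValidateJWS`, which is also introduced here without documentation; its body runs past the end of this hunk.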
@@ -1298,21 +1292,21 @@ private async Task ValidateJWSAsync(
if (validationParameters.SignatureValidator != null || validationParameters.SignatureValidatorUsingConfiguration != null)
{
var validatedToken = ValidateSignatureUsingDelegates(jsonWebToken.EncodedToken, validationParameters, configuration);
- tokenValidationResult = await ValidateTokenPayloadAsync(validatedToken, validationParameters, configuration).ConfigureAwait(false);
+ tokenValidationResult = ValidateTokenPayload(validatedToken, validationParameters, configuration);
Validators.ValidateIssuerSecurityKey(validatedToken.SigningKey, validatedToken, validationParameters, configuration);
}
else
{
if (validationParameters.ValidateSignatureLast)
{
- tokenValidationResult = await ValidateTokenPayloadAsync(jsonWebToken, validationParameters, configuration).ConfigureAwait(false);
+ tokenValidationResult = ValidateTokenPayload(jsonWebToken, validationParameters, configuration);
if (tokenValidationResult.IsValid)
tokenValidationResult.SecurityToken = ValidateSignatureAndIssuerSecurityKey(jsonWebToken, validationParameters, configuration);
}
else
{
var validatedToken = ValidateSignatureAndIssuerSecurityKey(jsonWebToken, validationParameters, configuration);
- tokenValidationResult = await ValidateTokenPayloadAsync(validatedToken, validationParameters, configuration).ConfigureAwait(false);
+ tokenValidationResult = ValidateTokenPayload(validatedToken, validationParameters, configuration);
}
}
@@ -1331,10 +1325,7 @@ private async Task ValidateJWSAsync(
}
}
- private async Task ValidateJWEAsync(
- JsonWebToken jwtToken,
- TokenValidationParameters validationParameters,
- BaseConfiguration configuration)
+ private TokenValidationResult ValidateJWE(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
try
{
@@ -1343,7 +1334,7 @@ private async Task ValidateJWEAsync(
if (!readTokenResult.IsValid)
return readTokenResult;
- TokenValidationResult tokenValidationResult = await ValidateJWSAsync(readTokenResult.SecurityToken as JsonWebToken, validationParameters, configuration).ConfigureAwait(false);
+ TokenValidationResult tokenValidationResult = ValidateJWS(readTokenResult.SecurityToken as JsonWebToken, validationParameters, configuration);
if (!tokenValidationResult.IsValid)
return tokenValidationResult;
@@ -1406,7 +1397,7 @@ private static JsonWebToken ValidateSignatureAndIssuerSecurityKey(JsonWebToken j
return validatedToken;
}
- private async Task ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
+ private TokenValidationResult ValidateTokenPayload(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
{
var expires = jsonWebToken.HasPayloadClaim(JwtRegisteredClaimNames.Exp) ? (DateTime?)jsonWebToken.ValidTo : null;
var notBefore = jsonWebToken.HasPayloadClaim(JwtRegisteredClaimNames.Nbf) ? (DateTime?)jsonWebToken.ValidFrom : null;
@@ -1424,7 +1415,7 @@ private async Task ValidateTokenPayloadAsync(JsonWebToken
// and (since issuer validation occurs first) came from a trusted authority.
// NOTE: More than one nested actor token should not be considered a valid token, but if we somehow encounter one,
// this code will still work properly.
- TokenValidationResult tokenValidationResult = await ValidateTokenAsync(jsonWebToken.Actor, validationParameters.ActorValidationParameters ?? validationParameters).ConfigureAwait(false);
+ TokenValidationResult tokenValidationResult = ValidateToken(jsonWebToken.Actor, validationParameters.ActorValidationParameters ?? validationParameters);
if (!tokenValidationResult.IsValid)
return tokenValidationResult;
}
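Review bot: The comment kept above the actor-token call says the outer token "came from a trusted authority", but that only holds when its signature was checked before `ValidateTokenPayload` ran, and the `ValidateSignatureLast` branch in the ValidateJWS hunk calls `ValidateTokenPayload` before `ValidateSignatureAndIssuerSecurityKey`; in that mode the `Actor` value is taken from a payload whose signature has not yet been verified and is handed to the public `ValidateToken` overload, which does not receive `configuration` and whose body is outside this patch. Since this commit reinstates the early return on actor failure, the comment is the place to record that caveat, e.g. `// NOTE: with ValidateSignatureLast the outer signature has not been verified when this runs, so the actor token comes from an unverified payload.`. The returned result on failure is the nested actor token's result, not one describing the outer token, which matches the PR description but is worth a word in the same comment. ValidateTokenPayload starts in the preceding hunk and continues past this one.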