remove reference to SecurityTokenUnableToValidateException as it is n…

…ot used
AzureAD · Mar 28, 2023 · 6d4c2ee · 6d4c2ee
1 parent 5d49e7c
commit 6d4c2ee
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 18 deletions.
diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
@@ -1230,8 +1230,6 @@ private async Task<TokenValidationResult> ValidateTokenAsync(JsonWebToken jsonWe
 
                     return tokenValidationResult;
                 }
-                // using 'GetType()' instead of 'is' as SecurityTokenUnableToValidException (and others) extend SecurityTokenInvalidSignatureException
-                // we want to make sure that the clause for SecurityTokenUnableToValidateException is hit so that the ValidationFailure is checked
                 else if (TokenUtilities.IsRecoverableException(tokenValidationResult.Exception))
                 {
                     // If we were still unable to validate, attempt to refresh the configuration and validate using it

diff --git a/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs b/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs
@@ -187,13 +187,9 @@ internal static IEnumerable<Claim> MergeClaims(IEnumerable<Claim> claims, IEnume
         /// <returns><c>true</c> if the exception is certain types of exceptions otherwise, <c>false</c>.</returns>
         internal static bool IsRecoverableException(Exception exception)
         {
-            // using 'GetType()' instead of 'is' as SecurityTokenUnableToValidException (and others) extend SecurityTokenInvalidSignatureException
-            // we want to make sure that the clause for SecurityTokenUnableToValidateException is hit so that the ValidationFailure is checked
-            return exception.GetType().Equals(typeof(SecurityTokenInvalidSignatureException))
-                   || exception is SecurityTokenInvalidIssuerException
-                   // we should not try to revalidate with the LKG or request a refresh if the token has an invalid lifetime
-                   || (exception as SecurityTokenUnableToValidateException)?.ValidationFailure != ValidationFailure.InvalidLifetime
-                   || exception is SecurityTokenSignatureKeyNotFoundException;
+            return   exception is SecurityTokenInvalidSignatureException
+                  || exception is SecurityTokenInvalidIssuerException
+                  || exception is SecurityTokenSignatureKeyNotFoundException;
         }
 
         /// <summary>
@@ -217,11 +213,7 @@ internal static bool IsRecoverableConfiguration(string kid, BaseConfiguration cu
             {
                 return isRecoverableSigningKey.Value;
             }
-            else if ((currentException as SecurityTokenUnableToValidateException)?.ValidationFailure == ValidationFailure.InvalidIssuer)
-            {
-                return isRecoverableIssuer.Value && isRecoverableSigningKey.Value;
-            }
-            else if (currentException.GetType().Equals(typeof(SecurityTokenInvalidSignatureException)))
+            else if (currentException is SecurityTokenInvalidSignatureException)
             {
                 SecurityKey currentSigningKey = currentConfiguration.SigningKeys.FirstOrDefault(x => x.KeyId == kid);
                 if (currentSigningKey == null)

diff --git a/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs b/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
@@ -1271,10 +1271,6 @@ private static bool ValidateSignature(byte[] encodedBytes, byte[] signature, Sec
         /// If the <paramref name="token"/> has a key identifier and none of the <see cref="SecurityKey"/>(s) provided result in a validated signature.
         /// This can indicate that a key refresh is required.
         /// </exception>
-        /// <exception cref="SecurityTokenUnableToValidateException">
-        /// If the <paramref name="token"/> has a key identifier and none of the <see cref="SecurityKey"/>(s) provided result in a validated signature as well as the token
-        /// had validation errors or lifetime or issuer. This is not intended to be a signal to refresh keys.
-        /// </exception>
         /// <exception cref="SecurityTokenInvalidSignatureException">If after trying all the <see cref="SecurityKey"/>(s), none result in a validated signature AND the <paramref name="token"/> does not have a key identifier.</exception>
         /// <returns>A <see cref="JwtSecurityToken"/> that has the signature validated if token was signed.</returns>
         /// <remarks><para>If the <paramref name="token"/> is signed, the signature is validated even if <see cref="TokenValidationParameters.RequireSignedTokens"/> is false.</para>