diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
index eddf8f4f4a..49b4c84ebf 100644
--- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
+++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs
@@ -1230,8 +1230,6 @@ private async Task ValidateTokenAsync(JsonWebToken jsonWe
 return tokenValidationResult;
 }
- // using 'GetType()' instead of 'is' as SecurityTokenUnableToValidException (and others) extend SecurityTokenInvalidSignatureException
- // we want to make sure that the clause for SecurityTokenUnableToValidateException is hit so that the ValidationFailure is checked
 else if (TokenUtilities.IsRecoverableException(tokenValidationResult.Exception))
 {
 // If we were still unable to validate, attempt to refresh the configuration and validate using it
diff --git a/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs b/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs
index 971c5788e1..260d21cd76 100644
--- a/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs
+++ b/src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs
@@ -187,13 +187,9 @@ internal static IEnumerable MergeClaims(IEnumerable claims, IEnume
 /// true if the exception is certain types of exceptions otherwise, false.
 internal static bool IsRecoverableException(Exception exception)
 {
- // using 'GetType()' instead of 'is' as SecurityTokenUnableToValidException (and others) extend SecurityTokenInvalidSignatureException
- // we want to make sure that the clause for SecurityTokenUnableToValidateException is hit so that the ValidationFailure is checked
- return exception.GetType().Equals(typeof(SecurityTokenInvalidSignatureException))
- || exception is SecurityTokenInvalidIssuerException
- // we should not try to revalidate with the LKG or request a refresh if the token has an invalid lifetime
- || (exception as SecurityTokenUnableToValidateException)?.ValidationFailure != ValidationFailure.InvalidLifetime
- || exception is SecurityTokenSignatureKeyNotFoundException;
+ return exception is SecurityTokenInvalidSignatureException
+ || exception is SecurityTokenInvalidIssuerException
+ || exception is SecurityTokenSignatureKeyNotFoundException;
 }
 ///
@@ -217,11 +213,7 @@ internal static bool IsRecoverableConfiguration(string kid, BaseConfiguration cu
 {
 return isRecoverableSigningKey.Value;
 }
- else if ((currentException as SecurityTokenUnableToValidateException)?.ValidationFailure == ValidationFailure.InvalidIssuer)
- {
- return isRecoverableIssuer.Value && isRecoverableSigningKey.Value;
- }
- else if (currentException.GetType().Equals(typeof(SecurityTokenInvalidSignatureException)))
+ else if (currentException is SecurityTokenInvalidSignatureException)
 {
 SecurityKey currentSigningKey = currentConfiguration.SigningKeys.FirstOrDefault(x => x.KeyId == kid);
 if (currentSigningKey == null)
diff --git a/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs b/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
index 2f830bc746..8da9918013 100644
--- a/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
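Review bot: The new `return exception is SecurityTokenInvalidSignatureException` in IsRecoverableException matches every derived type, and the deleted comment names SecurityTokenUnableToValidateException as one of them, so if any validation path still throws that type with ValidationFailure.InvalidLifetime an expired token now counts as recoverable and can trigger the configuration refresh the removed comment explicitly wanted to avoid; the same widening applies to `else if (currentException is SecurityTokenInvalidSignatureException)` in the IsRecoverableConfiguration hunk below, where such an exception now bypasses the removed issuer check and is judged on the signing key alone. If that exception type is genuinely unreachable after this commit, a one-line comment saying so would preserve the rationale the deleted comments carried; otherwise an explicit exclusion such as `return (exception is SecurityTokenInvalidSignatureException and not SecurityTokenUnableToValidateException { ValidationFailure: ValidationFailure.InvalidLifetime })` keeps the old lifetime guard without reintroducing the GetType() comparison. If SecurityTokenSignatureKeyNotFoundException also derives from SecurityTokenInvalidSignatureException, as its name suggests, the final `|| exception is SecurityTokenSignatureKeyNotFoundException` clause is now redundant and should be dropped or commented as intentional. The `<returns>` line above the method still says "certain types of exceptions"; naming the three types there would make the contract checkable, and note that both methods continue outside their hunks.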
+++ b/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
@@ -1271,10 +1271,6 @@ private static bool ValidateSignature(byte[] encodedBytes, byte[] signature, Sec
 /// If the has a key identifier and none of the (s) provided result in a validated signature.
 /// This can indicate that a key refresh is required.
 ///
- ///
- /// If the has a key identifier and none of the (s) provided result in a validated signature as well as the token
- /// had validation errors or lifetime or issuer. This is not intended to be a signal to refresh keys.
- ///
 /// If after trying all the (s), none result in a validated signature AND the does not have a key identifier.
 /// A that has the signature validated if token was signed.
 /// If the is signed, the signature is validated even if is false.