From 721154d975ff2707e47345416b9a2a0c425368d9 Mon Sep 17 00:00:00 2001
From: Kelly Song
Date: Tue, 26 Mar 2024 14:18:34 -0700
Subject: [PATCH 1/4] move some validate lifetime logic
---
 .../ValidatorUtilities.cs | 48 +++++++++++++++++++
 .../Validators.cs | 19 +-------
 2 files changed, 49 insertions(+), 18 deletions(-)
 create mode 100644 src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
diff --git a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
new file mode 100644
index 0000000000..37d9bcb50b
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
@@ -0,0 +1,48 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ ///
+ /// Internal Validator
+ ///
+ internal static class ValidatorUtilities
+ {
+ ///
+ /// Validates the lifetime of a .
+ /// The 'notBefore' time found in the .
+ /// The 'expiration' time found in the .
+ /// The being validated.
+ /// required for validation.
+ /// If 'expires.HasValue' is false and is true.
+ /// If 'notBefore' is > 'expires'.
+ /// If 'notBefore' is > DateTime.UtcNow.
+ /// If 'expires' is < DateTime.UtcNow.
+ /// All time comparisons apply .
+ ///
+ public static void ValidateLifetime(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ if (!expires.HasValue && validationParameters.RequireExpirationTime)
+ throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10225, LogHelper.MarkAsNonPII(securityToken == null ?
"null" : securityToken.GetType().ToString()))));
+
+ if (notBefore.HasValue && expires.HasValue && (notBefore.Value > expires.Value))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidLifetimeException(LogHelper.FormatInvariant(LogMessages.IDX10224, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(expires.Value)))
+ { NotBefore = notBefore, Expires = expires });
+
+ DateTime utcNow = DateTime.UtcNow;
+ if (notBefore.HasValue && (notBefore.Value > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew)))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenNotYetValidException(LogHelper.FormatInvariant(LogMessages.IDX10222, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(utcNow)))
+ { NotBefore = notBefore.Value });
+
+ if (expires.HasValue && (expires.Value < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate())))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenExpiredException(LogHelper.FormatInvariant(LogMessages.IDX10223, LogHelper.MarkAsNonPII(expires.Value), LogHelper.MarkAsNonPII(utcNow)))
+ { Expires = expires.Value });
+
+ // if it reaches here, that means lifetime of the token is valid
+ LogHelper.LogInformation(LogMessages.IDX10239);
+ }
+ }
+}
diff --git a/src/Microsoft.IdentityModel.Tokens/Validators.cs b/src/Microsoft.IdentityModel.Tokens/Validators.cs
index 5bb7e07530..ff9a762e12 100644
--- a/src/Microsoft.IdentityModel.Tokens/Validators.cs
+++ b/src/Microsoft.IdentityModel.Tokens/Validators.cs
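Review bot: `ValidateLifetime` reads `validationParameters.RequireExpirationTime` on its first line without a null check, so the new helper is only safe if every caller has already rejected a null `TokenValidationParameters`; the existing `Validators.ValidateLifetime` presumably does that before the `return;` visible in the next hunk, but nothing in this file enforces it, and any other caller in the assembly (the method becomes `internal` later in the series) would get a NullReferenceException instead of a typed argument error. Either add a guard at the top, e.g. `if (validationParameters == null) throw LogHelper.LogArgumentNullException(nameof(validationParameters));`, or state the precondition in the `<param>` or `<remarks>` text so the contract is explicit. It would also be worth documenting in `<remarks>` that when `expires` is null and `RequireExpirationTime` is false the method performs no expiry comparison at all and still logs IDX10239 as a valid lifetime, since that is the path that admits a token with no `exp` claim.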
@@ -455,24 +455,7 @@ public static void ValidateLifetime(DateTime? notBefore, DateTime? expires, Secu
 return;
 }
- if (!expires.HasValue && validationParameters.RequireExpirationTime)
- throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10225, LogHelper.MarkAsNonPII(securityToken == null ? "null" : securityToken.GetType().ToString()))));
-
- if (notBefore.HasValue && expires.HasValue && (notBefore.Value > expires.Value))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidLifetimeException(LogHelper.FormatInvariant(LogMessages.IDX10224, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(expires.Value)))
- { NotBefore = notBefore, Expires = expires });
-
- DateTime utcNow = DateTime.UtcNow;
- if (notBefore.HasValue && (notBefore.Value > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew)))
- throw LogHelper.LogExceptionMessage(new SecurityTokenNotYetValidException(LogHelper.FormatInvariant(LogMessages.IDX10222, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(utcNow)))
- { NotBefore = notBefore.Value });
-
- if (expires.HasValue && (expires.Value < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate())))
- throw LogHelper.LogExceptionMessage(new SecurityTokenExpiredException(LogHelper.FormatInvariant(LogMessages.IDX10223, LogHelper.MarkAsNonPII(expires.Value), LogHelper.MarkAsNonPII(utcNow)))
- { Expires = expires.Value });
-
- // if it reaches here, that means lifetime of the token is valid
- LogHelper.LogInformation(LogMessages.IDX10239);
+ ValidatorUtilities.ValidateLifetime(notBefore, expires, securityToken, validationParameters);
 }
 ///
From 4458861ac282336a1e4cea2f37de1e8603d228d2 Mon Sep 17 00:00:00 2001
From: Kelly Song
Date: Wed, 3 Apr 2024 14:33:00 -0700
Subject: [PATCH 2/4] change method to internal
---
 src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
index 37d9bcb50b..479e2dd7ac 100644
--- a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
+++ b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
@@ -23,7 +23,7 @@ internal static class ValidatorUtilities
 /// If 'expires' is < DateTime.UtcNow.
 /// All time comparisons apply .
 ///
- public static void ValidateLifetime(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ internal static void ValidateLifetime(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
 {
 if (!expires.HasValue && validationParameters.RequireExpirationTime)
 throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10225, LogHelper.MarkAsNonPII(securityToken == null ? "null" : securityToken.GetType().ToString()))));
From 399ee2cade12bbd795c88297f26850733973044e Mon Sep 17 00:00:00 2001
From: Kelly Song
Date: Wed, 3 Apr 2024 14:49:06 -0700
Subject: [PATCH 3/4] fix method description
---
 src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
index 479e2dd7ac..eb00ee5841 100644
--- a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
+++ b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
@@ -7,12 +7,13 @@ namespace Microsoft.IdentityModel.Tokens
 {
 ///
- /// Internal Validator
+ /// Internal Validator Utilities
 ///
 internal static class ValidatorUtilities
 {
 ///
 /// Validates the lifetime of a .
+ ///
 /// The 'notBefore' time found in the .
 /// The 'expiration' time found in the .
 /// The being validated.
@@ -22,7 +23,6 @@ internal static class ValidatorUtilities
 /// If 'notBefore' is > DateTime.UtcNow.
 /// If 'expires' is < DateTime.UtcNow.
 /// All time comparisons apply .
- ///
 internal static void ValidateLifetime(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
 {
 if (!expires.HasValue && validationParameters.RequireExpirationTime)
From c79125d647d50ee5c854b9d1baedc754e2f23f8f Mon Sep 17 00:00:00 2001
From: Kelly Song
Date: Wed, 3 Apr 2024 14:55:51 -0700
Subject: [PATCH 4/4] formatting updates
---
 .../ValidatorUtilities.cs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
index eb00ee5841..482f2f3d37 100644
--- a/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
+++ b/src/Microsoft.IdentityModel.Tokens/ValidatorUtilities.cs
@@ -30,16 +30,23 @@ internal static void ValidateLifetime(DateTime? notBefore, DateTime? expires, Se
 if (notBefore.HasValue && expires.HasValue && (notBefore.Value > expires.Value))
 throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidLifetimeException(LogHelper.FormatInvariant(LogMessages.IDX10224, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(expires.Value)))
- { NotBefore = notBefore, Expires = expires });
+ {
+ NotBefore = notBefore,
+ Expires = expires
+ });
 DateTime utcNow = DateTime.UtcNow;
 if (notBefore.HasValue && (notBefore.Value > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew)))
 throw LogHelper.LogExceptionMessage(new SecurityTokenNotYetValidException(LogHelper.FormatInvariant(LogMessages.IDX10222, LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(utcNow)))
- { NotBefore = notBefore.Value });
+ {
+ NotBefore = notBefore.Value
+ });
 if (expires.HasValue && (expires.Value < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate())))
 throw LogHelper.LogExceptionMessage(new SecurityTokenExpiredException(LogHelper.FormatInvariant(LogMessages.IDX10223, LogHelper.MarkAsNonPII(expires.Value), LogHelper.MarkAsNonPII(utcNow)))
- { Expires = expires.Value });
+ {
+ Expires = expires.Value
+ });
 // if it reaches here, that means lifetime of the token is valid
 LogHelper.LogInformation(LogMessages.IDX10239);