From fa4db377e15f07a339274754b3166204bd00978f Mon Sep 17 00:00:00 2001 From: Franco Fung Date: Mon, 21 Oct 2024 08:01:00 -0700 Subject: [PATCH 1/6] Initial changes to include Issuer validation to Saml2SecurityTokenHandler --- .../InternalAPI.Unshipped.txt | 1 + .../Saml/SamlTokenUtilities.cs | 30 +++ ...rityTokenHandler.ValidateToken.Internal.cs | 24 +- ...lerTests.ValidateTokenAsyncTests.Issuer.cs | 220 ++++++++++++++++++ 4 files changed, 270 insertions(+), 5 deletions(-) create mode 100644 test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt b/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt index c3a63e3044..4ead7095d9 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt +++ b/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt @@ -1,5 +1,6 @@ Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateTokenAsync(Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task> +static Microsoft.IdentityModel.Tokens.Saml.SamlTokenUtilities.PopulateValidationParametersWithCurrentConfigurationAsync(Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AssertionConditionsNull -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AssertionNull -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AudienceValidationFailed -> System.Diagnostics.StackFrame diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs index 31ded481de..d4bbfcf97d 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs @@ -154,5 +154,35 @@ internal static async Task PopulateValidationParamete return validationParametersCloned; } + + /// + /// Fetches current configuration from the ConfigurationManager of + /// and populates ValidIssuers and IssuerSigningKeys. + /// + /// the token validation parameters to update. + /// + /// New ValidationParameters with ValidIssuers and IssuerSigningKeys updated. + internal static async Task PopulateValidationParametersWithCurrentConfigurationAsync( + ValidationParameters validationParameters, + CancellationToken cancellationToken) + { + if (validationParameters.ConfigurationManager == null) + { + return validationParameters; + } + + var currentConfiguration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(cancellationToken).ConfigureAwait(false); + var validationParametersCloned = validationParameters.Clone(); + + validationParametersCloned.ValidIssuers.Add(currentConfiguration.Issuer); + + foreach (SecurityKey key in currentConfiguration.SigningKeys) + { + validationParametersCloned.IssuerSigningKeys.Add(key); + } + + return validationParametersCloned; + + } } } diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs index 239c9b66ae..63d6ce4a90 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs @@ -5,6 +5,7 @@ using System.Diagnostics; using System.Threading; using System.Threading.Tasks; +using Microsoft.IdentityModel.Tokens.Saml; #nullable enable namespace Microsoft.IdentityModel.Tokens.Saml2 @@ -14,15 +15,11 @@ namespace Microsoft.IdentityModel.Tokens.Saml2 /// public partial class Saml2SecurityTokenHandler : SecurityTokenHandler { -#pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously internal async Task> ValidateTokenAsync( -#pragma warning restore CS1998 // Async method lacks 'await' operators and will run synchronously Saml2SecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext, -#pragma warning disable CA1801 // Review unused parameters CancellationToken cancellationToken) -#pragma warning restore CA1801 // Review unused parameters { if (samlToken is null) { @@ -40,13 +37,30 @@ internal async Task> ValidateTokenAsync( StackFrames.TokenValidationParametersNull); } - var conditionsResult = ValidateConditions(samlToken, validationParameters, callContext); + validationParameters = await SamlTokenUtilities.PopulateValidationParametersWithCurrentConfigurationAsync(validationParameters, cancellationToken).ConfigureAwait(false); + + var conditionsResult = ValidateConditions( + samlToken, + validationParameters, + callContext); if (!conditionsResult.IsValid) { return conditionsResult.UnwrapError().AddStackFrame(new StackFrame(true)); } + Task> validatedIssuerResult = validationParameters.IssuerValidatorAsync( + samlToken.Issuer, + samlToken, + validationParameters, + callContext, + cancellationToken); + + if (!(await validatedIssuerResult.ConfigureAwait(false)).IsValid) + { + return (await validatedIssuerResult.ConfigureAwait(false)).UnwrapError().AddStackFrame(new StackFrame(true)); + } + return new ValidatedToken(samlToken, this, validationParameters); } diff --git a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs new file mode 100644 index 0000000000..d2fa42276e --- /dev/null +++ b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs @@ -0,0 +1,220 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +using System.Threading; +using System.Threading.Tasks; +using Microsoft.IdentityModel.Protocols.OpenIdConnect; +using Microsoft.IdentityModel.TestUtils; +using Microsoft.IdentityModel.Tokens.Saml2; +using Xunit; + +namespace Microsoft.IdentityModel.Tokens.Saml.Tests +{ +#nullable enable + public partial class Saml2SecurityTokenHandlerTests + { + [Theory, MemberData(nameof(ValidateTokenAsync_IssuerTestCases), DisableDiscoveryEnumeration = true)] + public async Task ValidateTokenAsync_IssuerComparison(ValidateTokenAsyncIssuerTheoryData theoryData) + { + var context = TestUtilities.WriteHeader($"{this}.ValidateTokenAsync_IssuerComparison", theoryData); + + var saml2Token = CreateTokenWithIssuer(theoryData.TokenIssuer); + + var tokenValidationParameters = CreateTokenValidationParametersForIssuerValidationOnly( + saml2Token, + theoryData.NullTokenValidationParameters, + theoryData.ValidationParametersIssuer, + theoryData.ConfigurationIssuer); + + Saml2SecurityTokenHandler saml2TokenHandler = new Saml2SecurityTokenHandler(); + + // Validate token using TokenValidationParameters + TokenValidationResult tokenValidationResult = + await saml2TokenHandler.ValidateTokenAsync(saml2Token.Assertion.CanonicalString, tokenValidationParameters); + + // Validate token using ValidationParameters. + ValidationResult validationResult = + await saml2TokenHandler.ValidateTokenAsync( + saml2Token, + theoryData.ValidationParameters!, + theoryData.CallContext, + CancellationToken.None); + + // Ensure validity of the results match the expected result. + if (tokenValidationResult.IsValid != validationResult.IsValid) + { + context.AddDiff($"tokenValidationResult.IsValid != validationResult.IsSuccess"); + theoryData.ExpectedExceptionValidationParameters!.ProcessException(validationResult.UnwrapError().GetException(), context); + theoryData.ExpectedException.ProcessException(tokenValidationResult.Exception, context); + } + else + { + if (tokenValidationResult.IsValid) + { + // Verify validated tokens from both paths match. + ValidatedToken validatedToken = validationResult.UnwrapResult(); + IdentityComparer.AreEqual(validatedToken.SecurityToken, tokenValidationResult.SecurityToken, context); + } + else + { + // Verify the exception provided by both paths match. + var tokenValidationResultException = tokenValidationResult.Exception; + theoryData.ExpectedException.ProcessException(tokenValidationResult.Exception, context); + var validationResultException = validationResult.UnwrapError().GetException(); + theoryData.ExpectedExceptionValidationParameters!.ProcessException(validationResult.UnwrapError().GetException(), context); + } + + TestUtilities.AssertFailIfErrors(context); + } + } + + public static TheoryData ValidateTokenAsync_IssuerTestCases + { + get + { + var theoryData = new TheoryData(); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Valid_IssuerIsValidIssuer") + { + TokenIssuer = Default.Issuer, + ValidationParametersIssuer = Default.Issuer, + ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), + }); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Valid_IssuerIsConfigurationIssuer") + { + TokenIssuer = Default.Issuer, + ConfigurationIssuer = Default.Issuer, + ValidationParameters = CreateValidationParameters(configurationIssuer: Default.Issuer), + }); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsNotValid") + { + TokenIssuer = "InvalidIssuer", + ValidationParametersIssuer = Default.Issuer, + ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), + ExpectedIsValid = false, + ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10205:"), + ExpectedExceptionValidationParameters = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10212:") + }); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsNull") + { + TokenIssuer = null, + ValidationParametersIssuer = Default.Issuer, + ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), + ExpectedIsValid = false, + ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10211:") + }); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsEmpty") + { + TokenIssuer = string.Empty, + ValidationParametersIssuer = Default.Issuer, + ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), + ExpectedIsValid = false, + ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10211:") + }); + + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_NoValidIssuersProvided") + { + TokenIssuer = Default.Issuer, + ValidationParametersIssuer = string.Empty, + ValidationParameters = CreateValidationParameters(), + ExpectedIsValid = false, + ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10204:"), + ExpectedExceptionValidationParameters = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10211:") + }); + + return theoryData; + + static ValidationParameters CreateValidationParameters( + string? validIssuer = null, + string? configurationIssuer = null) + { + ValidationParameters validationParameters = new ValidationParameters(); + + // Skip all validations except issuer + validationParameters.AlgorithmValidator = SkipValidationDelegates.SkipAlgorithmValidation; + validationParameters.AudienceValidator = SkipValidationDelegates.SkipAudienceValidation; + validationParameters.LifetimeValidator = SkipValidationDelegates.SkipLifetimeValidation; + validationParameters.IssuerSigningKeyValidator = SkipValidationDelegates.SkipIssuerSigningKeyValidation; + validationParameters.SignatureValidator = SkipValidationDelegates.SkipSignatureValidation; + + return validationParameters; + } + } + } + + public class ValidateTokenAsyncIssuerTheoryData : TheoryDataBase + { + public ValidateTokenAsyncIssuerTheoryData(string testId) : base(testId) { } + + internal ValidationParameters? ValidationParameters { get; set; } + + internal ExpectedException? ExpectedExceptionValidationParameters { get; set; } = ExpectedException.NoExceptionExpected; + + internal bool ExpectedIsValid { get; set; } = true; + + public bool NullTokenValidationParameters { get; internal set; } = false; + + public string? TokenIssuer { get; set; } + + public string? ValidationParametersIssuer { get; set; } = null; + + public string? ConfigurationIssuer { get; set; } = null; + } + + private static Saml2SecurityToken CreateTokenWithIssuer(string? issuer) + { + Saml2SecurityTokenHandler saml2TokenHandler = new Saml2SecurityTokenHandler(); + + SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor + { + SigningCredentials = Default.AsymmetricSigningCredentials, + Audience = Default.Audience, + Issuer = issuer, + Subject = Default.SamlClaimsIdentity + }; + + return (Saml2SecurityToken)saml2TokenHandler.CreateToken(securityTokenDescriptor); + } + + private static TokenValidationParameters? CreateTokenValidationParametersForIssuerValidationOnly( + Saml2SecurityToken saml2SecurityToken, + bool nullTokenValidationParameters, + string? validIssuer, + string? configurationIssuer) + { + if (nullTokenValidationParameters) + { + return null; + } + + var tokenValidationParameters = new TokenValidationParameters() + { + ValidateAudience = false, + ValidateIssuer = false, + ValidateLifetime = false, + ValidateTokenReplay = false, + ValidateIssuerSigningKey = false, + IssuerSigningKey = Default.AsymmetricSigningKey, + ValidAudiences = [Default.Audience], + ValidIssuer = validIssuer, + SignatureValidator = delegate (string token, TokenValidationParameters validationParameters) + { + return saml2SecurityToken; + } + }; + + if (configurationIssuer is not null) + { + var validConfig = new OpenIdConnectConfiguration() { Issuer = configurationIssuer }; + tokenValidationParameters.ConfigurationManager = new MockConfigurationManager(validConfig); + } + + return tokenValidationParameters; + } + } +} +#nullable restore From fbcb1ce578bb9f41c689a7e555813087475b4361 Mon Sep 17 00:00:00 2001 From: Franco Fung Date: Mon, 21 Oct 2024 15:04:27 -0700 Subject: [PATCH 2/6] Clean-up --- .../Saml2/Saml2NameIdentifier.cs | 2 +- ...nHandlerTests.ValidateTokenAsyncTests.Issuer.cs | 14 +++----------- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2NameIdentifier.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2NameIdentifier.cs index 408f3b4151..112fcebbcf 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2NameIdentifier.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2NameIdentifier.cs @@ -104,7 +104,7 @@ public string Value get { return _value; } set { - if (string.IsNullOrEmpty(value)) + if (string.IsNullOrEmpty(value)) //NOTE: We can remove this check and let our issuer validator handle this. throw LogArgumentNullException(nameof(value)); _value = value; diff --git a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs index d2fa42276e..cf48e68325 100644 --- a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs +++ b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs @@ -98,18 +98,10 @@ public static TheoryData ValidateTokenAsync_ ExpectedExceptionValidationParameters = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10212:") }); - theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsNull") + theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsWhitespace") { - TokenIssuer = null, - ValidationParametersIssuer = Default.Issuer, - ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), - ExpectedIsValid = false, - ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidIssuerException), "IDX10211:") - }); - - theoryData.Add(new ValidateTokenAsyncIssuerTheoryData("Invalid_IssuerIsEmpty") - { - TokenIssuer = string.Empty, + //This test will cover the case where the issuer is null or empty as well since, we do not allow tokens to be created with null or empty issuer. + TokenIssuer = " ", ValidationParametersIssuer = Default.Issuer, ValidationParameters = CreateValidationParameters(validIssuer: Default.Issuer), ExpectedIsValid = false, From 510c1825cf67122da350a3efb337fcbbcf5d7f5f Mon Sep 17 00:00:00 2001 From: Franco Fung Date: Mon, 21 Oct 2024 15:41:10 -0700 Subject: [PATCH 3/6] Cache issuer validation failed stackframe --- .../InternalAPI.Unshipped.txt | 1 + .../Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs | 3 ++- .../Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt b/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt index 4ead7095d9..1e39ee9c02 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt +++ b/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt @@ -4,6 +4,7 @@ static Microsoft.IdentityModel.Tokens.Saml.SamlTokenUtilities.PopulateValidation static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AssertionConditionsNull -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AssertionNull -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.AudienceValidationFailed -> System.Diagnostics.StackFrame +static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.IssuerValidationFailed -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.LifetimeValidationFailed -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.OneTimeUseValidationFailed -> System.Diagnostics.StackFrame static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenNull -> System.Diagnostics.StackFrame diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs index 63d6ce4a90..0193955b5a 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs @@ -58,7 +58,8 @@ internal async Task> ValidateTokenAsync( if (!(await validatedIssuerResult.ConfigureAwait(false)).IsValid) { - return (await validatedIssuerResult.ConfigureAwait(false)).UnwrapError().AddStackFrame(new StackFrame(true)); + StackFrames.IssuerValidationFailed ??= new StackFrame(true); + return (await validatedIssuerResult.ConfigureAwait(false)).UnwrapError().AddStackFrame(StackFrames.IssuerValidationFailed); } return new ValidatedToken(samlToken, this, validationParameters); diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs index 61466f8406..1831660ac1 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs @@ -19,6 +19,7 @@ internal static class StackFrames internal static StackFrame? AudienceValidationFailed; internal static StackFrame? AssertionNull; internal static StackFrame? AssertionConditionsNull; + internal static StackFrame? IssuerValidationFailed; internal static StackFrame? LifetimeValidationFailed; internal static StackFrame? OneTimeUseValidationFailed; } From 4773b52d552e42398aa82874a14cdfac30b2c4db Mon Sep 17 00:00:00 2001 From: Franco Fung Date: Mon, 21 Oct 2024 16:29:22 -0700 Subject: [PATCH 4/6] Use WsFedConfig instead --- ...urityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs index cf48e68325..0246ca0046 100644 --- a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs +++ b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.ValidateTokenAsyncTests.Issuer.cs @@ -3,7 +3,7 @@ using System.Threading; using System.Threading.Tasks; -using Microsoft.IdentityModel.Protocols.OpenIdConnect; +using Microsoft.IdentityModel.Protocols.WsFederation; using Microsoft.IdentityModel.TestUtils; using Microsoft.IdentityModel.Tokens.Saml2; using Xunit; @@ -201,8 +201,8 @@ private static Saml2SecurityToken CreateTokenWithIssuer(string? issuer) if (configurationIssuer is not null) { - var validConfig = new OpenIdConnectConfiguration() { Issuer = configurationIssuer }; - tokenValidationParameters.ConfigurationManager = new MockConfigurationManager(validConfig); + var validConfig = new WsFederationConfiguration() { Issuer = configurationIssuer }; + tokenValidationParameters.ConfigurationManager = new MockConfigurationManager(validConfig); } return tokenValidationParameters; From 8cdc28bc33ddd0f805fd717c2bcf8a696e011df1 Mon Sep 17 00:00:00 2001 From: Franco Fung Date: Tue, 22 Oct 2024 14:48:25 -0700 Subject: [PATCH 5/6] Addressing PR feedback --- .../Saml2SecurityTokenHandler.ValidateToken.Internal.cs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs index 1cb08dcbb9..0d23b4644f 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs @@ -50,17 +50,17 @@ internal async Task> ValidateTokenAsync( return conditionsResult.UnwrapError().AddStackFrame(StackFrames.AssertionConditionsValidationFailed); } - Task> validatedIssuerResult = validationParameters.IssuerValidatorAsync( + ValidationResult validatedIssuerResult = await validationParameters.IssuerValidatorAsync( samlToken.Issuer, samlToken, validationParameters, callContext, - cancellationToken); + cancellationToken).ConfigureAwait(false); - if (!(await validatedIssuerResult.ConfigureAwait(false)).IsValid) + if (!validatedIssuerResult.IsValid) { StackFrames.IssuerValidationFailed ??= new StackFrame(true); - return (await validatedIssuerResult.ConfigureAwait(false)).UnwrapError().AddStackFrame(StackFrames.IssuerValidationFailed); + return validatedIssuerResult.UnwrapError().AddStackFrame(StackFrames.IssuerValidationFailed); } return new ValidatedToken(samlToken, this, validationParameters); From a3ed2706c766bd89b190c57eadec9f79939d23f8 Mon Sep 17 00:00:00 2001 From: Franco Fung <38921563+FuPingFranco@users.noreply.github.com> Date: Wed, 23 Oct 2024 10:59:15 -0700 Subject: [PATCH 6/6] Update src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs Co-authored-by: kellyyangsong <69649063+kellyyangsong@users.noreply.github.com> --- .../Saml/SamlTokenUtilities.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs index d4bbfcf97d..525edc6e21 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlTokenUtilities.cs @@ -182,7 +182,6 @@ internal static async Task PopulateValidationParametersWit } return validationParametersCloned; - } } }