Update JwtBearer and WsFederation to use updated IdentityModel #48966
Conversation
dotnet-issue-labeler
bot
added
the
area-auth
There was a problem hiding this comment.
The user must opt in by setting a boolean, UseTokenHandlers
How breaking would it be to default to using the new TokenHandlers? We could in theory make it implicitly opt-in only if you touch the legacy SecurityTokenValidators properties. This could help us avoid adding a new UseTokenHandlers bool to the options.
If we changed the default to rely on JsonWebTokenHandler instead of JwtSecurityTokenHandler and force the app to call a method to use the JwtSecurityTokenHandler, it should be easier to eventually trim away System.IdentityModel.
You mentioned that the event handlers might as cast to JwtSecurityToken in the OnTokenValidated/OnSecurityTokenValidated events. Is that the only other code that could break? Could JwtSecurityToken define an explicit conversion to JsonWebToken to mitigate this?
What exactly do the event handlers that would be broken look like? How would we update code using to use the new JsonWebToken? Is there a migration doc?
I think it might also make sense to parameterize all or most of the JwtBearerTests and WsFederationTest to make sure they work with and without UseTokenHandlers set.
| @@ -15,13 +16,17 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer; | |||
| public class JwtBearerOptions : AuthenticationSchemeOptions | |||
| { | |||
| private readonly JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler(); | |||
| private readonly JsonWebTokenHandler _defaultTokenHandler = new JsonWebTokenHandler(); | |||
There was a problem hiding this comment.
| private readonly JsonWebTokenHandler _defaultTokenHandler = new JsonWebTokenHandler(); | |
| private readonly JsonWebTokenHandler _defaultTokenHandler = new JsonWebTokenHandler | |
| { | |
| MapInboundClaims = JwtSecurityTokenHandler.DefaultMapInboundClaims, | |
| }; |
Right? Otherwise it doesn't align with the default value of _mapInboundClaims. Can we add a test to JwtBearerTests verifying that we default to mapping claims when UseTokenHandlers is configured?
There was a problem hiding this comment.
@halter73 thanks for pointing this out, i will have a look
There was a problem hiding this comment.
@halter73 About this comment:
How breaking would it be to default to using the new TokenHandlers? We could in theory make it implicitly opt-in only if you touch the legacy SecurityTokenValidators properties. This could help us avoid adding a new UseTokenHandlers bool to the options.
For many users, they will never need to touch SecurityTokenValidators.
There was a problem hiding this comment.
Addressed: 507d241
|
@kevinchalet Do you have any thoughts on this PR? |
Using the new JWT stack is definitely an improvement (OpenIddict was one of the very first non-MSFT projects to adopt it and I have only good things to say about it 😄) Regarding the approach used in this PR, it looks reasonable, as it avoids both a binary/source and behavior change - since the new model is opt-in. That said, the new stack is such an improvement that it should probably be the default option, even if it means it's potentially breaking. Note: to avoid introducing new properties, you could also update the new IM token handlers to implement |
|
|
||
| /// <summary> | ||
| /// Initializes a new instance of <see cref="JwtBearerOptions"/>. | ||
| /// </summary> | ||
| public JwtBearerOptions() | ||
| { | ||
| SecurityTokenValidators = new List<ISecurityTokenValidator> { _defaultHandler }; | ||
| // TODO - communicate to IdentityModel team to see if ITokenValidator interface can be created. | ||
| TokenHandlers = new List<TokenHandler> { _defaultTokenHandler }; |
There was a problem hiding this comment.
@kevinchalet i am thinking that creating the interface ITokenValidator that has a couple of methods instead of the abstract class TokenHandler, this would make it easier for users who currently have an implementation of ISecurityTokenValidator.
Thoughts?
There was a problem hiding this comment.
Thoughts?
IM already has TokenHandler, SecurityTokenHandler and ISecurityTokenValidator, which makes using these abstractions already quite painful. I'm not sure adding a 4th one will help 😄
WIF only had SecurityTokenHandler and it was much clearer: unifying everything in the next Wilson major version would be more than welcome 😄
There was a problem hiding this comment.
@kevinchalet OK let's stick with TokenHandler then as this was meant to be the replacement for SecurityTokenHandler.
There was a problem hiding this comment.
@kevinchalet we could implement ISecurityTokenValidator on JsonWebTokenHandler, but just because we can cast it to TokenHandler doesn't mean that users will not have a runtime break as the SecurityToken will change from JwtSecurityToken to JsonWebToken.
There was a problem hiding this comment.
Sure, but that would mean an instance of JsonWebTokenHandler was added to SecurityTokenValidators, which, if you keep making using the new JWT stack opt-in, requires a deliberate action from the developer. And in this case, getting a JsonWebToken instead of a JwtSecurityToken is a logical result.
There was a problem hiding this comment.
I'm hoping to make it opt-out.
|
Note: before bumping Wilson, you should triple check that AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2059 is fixed for good as it caused a lot of friction when OpenIddict took a dependency on the latest IM version (to the point I had to re-release a new version with the IM references downgraded): |
| } | ||
| } | ||
|
|
||
| private async Task<TokenValidationParameters> SetupTokenValidationParameters() |
There was a problem hiding this comment.
| private async Task<TokenValidationParameters> SetupTokenValidationParameters() | |
| private async Task<TokenValidationParameters> SetupTokenValidationParametersAsync() |
There was a problem hiding this comment.
Addressed: 507d241
|
|
||
| /// <summary> | ||
| /// Initializes a new instance of <see cref="JwtBearerOptions"/>. | ||
| /// </summary> | ||
| public JwtBearerOptions() | ||
| { | ||
| SecurityTokenValidators = new List<ISecurityTokenValidator> { _defaultHandler }; | ||
| // TODO - communicate to IdentityModel team to see if ITokenValidator interface can be created. |
There was a problem hiding this comment.
| // TODO - communicate to IdentityModel team to see if ITokenValidator interface can be created. |
From the discussion, it sounds like this can be removed.
There was a problem hiding this comment.
Addressed: 507d241
| @@ -126,15 +136,20 @@ public new JwtBearerEvents Events | |||
| public bool IncludeErrorDetails { get; set; } = true; | |||
|
|
|||
| /// <summary> | |||
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, which is used when determining | |||
| /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>. | |||
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/>which is used when determining | |||
There was a problem hiding this comment.
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/>which is used when determining | |
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/> in TokenHandlers, which is used when determining |
There was a problem hiding this comment.
Addressed: 507d241
| /// The advantage of using the TokenHandlers is: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | ||
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | ||
| /// </summary> |
There was a problem hiding this comment.
| /// The advantage of using the TokenHandlers is: | |
| /// <para>There is an Async model.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | |
| /// </summary> | |
| /// </summary> | |
| /// <remarks> | |
| /// The advantage of using the TokenHandlers is: | |
| /// <para>There is an Async model.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | |
| /// </remarks> |
There was a problem hiding this comment.
Addressed: 507d241
| /// Gets of sets the <see cref="UseTokenHandlers"/> property to control if <see cref="TokenHandlers"/> or <see cref="SecurityTokenValidators"/> will be used to validate the inbound token. | ||
| /// The advantage of using the TokenHandlers is: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> |
There was a problem hiding this comment.
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster when validating.</para> |
I'm not sure putting specific numbers in our docs is appropriate. The number can change over time, and is specific to a machine configuration.
There was a problem hiding this comment.
Addressed: 507d241
| set | ||
| { | ||
| _tokenHandlers = value ?? throw new ArgumentNullException(nameof(TokenHandlers)); | ||
| } | ||
| } |
There was a problem hiding this comment.
| set | |
| { | |
| _tokenHandlers = value ?? throw new ArgumentNullException(nameof(TokenHandlers)); | |
| } | |
| } | |
| } |
I know the existing SecurityTokenHandlers property has a setter, but it violates the .NET Design Guidelines:
❌ DO NOT provide settable collection properties.
Users can replace the contents of the collection by clearing the collection first and then adding the new contents. If replacing the whole collection is a common scenario, consider providing the AddRange method on the collection.
There was a problem hiding this comment.
Addressed: 507d241
| @@ -181,4 +205,13 @@ public TokenValidationParameters TokenValidationParameters | |||
| /// </summary> | |||
| [EditorBrowsable(EditorBrowsableState.Never)] | |||
| public new bool SaveTokens { get; set; } | |||
|
|
|||
| /// <summary> | |||
| /// Gets of sets the <see cref="UseTokenHandlers"/> property to control if <see cref="TokenHandlers"/> or <see cref="SecurityTokenHandlers"/> will be used to validate the inbound token. | |||
There was a problem hiding this comment.
| /// Gets of sets the <see cref="UseTokenHandlers"/> property to control if <see cref="TokenHandlers"/> or <see cref="SecurityTokenHandlers"/> will be used to validate the inbound token. | |
| /// Gets or sets whether <see cref="TokenHandlers"/> or <see cref="SecurityTokenHandlers"/> will be used to validate the inbound token. |
There was a problem hiding this comment.
Addressed: 507d241
| /// The advantage of using the TokenHandlers is: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | ||
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | ||
| /// </summary> |
There was a problem hiding this comment.
| /// The advantage of using the TokenHandlers is: | |
| /// <para>There is an Async model.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | |
| /// </summary> | |
| /// </summary> | |
| /// <remarks> | |
| /// The advantage of using the TokenHandlers is: | |
| /// <para>There is an Async model.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | |
| /// </remarks> |
These are more appropriate for remarks than summary.
There was a problem hiding this comment.
Addressed: 507d241
| /// Gets of sets the <see cref="UseTokenHandlers"/> property to control if <see cref="TokenHandlers"/> or <see cref="SecurityTokenHandlers"/> will be used to validate the inbound token. | ||
| /// The advantage of using the TokenHandlers is: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> |
There was a problem hiding this comment.
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster when validating.</para> |
There was a problem hiding this comment.
Addressed: 507d241
| /// Gets of sets the <see cref="UseTokenHandlers"/> property to control if <see cref="TokenHandlers"/> or <see cref="SecurityTokenHandlers"/> will be used to validate the inbound token. | ||
| /// The advantage of using the TokenHandlers is: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> |
There was a problem hiding this comment.
"The default token handler is" is kind of incorrect, since there are 3 default TokenHandlers. Maybe just a slight re-wording would help:
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | |
| /// <para>The default JWT token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> |
There was a problem hiding this comment.
Addressed: 507d241
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is 30 % faster when validating.</para> | ||
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> | ||
| /// </summary> | ||
| public bool UseTokenHandlers { get; set; } |
There was a problem hiding this comment.
| public bool UseTokenHandlers { get; set; } | |
| public bool UseTokenHandlers { get; set; } = true; |
+1 for making this the default.
There was a problem hiding this comment.
Addressed: 507d241
There was a problem hiding this comment.
This appears to have been reverted. Was that intentional?
There was a problem hiding this comment.
@brentschmaltz was the default set to true?
|
Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime. |
ghost
added
the
pending-ci-rerun
Co-authored-by: Brent Schmaltz <[email protected]>
remove using System
|
/azp run |
ghost
removed
the
pending-ci-rerun
|
No commit pushedDate could be found for PR 48966 in repo dotnet/aspnetcore |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
I see SignalR tests failing with: |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
@BrennanConroy @eerhardt the reason the SignalR test failed is due to a security fix in IdentityModel where the HMAC must have a key of the proper size. This speaks to the importance of integrated tests before IdentityModel ships a new version otherwise our customers will hit such issues. |
Co-authored-by: Keegan Caruso <[email protected]>
* SymmetricSecurityKey needs 32 bytes * Update source-build-externals dependencies --------- Co-authored-by: Keegan Caruso <[email protected]>
* Update Wilson7 branch Default to using new handlers Changes from API review * Handle obsolete members * Handle obsolete members in tests * Add aka.ms link --------- Co-authored-by: Keegan Caruso <[email protected]>
|
/backport to release/8.0-preview7 |
|
Started backporting to release/8.0-preview7: https://github.com/dotnet/aspnetcore/actions/runs/5606679712 |
|
@BrennanConroy backporting to release/8.0-preview7 failed, the patch most likely resulted in conflicts: $ git am --3way --ignore-whitespace --keep-non-patch changes.patch
Applying: update IdentityModel to 6.31.0
Applying: Added JsonWebTokenHandler and TokenHandlers (#48857)
Applying: adjust for claims mapping remove using System
Applying: moved api's to unshipped
Applying: Addressed PR comments
Applying: Removed setter.
Applying: fix bild break, useTokenHanlders default false.
Applying: Increase key size to 256 bits or HMAC will fail.
Applying: update version of identity model libraries (#49349)
Applying: Update Wilson7 branch (#49491)
Using index info to reconstruct a base tree...
M eng/Version.Details.xml
M eng/Versions.props
M src/SignalR/clients/csharp/Client/test/FunctionalTests/Startup.cs
M src/SignalR/clients/ts/FunctionalTests/Startup.cs
M src/SignalR/common/Http.Connections/test/HttpConnectionDispatcherTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/SignalR/common/Http.Connections/test/HttpConnectionDispatcherTests.cs
Auto-merging src/SignalR/clients/ts/FunctionalTests/Startup.cs
Auto-merging src/SignalR/clients/csharp/Client/test/FunctionalTests/Startup.cs
Auto-merging eng/Versions.props
CONFLICT (content): Merge conflict in eng/Versions.props
Auto-merging eng/Version.Details.xml
CONFLICT (content): Merge conflict in eng/Version.Details.xml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0010 Update Wilson7 branch (#49491)
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128Please backport manually! |
|
@BrennanConroy an error occurred while backporting to release/8.0-preview7, please check the run log for details! Error: git am failed, most likely due to a merge conflict. |
|
|
||
| namespace Microsoft.AspNetCore.Authentication.JwtBearer; | ||
|
|
||
| public class JwtBearerTests_Handler : SharedAuthenticationTests<JwtBearerOptions> |
There was a problem hiding this comment.
Is there any way to refactor these tests so they can be shared with the existing JwtBearerTests? For example having a base test class with the tests in them?
May be something to think about as a follow-up refactoring.
| /// The advantage of using TokenHandlers are: | ||
| /// <para>There is an Async model.</para> | ||
| /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para> | ||
| /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para> |
There was a problem hiding this comment.
I wonder if we should rethink these doc comments as they might not make full sense now that we've inverted the boolean to be UseSecurityTokenValidators.
Maybe we should add why someone would want to use SecurityTokenValidators as well.
| @@ -126,15 +142,20 @@ public new JwtBearerEvents Events | |||
| public bool IncludeErrorDetails { get; set; } = true; | |||
|
|
|||
| /// <summary> | |||
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, which is used when determining | |||
| /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>. | |||
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/> in TokenHandlers which is used when determining | |||
There was a problem hiding this comment.
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/> in TokenHandlers which is used when determining | |
| /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/> in TokenHandlers, which is used when determining |
| if (Options.ConfigurationManager != null) | ||
| { | ||
| // GetConfigurationAsync has a time interval that must pass before new http request will be issued. | ||
| var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted); |
There was a problem hiding this comment.
Previously we would cache the _configuration on the handler. However, we don't cache it anymore, and instead will always call GetConfigurationAsync. Is this OK? Will it cause any sort of performance issue?
There was a problem hiding this comment.
GetConfigurationAsync should do its own caching, and handlers are re-created per request anyways. It looks like this is the only place config is read?
There was a problem hiding this comment.
Correct, ConfigurationManager does its own caching
|
Closing in favor of #49542. |
|
Hi @eerhardt. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context. |
I want to be compatible with the token of my Net6 program, 128 bits. How should I set it in Net8?
|
|
Hi @bbhxwl. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context. |
Summary of the changes (Less than 80 chars)
Description
IdentityModel has updated the token validation to be more performant, provide an async model and provide a Last-Known-Good model for preserving metadata that was last known to validate a token for a specific identity provider
{Detail}
The user must opt-out in by setting a boolean, UseTokenHandlers, in JwtBearerOptions or WsFederationOptions.
If not disabled, then a JsonWebToken will be the SecurityToken that is available for further processing by the application instead of a JwtSecurityToken.