Update JwtBearer and WsFederation to use updated IdentityModel

eng/Versions.props

@@ -11,6 +11,7 @@
     <AspNetCorePatchVersion>0</AspNetCorePatchVersion>
     <PreReleaseVersionIteration>7</PreReleaseVersionIteration>
     <ValidateBaseline>true</ValidateBaseline>
+    <IdentityModelVersion>6.31.0</IdentityModelVersion>
     <!--
         When StabilizePackageVersion is set to 'true', this branch will produce stable outputs for 'Shipping' packages
     -->
@@ -254,15 +255,15 @@
     <MicrosoftCodeAnalysisCSharpAnalyzerTestingXUnitVersion>1.1.2-beta1.22531.1</MicrosoftCodeAnalysisCSharpAnalyzerTestingXUnitVersion>
     <MicrosoftCodeAnalysisCSharpCodeFixTestingXUnitVersion>1.1.2-beta1.22531.1</MicrosoftCodeAnalysisCSharpCodeFixTestingXUnitVersion>
     <MicrosoftCssParserVersion>1.0.0-20230414.1</MicrosoftCssParserVersion>
-    <MicrosoftIdentityModelLoggingVersion>6.15.1</MicrosoftIdentityModelLoggingVersion>
-    <MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.15.1</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
-    <MicrosoftIdentityModelProtocolsWsFederationVersion>6.15.1</MicrosoftIdentityModelProtocolsWsFederationVersion>
+    <MicrosoftIdentityModelLoggingVersion>$(IdentityModelVersion)</MicrosoftIdentityModelLoggingVersion>
+    <MicrosoftIdentityModelProtocolsOpenIdConnectVersion>$(IdentityModelVersion)</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
+    <MicrosoftIdentityModelProtocolsWsFederationVersion>$(IdentityModelVersion)</MicrosoftIdentityModelProtocolsWsFederationVersion>
     <MicrosoftInternalAspNetCoreH2SpecAllVersion>2.2.1</MicrosoftInternalAspNetCoreH2SpecAllVersion>
     <MicrosoftNETCoreWindowsApiSetsVersion>1.0.1</MicrosoftNETCoreWindowsApiSetsVersion>
     <MicrosoftOwinSecurityCookiesVersion>3.0.1</MicrosoftOwinSecurityCookiesVersion>
     <MicrosoftOwinTestingVersion>3.0.1</MicrosoftOwinTestingVersion>
     <MicrosoftWebAdministrationVersion>11.1.0</MicrosoftWebAdministrationVersion>
-    <SystemIdentityModelTokensJwtVersion>6.21.0</SystemIdentityModelTokensJwtVersion>
+    <SystemIdentityModelTokensJwtVersion>$(IdentityModelVersion)</SystemIdentityModelTokensJwtVersion>
     <SystemComponentModelAnnotationsVersion>5.0.0</SystemComponentModelAnnotationsVersion>
     <SystemNetExperimentalMsQuicVersion>5.0.0-alpha.20560.6</SystemNetExperimentalMsQuicVersion>
     <SystemSecurityPrincipalWindowsVersion>5.0.0</SystemSecurityPrincipalWindowsVersion>

src/Security/Authentication/JwtBearer/src/AuthenticateResults.cs

@@ -6,4 +6,5 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer;
 internal static class AuthenticateResults
 {
     internal static AuthenticateResult ValidatorNotFound = AuthenticateResult.Fail("No SecurityTokenValidator available for token.");
+    internal static AuthenticateResult TokenHandlerUnableToValidate = AuthenticateResult.Fail("No TokenHandler was able to validate the token.");
 }

src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs

@@ -96,79 +96,86 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 }
             }
 
-            if (_configuration == null && Options.ConfigurationManager != null)
-            {
-                _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
-            }
-
-            var validationParameters = Options.TokenValidationParameters.Clone();
-            if (_configuration != null)
-            {
-                var issuers = new[] { _configuration.Issuer };
-                validationParameters.ValidIssuers = validationParameters.ValidIssuers?.Concat(issuers) ?? issuers;
-
-                validationParameters.IssuerSigningKeys = validationParameters.IssuerSigningKeys?.Concat(_configuration.SigningKeys)
-                    ?? _configuration.SigningKeys;
-            }
-
+            var tvp = await SetupTokenValidationParametersAsync();
             List<Exception>? validationFailures = null;
             SecurityToken? validatedToken = null;
-            foreach (var validator in Options.SecurityTokenValidators)
+            ClaimsPrincipal? principal = null;
+
+            if (Options.UseTokenHandlers)
             {
-                if (validator.CanReadToken(token))
+                foreach (var tokenHandler in Options.TokenHandlers)
                 {
-                    ClaimsPrincipal principal;
                     try
                     {
-                        principal = validator.ValidateToken(token, validationParameters, out validatedToken);
+                        var tokenValidationResult = await tokenHandler.ValidateTokenAsync(token, tvp);
+                        if (tokenValidationResult.IsValid)
+                        {
+                            principal = new ClaimsPrincipal(tokenValidationResult.ClaimsIdentity);
+                            validatedToken = tokenValidationResult.SecurityToken;
+                            break;
+                        }
+                        else
+                        {
+                            validationFailures ??= new List<Exception>(1);
+                            RecordTokenValidationError(tokenValidationResult.Exception ?? new SecurityTokenValidationException($"The TokenHandler: '{tokenHandler}', was unable to validate the Token."), validationFailures);
+                        }
                     }
                     catch (Exception ex)
                     {
-                        Logger.TokenValidationFailed(ex);
-
-                        // Refresh the configuration for exceptions that may be caused by key rollovers. The user can also request a refresh in the event.
-                        if (Options.RefreshOnIssuerKeyNotFound && Options.ConfigurationManager != null
-                            && ex is SecurityTokenSignatureKeyNotFoundException)
+                        validationFailures ??= new List<Exception>(1);
+                        RecordTokenValidationError(new SecurityTokenValidationException($"TokenHandler: '{tokenHandler}', threw an exception (see inner exception).", ex), validationFailures);
+                    }
+                }
+            }
+            else
+            {
+                foreach (var validator in Options.SecurityTokenValidators)
+                {
+                    if (validator.CanReadToken(token))
+                    {
+                        try
                         {
-                            Options.ConfigurationManager.RequestRefresh();
+                            principal = validator.ValidateToken(token, tvp, out validatedToken);
                         }
-
-                        if (validationFailures == null)
+                        catch (Exception ex)
                         {
-                            validationFailures = new List<Exception>(1);
+                            validationFailures ??= new List<Exception>(1);
+                            RecordTokenValidationError(ex, validationFailures);
+                            continue;
                         }
-                        validationFailures.Add(ex);
-                        continue;
                     }
+                }
+            }
 
-                    Logger.TokenValidationSucceeded();
+            if (principal != null && validatedToken != null)
+            {
+                Logger.TokenValidationSucceeded();
 
-                    var tokenValidatedContext = new TokenValidatedContext(Context, Scheme, Options)
-                    {
-                        Principal = principal,
-                        SecurityToken = validatedToken
-                    };
+                var tokenValidatedContext = new TokenValidatedContext(Context, Scheme, Options)
+                {
+                    Principal = principal
+                };
 
-                    tokenValidatedContext.Properties.ExpiresUtc = GetSafeDateTime(validatedToken.ValidTo);
-                    tokenValidatedContext.Properties.IssuedUtc = GetSafeDateTime(validatedToken.ValidFrom);
+                tokenValidatedContext.SecurityToken = validatedToken;
+                tokenValidatedContext.Properties.ExpiresUtc = GetSafeDateTime(validatedToken.ValidTo);
+                tokenValidatedContext.Properties.IssuedUtc = GetSafeDateTime(validatedToken.ValidFrom);
 
-                    await Events.TokenValidated(tokenValidatedContext);
-                    if (tokenValidatedContext.Result != null)
-                    {
-                        return tokenValidatedContext.Result;
-                    }
+                await Events.TokenValidated(tokenValidatedContext);
+                if (tokenValidatedContext.Result != null)
+                {
+                    return tokenValidatedContext.Result;
+                }
 
-                    if (Options.SaveToken)
+                if (Options.SaveToken)
+                {
+                    tokenValidatedContext.Properties.StoreTokens(new[]
                     {
-                        tokenValidatedContext.Properties.StoreTokens(new[]
-                        {
-                                new AuthenticationToken { Name = "access_token", Value = token }
-                            });
-                    }
-
-                    tokenValidatedContext.Success();
-                    return tokenValidatedContext.Result!;
+                        new AuthenticationToken { Name = "access_token", Value = token }
+                    });
                 }
+
+                tokenValidatedContext.Success();
+                return tokenValidatedContext.Result!;
             }
 
             if (validationFailures != null)
@@ -187,6 +194,11 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.Fail(authenticationFailedContext.Exception);
             }
 
+            if (Options.UseTokenHandlers)
+            {
+                return AuthenticateResults.TokenHandlerUnableToValidate;
+            }
+
             return AuthenticateResults.ValidatorNotFound;
         }
         catch (Exception ex)
@@ -208,6 +220,47 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         }
     }
 
+    private void RecordTokenValidationError(Exception exception, List<Exception> exceptions)
+    {
+        if (exception != null)
+        {
+            Logger.TokenValidationFailed(exception);
+            exceptions.Add(exception);
+        }
+
+        // Refresh the configuration for exceptions that may be caused by key rollovers. The user can also request a refresh in the event.
+        // Refreshing on SecurityTokenSignatureKeyNotFound may be redundant if Last-Known-Good is enabled, it won't do much harm, most likely will be a nop.
+        if (Options.RefreshOnIssuerKeyNotFound && Options.ConfigurationManager != null
+            && exception is SecurityTokenSignatureKeyNotFoundException)
+        {
+            Options.ConfigurationManager.RequestRefresh();
+        }
+    }
+
+    private async Task<TokenValidationParameters> SetupTokenValidationParametersAsync()
+    {
+        // Clone to avoid cross request race conditions for updated configurations.
+        var tokenValidationParameters = Options.TokenValidationParameters.Clone();
+
+        if (Options.ConfigurationManager is BaseConfigurationManager baseConfigurationManager)
+        {
+            tokenValidationParameters.ConfigurationManager = baseConfigurationManager;
+        }
+        else
+        {
+            if (Options.ConfigurationManager != null)
+            {
+                // GetConfigurationAsync has a time interval that must pass before new http request will be issued.
+                _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
+                var issuers = new[] { _configuration.Issuer };
+                tokenValidationParameters.ValidIssuers = (tokenValidationParameters.ValidIssuers == null ? issuers : tokenValidationParameters.ValidIssuers.Concat(issuers));
+                tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? _configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(_configuration.SigningKeys));
+            }
+        }
+
+        return tokenValidationParameters;
+    }
+
     private static DateTime? GetSafeDateTime(DateTime dateTime)
     {
         // Assigning DateTime.MinValue or default(DateTime) to a DateTimeOffset when in a UTC+X timezone will throw

src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs

@@ -5,6 +5,7 @@
 using System.Net.Http;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 
 namespace Microsoft.AspNetCore.Authentication.JwtBearer;
@@ -15,13 +16,20 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer;
 public class JwtBearerOptions : AuthenticationSchemeOptions
 {
     private readonly JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();
+    private readonly JsonWebTokenHandler _defaultTokenHandler = new JsonWebTokenHandler
+    {
+        MapInboundClaims = JwtSecurityTokenHandler.DefaultMapInboundClaims
+    };
+
+    private bool _mapInboundClaims = JwtSecurityTokenHandler.DefaultMapInboundClaims;
 
     /// <summary>
     /// Initializes a new instance of <see cref="JwtBearerOptions"/>.
     /// </summary>
     public JwtBearerOptions()
     {
         SecurityTokenValidators = new List<ISecurityTokenValidator> { _defaultHandler };
+        TokenHandlers = new List<TokenHandler> { _defaultTokenHandler };
     }
 
     /// <summary>
@@ -105,6 +113,11 @@ public JwtBearerOptions()
     /// </summary>
     public IList<ISecurityTokenValidator> SecurityTokenValidators { get; private set; }
 
+    /// <summary>
+    /// Gets the ordered list of <see cref="TokenHandler"/> used to validate access tokens.
+    /// </summary>
+    public IList<TokenHandler> TokenHandlers { get; private set; }
+
     /// <summary>
     /// Gets or sets the parameters used to validate identity tokens.
     /// </summary>
@@ -126,15 +139,20 @@ public JwtBearerOptions()
     public bool IncludeErrorDetails { get; set; } = true;
 
     /// <summary>
-    /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, which is used when determining
-    /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>.
+    /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, or <see cref="JsonWebTokenHandler"/> in TokenHandlers which is used when determining
+    /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/> or a <see cref="JsonWebToken"/>.
     /// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para>
     /// <para>The default value is true.</para>
     /// </summary>
     public bool MapInboundClaims
     {
-        get => _defaultHandler.MapInboundClaims;
-        set => _defaultHandler.MapInboundClaims = value;
+        get => _mapInboundClaims;
+        set
+        {
+            _mapInboundClaims = value;
+            _defaultHandler.MapInboundClaims = value;
+            _defaultTokenHandler.MapInboundClaims = value;
+        }
     }
 
     /// <summary>
@@ -152,4 +170,15 @@ public bool MapInboundClaims
     /// Defaults to <see cref="ConfigurationManager{OpenIdConnectConfiguration}.DefaultRefreshInterval" />.
     /// </value>
     public TimeSpan RefreshInterval { get; set; } = ConfigurationManager<OpenIdConnectConfiguration>.DefaultRefreshInterval;
+
+    /// <summary>
+    /// Gets or sets whether <see cref="TokenHandlers"/> or <see cref="SecurityTokenValidators"/> will be used to validate the inbound token.
+    /// </summary>
+    /// <remarks>
+    /// The advantage of using TokenHandlers are:
+    /// <para>There is an Async model.</para>
+    /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>
+    /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>
+    /// </remarks>
+    public bool UseTokenHandlers { get; set; }
 }

src/Security/Authentication/JwtBearer/src/PublicAPI.Unshipped.txt

@@ -1,2 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.JwtBearerHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.TokenHandlers.get -> System.Collections.Generic.IList<Microsoft.IdentityModel.Tokens.TokenHandler!>!
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.get -> bool
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.set -> void

src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt

@@ -1,2 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.WsFederationHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.TokenHandlers.get -> System.Collections.Generic.ICollection<Microsoft.IdentityModel.Tokens.TokenHandler!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.get -> bool
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.set -> void