Respect TVP.RequireAudience when set to false #3055

Merged
merged 6 commits into from
Dec 14, 2024
Expand Up @@ -8,6 +8,7 @@ const Microsoft.IdentityModel.Tokens.LogMessages.IDX10273 = "IDX10273: Algorithm
const Microsoft.IdentityModel.Tokens.LogMessages.IDX10274 = "IDX10274: IssuerSigningKeyValidationDelegate threw an exception, see inner exception." -> string
const Microsoft.IdentityModel.Tokens.LogMessages.IDX10275 = "IDX10275: TokenTypeValidationDelegate threw an exception, see inner exception." -> string
const Microsoft.IdentityModel.Tokens.LogMessages.IDX10276 = "IDX10276: TokenReplayValidationDelegate threw an exception, see inner exception." -> string
const Microsoft.IdentityModel.Tokens.LogMessages.IDX10277 = "IDX10277: RequireAudience property on ValidationParameters is set to false. Exiting without validating the audience." -> string
Microsoft.IdentityModel.Tokens.AlgorithmValidationError
Microsoft.IdentityModel.Tokens.AlgorithmValidationError.AlgorithmValidationError(Microsoft.IdentityModel.Tokens.MessageDetail messageDetail, Microsoft.IdentityModel.Tokens.ValidationFailureType validationFailureType, System.Type exceptionType, System.Diagnostics.StackFrame stackFrame, string invalidAlgorithm, System.Exception innerException = null) -> void
Microsoft.IdentityModel.Tokens.AlgorithmValidationError.InvalidAlgorithm.get -> string
1 change: 1 addition & 0 deletions src/Microsoft.IdentityModel.Tokens/LogMessages.cs
Expand Up @@ -95,6 +95,7 @@ internal static class LogMessages
public const string IDX10274 = "IDX10274: IssuerSigningKeyValidationDelegate threw an exception, see inner exception.";
public const string IDX10275 = "IDX10275: TokenTypeValidationDelegate threw an exception, see inner exception.";
public const string IDX10276 = "IDX10276: TokenReplayValidationDelegate threw an exception, see inner exception.";
public const string IDX10277 = "IDX10277: RequireAudience property on ValidationParameters is set to false. Exiting without validating the audience.";

// 10500 - SignatureValidation
public const string IDX10500 = "IDX10500: Signature validation failed. No security keys were provided to validate the signature.";
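Review bot: The new IDX10277 text says the property lives on `ValidationParameters`, but the check that emits it in Validators.cs reads `validationParameters.RequireAudience` from the parameter the tests populate with `new TokenValidationParameters{ RequireAudience = false }`, and the PR title itself calls it TVP.RequireAudience. If the library also has a type literally named ValidationParameters in scope, the message points readers at the wrong type when they search the code. Consider `public const string IDX10277 = "IDX10277: RequireAudience property on TokenValidationParameters is set to false. Exiting without validating the audience.";`, or wording that avoids naming a type at all.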
6 changes: 6 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/Validators.cs
Expand Up @@ -87,6 +87,12 @@ public static void ValidateAudience(IEnumerable<string> audiences, SecurityToken
return;
}

if (!validationParameters.RequireAudience && !audiences.Any())
{
LogHelper.LogWarning(LogMessages.IDX10277);
return;
}

if (audiences == null)
throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAudienceException(LogMessages.IDX10207) { InvalidAudience = null });

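Review bot: The added guard `if (!validationParameters.RequireAudience && !audiences.Any())` runs before the existing `if (audiences == null)` check, so a caller that passes a null audience collection with RequireAudience set to false gets an ArgumentNullException out of `Enumerable.Any` instead of either the new warning path or the SecurityTokenInvalidAudienceException (IDX10207) that callers catching audience failures expect. Either make the guard null-safe, `if (!validationParameters.RequireAudience && (audiences == null || !audiences.Any()))`, so a token with no audience at all is treated the same as an empty list, or move the block below the null check if a null collection is meant to stay an error regardless of RequireAudience. Whichever semantics is intended should be stated in a comment on the guard, since "no audience" currently arrives as either null or an empty list depending on the caller. ValidateAudience begins and ends outside this hunk.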
Expand Up @@ -28,91 +28,89 @@ public void ValidateAudienceParameters(AudienceValidationTheoryData theoryData)

TestUtilities.AssertFailIfErrors(context);
}

public static TheoryData<AudienceValidationTheoryData> ValidateAudienceParametersTheoryData
{
get
{
return new TheoryData<AudienceValidationTheoryData>
{
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenValidationParametersNull")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.ArgumentNullException("IDX10000:"),
TestId = "TokenValidationParametersNull",
TokenValidationParameters = null
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesEmptyString")
{
Audiences = new List<string> { "" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "AudiencesEmptyString",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = "audience"}
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesWhiteSpace")
{
Audiences = new List<string> { " " },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "AudiencesWhiteSpace",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = "audience"}
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesNull")
{
Audiences = null,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10207:"),
TestId = "AudiencesNull"
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesEmptyList")
{
Audiences = new List<string>{ },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10206:"),
TestId = "AudiencesEmptyList",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = "audience"}
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidateAudienceFalseAudiencesEmptyList")
{
Audiences = new List<string>{ },
TestId = "ValidateAudienceFalseAudiencesEmptyList",
TokenValidationParameters = new TokenValidationParameters{ ValidateAudience = false }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidateAudienceFalseAudiencesNull")
{
Audiences = null,
TestId = "ValidateAudienceFalseAudiencesNull",
TokenValidationParameters = new TokenValidationParameters{ ValidateAudience = false }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceEmptyString")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208:"),
TestId = "ValidAudienceEmptyString",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = "" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceWhiteSpace")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208:"),
TestId = "ValidAudienceWhiteSpace",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = " " }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudiencesEmptyString")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudiencesEmptyString",
TokenValidationParameters = new TokenValidationParameters{ ValidAudiences = new List<string>{ "" } }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudiencesWhiteSpace")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudiencesWhiteSpace",
TokenValidationParameters = new TokenValidationParameters{ ValidAudiences = new List<string>{ " " } }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidateAudienceTrueValidAudienceAndValidAudiencesNull")
{
Audiences = new List<string> { "audience1" },
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208:"),
TestId = "ValidateAudienceTrueValidAudienceAndValidAudiencesNull"
},
new AudienceValidationTheoryData("AudiencesEmpty_RequireAudienceFalse_NoException")
// default value of TVP.RequireAudience is true.
{
Audiences = new List<string> { },
TokenValidationParameters = new TokenValidationParameters{
ValidAudience = "audience",
RequireAudience = false
}
}
};
}
Expand Down Expand Up @@ -149,131 +147,112 @@ public static TheoryData<AudienceValidationTheoryData> ValidateAudienceTheoryDat

return new TheoryData<AudienceValidationTheoryData>
{
new AudienceValidationTheoryData
new AudienceValidationTheoryData("SameLengthMatched")
{
Audiences = audiences1,
TestId = "SameLengthMatched",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("SameLengthNotMatched")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "SameLengthNotMatched",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience2 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("NoMatchTVPValidateFalse")
{
Audiences = audiences1,
TestId = "NoMatchTVPValidateFalse",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience2, ValidateAudience = false }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesValidAudienceWithSlashNotMatched")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "AudiencesValidAudienceWithSlashNotMatched",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience2 + "/" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("AudiencesWithSlashValidAudienceSameLengthNotMatched")
{
Audiences = audiences2WithSlash,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "AudiencesWithSlashValidAudienceSameLengthNotMatched",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceWithSlashTVPFalse")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudienceWithSlashTVPFalse",
TokenValidationParameters = new TokenValidationParameters{ IgnoreTrailingSlashWhenValidatingAudience = false, ValidAudience = audience1 + "/" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceWithSlashTVPTrue")
{
Audiences = audiences1,
TestId = "ValidAudienceWithSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 + "/" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudiencesWithSlashTVPFalse")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudiencesWithSlashTVPFalse",
TokenValidationParameters = new TokenValidationParameters{ IgnoreTrailingSlashWhenValidatingAudience = false, ValidAudiences = audiences1WithSlash }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudiencesWithSlashTVPTrue")
{
Audiences = audiences1,
TestId = "ValidAudiencesWithSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudiences = audiences1WithSlash }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceWithExtraChar")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudienceWithExtraChar",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 + "A" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudienceWithDoubleSlashTVPTrue")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudienceWithDoubleSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 + "//" }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("ValidAudiencesWithDoubleSlashTVPTrue")
{
Audiences = audiences1,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "ValidAudiencesWithDoubleSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudiences = audiences1WithTwoSlashes }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudienceWithSlashTVPFalse")
{
Audiences = audiences1WithSlash,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "TokenAudienceWithSlashTVPFalse",
TokenValidationParameters = new TokenValidationParameters{ IgnoreTrailingSlashWhenValidatingAudience = false, ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudienceWithSlashTVPTrue")
{
Audiences = audiences1WithSlash,
TestId = "TokenAudienceWithSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudienceWithSlashNotEqual")
{
Audiences = audiences2WithSlash,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "TokenAudienceWithSlashNotEqual",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 },
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudiencesWithSlashTVPFalse")
{
Audiences = audiences1WithSlash,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "TokenAudiencesWithSlashTVPFalse",
TokenValidationParameters = new TokenValidationParameters{ IgnoreTrailingSlashWhenValidatingAudience = false, ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudiencesWithSlashTVPTrue")
{
Audiences = audiences1WithSlash,
TestId = "TokenAudiencesWithSlashTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudiencesWithSlashValidAudiencesNotMatchedTVPTrue")
{
Audiences = audiences1WithSlash,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "TokenAudiencesWithSlashValidAudiencesNotMatchedTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudiences = audiences2 }
},
new AudienceValidationTheoryData
new AudienceValidationTheoryData("TokenAudienceWithTwoSlashesTVPTrue")
{
Audiences = audiences1WithTwoSlashes,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
TestId = "TokenAudienceWithTwoSlashesTVPTrue",
TokenValidationParameters = new TokenValidationParameters{ ValidAudience = audience1 }
}
};
Expand Down Expand Up @@ -500,6 +479,9 @@ public bool TryFind(string securityToken)

public class AudienceValidationTheoryData : TheoryDataBase
{
public AudienceValidationTheoryData(string testId) : base(testId)
{ }

public List<string> Audiences { get; set; }

public SecurityToken SecurityToken { get; set; }
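Review bot: The new case `new AudienceValidationTheoryData("AudiencesEmpty_RequireAudienceFalse_NoException")` in ValidateAudienceParametersTheoryData only exercises an empty list; there is no case with `Audiences = null` and `RequireAudience = false`, which is exactly the input the new `!audiences.Any()` guard in Validators.cs evaluates before its null check, so the behaviour for a token carrying no audience claim at all is left untested. Add a sibling entry such as `new AudienceValidationTheoryData("AudiencesNull_RequireAudienceFalse") { Audiences = null, TokenValidationParameters = new TokenValidationParameters{ ValidAudience = "audience", RequireAudience = false } }` with the ExpectedException (or none) that matches the intended semantics. As a point of style, the comment `// default value of TVP.RequireAudience is true.` is placed between the constructor call and its object initializer brace; move it onto the line above the `new` so the initializer is not split. The property getter starts before this hunk.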