#7 IdentityModel dependency update for OpenIdConnect

Author: Tratcher

src/Microsoft.Owin.Security.OpenIdConnect/Microsoft.Owin.Security.OpenIdConnect.csproj

@@ -39,18 +39,34 @@
     <CodeAnalysisRuleSet>..\..\build\CodeAnalysis.ruleset</CodeAnalysisRuleSet>
   </PropertyGroup>
   <ItemGroup>
-    <Reference Include="Microsoft.IdentityModel.Protocol.Extensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\packages\Microsoft.IdentityModel.Protocol.Extensions.1.0.0\lib\net45\Microsoft.IdentityModel.Protocol.Extensions.dll</HintPath>
+    <Reference Include="Microsoft.IdentityModel.Logging, Version=1.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.IdentityModel.Logging.1.1.2\lib\net451\Microsoft.IdentityModel.Logging.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Microsoft.IdentityModel.Protocols, Version=2.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.IdentityModel.Protocols.2.1.2\lib\net451\Microsoft.IdentityModel.Protocols.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect, Version=2.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.IdentityModel.Protocols.OpenIdConnect.2.1.2\lib\net451\Microsoft.IdentityModel.Protocols.OpenIdConnect.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Microsoft.IdentityModel.Tokens, Version=5.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.IdentityModel.Tokens.5.1.2\lib\net451\Microsoft.IdentityModel.Tokens.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=9.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Newtonsoft.Json.9.0.1\lib\net45\Newtonsoft.Json.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Owin">
       <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
     </Reference>
     <Reference Include="System" />
     <Reference Include="System.IdentityModel" />
-    <Reference Include="System.IdentityModel.Tokens.Jwt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\packages\System.IdentityModel.Tokens.Jwt.4.0.0\lib\net45\System.IdentityModel.Tokens.Jwt.dll</HintPath>
+    <Reference Include="System.IdentityModel.Tokens.Jwt, Version=5.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\System.IdentityModel.Tokens.Jwt.5.1.2\lib\net451\System.IdentityModel.Tokens.Jwt.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Net.Http.WebRequest" />

src/Microsoft.Owin.Security.OpenIdConnect/Microsoft.Owin.Security.OpenIdConnect.nuspec

@@ -21,8 +21,11 @@
       <dependency id="Owin" version="1.0" />
       <dependency id="Microsoft.Owin" version="$version$" />
       <dependency id="Microsoft.Owin.Security" version="$version$" />
-      <dependency id="System.IdentityModel.Tokens.Jwt" version="4.0.0$azureAdJwtSuffix$" />
-      <dependency id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.0$azureAdExtSuffix$" />
+      <dependency id="System.IdentityModel.Tokens.Jwt" version="5.1.2$azureAdJwtSuffix$" />
+      <dependency id="Microsoft.IdentityModel.Logging" version="1.1.2$azureAdJwtSuffix$" />
+      <dependency id="Microsoft.IdentityModel.Protocols" version="2.1.2$azureAdJwtSuffix$" />
+      <dependency id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="2.1.2$azureAdJwtSuffix$" />
+      <dependency id="Microsoft.IdentityModel.Tokens" version="5.1.2$azureAdJwtSuffix$" />
     </dependencies>
   </metadata>
   <files>

src/Microsoft.Owin.Security.OpenIdConnect/Notifications/AuthorizationCodeReceivedNotification.cs

@@ -2,9 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Diagnostics.CodeAnalysis;
-using System.IdentityModel.Tokens;
-using System.Security.Claims;
-using Microsoft.IdentityModel.Protocols;
+using System.IdentityModel.Tokens.Jwt;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.Owin.Security.OpenIdConnect;
 
 namespace Microsoft.Owin.Security.Notifications

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -4,8 +4,8 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Http;
-using Microsoft.IdentityModel.Extensions;
 using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataProtection;
@@ -45,11 +45,6 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                     Options.AuthenticationType, "v1");
                 Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
             }
-
-            if (Options.SecurityTokenHandlers == null)
-            {
-                Options.SecurityTokenHandlers = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
-            }
 
             // if the user has not set the AuthorizeCallback, set it from the redirect_uri
             if (!Options.CallbackPath.HasValue)
@@ -78,9 +73,9 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                 {
                     Options.ConfigurationManager = new StaticConfigurationManager<OpenIdConnectConfiguration>(Options.Configuration);
                 }
-                else
+                else if (!(string.IsNullOrEmpty(Options.MetadataAddress) && string.IsNullOrEmpty(Options.Authority)))
                 {
-                    if (string.IsNullOrWhiteSpace(Options.MetadataAddress) && !string.IsNullOrWhiteSpace(Options.Authority))
+                    if (string.IsNullOrEmpty(Options.MetadataAddress) && !string.IsNullOrEmpty(Options.Authority))
                     {
                         Options.MetadataAddress = Options.Authority;
                         if (!Options.MetadataAddress.EndsWith("/", StringComparison.Ordinal))
@@ -91,12 +86,25 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                         Options.MetadataAddress += ".well-known/openid-configuration";
                     }
 
-                    HttpClient httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
-                    httpClient.Timeout = Options.BackchannelTimeout;
-                    httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
-                    Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, httpClient);
+                    if (Options.RequireHttpsMetadata && !Options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+                    {
+                        throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
+                    }
+
+                    var backchannel = new HttpClient(ResolveHttpMessageHandler(Options));
+                    backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft ASP.NET Core OpenIdConnect middleware");
+                    backchannel.Timeout = Options.BackchannelTimeout;
+                    backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
+
+                    Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
+                        new HttpDocumentRetriever(backchannel) { RequireHttps = Options.RequireHttpsMetadata });
                 }
             }
+
+            if (Options.ConfigurationManager == null)
+            {
+                throw new InvalidOperationException(string.Format("Provide Authority, MetadataAddress, Configuration, or ConfigurationManager to OpenIdConnectAuthenticationOptions"));
+            }
         }
 
         /// <summary>

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationNotifications.cs

@@ -3,7 +3,7 @@
 
 using System;
 using System.Threading.Tasks;
-using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.Owin.Security.Notifications;
 
 namespace Microsoft.Owin.Security.OpenIdConnect

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs

@@ -3,9 +3,11 @@
 
 using System;
 using System.Diagnostics.CodeAnalysis;
-using System.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
 using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.Owin.Infrastructure;
 
 namespace Microsoft.Owin.Security.OpenIdConnect
@@ -16,7 +18,6 @@ namespace Microsoft.Owin.Security.OpenIdConnect
     public class OpenIdConnectAuthenticationOptions : AuthenticationOptions
     {
         private OpenIdConnectProtocolValidator _protocolValidator;
-        private SecurityTokenHandlerCollection _securityTokenHandlers;
         private TokenValidationParameters _tokenValidationParameters;
         private TimeSpan _backchannelTimeout;
 
@@ -54,11 +55,14 @@ public OpenIdConnectAuthenticationOptions(string authenticationType)
             Caption = OpenIdConnectAuthenticationDefaults.Caption;
             ProtocolValidator = new OpenIdConnectProtocolValidator()
             {
+                RequireStateValidation = false,
                 NonceLifetime = TimeSpan.FromMinutes(15)
             };
             RefreshOnIssuerKeyNotFound = true;
-            ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
-            Scope = OpenIdConnectScopes.OpenIdProfile;
+            ResponseType = OpenIdConnectResponseType.CodeIdToken;
+            Scope = OpenIdConnectScope.OpenIdProfile;
+            SecurityTokenValidator = new JwtSecurityTokenHandler();
+            RequireHttpsMetadata = true;
             TokenValidationParameters = new TokenValidationParameters();
             UseTokenLifetime = true;
             CookieManager = new CookieManager();
@@ -126,30 +130,6 @@ public string Caption
             set { Description.Caption = value; }
         }
 
-        /// <summary>
-        /// Gets or sets the <see cref="SecurityTokenHandlerCollection"/> of <see cref="SecurityTokenHandler"/>s used to read and validate <see cref="SecurityToken"/>s. 
-        /// </summary>
-        /// <exception cref="ArgumentNullException">if 'value' is null.</exception>
-        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Justification = "By Design")]
-        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2208:InstantiateArgumentExceptionsCorrectly", Justification = "By Design")]
-        public SecurityTokenHandlerCollection SecurityTokenHandlers
-        {
-            get
-            {
-                return _securityTokenHandlers;
-            }
-            
-            set
-            {
-                if (value == null)
-                {
-                    throw new ArgumentNullException("SecurityTokenHandlers");
-                }
-
-                _securityTokenHandlers = value;
-            }
-        }
-
         /// <summary>
         /// Gets or sets the 'client_id'.
         /// </summary>
@@ -166,6 +146,12 @@ public SecurityTokenHandlerCollection SecurityTokenHandlers
         /// </summary>
         public OpenIdConnectConfiguration Configuration { get; set; }
 
+        /// <summary>
+        /// Gets or sets if HTTPS is required for the metadata address or authority.
+        /// The default is true. This should be disabled only in development environments.
+        /// </summary>
+        public bool RequireHttpsMetadata { get; set; }
+
         /// <summary>
         /// Gets or sets the discovery endpoint for obtaining metadata
         /// </summary>
@@ -253,6 +239,11 @@ public string SignInAsAuthenticationType
         /// </summary>
         public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
 
+        /// <summary>
+        /// Gets or sets the <see cref="ISecurityTokenValidator"/> used to validate identity tokens.
+        /// </summary>
+        public ISecurityTokenValidator SecurityTokenValidator { get; set; }
+
         /// <summary>
         /// Gets or sets the TokenValidationParameters
         /// </summary>

src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs

@@ -4,16 +4,16 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
-using System.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
 using System.IO;
 using System.Linq;
 using System.Runtime.ExceptionServices;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
-using Microsoft.IdentityModel.Extensions;
-using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.Infrastructure;
 using Microsoft.Owin.Security.Notifications;
@@ -70,7 +70,7 @@ protected override async Task ApplyResponseGrantAsync()
                 OpenIdConnectMessage openIdConnectMessage = new OpenIdConnectMessage()
                 {
                     IssuerAddress = _configuration.EndSessionEndpoint ?? string.Empty,
-                    RequestType = OpenIdConnectRequestType.LogoutRequest,
+                    RequestType = OpenIdConnectRequestType.Logout,
                 };
 
                 // Set End_Session_Endpoint in order:
@@ -143,9 +143,9 @@ protected override async Task ApplyResponseChallengeAsync()
                     ClientId = Options.ClientId,
                     IssuerAddress = _configuration.AuthorizationEndpoint ?? string.Empty,
                     RedirectUri = Options.RedirectUri,
-                    RequestType = OpenIdConnectRequestType.AuthenticationRequest,
+                    RequestType = OpenIdConnectRequestType.Authentication,
                     Resource = Options.Resource,
-                    ResponseMode = OpenIdConnectResponseModes.FormPost,
+                    ResponseMode = OpenIdConnectResponseMode.FormPost,
                     ResponseType = Options.ResponseType,
                     Scope = Options.Scope,
                     State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties)),
@@ -286,10 +286,10 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
                 TokenValidationParameters tvp = Options.TokenValidationParameters.Clone();
                 IEnumerable<string> issuers = new[] { _configuration.Issuer };
                 tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
-                tvp.IssuerSigningTokens = (tvp.IssuerSigningTokens == null ? _configuration.SigningTokens : tvp.IssuerSigningTokens.Concat(_configuration.SigningTokens));
+                tvp.IssuerSigningKeys = (tvp.IssuerSigningKeys == null ? _configuration.SigningKeys : tvp.IssuerSigningKeys.Concat<SecurityKey>(_configuration.SigningKeys));
 
                 SecurityToken validatedToken;
-                ClaimsPrincipal principal = Options.SecurityTokenHandlers.ValidateToken(openIdConnectMessage.IdToken, tvp, out validatedToken);
+                ClaimsPrincipal principal = Options.SecurityTokenValidator.ValidateToken(openIdConnectMessage.IdToken, tvp, out validatedToken);
                 ClaimsIdentity claimsIdentity = principal.Identity as ClaimsIdentity;
 
                 // claims principal could have changed claim values, use bits received on wire for validation.
@@ -352,13 +352,13 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
                 // Flow possible changes
                 ticket = securityTokenValidatedNotification.AuthenticationTicket;
 
-                var protocolValidationContext = new OpenIdConnectProtocolValidationContext
+                Options.ProtocolValidator.ValidateAuthenticationResponse(new OpenIdConnectProtocolValidationContext()
                 {
-                    AuthorizationCode = openIdConnectMessage.Code,
-                    Nonce = nonce,
-                };
-
-                Options.ProtocolValidator.Validate(jwt, protocolValidationContext);
+                    ClientId = Options.ClientId,
+                    ProtocolMessage = openIdConnectMessage,
+                    ValidatedIdToken = jwt,
+                    Nonce = nonce
+                });
 
                 if (openIdConnectMessage.Code != null)
                 {

src/Microsoft.Owin.Security.OpenIdConnect/packages.config

@@ -1,6 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.IdentityModel.Logging" version="1.1.2" targetFramework="net451" />
+  <package id="Microsoft.IdentityModel.Protocols" version="2.1.2" targetFramework="net451" />
+  <package id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="2.1.2" targetFramework="net451" />
+  <package id="Microsoft.IdentityModel.Tokens" version="5.1.2" targetFramework="net451" />
+  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net451" />
   <package id="Owin" version="1.0" targetFramework="net45" />
-  <package id="System.IdentityModel.Tokens.Jwt" version="4.0.0" targetFramework="net45" />
+  <package id="System.IdentityModel.Tokens.Jwt" version="5.1.2" targetFramework="net451" />
 </packages>