dotnet
diff --git a/‎src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs
Lines changed: 6 additions & 9 deletions b/‎src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs
Lines changed: 6 additions & 9 deletions
diff --git a/‎src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs
Lines changed: 2 additions & 1 deletion b/‎src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Security/Authentication/JwtBearer/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 2 deletions b/‎src/Security/Authentication/JwtBearer/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 2 deletions b/‎src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Security/Authentication/WsFederation/src/Resources.resx
Lines changed: 1 addition & 1 deletion b/‎src/Security/Authentication/WsFederation/src/Resources.resx
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Security/Authentication/WsFederation/src/WsFederationHandler.cs
Lines changed: 1 addition & 3 deletions b/‎src/Security/Authentication/WsFederation/src/WsFederationHandler.cs
Lines changed: 1 addition & 3 deletions
diff --git a/‎src/Security/Authentication/WsFederation/src/WsFederationOptions.cs
Lines changed: 3 additions & 2 deletions b/‎src/Security/Authentication/WsFederation/src/WsFederationOptions.cs
Lines changed: 3 additions & 2 deletions
@@ -9,7 +9,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.Net.Http.Headers;
 
@@ -20,8 +19,6 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer;
 /// </summary>
 public class JwtBearerHandler : AuthenticationHandler<JwtBearerOptions>
 {
-    private OpenIdConnectConfiguration? _configuration;
-
     /// <summary>
     /// Initializes a new instance of <see cref="JwtBearerHandler"/>.
     /// </summary>
@@ -101,7 +98,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             SecurityToken? validatedToken = null;
             ClaimsPrincipal? principal = null;
 
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenValidators)
             {
                 foreach (var tokenHandler in Options.TokenHandlers)
                 {
@@ -123,7 +120,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     catch (Exception ex)
                     {
                         validationFailures ??= new List<Exception>(1);
-                        RecordTokenValidationError(new SecurityTokenValidationException($"TokenHandler: '{tokenHandler}', threw an exception (see inner exception).", ex), validationFailures);
+                        RecordTokenValidationError(ex, validationFailures);
                     }
                 }
             }
@@ -194,7 +191,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.Fail(authenticationFailedContext.Exception);
             }
 
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenValidators)
             {
                 return AuthenticateResults.TokenHandlerUnableToValidate;
             }
@@ -251,10 +248,10 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn
             if (Options.ConfigurationManager != null)
             {
                 // GetConfigurationAsync has a time interval that must pass before new http request will be issued.
-                _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
-                var issuers = new[] { _configuration.Issuer };
+                var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
+                var issuers = new[] { configuration.Issuer };
                 tokenValidationParameters.ValidIssuers = (tokenValidationParameters.ValidIssuers == null ? issuers : tokenValidationParameters.ValidIssuers.Concat(issuers));
-                tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? _configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(_configuration.SigningKeys));
+                tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(configuration.SigningKeys));
             }
         }
 
 
@@ -111,6 +111,7 @@ public JwtBearerOptions()
     /// <summary>
     /// Gets the ordered list of <see cref="ISecurityTokenValidator"/> used to validate access tokens.
     /// </summary>
+    [Obsolete("SecurityTokenValidators is no longer used by default. Use TokenHandlers instead. To continue using SecurityTokenValidators, set UseSecurityTokenValidators to true.")]
     public IList<ISecurityTokenValidator> SecurityTokenValidators { get; private set; }
 
     /// <summary>
@@ -180,5 +181,5 @@ public bool MapInboundClaims
     /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>
     /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>
     /// </remarks>
-    public bool UseTokenHandlers { get; set; }
+    public bool UseSecurityTokenValidators { get; set; }
 }
@@ -1,5 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.JwtBearerHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.TokenHandlers.get -> System.Collections.Generic.IList<Microsoft.IdentityModel.Tokens.TokenHandler!>!
-Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.get -> bool
-Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.set -> void
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseSecurityTokenValidators.get -> bool
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseSecurityTokenValidators.set -> void
@@ -1,5 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.WsFederationHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
 Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.TokenHandlers.get -> System.Collections.Generic.ICollection<Microsoft.IdentityModel.Tokens.TokenHandler!>!
-Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.get -> bool
-Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseSecurityTokenHandlers.get -> bool
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseSecurityTokenHandlers.set -> void
@@ -121,7 +121,7 @@
     <value>The service descriptor is missing.</value>
   </data>
   <data name="Exception_NoTokenValidatorFound" xml:space="preserve">
-    <value>No token validator was found for the given token.</value>
+    <value>No token validator or token handler was found for the given token.</value>
   </data>
   <data name="Exception_OptionMustBeProvided" xml:space="preserve">
     <value>The '{0}' option must be provided.</value>
 
@@ -245,7 +245,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             var tvp = await SetupTokenValidationParametersAsync();
             ClaimsPrincipal? principal = null;
             SecurityToken? validatedToken = null;
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenHandlers)
             {
                 foreach (var tokenHandler in Options.TokenHandlers)
                 {
@@ -298,7 +298,6 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
             if (principal == null)
             {
-                // TODO - need new string for TokenHandler
                 if (validationFailures == null || validationFailures.Count == 0)
                 {
                     throw new SecurityTokenException(Resources.Exception_NoTokenValidatorFound);
@@ -375,7 +374,6 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn
 
         if (Options.ConfigurationManager is BaseConfigurationManager baseConfigurationManager)
         {
-            // TODO - we need to add a parameter to TokenValidationParameters for the CancellationToken.
             tokenValidationParameters.ConfigurationManager = baseConfigurationManager;
         }
         else
 
@@ -105,6 +105,7 @@ public override void Validate()
     /// <summary>
     /// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
     /// </summary>
+    [Obsolete("SecurityTokenHandlers is no longer used by default. Use TokenHandlers instead. To continue using SecurityTokenHandlers, set UseSecurityTokenHandlers to true.")]
     public ICollection<ISecurityTokenValidator> SecurityTokenHandlers
     {
         get
@@ -118,7 +119,7 @@ public ICollection<ISecurityTokenValidator> SecurityTokenHandlers
     }
 
     /// <summary>
-    /// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
+    /// Gets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
     /// </summary>
     public ICollection<TokenHandler> TokenHandlers
     {
@@ -208,5 +209,5 @@ public TokenValidationParameters TokenValidationParameters
     /// <para>The default token handler for JsonWebTokens is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>
     /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>
     /// </remarks>
-    public bool UseTokenHandlers { get; set; }
+    public bool UseSecurityTokenHandlers { get; set; }
 }
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@`
`9`	`9`	`using Microsoft.AspNetCore.Http;`
`10`	`10`	`using Microsoft.Extensions.Logging;`
`11`	`11`	`using Microsoft.Extensions.Options;`
`12`		`-using Microsoft.IdentityModel.Protocols.OpenIdConnect;`
`13`	`12`	`using Microsoft.IdentityModel.Tokens;`
`14`	`13`	`using Microsoft.Net.Http.Headers;`
`15`	`14`
`@@ -20,8 +19,6 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer;`
`20`	`19`	`/// </summary>`
`21`	`20`	`public class JwtBearerHandler : AuthenticationHandler<JwtBearerOptions>`
`22`	`21`	`{`
`23`		`- private OpenIdConnectConfiguration? _configuration;`
`24`		`-`
`25`	`22`	`/// <summary>`
`26`	`23`	`/// Initializes a new instance of <see cref="JwtBearerHandler"/>.`
`27`	`24`	`/// </summary>`
`@@ -101,7 +98,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`101`	`98`	`SecurityToken? validatedToken = null;`
`102`	`99`	`ClaimsPrincipal? principal = null;`
`103`	`100`
`104`		`- if (Options.UseTokenHandlers)`
	`101`	`+ if (!Options.UseSecurityTokenValidators)`
`105`	`102`	`{`
`106`	`103`	`foreach (var tokenHandler in Options.TokenHandlers)`
`107`	`104`	`{`
`@@ -123,7 +120,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`123`	`120`	`catch (Exception ex)`
`124`	`121`	`{`
`125`	`122`	`validationFailures ??= new List<Exception>(1);`
`126`		`- RecordTokenValidationError(new SecurityTokenValidationException($"TokenHandler: '{tokenHandler}', threw an exception (see inner exception).", ex), validationFailures);`
	`123`	`+ RecordTokenValidationError(ex, validationFailures);`
`127`	`124`	`}`
`128`	`125`	`}`
`129`	`126`	`}`
`@@ -194,7 +191,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`194`	`191`	`return AuthenticateResult.Fail(authenticationFailedContext.Exception);`
`195`	`192`	`}`
`196`	`193`
`197`		`- if (Options.UseTokenHandlers)`
	`194`	`+ if (!Options.UseSecurityTokenValidators)`
`198`	`195`	`{`
`199`	`196`	`return AuthenticateResults.TokenHandlerUnableToValidate;`
`200`	`197`	`}`
`@@ -251,10 +248,10 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn`
`251`	`248`	`if (Options.ConfigurationManager != null)`
`252`	`249`	`{`
`253`	`250`	`// GetConfigurationAsync has a time interval that must pass before new http request will be issued.`
`254`		`- _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);`
`255`		`- var issuers = new[] { _configuration.Issuer };`
	`251`	`+ var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);`
	`252`	`+ var issuers = new[] { configuration.Issuer };`
`256`	`253`	`tokenValidationParameters.ValidIssuers = (tokenValidationParameters.ValidIssuers == null ? issuers : tokenValidationParameters.ValidIssuers.Concat(issuers));`
`257`		`- tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? _configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(_configuration.SigningKeys));`
	`254`	`+ tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(configuration.SigningKeys));`
`258`	`255`	`}`
`259`	`256`	`}`
`260`	`257`
Original file line number	Diff line number	Diff line change
`@@ -245,7 +245,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`245`	`245`	`var tvp = await SetupTokenValidationParametersAsync();`
`246`	`246`	`ClaimsPrincipal? principal = null;`
`247`	`247`	`SecurityToken? validatedToken = null;`
`248`		`- if (Options.UseTokenHandlers)`
	`248`	`+ if (!Options.UseSecurityTokenHandlers)`
`249`	`249`	`{`
`250`	`250`	`foreach (var tokenHandler in Options.TokenHandlers)`
`251`	`251`	`{`
`@@ -298,7 +298,6 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`298`	`298`
`299`	`299`	`if (principal == null)`
`300`	`300`	`{`
`301`		`- // TODO - need new string for TokenHandler`
`302`	`301`	`if (validationFailures == null \|\| validationFailures.Count == 0)`
`303`	`302`	`{`
`304`	`303`	`throw new SecurityTokenException(Resources.Exception_NoTokenValidatorFound);`
`@@ -375,7 +374,6 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn`
`375`	`374`
`376`	`375`	`if (Options.ConfigurationManager is BaseConfigurationManager baseConfigurationManager)`
`377`	`376`	`{`
`378`		`- // TODO - we need to add a parameter to TokenValidationParameters for the CancellationToken.`
`379`	`377`	`tokenValidationParameters.ConfigurationManager = baseConfigurationManager;`
`380`	`378`	`}`
`381`	`379`	`else`
Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,7 @@ public override void Validate()`
`105`	`105`	`/// <summary>`
`106`	`106`	`/// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.`
`107`	`107`	`/// </summary>`
	`108`	`+ [Obsolete("SecurityTokenHandlers is no longer used by default. Use TokenHandlers instead. To continue using SecurityTokenHandlers, set UseSecurityTokenHandlers to true.")]`
`108`	`109`	`public ICollection<ISecurityTokenValidator> SecurityTokenHandlers`
`109`	`110`	`{`
`110`	`111`	`get`
`@@ -118,7 +119,7 @@ public ICollection<ISecurityTokenValidator> SecurityTokenHandlers`
`118`	`119`	`}`
`119`	`120`
`120`	`121`	`/// <summary>`
`121`		`- /// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.`
	`122`	`+ /// Gets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.`
`122`	`123`	`/// </summary>`
`123`	`124`	`public ICollection<TokenHandler> TokenHandlers`
`124`	`125`	`{`
`@@ -208,5 +209,5 @@ public TokenValidationParameters TokenValidationParameters`
`208`	`209`	`/// <para>The default token handler for JsonWebTokens is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>`
`209`	`210`	`/// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>`
`210`	`211`	`/// </remarks>`
`211`		`- public bool UseTokenHandlers { get; set; }`
	`212`	`+ public bool UseSecurityTokenHandlers { get; set; }`
`212`	`213`	`}`