Option to use JsonWebTokenHandler in oidc handler #49333
Changes from all commits
2260e57
61323b8
7f45829
b208837
9a4cc56
a4c116c
b7c4701
|
@@ -164,4 +164,10 @@ internal static partial class LoggingExtensions | |||||
[LoggerMessage(55, LogLevel.Error, "The remote signout request was ignored because the 'iss' parameter didn't match " + | ||||||
"the expected value, which may indicate an unsolicited logout.", EventName = "RemoteSignOutIssuerInvalid")] | ||||||
public static partial void RemoteSignOutIssuerInvalid(this ILogger logger); | ||||||
|
||||||
[LoggerMessage(56, LogLevel.Error, "Unable to validate the 'id_token', no suitable TokenHandler was found for: '{IdToken}'.", EventName = "UnableToValidateIdTokenFromHandler")] | ||||||
public static partial void UnableToValidateIdTokenFromHandler(this ILogger logger, string idToken); | ||||||
|
||||||
[LoggerMessage(57, LogLevel.Error, "The Validated Security Token must be of type JsonWebToken, but instead its type is: '{SecurityTokenType}'", EventName = "InvalidSecurityTokenTypeFromHandler")] | ||||||
public static partial void InvalidSecurityTokenTypeFromHandler(this ILogger logger, string? securityTokenType); | ||||||
I don't think we'd want
This is the same approach as taken in InvalidSecurityTokenType earlier in the file
||||||
} |
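Review bot: The new message at L33 writes the raw `id_token` into an Error-level log entry through the `{IdToken}` placeholder; an ID token carries identity claims and is a signed credential, so it lands in log sinks that are usually far less protected than the authentication pipeline itself. The message only needs to explain that no suitable handler could validate the token, and the token body adds little diagnostic value at that point, so consider `"Unable to validate the 'id_token', no suitable TokenHandler was found."` and keep any token dump behind a Debug-level message. The wording suggests this parallels an existing ISecurityTokenValidator-based message earlier in the file, which is outside this hunk; if that one also emits the token, both should change together.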
|
@@ -4,6 +4,7 @@ | |
using System.IdentityModel.Tokens.Jwt; | ||
using Microsoft.AspNetCore.Authentication.OAuth.Claims; | ||
using Microsoft.AspNetCore.Http; | ||
using Microsoft.IdentityModel.JsonWebTokens; | ||
using Microsoft.IdentityModel.Protocols; | ||
using Microsoft.IdentityModel.Protocols.OpenIdConnect; | ||
using Microsoft.IdentityModel.Tokens; | ||
|
@@ -17,6 +18,12 @@ public class OpenIdConnectOptions : RemoteAuthenticationOptions | |
{ | ||
private CookieBuilder _nonceCookieBuilder; | ||
private readonly JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler(); | ||
private readonly JsonWebTokenHandler _defaultTokenHandler = new JsonWebTokenHandler | ||
{ | ||
MapInboundClaims = JwtSecurityTokenHandler.DefaultMapInboundClaims | ||
}; | ||
|
||
private bool _mapInboundClaims = JwtSecurityTokenHandler.DefaultMapInboundClaims; | ||
|
||
/// <summary> | ||
/// Initializes a new <see cref="OpenIdConnectOptions"/> | ||
|
@@ -37,7 +44,10 @@ public OpenIdConnectOptions() | |
CallbackPath = new PathString("/signin-oidc"); | ||
SignedOutCallbackPath = new PathString("/signout-callback-oidc"); | ||
RemoteSignOutPath = new PathString("/signout-oidc"); | ||
#pragma warning disable CS0618 // Type or member is obsolete | ||
SecurityTokenValidator = _defaultHandler; | ||
#pragma warning restore CS0618 // Type or member is obsolete | ||
TokenHandler = _defaultTokenHandler; | ||
Should
we discussed off-line. resolved.
||
|
||
Events = new OpenIdConnectEvents(); | ||
Scope.Add("openid"); | ||
|
@@ -253,8 +263,17 @@ public override void Validate() | |
/// <summary> | ||
/// Gets or sets the <see cref="ISecurityTokenValidator"/> used to validate identity tokens. | ||
/// </summary> | ||
[Obsolete("SecurityTokenValidator is no longer used by default. Use TokenHandler instead. To continue using SecurityTokenValidator, set UseSecurityTokenValidator to true. See https://aka.ms/aspnetcore8/security-token-changes")] | ||
public ISecurityTokenValidator SecurityTokenValidator { get; set; } | ||
|
||
/// <summary> | ||
/// Gets or sets the <see cref="TokenHandler"/> used to validate identity tokens. | ||
/// <para> | ||
/// This will be used instead of <see cref="SecurityTokenValidator"/> if <see cref="UseSecurityTokenValidator"/> is <see langword="false"/> | ||
/// </para> | ||
/// </summary> | ||
public TokenHandler TokenHandler { get; set; } | ||
The other PR returns
resolved
||
|
||
/// <summary> | ||
/// Gets or sets the parameters used to validate identity tokens. | ||
/// </summary> | ||
|
@@ -353,14 +372,25 @@ public override CookieOptions Build(HttpContext context, DateTimeOffset expiresF | |
public TimeSpan RefreshInterval { get; set; } = ConfigurationManager<OpenIdConnectConfiguration>.DefaultRefreshInterval; | ||
|
||
/// <summary> | ||
/// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidator, which is used when determining | ||
/// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidator | ||
/// and default instance of <see cref="JsonWebTokenHandler"/> in TokenHandler, which is used when determining | ||
/// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>. | ||
/// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para> | ||
/// <para>The default value is true.</para> | ||
/// </summary> | ||
public bool MapInboundClaims | ||
{ | ||
get => _defaultHandler.MapInboundClaims; | ||
set => _defaultHandler.MapInboundClaims = value; | ||
get => _mapInboundClaims; | ||
set | ||
{ | ||
_mapInboundClaims = value; | ||
_defaultHandler.MapInboundClaims = value; | ||
_defaultTokenHandler.MapInboundClaims = value; | ||
} | ||
} | ||
|
||
/// <summary> | ||
/// Gets or sets whether to use the <see cref="TokenHandler"/> or the <see cref="SecurityTokenValidator"/> for validating identity tokens. | ||
/// </summary> | ||
public bool UseSecurityTokenValidator { get; set; } | ||
} |
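Review bot: `UseSecurityTokenValidator` at L139 is a plain auto-property, so it defaults to false and any application that previously assigned a custom `SecurityTokenValidator` will now have it silently bypassed in favour of the default `JsonWebTokenHandler` unless it also opts in, yet the XML doc at L136-L138 does not state the default or the opt-in requirement. Suggest adding `/// <para>The default is <see langword="false"/>, meaning <see cref="TokenHandler"/> is used. Set to <see langword="true"/> to keep using a customized <see cref="SecurityTokenValidator"/>.</para>` to that summary. Separately, both `TokenHandler` (L101) and `SecurityTokenValidator` (L92) are declared non-nullable but remain freely settable; the hunk header at L87 shows this region sits near `Validate()`, whose body is outside the hunk, so it is worth confirming that `Validate()` rejects a null handler for whichever path `UseSecurityTokenValidator` selects rather than letting it surface as a NullReferenceException during sign-in.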
@@ -1,2 +1,6 @@ | ||
#nullable enable | ||
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.OpenIdConnectHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.HtmlEncoder! htmlEncoder, System.Text.Encodings.Web.UrlEncoder! encoder) -> void | ||
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.TokenHandler.get -> Microsoft.IdentityModel.Tokens.TokenHandler! | ||
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.TokenHandler.set -> void | ||
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.UseSecurityTokenValidator.get -> bool | ||
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.UseSecurityTokenValidator.set -> void |
Why this change?
property.TryGetInt32 was throwing a InvalidOperationException on ValueKind not being a number
https://github.com/dotnet/runtime/blob/0f56e166b16100c23dc81ae082f6155362b7c596/src/libraries/System.Text.Json/src/System/Text/Json/Document/JsonDocument.cs#L481
is the check that ensures it is a Number.
This seems like a bug. There should be no reason for a TryGet method to throw an exception. Looks like this was designed this way according to dotnet/runtime#28132.