Added ValidationSource to IssuerValidationResult to identify the vali…

…dation method
AzureAD · Jun 18, 2024 · 3657e82 · 3657e82
1 parent 47ddd89
commit 3657e82
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 6 deletions.
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/IssuerValidationResult.cs b/src/Microsoft.IdentityModel.Tokens/Validation/IssuerValidationResult.cs
@@ -11,17 +11,26 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     internal class IssuerValidationResult : ValidationResult
     {
+        internal enum ValidationSource
+        {
+            NotValidated = 0,
+            IssuerIsConfigurationIssuer,
+            IssuerIsValidIssuer,
+            IssuerIsAmongValidIssuers
+        }
+
         private Exception _exception;
 
         /// <summary>
         /// Creates an instance of <see cref="IssuerValidationResult"/>
         /// </summary>
         /// <paramref name="issuer"/> is the issuer that was validated successfully.
-        public IssuerValidationResult(string issuer)
+        public IssuerValidationResult(string issuer, ValidationSource source)
             : base(ValidationFailureType.ValidationSucceeded)
         {
             Issuer = issuer;
             IsValid = true;
+            Source = source;
         }
 
         /// <summary>
@@ -30,11 +39,12 @@ public IssuerValidationResult(string issuer)
         /// <paramref name="issuer"/> is the issuer that was intended to be validated.
         /// <paramref name="validationFailure"/> is the <see cref="ValidationFailureType"/> that occurred during validation.
         /// <paramref name="exceptionDetail"/> is the <see cref="ExceptionDetail"/> that occurred during validation.
-        public IssuerValidationResult(string issuer, ValidationFailureType validationFailure, ExceptionDetail exceptionDetail)
+        public IssuerValidationResult(string issuer, ValidationFailureType validationFailure, ExceptionDetail exceptionDetail, ValidationSource source = ValidationSource.NotValidated)
             : base(validationFailure, exceptionDetail)
         {
             Issuer = issuer;
             IsValid = false;
+            Source = source;
         }
 
         /// <summary>
@@ -65,5 +75,7 @@ public override Exception Exception
         /// Gets the issuer that was validated or intended to be validated.
         /// </summary>
         public string Issuer { get; }
+
+        public ValidationSource Source { get; }
     }
 }
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Issuer.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Issuer.cs
@@ -263,13 +263,15 @@ internal static async Task<IssuerValidationResult> ValidateIssuerAsync(
                     if (LogHelper.IsEnabled(EventLogLevel.Informational))
                         LogHelper.LogInformation(LogMessages.IDX10236, LogHelper.MarkAsNonPII(issuer), callContext);
 
-                    return new IssuerValidationResult(issuer);
+                    return new IssuerValidationResult(issuer,
+                        IssuerValidationResult.ValidationSource.IssuerIsConfigurationIssuer);
                 }
             }
 
             if (string.Equals(validationParameters.ValidIssuer, issuer))
             {
-                return new IssuerValidationResult(issuer);
+                return new IssuerValidationResult(issuer,
+                    IssuerValidationResult.ValidationSource.IssuerIsValidIssuer);
             }
 
             if (validationParameters.ValidIssuers != null)
@@ -289,7 +291,8 @@ internal static async Task<IssuerValidationResult> ValidateIssuerAsync(
                         if (LogHelper.IsEnabled(EventLogLevel.Informational))
                             LogHelper.LogInformation(LogMessages.IDX10236, LogHelper.MarkAsNonPII(issuer));
 
-                        return new IssuerValidationResult(issuer);
+                        return new IssuerValidationResult(issuer,
+                            IssuerValidationResult.ValidationSource.IssuerIsAmongValidIssuers);
                     }
                 }
             }

diff --git a/test/Microsoft.IdentityModel.TestUtils/IdentityComparer.cs b/test/Microsoft.IdentityModel.TestUtils/IdentityComparer.cs
@@ -574,6 +574,9 @@ internal static bool AreIssuerValidationResultsEqual(
             if (issuerValidationResult1.Issuer != issuerValidationResult2.Issuer)
                 localContext.Diffs.Add($"IssuerValidationResult1.Issuer: {issuerValidationResult1.Issuer} != IssuerValidationResult2.Issuer: {issuerValidationResult2.Issuer}");
 
+            if (issuerValidationResult1.Source != issuerValidationResult2.Source)
+                localContext.Diffs.Add($"IssuerValidationResult1.Source: {issuerValidationResult1.Source} != IssuerValidationResult2.Source: {issuerValidationResult2.Source}");
+
             // true => both are not null.
             if (ContinueCheckingEquality(issuerValidationResult1.Exception, issuerValidationResult2.Exception, localContext))
             {

diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/Validation/IssuerValidationResultTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/Validation/IssuerValidationResultTests.cs
@@ -9,6 +9,7 @@
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.TestUtils;
 using Microsoft.IdentityModel.Tokens.Json.Tests;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Xunit;
 
 namespace Microsoft.IdentityModel.Tokens.Validation.Tests
@@ -29,7 +30,9 @@ public async Task IssuerValidatorAsyncTests(IssuerValidationResultsTheoryData th
                     new CallContext(),
                     CancellationToken.None).ConfigureAwait(false);
 
-                theoryData.ExpectedException.ProcessException(issuerValidationResult.Exception, context);
+                if (issuerValidationResult.Exception != null)
+                    theoryData.ExpectedException.ProcessException(issuerValidationResult.Exception, context);
+
                 IdentityComparer.AreIssuerValidationResultsEqual(
                     issuerValidationResult,
                     theoryData.IssuerValidationResult,
@@ -129,6 +132,53 @@ public static TheoryData<IssuerValidationResultsTheoryData> IssuerValdationResul
                     SecurityToken = null,
                     ValidationParameters = new TokenValidationParameters()
                 });
+
+                var validConfig = new OpenIdConnectConfiguration() { Issuer = issClaim };
+                theoryData.Add(new IssuerValidationResultsTheoryData("Valid_FromConfig")
+                {
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    Issuer = issClaim,
+                    IssuerValidationResult = new IssuerValidationResult(
+                        issClaim,
+                        IssuerValidationResult.ValidationSource.IssuerIsConfigurationIssuer),
+                    IsValid = true,
+                    SecurityToken = JsonUtilities.CreateUnsignedJsonWebToken(JwtRegisteredClaimNames.Iss, issClaim),
+                    ValidationParameters = new TokenValidationParameters()
+                    {
+                        ConfigurationManager = new MockConfigurationManager<OpenIdConnectConfiguration>(validConfig)
+                    }
+                });
+
+                theoryData.Add(new IssuerValidationResultsTheoryData("Valid_FromValidationParametersValidIssuer")
+                {
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    Issuer = issClaim,
+                    IssuerValidationResult = new IssuerValidationResult(
+                        issClaim,
+                        IssuerValidationResult.ValidationSource.IssuerIsValidIssuer),
+                    IsValid = true,
+                    SecurityToken = JsonUtilities.CreateUnsignedJsonWebToken(JwtRegisteredClaimNames.Iss, issClaim),
+                    ValidationParameters = new TokenValidationParameters()
+                    {
+                        ValidIssuer = issClaim
+                    }
+                });
+
+                theoryData.Add(new IssuerValidationResultsTheoryData("Valid_FromValidationParametersValidIssuers")
+                {
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    Issuer = issClaim,
+                    IssuerValidationResult = new IssuerValidationResult(
+                        issClaim,
+                        IssuerValidationResult.ValidationSource.IssuerIsAmongValidIssuers),
+                    IsValid = true,
+                    SecurityToken = JsonUtilities.CreateUnsignedJsonWebToken(JwtRegisteredClaimNames.Iss, issClaim),
+                    ValidationParameters = new TokenValidationParameters()
+                    {
+                        ValidIssuers = [issClaim]
+                    }
+                });
+
                 return theoryData;
             }
         }