diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a60d30010..c975989b69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ See the [releases](https://github.com/AzureAD/azure-activedirectory-identitymode
### Breaking changes:
- IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue [#2544](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2544) for details.
- Two IdentityModel extension dlls `Microsoft.IdentityModel.KeyVaultExtensions` and `Microsoft.IdentityModel.ManagedKeyVaultSecurityKey` were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates). See issue [#2454](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2454) for details.
-- `AppContext.SetSwitch` which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue [#2629](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2629) for details.
+- `AppContext.SetSwitch` which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue [#2629](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2629) and https://aka.ms/IdentityModel8x for details.
7.6.1
=====
diff --git a/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectScope.cs b/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectScope.cs
index 6a3c753e77..c32880eaaf 100644
--- a/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectScope.cs
+++ b/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectScope.cs
@@ -37,10 +37,15 @@ public static class OpenIdConnectScope
public const string OpenIdProfile = "openid profile";
///
- /// Indicates phone profile scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
+ /// Indicates phone scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
///
public const string Phone = "phone";
+ ///
+ /// Indicates profile scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
+ ///
+ public const string Profile = "profile";
+
///
/// Indicates user_impersonation scope for Azure Active Directory.
///
diff --git a/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs b/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs
index b6b063936d..b9459a1af8 100644
--- a/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs
+++ b/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs
@@ -33,7 +33,6 @@ private struct AuthenticatedKeys
private DecryptionDelegate DecryptFunction;
private EncryptionDelegate EncryptFunction;
private const string _className = "Microsoft.IdentityModel.Tokens.AuthenticatedEncryptionProvider";
- internal const string _skipValidationOfAuthenticationTagLength = "Switch.Microsoft.IdentityModel.SkipAuthenticationTagLengthValidation";
///
/// Initializes a new instance of the class used for encryption and decryption.
@@ -167,8 +166,7 @@ private AuthenticatedEncryptionResult EncryptWithAesCbc(byte[] plaintext, byte[]
private byte[] DecryptWithAesCbc(byte[] ciphertext, byte[] authenticatedData, byte[] iv, byte[] authenticationTag)
{
// Verify authentication Tag
- if (ShouldValidateAuthenticationTagLength()
- && SymmetricSignatureProvider.ExpectedSignatureSizeInBytes.TryGetValue(Algorithm, out int expectedTagLength)
+ if (SymmetricSignatureProvider.ExpectedSignatureSizeInBytes.TryGetValue(Algorithm, out int expectedTagLength)
&& expectedTagLength != authenticationTag.Length)
throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(
LogHelper.FormatInvariant(LogMessages.IDX10625, authenticationTag.Length, expectedTagLength, Base64UrlEncoder.Encode(authenticationTag), Algorithm)));
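Review bot: With the switch gone, the length check in the `if` at the top of DecryptWithAesCbc is now unconditional, but it is still silently skipped for any algorithm that `SymmetricSignatureProvider.ExpectedSignatureSizeInBytes` does not list, and the commit does not say whether that fall-through is intended for the tag comparison that presumably follows. If every AES-CBC-HMAC algorithm this provider can be constructed with is present in that dictionary, say so where the guard lives, e.g. replace `// Verify authentication Tag` with `// Reject a tag whose length differs from the algorithm's expected HMAC length before it is compared; algorithms absent from ExpectedSignatureSizeInBytes are not length-checked here.` Otherwise a missing entry should be treated as a failure rather than falling through. DecryptWithAesCbc continues past the hunk, so the comparison itself is not visible here.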
@@ -197,11 +195,6 @@ private byte[] DecryptWithAesCbc(byte[] ciphertext, byte[] authenticatedData, by
}
}
- private static bool ShouldValidateAuthenticationTagLength()
- {
- return !(AppContext.TryGetSwitch(_skipValidationOfAuthenticationTagLength, out bool skipValidation) && skipValidation);
- }
-
private AuthenticatedKeys CreateAuthenticatedKeys()
{
ValidateKeySize(Key, Algorithm);
diff --git a/src/Microsoft.IdentityModel.Tokens/LogMessages.cs b/src/Microsoft.IdentityModel.Tokens/LogMessages.cs
index 4bfc69adb5..c644c0936f 100644
--- a/src/Microsoft.IdentityModel.Tokens/LogMessages.cs
+++ b/src/Microsoft.IdentityModel.Tokens/LogMessages.cs
@@ -136,7 +136,7 @@ internal static class LogMessages
// public const string IDX10622 = "IDX10622:";
// public const string IDX10623 = "IDX10623:";
// public const string IDX10624 = "IDX10624:";
- public const string IDX10625 = "IDX10625: Failed to verify the authenticationTag length, the actual tag length '{0}' does not match the expected tag length '{1}'. authenticationTag: '{2}', algorithm: '{3}' See: https://aka.ms/IdentityModel/SkipAuthenticationTagLengthValidation";
+ public const string IDX10625 = "IDX10625: Failed to verify the authenticationTag length, the actual tag length '{0}' does not match the expected tag length '{1}'. authenticationTag: '{2}', algorithm: '{3}'.";
// public const string IDX10627 = "IDX10627:";
public const string IDX10628 = "IDX10628: Cannot set the MinimumSymmetricKeySizeInBits to less than '{0}'.";
public const string IDX10630 = "IDX10630: The '{0}' for signing cannot be smaller than '{1}' bits. KeySize: '{2}'.";
diff --git a/src/Microsoft.IdentityModel.Tokens/X509EncryptingCredentials.cs b/src/Microsoft.IdentityModel.Tokens/X509EncryptingCredentials.cs
index ec0f483dd8..6a92eaedaa 100644
--- a/src/Microsoft.IdentityModel.Tokens/X509EncryptingCredentials.cs
+++ b/src/Microsoft.IdentityModel.Tokens/X509EncryptingCredentials.cs
@@ -11,8 +11,6 @@ namespace Microsoft.IdentityModel.Tokens
///
public class X509EncryptingCredentials : EncryptingCredentials
{
- internal const string _useShortNameForRsaOaepKey = "Switch.Microsoft.IdentityModel.UseShortNameForRsaOaepKey";
-
///
/// Designed to construct based on a x509 certificate.
///
@@ -23,7 +21,7 @@ public class X509EncryptingCredentials : EncryptingCredentials
///
/// if 'certificate' is null.
public X509EncryptingCredentials(X509Certificate2 certificate)
- : this(certificate, GetEncryptionAlgorithm(), SecurityAlgorithms.DefaultSymmetricEncryptionAlgorithm)
+ : this(certificate, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.DefaultSymmetricEncryptionAlgorithm)
{
}
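Review bot: The single-argument constructor now hard-codes `SecurityAlgorithms.RsaOAEP` where it previously fell back to `SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm` unless the switch was set, so tokens built from `new X509EncryptingCredentials(certificate)` will carry a different `alg` header value than before; neither the constructor's XML doc in this hunk nor the CHANGELOG hunk names that change explicitly. If `DefaultAsymmetricKeyWrapAlgorithm` still resolves to the long-form identifier, the type now has two disagreeing defaults, which is worth reconciling or at least documenting. Add a `<remarks>` to this constructor stating that the key-wrap algorithm defaults to `SecurityAlgorithms.RsaOAEP` and the content-encryption algorithm to `SecurityAlgorithms.DefaultSymmetricEncryptionAlgorithm`, and list the new default under the 8x breaking changes.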
@@ -50,15 +48,5 @@ public X509Certificate2 Certificate
get;
private set;
}
-
- private static string GetEncryptionAlgorithm()
- {
- return ShouldUseShortNameForRsaOaepKey() ? SecurityAlgorithms.RsaOAEP : SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm;
- }
-
- private static bool ShouldUseShortNameForRsaOaepKey()
- {
- return AppContext.TryGetSwitch(_useShortNameForRsaOaepKey, out var useKeyWrap) && useKeyWrap;
- }
}
}
diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
index 7167486561..7e88894509 100644
--- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
+++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
@@ -4247,10 +4247,9 @@ public static TheoryData IncludeSecurityTokenOnFailureTes
}
[Theory, MemberData(nameof(ValidateAuthenticationTagLengthTheoryData))]
- public void ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData)
+ public async Task ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData)
{
// arrange
- AppContext.SetSwitch(AuthenticatedEncryptionProvider._skipValidationOfAuthenticationTagLength, theoryData.EnableAppContextSwitch);
var payload = new JObject()
{
{ JwtRegisteredClaimNames.Email, "Bob@contoso.com" },
@@ -4274,9 +4273,7 @@ public void ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData
var jweWithExtraCharacters = jwe + "_cannoli_hunts_truffles_";
// act
- // calling ValidateTokenAsync.Result to prevent tests from sharing app context switch property
- // normally, we would want to await ValidateTokenAsync().ConfigureAwait(false)
- var tokenValidationResult = jsonWebTokenHandler.ValidateTokenAsync(jweWithExtraCharacters, theoryData.ValidationParameters).Result;
+ var tokenValidationResult = await jsonWebTokenHandler.ValidateTokenAsync(jweWithExtraCharacters, theoryData.ValidationParameters).ConfigureAwait(false);
// assert
Assert.Equal(theoryData.IsValid, tokenValidationResult.IsValid);
@@ -4338,47 +4335,6 @@ public static TheoryData ValidateAuthenticationTagLengthT
ValidIssuer = "http://Default.Issuer.com",
},
IsValid = false
- },
- new("A128CBC-HS256_SkipTagLengthValidationAppContextSwitchOn_IsValid")
- {
- EnableAppContextSwitch = true,
- Algorithm = SecurityAlgorithms.Aes128CbcHmacSha256,
- EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
- ValidationParameters = new TokenValidationParameters
- {
- TokenDecryptionKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
- IssuerSigningKey = Default.SymmetricSigningKey256,
- ValidAudience = "http://Default.Audience.com",
- ValidIssuer = "http://Default.Issuer.com",
- },
- IsValid = true
- },
- new("A192CBC-HS384_SkipTagLengthValidationAppContextSwitchOn_IsValid")
- {
- EnableAppContextSwitch = true,
- Algorithm = SecurityAlgorithms.Aes192CbcHmacSha384,
- EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes192CbcHmacSha384),
- ValidationParameters = new TokenValidationParameters
- {
- TokenDecryptionKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
- IssuerSigningKey = Default.SymmetricSigningKey256,
- ValidAudience = "http://Default.Audience.com",
- ValidIssuer = "http://Default.Issuer.com",
- },
- IsValid = true
- },
- new("A256CBC-HS512_SkipTagLengthValidationAppContextSwitchOn_IsValid")
- {
- EnableAppContextSwitch = true,
- EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes256CbcHmacSha512),
- ValidationParameters = new TokenValidationParameters
- {
- TokenDecryptionKey = signingCredentials512.Key,
- IssuerSigningKey = Default.SymmetricSigningKey256,
- ValidAudience = "http://Default.Audience.com",
- ValidIssuer = "http://Default.Issuer.com",
- },
- IsValid = true
}
};
}
@@ -4428,8 +4384,6 @@ public CreateTokenTheoryData(string testId) : base(testId)
public Dictionary ExpectedClaims { get; set; }
- public bool EnableAppContextSwitch { get; set; } = false;
-
public List AudiencesForSecurityTokenDescriptor { get; set; }
}
diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs
index 7b44f1b844..ad787f01d4 100644
--- a/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs
@@ -57,7 +57,7 @@ public static TheoryData ConstructorATheoryData
new EncryptingCredentialsTheoryData
{
Key = null,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'key'"),
TestId = "NullKey"
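Review bot: Replacing `SecurityAlgorithms.RsaOaepKeyWrap` with `SecurityAlgorithms.RsaOAEP` in every entry of `ConstructorATheoryData` removes the only coverage these constructors had for the long-form OAEP identifier; the same substitution is made in the `MultiThreadingTests` and `X509EncryptingCredentialsTests` hunks. If `RsaOaepKeyWrap` remains a supported value after this commit, keep one valid entry per file that uses it so the long name stays exercised, e.g. a sibling of `ValidTest` with `Alg = SecurityAlgorithms.RsaOaepKeyWrap,` and `TestId = "ValidTestLongFormOaep"`. If it is being retired, the CHANGELOG hunk should say so. `ConstructorATheoryData` starts and ends outside this hunk.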
@@ -73,7 +73,7 @@ public static TheoryData ConstructorATheoryData
new EncryptingCredentialsTheoryData
{
Key = Default.AsymmetricEncryptionKeyPublic,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = String.Empty,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
TestId = "EmptyEncString"
@@ -89,7 +89,7 @@ public static TheoryData ConstructorATheoryData
new EncryptingCredentialsTheoryData
{
Key = Default.AsymmetricEncryptionKeyPublic,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = null,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
TestId = "NullEncString"
@@ -97,7 +97,7 @@ public static TheoryData ConstructorATheoryData
new EncryptingCredentialsTheoryData
{
Key = Default.AsymmetricEncryptionKeyPublic,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
TestId = "ValidTest"
}
diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/MultiThreadingTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/MultiThreadingTests.cs
index f1b5d636b6..6352fc6fe4 100644
--- a/test/Microsoft.IdentityModel.Tokens.Tests/MultiThreadingTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Tests/MultiThreadingTests.cs
@@ -121,7 +121,7 @@ public static TheoryData MultiThreadingCreateAndVerify
{
Claims = Default.PayloadDictionary,
SigningCredentials = new SigningCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaSha256, SecurityAlgorithms.Sha256),
- EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
+ EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256)
};
var tokenValidationParametersEncryptedRsaKW = new TokenValidationParameters
@@ -174,7 +174,7 @@ public static TheoryData MultiThreadingCreateAndVerify
{
Claims = Default.PayloadDictionary,
SigningCredentials = new SigningCredentials(KeyingMaterial.RsaSecurityKeyCng_2048, SecurityAlgorithms.RsaSha256, SecurityAlgorithms.Sha256),
- EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKeyCng_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
+ EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKeyCng_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256)
};
var tokenValidationParametersEncryptedRsaKWCng = new TokenValidationParameters
diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/X509EncryptingCredentialsTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/X509EncryptingCredentialsTests.cs
index 6590737fca..2dee4d2e62 100644
--- a/test/Microsoft.IdentityModel.Tokens.Tests/X509EncryptingCredentialsTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Tests/X509EncryptingCredentialsTests.cs
@@ -42,7 +42,7 @@ public static TheoryData ConstructorsTheory
new X509EncryptingCredentialsTheoryData
{
Certificate = null,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'certificate'"),
TestId = "NullCertificate"
@@ -58,7 +58,7 @@ public static TheoryData ConstructorsTheory
new X509EncryptingCredentialsTheoryData
{
Certificate = Default.Certificate,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = String.Empty,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
TestId = "EmptyEncString"
@@ -74,7 +74,7 @@ public static TheoryData ConstructorsTheory
new X509EncryptingCredentialsTheoryData
{
Certificate = Default.Certificate,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = null,
ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
TestId = "NullEncString"
@@ -82,7 +82,7 @@ public static TheoryData ConstructorsTheory
new X509EncryptingCredentialsTheoryData
{
Certificate = Default.Certificate,
- Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+ Alg = SecurityAlgorithms.RsaOAEP,
Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
TestId = "ValidTest"
}
diff --git a/test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.WithContextSwitches.cs b/test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.WithContextSwitches.cs
deleted file mode 100644
index 7e87575e11..0000000000
--- a/test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.WithContextSwitches.cs
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-using Microsoft.IdentityModel.JsonWebTokens;
-using Microsoft.IdentityModel.TestUtils;
-using Microsoft.IdentityModel.Tokens;
-using Xunit;
-
-namespace System.IdentityModel.Tokens.Jwt.Tests
-{
- [CollectionDefinition("JwtSecurityTokenHandlerTestsWithContextSwitches", DisableParallelization = true)]
- public class JwtSecurityTokenHandlerTestsWithContextSwitches
- {
- [Theory]
- [InlineData(SecurityAlgorithms.RsaOAEP, true)]
- [InlineData(SecurityAlgorithms.RsaOaepKeyWrap, false)]
- public void JwtSecurityTokenHandler_CreateToken_AddShortFormMappingForRsaOAEP(string algorithm, bool useShortNameForRsaOaepKey)
- {
- AppContext.SetSwitch(X509EncryptingCredentials._useShortNameForRsaOaepKey, useShortNameForRsaOaepKey);
- var encryptingCredentials = new X509EncryptingCredentials(Default.Certificate);
- JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
-
- JwtSecurityToken token = CreateJwtSecurityToken(tokenHandler, encryptingCredentials);
-
- Assert.Equal(token.Header.Alg, algorithm);
-
- AppContext.SetSwitch(X509EncryptingCredentials._useShortNameForRsaOaepKey, false);
- }
-
- [Theory]
- [InlineData(SecurityAlgorithms.RsaOAEP, true)]
- [InlineData(SecurityAlgorithms.RsaOaepKeyWrap, false)]
- public void JsonWebTokenHandler_CreateToken_AddShortFormMappingForRsaOAEP(string algorithm, bool useShortNameForRsaOaepKey)
- {
- AppContext.SetSwitch(X509EncryptingCredentials._useShortNameForRsaOaepKey, useShortNameForRsaOaepKey);
- var encryptingCredentials = new X509EncryptingCredentials(Default.Certificate);
- JsonWebTokenHandler tokenHandler = new JsonWebTokenHandler();
-
- JsonWebToken jsonToken = new JsonWebToken(CreateJwtSecurityTokenAsString(tokenHandler, encryptingCredentials));
-
- Assert.Equal(jsonToken.Alg, algorithm);
-
- AppContext.SetSwitch(X509EncryptingCredentials._useShortNameForRsaOaepKey, false);
- }
-
- private JwtSecurityToken CreateJwtSecurityToken(JwtSecurityTokenHandler tokenHandler, X509EncryptingCredentials encryptingCredentials)
- {
- return tokenHandler.CreateJwtSecurityToken(CreateTokenDescriptor(encryptingCredentials));
- }
-
- private string CreateJwtSecurityTokenAsString(JsonWebTokenHandler tokenHandler, X509EncryptingCredentials encryptingCredentials)
- {
- return tokenHandler.CreateToken(CreateTokenDescriptor(encryptingCredentials));
- }
-
- private SecurityTokenDescriptor CreateTokenDescriptor(X509EncryptingCredentials encryptingCredentials)
- {
- return new SecurityTokenDescriptor
- {
- Issuer = Default.Issuer,
- SigningCredentials = Default.AsymmetricSigningCredentials,
- EncryptingCredentials = encryptingCredentials,
- };
- }
- }
-}