

Call TVP.CreateClaimsIdentity to support users that have overloaded. (#…
…2716)

* Call TVP.CreateClaimsIdentity to support users that have overridden it.

* picked up SAML changes and TokenValidationResult

* updated JwtSecurityTokenHandler, reverted tests and removed method.

* touched up tests

---------

Co-authored-by: id4s <user@contoso.com>
2 people authored and pmaytak committed Jul 16, 2024
1 parent 4eb5df0 commit d1f0a42
Showing 6 changed files with 46 additions and 93 deletions.
Expand Up @@ -775,7 +775,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JsonWebToken jwtToken, To
{
_ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));

ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
bool wasMapped = _inboundClaimTypeMap.TryGetValue(jwtClaim.Type, out string claimType);
Expand Down Expand Up @@ -842,7 +842,7 @@ private ClaimsIdentity CreateClaimsIdentityPrivate(JsonWebToken jwtToken, TokenV
{
_ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));

ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
string claimType = jwtClaim.Type;
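Review bot: The new calls `ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);` in both hunks (and the matching lines in JwtSecurityTokenHandler) no longer perform the two follow-up steps the deleted ClaimsIdentityFactory.Create did after the same delegation: back-filling `CaseSensitiveClaimsIdentity.SecurityToken` when a derived TokenValidationParameters returned one with a null token, and wrapping a plain ClaimsIdentity in CaseSensitiveClaimsIdentity when AppContextSwitches.UseCaseSensitiveClaimsIdentityType() is on. The updated test treats the null-token case as expected, so the drop looks intentional, but an override that returns a CaseSensitiveClaimsIdentity without a SecurityToken now leaves that property null for anything downstream that reads it. A one-line comment at the call site, `// TokenValidationParameters.CreateClaimsIdentity decides the identity type and SecurityToken; overrides returning CaseSensitiveClaimsIdentity must set SecurityToken themselves`, would make the contract explicit. Both CreateClaimsIdentityWithMapping and CreateClaimsIdentityPrivate start and end outside the hunk.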
Expand Up @@ -647,7 +647,7 @@ protected virtual IEnumerable<ClaimsIdentity> ProcessStatements(SamlSecurityToke

if (!identityDict.TryGetValue(statement.Subject, out ClaimsIdentity identity))
{
identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
ProcessSubject(statement.Subject, identity, issuer);
identityDict.Add(statement.Subject, identity);
}
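Review bot: `identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);` dereferences validationParameters without the `_ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));` guard that the JsonWebTokenHandler call sites in this commit keep; the same applies to the Saml2SecurityTokenHandler and JwtSecurityTokenHandler hunks. The removed factory dereferenced the parameter as well, so this is not a regression, but a null now surfaces as a NullReferenceException from inside a protected virtual method that derived handlers can call directly. If the caller does not already validate (ProcessStatements starts outside the hunk), adding the guard at the top of the method would give the same logged ArgumentNullException as the JWT handlers.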
Expand Up @@ -1293,7 +1293,7 @@ protected virtual ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlTok
actualIssuer = ClaimsIdentity.DefaultIssuer;
}

var identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
var identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);

ProcessSubject(samlToken.Assertion.Subject, identity, actualIssuer);
ProcessStatements(samlToken.Assertion.Statements, identity, actualIssuer);
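Review bot: `var identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);` passes the raw `issuer`, while the two calls that follow pass `actualIssuer`, which the lines above replace with `ClaimsIdentity.DefaultIssuer` in a branch whose condition is outside the hunk. The split predates this commit (the factory call took `issuer` too), but the override is now invoked directly, so this is exactly the value a user's TokenValidationParameters.CreateClaimsIdentity override receives, and nothing explains why it differs from what ProcessSubject and ProcessStatements use. If handing the unsubstituted issuer to the override is intended, a comment such as `// the override receives the issuer as validated, not the DefaultIssuer fallback used for the claims below` would make it deliberate; otherwise pass actualIssuer. CreateClaimsIdentity starts and ends outside the hunk.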
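--- a/src/Microsoft.IdentityModel.Tokens/ClaimsIdentityFactory.cs
+++ b/src/Microsoft.IdentityModel.Tokens/ClaimsIdentityFactory.cs
@@ -37,45 +37,5 @@ internal static ClaimsIdentity Create(string authenticationType, string nameType
 
 return new ClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType);
 }
-
-internal static ClaimsIdentity Create(SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
-{
-ClaimsIdentity claimsIdentity = validationParameters.CreateClaimsIdentity(securityToken, issuer);
-
-// Set the SecurityToken in cases where derived TokenValidationParameters created a CaseSensitiveClaimsIdentity.
-if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
-{
-caseSensitiveClaimsIdentity.SecurityToken = securityToken;
-}
-else if (claimsIdentity is not CaseSensitiveClaimsIdentity && AppContextSwitches.UseCaseSensitiveClaimsIdentityType())
-{
-claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
-{
-SecurityToken = securityToken,
-};
-}
-
-return claimsIdentity;
-}
-
-internal static ClaimsIdentity Create(TokenHandler tokenHandler, SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
-{
-ClaimsIdentity claimsIdentity = tokenHandler.CreateClaimsIdentityInternal(securityToken, validationParameters, issuer);
-
-// Set the SecurityToken in cases where derived TokenHandler created a CaseSensitiveClaimsIdentity.
-if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
-{
-caseSensitiveClaimsIdentity.SecurityToken = securityToken;
-}
-else if (claimsIdentity is not CaseSensitiveClaimsIdentity && AppContextSwitches.UseCaseSensitiveClaimsIdentityType())
-{
-claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
-{
-SecurityToken = securityToken,
-};
-}
-
-return claimsIdentity;
-}
 }
 }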
Expand Up @@ -1469,7 +1469,7 @@ protected virtual ClaimsIdentity CreateClaimsIdentity(JwtSecurityToken jwtToken,

private ClaimsIdentity CreateClaimsIdentityWithMapping(JwtSecurityToken jwtToken, string actualIssuer, TokenValidationParameters validationParameters)
{
ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, actualIssuer);
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, actualIssuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
if (_inboundClaimFilter.Contains(jwtClaim.Type))
Expand Down Expand Up @@ -1515,7 +1515,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JwtSecurityToken jwtToken

private ClaimsIdentity CreateClaimsIdentityWithoutMapping(JwtSecurityToken jwtToken, string actualIssuer, TokenValidationParameters validationParameters)
{
ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, actualIssuer);
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, actualIssuer);
foreach (Claim jwtClaim in jwtToken.Claims)
{
if (_inboundClaimFilter.Contains(jwtClaim.Type))
Expand Up @@ -27,7 +27,7 @@ public void Create_FromTokenValidationParameters_ReturnsCorrectClaimsIdentity(bo
tokenValidationParameters.NameClaimType = "custom-name";
tokenValidationParameters.RoleClaimType = "custom-role";

var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);
var actualClaimsIdentity = tokenValidationParameters.CreateClaimsIdentity(jsonWebToken, Default.Issuer);

Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
Expand All @@ -47,50 +47,41 @@ public void Create_FromTokenValidationParameters_ReturnsCorrectClaimsIdentity(bo
AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, false);
}

[Fact]
public void Create_FromDerivedTokenValidationParameters_HonorsSetSecurityToken()
{
var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor()));
var tokenValidationParameters = new DerivedTokenValidationParameters(returnCaseSensitiveClaimsIdentityWithToken: true);
tokenValidationParameters.AuthenticationType = "custom-authentication-type";
tokenValidationParameters.NameClaimType = "custom-name";
tokenValidationParameters.RoleClaimType = "custom-role";

var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);

// The SecurityToken set in derived TokenValidationParameters is honored.
Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);

var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
Assert.NotNull(securityToken);
Assert.IsType<TvpJsonWebToken>(securityToken);
Assert.NotEqual(jsonWebToken, securityToken);

Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
Assert.Equal(tokenValidationParameters.RoleClaimType, actualClaimsIdentity.RoleClaimType);
}

[Theory]
[InlineData(true)]
[InlineData(false)]
public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIdentity(bool tvpReturnsCaseSensitiveClaimsIdentityWithoutToken)
[InlineData(true, true)]
[InlineData(true, false)]
[InlineData(false, false)]
public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIdentity(bool tvpReturnsCaseSensitiveClaimsIdentity, bool tvpReturnsCaseSensitiveClaimsIdentityWithToken)
{
AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, true);

var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor()));
var tokenValidationParameters = new DerivedTokenValidationParameters(returnCaseSensitiveClaimsIdentityWithoutToken: tvpReturnsCaseSensitiveClaimsIdentityWithoutToken);
var tokenValidationParameters = new DerivedTokenValidationParameters(tvpReturnsCaseSensitiveClaimsIdentity, tvpReturnsCaseSensitiveClaimsIdentityWithToken);
tokenValidationParameters.AuthenticationType = "custom-authentication-type";
tokenValidationParameters.NameClaimType = "custom-name";
tokenValidationParameters.RoleClaimType = "custom-role";

var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);
var actualClaimsIdentity = tokenValidationParameters.CreateClaimsIdentity(jsonWebToken, Default.Issuer);

Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);

var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
Assert.NotNull(securityToken);
Assert.Equal(jsonWebToken, securityToken);
if (tvpReturnsCaseSensitiveClaimsIdentity)
{
Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);
if (tvpReturnsCaseSensitiveClaimsIdentityWithToken)
{
var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
Assert.NotNull(securityToken);
Assert.IsType<TvpJsonWebToken>(securityToken);
Assert.NotEqual(jsonWebToken, securityToken);
}
else
{
Assert.Null(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken);
}
}
else
{
Assert.IsType<ClaimsIdentity>(actualClaimsIdentity);
}

Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
Expand All @@ -102,28 +93,30 @@ public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIden

private class DerivedTokenValidationParameters : TokenValidationParameters
{
private bool _returnCaseSensitiveClaimsIdentity;
private bool _returnCaseSensitiveClaimsIdentityWithToken;
private bool _returnCaseSensitiveClaimsIdentityWithoutToken;

public DerivedTokenValidationParameters(bool returnCaseSensitiveClaimsIdentityWithToken = false, bool returnCaseSensitiveClaimsIdentityWithoutToken = false)
public DerivedTokenValidationParameters(bool returnCaseSensitiveClaimsIdentity = false, bool returnCaseSensitiveClaimsIdentityWithToken = false)
{
_returnCaseSensitiveClaimsIdentity = returnCaseSensitiveClaimsIdentity;
_returnCaseSensitiveClaimsIdentityWithToken = returnCaseSensitiveClaimsIdentityWithToken;
_returnCaseSensitiveClaimsIdentityWithoutToken = returnCaseSensitiveClaimsIdentityWithoutToken;
}

public override ClaimsIdentity CreateClaimsIdentity(SecurityToken securityToken, string issuer)
{
if (_returnCaseSensitiveClaimsIdentityWithToken)
if (_returnCaseSensitiveClaimsIdentity)
{
return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType)
if (_returnCaseSensitiveClaimsIdentityWithToken)
{
SecurityToken = new TvpJsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())),
};
}

if (_returnCaseSensitiveClaimsIdentityWithoutToken)
{
return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);
return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType)
{
SecurityToken = new TvpJsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())),
};
}
else
{
return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);
}
}

return new ClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);
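Review bot: `AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, true);` at the top of Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIdentity flips a process-wide switch, and the reset to false (outside this hunk, presumably at the end of the method as in the preceding test) is skipped whenever one of the new assertions throws, so a single failing row can change the outcome of the other [InlineData] rows and of unrelated tests in the same process. Moving the reset into a finally block keeps failures isolated; the rewrite below assumes the existing trailing reset is removed. Separately, the three fields of DerivedTokenValidationParameters are only assigned in the constructor and could be `readonly`, and the (false, true) flag combination is not listed, though it would only reach the plain-ClaimsIdentity branch already covered by (false, false).
```csharp
AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, true);
try
{
    // … unchanged: token and DerivedTokenValidationParameters setup, CreateClaimsIdentity call, assertions …
}
finally
{
    AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, false);
}
```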
