From e79c59e0df4fc347079658fe8c825be729afdfcb Mon Sep 17 00:00:00 2001
From: Ignacio Inglese
Date: Wed, 26 Jun 2024 17:28:57 +0100
Subject: [PATCH] Move validators to partial classes (#2671)

* Split remaining validators into partial classes
---
.../Validation/Validators.Algorithm.cs | 46 +++
.../Validators.IssuerSecurityKey.cs | 108 ++++++++
.../Validation/Validators.TokenReplay.cs | 82 ++++++
.../Validation/Validators.TokenType.cs | 61 ++++
.../Validators.cs | 262 ------------------
5 files changed, 297 insertions(+), 262 deletions(-)
create mode 100644 src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs
create mode 100644 src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs
create mode 100644 src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs
create mode 100644 src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs
delete mode 100644 src/Microsoft.IdentityModel.Tokens/Validators.cs

diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs
new file mode 100644
index 0000000000..7b03368139
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.Algorithm.cs
@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates if a given algorithm for a is valid.
+ ///
+ /// The algorithm to be validated.
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ public static void ValidateAlgorithm(string algorithm, SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.AlgorithmValidator != null)
+ {
+ if (!validationParameters.AlgorithmValidator(algorithm, securityKey, securityToken, validationParameters))
+ {
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), securityKey))
+ {
+ InvalidAlgorithm = algorithm,
+ });
+ }
+
+ return;
+ }
+
+ if (validationParameters.ValidAlgorithms != null && validationParameters.ValidAlgorithms.Any() && !validationParameters.ValidAlgorithms.Contains(algorithm, StringComparer.Ordinal))
+ {
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10696, LogHelper.MarkAsNonPII(algorithm)))
+ {
+ InvalidAlgorithm = algorithm,
+ });
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs
new file mode 100644
index 0000000000..1a50cb9d45
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs
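Review bot: A configured `AlgorithmValidator` returns before the `ValidAlgorithms` check is reached, so when both are set the allow-list is never consulted, and when neither is set (`ValidAlgorithms` null or empty) every algorithm is accepted; neither behaviour is stated in the XML doc on `ValidateAlgorithm`, which also carries no `<exception>` elements. I would add a `<remarks>` saying that the delegate replaces rather than supplements the `ValidAlgorithms` allow-list and that an empty allow-list imposes no restriction, plus `<exception cref="ArgumentNullException">if 'validationParameters' is null.</exception>` and `<exception cref="SecurityTokenInvalidAlgorithmException">if the algorithm is rejected by the delegate or is not in ValidAlgorithms.</exception>`. The message built for IDX10697 also interpolates `securityKey` directly while `algorithm` is wrapped in `MarkAsNonPII`; whether a key's string form is safe to log depends on the key types in play, so that is worth confirming against the logging policy rather than assuming.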
@@ -0,0 +1,108 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates the that signed a .
+ ///
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
+ /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
+ /// if 'validationParameters' is null.
+ public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters, null);
+ }
+
+ ///
+ /// Validates the that signed a .
+ ///
+ /// The that signed the .
+ /// The being validated.
+ /// required for validation.
+ /// The required for issuer and signing key validation.
+ /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
+ /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
+ /// if 'validationParameters' is null.
+ internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
+ {
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
+ {
+ if (!validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+
+ return;
+ }
+
+ if (validationParameters.IssuerSigningKeyValidator != null)
+ {
+ if (!validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+
+ return;
+ }
+
+ if (!validationParameters.ValidateIssuerSigningKey)
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10237);
+ return;
+ }
+
+ if (!validationParameters.RequireSignedTokens && securityKey == null)
+ {
+ LogHelper.LogInformation(LogMessages.IDX10252);
+ return;
+ }
+ else if (securityKey == null)
+ {
+ throw LogHelper.LogExceptionMessage(new ArgumentNullException(nameof(securityKey), LogMessages.IDX10253));
+ }
+
+ if (securityToken == null)
+ throw LogHelper.LogArgumentNullException(nameof(securityToken));
+
+ ValidateIssuerSigningKeyLifeTime(securityKey, validationParameters);
+ }
+
+ ///
+ /// Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired
+ ///
+ /// The that signed the .
+ /// The that are used to validate the token.
+ internal static void ValidateIssuerSigningKeyLifeTime(SecurityKey securityKey, TokenValidationParameters validationParameters)
+ {
+ X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
+ if (x509SecurityKey?.Certificate is X509Certificate2 cert)
+ {
+ DateTime utcNow = DateTime.UtcNow;
+ var notBeforeUtc = cert.NotBefore.ToUniversalTime();
+ var notAfterUtc = cert.NotAfter.ToUniversalTime();
+
+ if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow))));
+
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10250, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow));
+
+ if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow))));
+
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10251, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow));
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs
new file mode 100644
index 0000000000..82d761c314
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenReplay.cs
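Review bot: The `<exception>` line on both `ValidateIssuerSecurityKey` overloads says an `ArgumentNullException` is thrown when `securityKey` is null and `ValidateIssuerSigningKey` is true, but the code only throws when `RequireSignedTokens` is also true; with `RequireSignedTokens` false it logs IDX10252 and returns, so the doc should read `/// <exception cref="ArgumentNullException">if 'securityKey' is null, ValidateIssuerSigningKey is true and RequireSignedTokens is true.</exception>`. Both custom delegates (`IssuerSigningKeyValidatorUsingConfiguration`, `IssuerSigningKeyValidator`) return before the `ValidateIssuerSigningKey` flag and the certificate lifetime check are reached, so a delegate that returns true silently bypasses `ValidateIssuerSigningKeyLifeTime`; that deserves a `<remarks>` on the internal overload so integrators know they own the lifetime check once they supply a delegate. `ValidateIssuerSigningKeyLifeTime` only compares `NotBefore`/`NotAfter` of an `X509SecurityKey` against `DateTime.UtcNow` adjusted by `ClockSkew`, does nothing for other key types, and does not touch chain or revocation status; its summary should say so, so that callers do not mistake it for full certificate validation.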
@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates if a token has been replayed.
+ ///
+ /// When does the security token expire.
+ /// The being validated.
+ /// required for validation.
+ /// If 'securityToken' is null or whitespace.
+ /// If 'validationParameters' is null or whitespace.
+ /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
+ /// If the 'securityToken' is found in the cache.
+ /// If the 'securityToken' could not be added to the .
+ public static void ValidateTokenReplay(DateTime? expirationTime, string securityToken, TokenValidationParameters validationParameters)
+ {
+ if (string.IsNullOrWhiteSpace(securityToken))
+ throw LogHelper.LogArgumentNullException(nameof(securityToken));
+
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.TokenReplayValidator != null)
+ {
+ if (!validationParameters.TokenReplayValidator(expirationTime, securityToken, validationParameters))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10228,
+ LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))));
+ return;
+ }
+
+ if (!validationParameters.ValidateTokenReplay)
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10246);
+ return;
+ }
+
+ // check if token if replay cache is set, then there must be an expiration time.
+ if (validationParameters.TokenReplayCache != null)
+ {
+ if (!expirationTime.HasValue)
+ throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10227, securityToken)));
+
+ if (validationParameters.TokenReplayCache.TryFind(securityToken))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(LogHelper.FormatInvariant(LogMessages.IDX10228, securityToken)));
+
+ if (!validationParameters.TokenReplayCache.TryAdd(securityToken, expirationTime.Value))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenReplayAddFailedException(LogHelper.FormatInvariant(LogMessages.IDX10229, securityToken)));
+ }
+
+ // if it reaches here, that means no token replay is detected.
+ LogHelper.LogInformation(LogMessages.IDX10240);
+ }
+
+ ///
+ /// Validates if a token has been replayed.
+ ///
+ /// The being validated.
+ /// When does the security token expire.
+ /// required for validation.
+ /// If 'securityToken' is null or whitespace.
+ /// If 'validationParameters' is null or whitespace.
+ /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
+ /// If the 'securityToken' is found in the cache.
+ /// If the 'securityToken' could not be added to the .
+ public static void ValidateTokenReplay(string securityToken, DateTime? expirationTime, TokenValidationParameters validationParameters)
+ {
+ ValidateTokenReplay(expirationTime, securityToken, validationParameters);
+ }
+ }
+}
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs
new file mode 100644
index 0000000000..6fd744fd9d
--- /dev/null
+++ b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.TokenType.cs
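Review bot: The three throws inside the `TokenReplayCache` branch (IDX10227, IDX10228, IDX10229) pass the raw `securityToken` into `LogHelper.FormatInvariant`, whereas the `TokenReplayValidator` branch a few lines above wraps the same value in `LogHelper.MarkAsUnsafeSecurityArtifact`; the cache path therefore puts the full token string into the exception message and whatever sink `LogExceptionMessage` writes to, which is a credential leak into logs. Each of the three should substitute `LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString())` for the bare `securityToken`, e.g. `throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(LogHelper.FormatInvariant(LogMessages.IDX10228, LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))));`. Separately, when `ValidateTokenReplay` is true but no `TokenReplayCache` is configured the method performs no check at all yet still reaches the "no token replay is detected" log at IDX10240, so the summary should state that replay detection requires either a cache or a delegate. The `System.Linq` and `System.Security.Cryptography.X509Certificates` usings in this file do not appear to be referenced by the code shown.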
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using Microsoft.IdentityModel.Abstractions;
+using Microsoft.IdentityModel.Logging;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+ public static partial class Validators
+ {
+ ///
+ /// Validates the type of the token.
+ ///
+ /// The token type or null if it couldn't be resolved (e.g from the 'typ' header for a JWT).
+ /// The that is being validated.
+ /// required for validation.
+ /// If is null.
+ /// If is null.
+ /// If is null or whitespace and is not null.
+ /// If failed to match .
+ /// An EXACT match is required. (case sensitive) is used for comparing against .
+ /// The actual token type, that may be the same as or a different value if the token type was resolved from a different location.
+ public static string ValidateTokenType(string type, SecurityToken securityToken, TokenValidationParameters validationParameters)
+ {
+ if (securityToken == null)
+ throw new ArgumentNullException(nameof(securityToken));
+
+ if (validationParameters == null)
+ throw LogHelper.LogArgumentNullException(nameof(validationParameters));
+
+ if (validationParameters.TypeValidator == null && (validationParameters.ValidTypes == null || !validationParameters.ValidTypes.Any()))
+ {
+ LogHelper.LogVerbose(LogMessages.IDX10255);
+ return type;
+ }
+
+ if (validationParameters.TypeValidator != null)
+ return validationParameters.TypeValidator(type, securityToken, validationParameters);
+
+ // Note: don't throw an exception for a null or empty token type when a user-defined delegate is set
+ // to allow it to extract the actual token type from a different location (e.g from the claims).
+ if (string.IsNullOrEmpty(type))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidTypeException(LogMessages.IDX10256) { InvalidType = null });
+
+ if (!validationParameters.ValidTypes.Contains(type, StringComparer.Ordinal))
+ {
+ throw LogHelper.LogExceptionMessage(
+ new SecurityTokenInvalidTypeException(LogHelper.FormatInvariant(LogMessages.IDX10257, LogHelper.MarkAsNonPII(type), Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidTypes)))
+ { InvalidType = type });
+ }
+
+ // if it reaches here, token type was succcessfully validated.
+ if (LogHelper.IsEnabled(EventLogLevel.Informational))
+ LogHelper.LogInformation(LogMessages.IDX10258, LogHelper.MarkAsNonPII(type));
+
+ return type;
+ }
+ }
+}
diff --git a/src/Microsoft.IdentityModel.Tokens/Validators.cs b/src/Microsoft.IdentityModel.Tokens/Validators.cs
deleted file mode 100644
index 000ba4c617..0000000000
--- a/src/Microsoft.IdentityModel.Tokens/Validators.cs
+++ /dev/null
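Review bot: The `securityToken` null guard at the top of `ValidateTokenType` throws a bare `new ArgumentNullException(nameof(securityToken))`, while every other null guard in these validators goes through `LogHelper.LogArgumentNullException`, so this one failure is the only one that is never logged; change it to `throw LogHelper.LogArgumentNullException(nameof(securityToken));`. The `<exception>` doc for `SecurityTokenInvalidTypeException` says it fires when `type` is null or whitespace, but the code tests `string.IsNullOrEmpty`, so a whitespace-only type falls through to `ValidTypes.Contains` and fails with IDX10257 rather than IDX10256; either the doc or the check should be aligned. When `TypeValidator` is set its return value is handed back without ever being compared against `ValidTypes`, which is worth a `<remarks>` so callers do not assume configuring both applies both.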
@@ -1,262 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-using System;
-using System.Linq;
-using System.Security.Cryptography.X509Certificates;
-using Microsoft.IdentityModel.Abstractions;
-using Microsoft.IdentityModel.Logging;
-
-namespace Microsoft.IdentityModel.Tokens
-{
- ///
- /// AudienceValidator
- ///
- public static partial class Validators
- {
- ///
- /// Validates if a given algorithm for a is valid.
- ///
- /// The algorithm to be validated.
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- public static void ValidateAlgorithm(string algorithm, SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.AlgorithmValidator != null)
- {
- if (!validationParameters.AlgorithmValidator(algorithm, securityKey, securityToken, validationParameters))
- {
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), securityKey))
- {
- InvalidAlgorithm = algorithm,
- });
- }
-
- return;
- }
-
- if (validationParameters.ValidAlgorithms != null && validationParameters.ValidAlgorithms.Any() && !validationParameters.ValidAlgorithms.Contains(algorithm, StringComparer.Ordinal))
- {
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10696, LogHelper.MarkAsNonPII(algorithm)))
- {
- InvalidAlgorithm = algorithm,
- });
- }
- }
-
- ///
- /// Validates the that signed a .
- ///
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
- /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
- /// if 'validationParameters' is null.
- public static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters, null);
- }
-
- ///
- /// Validates the that signed a .
- ///
- /// The that signed the .
- /// The being validated.
- /// required for validation.
- /// The required for issuer and signing key validation.
- /// if 'securityKey' is null and ValidateIssuerSigningKey is true.
- /// if 'securityToken' is null and ValidateIssuerSigningKey is true.
- /// if 'validationParameters' is null.
- internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
- {
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
- {
- if (!validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
-
- return;
- }
-
- if (validationParameters.IssuerSigningKeyValidator != null)
- {
- if (!validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
-
- return;
- }
-
- if (!validationParameters.ValidateIssuerSigningKey)
- {
- LogHelper.LogVerbose(LogMessages.IDX10237);
- return;
- }
-
- if (!validationParameters.RequireSignedTokens && securityKey == null)
- {
- LogHelper.LogInformation(LogMessages.IDX10252);
- return;
- }
- else if (securityKey == null)
- {
- throw LogHelper.LogExceptionMessage(new ArgumentNullException(nameof(securityKey), LogMessages.IDX10253));
- }
-
- if (securityToken == null)
- throw LogHelper.LogArgumentNullException(nameof(securityToken));
-
- ValidateIssuerSigningKeyLifeTime(securityKey, validationParameters);
- }
-
- ///
- /// Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired
- ///
- /// The that signed the .
- /// The that are used to validate the token.
- internal static void ValidateIssuerSigningKeyLifeTime(SecurityKey securityKey, TokenValidationParameters validationParameters)
- {
- X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
- if (x509SecurityKey?.Certificate is X509Certificate2 cert)
- {
- DateTime utcNow = DateTime.UtcNow;
- var notBeforeUtc = cert.NotBefore.ToUniversalTime();
- var notAfterUtc = cert.NotAfter.ToUniversalTime();
-
- if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow))));
-
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10250, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow));
-
- if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow))));
-
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10251, LogHelper.MarkAsNonPII(notAfterUtc), LogHelper.MarkAsNonPII(utcNow));
- }
- }
-
- ///
- /// Validates if a token has been replayed.
- ///
- /// When does the security token expire.
- /// The being validated.
- /// required for validation.
- /// If 'securityToken' is null or whitespace.
- /// If 'validationParameters' is null or whitespace.
- /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- /// If the 'securityToken' is found in the cache.
- /// If the 'securityToken' could not be added to the .
- public static void ValidateTokenReplay(DateTime? expirationTime, string securityToken, TokenValidationParameters validationParameters)
- {
- if (string.IsNullOrWhiteSpace(securityToken))
- throw LogHelper.LogArgumentNullException(nameof(securityToken));
-
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.TokenReplayValidator != null)
- {
- if (!validationParameters.TokenReplayValidator(expirationTime, securityToken, validationParameters))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(
- LogHelper.FormatInvariant(
- LogMessages.IDX10228,
- LogHelper.MarkAsUnsafeSecurityArtifact(securityToken, t => t.ToString()))));
- return;
- }
-
- if (!validationParameters.ValidateTokenReplay)
- {
- LogHelper.LogVerbose(LogMessages.IDX10246);
- return;
- }
-
- // check if token if replay cache is set, then there must be an expiration time.
- if (validationParameters.TokenReplayCache != null)
- {
- if (!expirationTime.HasValue)
- throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(LogHelper.FormatInvariant(LogMessages.IDX10227, securityToken)));
-
- if (validationParameters.TokenReplayCache.TryFind(securityToken))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayDetectedException(LogHelper.FormatInvariant(LogMessages.IDX10228, securityToken)));
-
- if (!validationParameters.TokenReplayCache.TryAdd(securityToken, expirationTime.Value))
- throw LogHelper.LogExceptionMessage(new SecurityTokenReplayAddFailedException(LogHelper.FormatInvariant(LogMessages.IDX10229, securityToken)));
- }
-
- // if it reaches here, that means no token replay is detected.
- LogHelper.LogInformation(LogMessages.IDX10240);
- }
-
- ///
- /// Validates if a token has been replayed.
- ///
- /// The being validated.
- /// When does the security token expire.
- /// required for validation.
- /// If 'securityToken' is null or whitespace.
- /// If 'validationParameters' is null or whitespace.
- /// If is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- /// If the 'securityToken' is found in the cache.
- /// If the 'securityToken' could not be added to the .
- public static void ValidateTokenReplay(string securityToken, DateTime? expirationTime, TokenValidationParameters validationParameters)
- {
- ValidateTokenReplay(expirationTime, securityToken, validationParameters);
- }
-
- ///
- /// Validates the type of the token.
- ///
- /// The token type or null if it couldn't be resolved (e.g from the 'typ' header for a JWT).
- /// The that is being validated.
- /// required for validation.
- /// If is null.
- /// If is null.
- /// If is null or whitespace and is not null.
- /// If failed to match .
- /// An EXACT match is required. (case sensitive) is used for comparing against .
- /// The actual token type, that may be the same as or a different value if the token type was resolved from a different location.
- public static string ValidateTokenType(string type, SecurityToken securityToken, TokenValidationParameters validationParameters)
- {
- if (securityToken == null)
- throw new ArgumentNullException(nameof(securityToken));
-
- if (validationParameters == null)
- throw LogHelper.LogArgumentNullException(nameof(validationParameters));
-
- if (validationParameters.TypeValidator == null && (validationParameters.ValidTypes == null || !validationParameters.ValidTypes.Any()))
- {
- LogHelper.LogVerbose(LogMessages.IDX10255);
- return type;
- }
-
- if (validationParameters.TypeValidator != null)
- return validationParameters.TypeValidator(type, securityToken, validationParameters);
-
- // Note: don't throw an exception for a null or empty token type when a user-defined delegate is set
- // to allow it to extract the actual token type from a different location (e.g from the claims).
- if (string.IsNullOrEmpty(type))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidTypeException(LogMessages.IDX10256) { InvalidType = null });
-
- if (!validationParameters.ValidTypes.Contains(type, StringComparer.Ordinal))
- {
- throw LogHelper.LogExceptionMessage(
- new SecurityTokenInvalidTypeException(LogHelper.FormatInvariant(LogMessages.IDX10257, LogHelper.MarkAsNonPII(type), Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidTypes)))
- { InvalidType = type });
- }
-
- // if it reaches here, token type was succcessfully validated.
- if (LogHelper.IsEnabled(EventLogLevel.Informational))
- LogHelper.LogInformation(LogMessages.IDX10258, LogHelper.MarkAsNonPII(type));
-
- return type;
- }
- }
-}