Restore JwtFormat IIssuerSecurityTokenProvider lazy usage so refreshing providers work.
This commit is contained in:
Chris Ross
Родитель
a2b95f0876
Коммит
45a9f7b328
|
|
@ -33,25 +33,24 @@ namespace Owin
|
||||||
JwtFormat jwtFormat = null;
|
JwtFormat jwtFormat = null;
|
||||||
if (options.TokenValidationParameters != null)
|
if (options.TokenValidationParameters != null)
|
||||||
{
|
{
|
||||||
// Don't override explicit user settings.
|
|
||||||
if (options.TokenValidationParameters.IssuerSigningTokens == null
|
|
||||||
|| !options.TokenValidationParameters.IssuerSigningTokens.Any())
|
|
||||||
{
|
|
||||||
options.TokenValidationParameters.IssuerSigningTokens = cachingSecurityTokenProvider.SecurityTokens;
|
|
||||||
}
|
|
||||||
if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidIssuer)
|
|
||||||
&& (options.TokenValidationParameters.ValidIssuers == null
|
|
||||||
|| !options.TokenValidationParameters.ValidIssuers.Any())
|
|
||||||
&& options.TokenValidationParameters.IssuerValidator == null)
|
|
||||||
{
|
|
||||||
options.TokenValidationParameters.ValidIssuer = cachingSecurityTokenProvider.Issuer;
|
|
||||||
}
|
|
||||||
// Carry over obsolete property if set
|
|
||||||
if (!string.IsNullOrWhiteSpace(options.Audience))
|
if (!string.IsNullOrWhiteSpace(options.Audience))
|
||||||
{
|
{
|
||||||
options.TokenValidationParameters.ValidAudience = options.Audience;
|
// Carry over obsolete property if set
|
||||||
|
if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience))
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudience = options.Audience;
|
||||||
|
}
|
||||||
|
else if (options.TokenValidationParameters.ValidAudiences == null)
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudiences = new[] { options.Audience };
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudiences = options.TokenValidationParameters.ValidAudiences.Concat(new[] { options.Audience });
|
||||||
|
}
|
||||||
}
|
}
|
||||||
jwtFormat = new JwtFormat(options.TokenValidationParameters);
|
|
||||||
|
jwtFormat = new JwtFormat(options.TokenValidationParameters, cachingSecurityTokenProvider);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -45,25 +45,24 @@ namespace Owin
|
||||||
JwtFormat jwtFormat = null;
|
JwtFormat jwtFormat = null;
|
||||||
if (options.TokenValidationParameters != null)
|
if (options.TokenValidationParameters != null)
|
||||||
{
|
{
|
||||||
// Don't override explicit user settings.
|
|
||||||
if (options.TokenValidationParameters.IssuerSigningTokens == null
|
|
||||||
|| !options.TokenValidationParameters.IssuerSigningTokens.Any())
|
|
||||||
{
|
|
||||||
options.TokenValidationParameters.IssuerSigningTokens = cachingSecurityTokenProvider.SecurityTokens;
|
|
||||||
}
|
|
||||||
if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidIssuer)
|
|
||||||
&& (options.TokenValidationParameters.ValidIssuers == null
|
|
||||||
|| !options.TokenValidationParameters.ValidIssuers.Any())
|
|
||||||
&& options.TokenValidationParameters.IssuerValidator == null)
|
|
||||||
{
|
|
||||||
options.TokenValidationParameters.ValidIssuer = cachingSecurityTokenProvider.Issuer;
|
|
||||||
}
|
|
||||||
// Carry over obsolete property if set
|
|
||||||
if (!string.IsNullOrWhiteSpace(options.Audience))
|
if (!string.IsNullOrWhiteSpace(options.Audience))
|
||||||
{
|
{
|
||||||
options.TokenValidationParameters.ValidAudience = options.Audience;
|
// Carry over obsolete property if set
|
||||||
|
if (string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience))
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudience = options.Audience;
|
||||||
|
}
|
||||||
|
else if (options.TokenValidationParameters.ValidAudiences == null)
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudiences = new[] { options.Audience };
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
options.TokenValidationParameters.ValidAudiences = options.TokenValidationParameters.ValidAudiences.Concat(new[] { options.Audience });
|
||||||
|
}
|
||||||
}
|
}
|
||||||
jwtFormat = new JwtFormat(options.TokenValidationParameters);
|
|
||||||
|
jwtFormat = new JwtFormat(options.TokenValidationParameters, cachingSecurityTokenProvider);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,8 @@ namespace Microsoft.Owin.Security.Jwt
|
||||||
/// </summary>
|
/// </summary>
|
||||||
public class JwtFormat : ISecureDataFormat<AuthenticationTicket>
|
public class JwtFormat : ISecureDataFormat<AuthenticationTicket>
|
||||||
{
|
{
|
||||||
private TokenValidationParameters _validationParameters;
|
private readonly TokenValidationParameters _validationParameters;
|
||||||
|
private readonly IEnumerable<IIssuerSecurityTokenProvider> _issuerCredentialProviders;
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Initializes a new instance of the <see cref="JwtFormat"/> class.
|
/// Initializes a new instance of the <see cref="JwtFormat"/> class.
|
||||||
|
|
@ -39,10 +40,8 @@ namespace Microsoft.Owin.Security.Jwt
|
||||||
_validationParameters = new TokenValidationParameters()
|
_validationParameters = new TokenValidationParameters()
|
||||||
{
|
{
|
||||||
ValidAudience = allowedAudience,
|
ValidAudience = allowedAudience,
|
||||||
ValidIssuer = issuerCredentialProvider.Issuer,
|
|
||||||
IssuerSigningTokens = issuerCredentialProvider.SecurityTokens.ToList(),
|
|
||||||
ValidateIssuer = true
|
|
||||||
};
|
};
|
||||||
|
_issuerCredentialProviders = new[] { issuerCredentialProvider };
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
|
|
@ -78,12 +77,8 @@ namespace Microsoft.Owin.Security.Jwt
|
||||||
_validationParameters = new TokenValidationParameters()
|
_validationParameters = new TokenValidationParameters()
|
||||||
{
|
{
|
||||||
ValidAudiences = audiences,
|
ValidAudiences = audiences,
|
||||||
ValidIssuers = credentialProviders.Select(provider => provider.Issuer).ToList(),
|
|
||||||
IssuerSigningTokens = credentialProviders
|
|
||||||
.Select(provider => provider.SecurityTokens.ToList())
|
|
||||||
.Aggregate((l1, l2) => { l1.AddRange(l2); return l1; }),
|
|
||||||
ValidateIssuer = true
|
|
||||||
};
|
};
|
||||||
|
_issuerCredentialProviders = issuerCredentialProviders;
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
|
|
@ -103,6 +98,17 @@ namespace Microsoft.Owin.Security.Jwt
|
||||||
_validationParameters = validationParameters;
|
_validationParameters = validationParameters;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public JwtFormat(TokenValidationParameters validationParameters, IIssuerSecurityTokenProvider issuerCredentialProvider)
|
||||||
|
: this(validationParameters)
|
||||||
|
{
|
||||||
|
if (issuerCredentialProvider == null)
|
||||||
|
{
|
||||||
|
throw new ArgumentNullException("issuerCredentialProvider");
|
||||||
|
}
|
||||||
|
|
||||||
|
_issuerCredentialProviders = new[] { issuerCredentialProvider };
|
||||||
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Gets or sets a value indicating whether JWT issuers should be validated.
|
/// Gets or sets a value indicating whether JWT issuers should be validated.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
|
@ -162,7 +168,35 @@ namespace Microsoft.Owin.Security.Jwt
|
||||||
throw new ArgumentOutOfRangeException("protectedText", Properties.Resources.Exception_InvalidJwt);
|
throw new ArgumentOutOfRangeException("protectedText", Properties.Resources.Exception_InvalidJwt);
|
||||||
}
|
}
|
||||||
|
|
||||||
ClaimsPrincipal claimsPrincipal = TokenHandler.ValidateToken(protectedText, _validationParameters);
|
TokenValidationParameters validationParameters = _validationParameters;
|
||||||
|
if (_issuerCredentialProviders != null)
|
||||||
|
{
|
||||||
|
// Lazy augment with issuers and tokens. Note these may be refreshed periodically.
|
||||||
|
validationParameters = new TokenValidationParameters(validationParameters);
|
||||||
|
|
||||||
|
IEnumerable<string> issuers = _issuerCredentialProviders.Select(provider => provider.Issuer);
|
||||||
|
if (validationParameters.ValidIssuers == null)
|
||||||
|
{
|
||||||
|
validationParameters.ValidIssuers = issuers;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
validationParameters.ValidIssuers = validationParameters.ValidAudiences.Concat(issuers);
|
||||||
|
}
|
||||||
|
|
||||||
|
IEnumerable<SecurityToken> tokens = _issuerCredentialProviders.Select(provider => provider.SecurityTokens)
|
||||||
|
.Aggregate((left, right) => left.Concat(right));
|
||||||
|
if (validationParameters.IssuerSigningTokens == null)
|
||||||
|
{
|
||||||
|
validationParameters.IssuerSigningTokens = tokens;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
validationParameters.IssuerSigningTokens = validationParameters.IssuerSigningTokens.Concat(tokens);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ClaimsPrincipal claimsPrincipal = TokenHandler.ValidateToken(protectedText, validationParameters);
|
||||||
var claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity;
|
var claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity;
|
||||||
|
|
||||||
// Fill out the authenticationProperties issued and expires times if the equivalent claims are in the JWT
|
// Fill out the authenticationProperties issued and expires times if the equivalent claims are in the JWT
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,8 @@ namespace Microsoft.Owin.Security.Tests
|
||||||
[Fact]
|
[Fact]
|
||||||
public void HandlerConstructorShouldThrowWhenAnAllowedAudienceIsNotSpecified()
|
public void HandlerConstructorShouldThrowWhenAnAllowedAudienceIsNotSpecified()
|
||||||
{
|
{
|
||||||
Should.Throw<ArgumentNullException>(() => new JwtFormat(null, (IIssuerSecurityTokenProvider)null));
|
Should.Throw<ArgumentNullException>(() => new JwtFormat((string)null, (IIssuerSecurityTokenProvider)null));
|
||||||
|
Should.Throw<ArgumentNullException>(() => new JwtFormat((TokenValidationParameters)null, (IIssuerSecurityTokenProvider)null));
|
||||||
}
|
}
|
||||||
|
|
||||||
[Fact]
|
[Fact]
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче