Serialize and deserialize actor token in claims identity #3219
+2,028
−22
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -668,11 +668,16 @@ internal static void WriteJwsPayload( | |||||
| // Duplicates are resolved according to the following priority: | ||||||
| // SecurityTokenDescriptor.{Audience/Audiences, Issuer, Expires, IssuedAt, NotBefore}, SecurityTokenDescriptor.Claims, SecurityTokenDescriptor.Subject.Claims | ||||||
| // SecurityTokenDescriptor.Claims are KeyValuePairs<string,object>, whereas SecurityTokenDescriptor.Subject.Claims are System.Security.Claims.Claim and are processed differently. | ||||||
| bool isActorFound = false; | ||||||
| if (tokenDescriptor.Claims != null && tokenDescriptor.Claims.Count > 0) | ||||||
| { | ||||||
| foreach (KeyValuePair<string, object> kvp in tokenDescriptor.Claims) | ||||||
| { | ||||||
| if (kvp.Key.Equals(tokenDescriptor.ActorClaimType, StringComparison.Ordinal)) | ||||||
| { | ||||||
| isActorFound = true; | ||||||
| continue; | ||||||
| } | ||||||
| if (!descriptorClaimsAudienceChecked && kvp.Key.Equals(JwtRegisteredClaimNames.Aud, StringComparison.Ordinal)) | ||||||
| { | ||||||
| descriptorClaimsAudienceChecked = true; | ||||||
|
|
@@ -754,6 +759,8 @@ internal static void WriteJwsPayload( | |||||
| JsonPrimitives.WriteObject(ref writer, kvp.Key, kvp.Value); | ||||||
| } | ||||||
| } | ||||||
| if (isActorFound || tokenDescriptor.Subject?.Actor != null) | ||||||
|
Contributor
There was a problem hiding this comment. I think this should be: !isActorFound |
||||||
| WriteActorToken(writer, tokenDescriptor, setDefaultTimesOnTokenCreation, tokenLifetimeInMinutes); | ||||||
|
|
||||||
| AddSubjectClaims(ref writer, tokenDescriptor, audienceSet, issuerSet, ref expSet, ref iatSet, ref nbfSet); | ||||||
|
|
||||||
|
|
@@ -1071,6 +1078,74 @@ internal static byte[] WriteJweHeader(SecurityTokenDescriptor tokenDescriptor) | |||||
| } | ||||||
| } | ||||||
| } | ||||||
| internal static void WriteActorToken( | ||||||
| Utf8JsonWriter writer, | ||||||
|
Contributor
There was a problem hiding this comment. It is important to pass the writer using the 'ref' keyword.
Contributor
Author
There was a problem hiding this comment. I will do this thank you for your review @brentschmaltz |
||||||
| SecurityTokenDescriptor tokenDescriptor, | ||||||
| bool setDefaultTimesOnTokenCreation, | ||||||
| int tokenLifetimeInMinutes) | ||||||
| { | ||||||
| if (tokenDescriptor == null) | ||||||
|
Contributor
There was a problem hiding this comment. tokenDescriptor should never be null here, you can check for null, but don't throw, just return.
Contributor
Author
There was a problem hiding this comment. Okay, will do this! |
||||||
| throw new ArgumentNullException(nameof(tokenDescriptor)); | ||||||
|
|
||||||
| var actorTokenDescriptor = CreateActorTokenDescriptor(tokenDescriptor); | ||||||
| if (actorTokenDescriptor == null || actorTokenDescriptor.Subject == null) | ||||||
| return; | ||||||
|
|
||||||
| writer.WritePropertyName(tokenDescriptor.ActorClaimType); | ||||||
saurabhsathe-ms marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| WriteJwsPayload(ref writer, actorTokenDescriptor, setDefaultTimesOnTokenCreation, tokenLifetimeInMinutes); | ||||||
|
Contributor
There was a problem hiding this comment. We can simply this method by just passing the ClaimsIdentity, and the writing the claims into JSON. The parameters to this method could be. internal static void WriteActorToken(
ref Utf8JsonWriter writer,
string claimName,
ClaimsIdentity claimsIdentity) |
||||||
| } | ||||||
|
|
||||||
| private static void ValidateActorChainDepth(SecurityTokenDescriptor tokenDescriptor) | ||||||
| { | ||||||
| if (tokenDescriptor.ActorChainDepth >= tokenDescriptor.MaxActorChainLength) | ||||||
| { | ||||||
| throw LogHelper.LogExceptionMessage( | ||||||
| new SecurityTokenException(LogHelper.FormatInvariant( | ||||||
| LogMessages.IDX14313, | ||||||
| LogHelper.MarkAsNonPII(tokenDescriptor.ActorChainDepth), | ||||||
| LogHelper.MarkAsNonPII(tokenDescriptor.MaxActorChainLength)))); | ||||||
| } | ||||||
| } | ||||||
|
|
||||||
| private static SecurityTokenDescriptor CreateActorTokenDescriptor(SecurityTokenDescriptor tokenDescriptor) | ||||||
| { | ||||||
| SecurityTokenDescriptor actorTokenDescriptor = null; | ||||||
|
|
||||||
| if (tokenDescriptor.Claims?.TryGetValue(tokenDescriptor.ActorClaimType, out object actorValue) == true) | ||||||
| { | ||||||
| if (actorValue is not ClaimsIdentity actor) | ||||||
| { | ||||||
| throw LogHelper.LogExceptionMessage(new SecurityTokenException( | ||||||
| LogHelper.FormatInvariant( | ||||||
| LogMessages.IDX14315, | ||||||
| LogHelper.MarkAsNonPII(tokenDescriptor.ActorClaimType), | ||||||
| LogHelper.MarkAsNonPII(actorValue?.GetType().ToString() ?? "null")))); | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
| } | ||||||
|
|
||||||
| actorTokenDescriptor = new SecurityTokenDescriptor | ||||||
| { | ||||||
| Subject = actor, | ||||||
| }; | ||||||
|
|
||||||
| } | ||||||
| // Then check for actor in subject | ||||||
| else if (tokenDescriptor.Subject?.Actor != null) | ||||||
| { | ||||||
| actorTokenDescriptor = new SecurityTokenDescriptor | ||||||
| { | ||||||
| Subject = tokenDescriptor.Subject.Actor, | ||||||
| }; | ||||||
| } | ||||||
| if (actorTokenDescriptor != null) | ||||||
| { | ||||||
| ValidateActorChainDepth(tokenDescriptor); | ||||||
| actorTokenDescriptor.MaxActorChainLength = tokenDescriptor.MaxActorChainLength; | ||||||
| actorTokenDescriptor.ActorClaimType = tokenDescriptor.ActorClaimType; | ||||||
| actorTokenDescriptor.ActorChainDepth = tokenDescriptor.ActorChainDepth + 1; | ||||||
| } | ||||||
|
|
||||||
| return actorTokenDescriptor; | ||||||
| } | ||||||
|
|
||||||
| internal static byte[] CompressToken(byte[] utf8Bytes, string compressionAlgorithm) | ||||||
| { | ||||||
|
|
||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -51,5 +51,8 @@ internal static class LogMessages | |
| internal const string IDX14310 = "IDX14310: JWE authentication tag is missing."; | ||
| internal const string IDX14311 = "IDX14311: Unable to decode the authentication tag as a Base64Url encoded string."; | ||
| internal const string IDX14312 = "IDX14312: Unable to decode the cipher text as a Base64Url encoded string."; | ||
| internal const string IDX14313 = "IDX14313: Unable to serialize/deserialize act claim. Maximum actor token depth reached. Current nesting depth is {0} while max depth set is {1}"; | ||
| internal const string IDX14314 = "IDX14314: Unable to deserialize act claim. Exception faced while using custom delegate to deserialize act claim. Nested exception is :{0}"; | ||
| internal const string IDX14315 = "IDX14315: Encountered an exception while processing the actor claim. Actor claim {0} is not a claims identity. It is of type {1}."; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| <Project Sdk="Microsoft.NET.Sdk"> | ||
|
|
||
| <Import Project="..\..\build\common.props" /> | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,2 @@ | ||
| static Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CreateActorClaimsIdentityFromJsonElement(System.Text.Json.JsonElement jsonElement, Microsoft.IdentityModel.Tokens.TokenValidationParameters tokenValidationParameters, string issuer = null) -> System.Security.Claims.ClaimsIdentity | ||
| Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.DecryptTokenWithConfigurationAsync(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken jwtToken, Microsoft.IdentityModel.Tokens.TokenValidationParameters validationParameters, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<string> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,6 +3,7 @@ | |
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.Security.Claims; | ||
| using System.Text.Json; | ||
| using System.Threading.Tasks; | ||
|
|
||
|
|
@@ -194,4 +195,12 @@ namespace Microsoft.IdentityModel.Tokens | |
| /// <param name="claimValue">The claim value that was read and parsed from the reader.</param> | ||
| /// <returns>True, if the claim value was read successfully; false otherwise.</returns> | ||
| public delegate bool TryReadJwtClaim(ref Utf8JsonReader reader, JwtSegmentType jwtSegmentType, string claimName, out object claimValue); | ||
|
|
||
| /// <summary> | ||
| /// Delegate to validate the 'act' claim and create actor's ClaimsIdentity. | ||
| /// </summary> | ||
| /// <param name="actClaim">The JSON element representing the 'act' claim.</param> | ||
| /// <param name="tokenValidationParameters"> Opitonal validation parameters if needed</param> | ||
| /// <returns>A ClaimsIdentity representing the actor.</returns> | ||
| public delegate ClaimsIdentity ActClaimRetrieverDelegate(JsonElement actClaim, TokenValidationParameters tokenValidationParameters = null); | ||
| } | ||
saurabhsathe-ms marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Following the logic for duplicate claims, we should write out the 'actor' claim, not sure why we continue.