Add ReadOnlyMemory based overload for CanReadToken

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

@@ -120,6 +120,25 @@ public IDictionary<string, string> InboundClaimTypeMap
             }
         }
 
+        /// <summary>
+        /// Determines if the <see cref="ReadOnlyMemory{T}"/> is a well formed JSON Web Token (JWT). See: <see href="https://datatracker.ietf.org/doc/html/rfc7519"/>.
+        /// </summary>
+        /// <param name="token"><see cref="ReadOnlyMemory{T}"/> that should represent a valid JWT.</param>
+        /// <remarks>Uses <see cref="Regex.IsMatch(string, string)"/> matching:
+        /// <para>JWS: @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$"</para>
+        /// <para>JWE: (dir): @"^[A-Za-z0-9-_]+\.\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$"</para>
+        /// <para>JWE: (wrappedkey): @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]$"</para>
+        /// </remarks>
+        /// <returns>
+        /// <para><see langword="false"/> if the token is null or whitespace.</para>
+        /// <para><see langword="false"/> if token.Length is greater than <see cref="TokenHandler.MaximumTokenSizeInBytes"/>.</para>
+        /// <para><see langword="true"/> if the token is in JSON Compact Serialization format.</para>
+        /// </returns>
+        public virtual bool CanReadToken(ReadOnlyMemory<char> token)
+        {
+            return JwtTokenUtilities.CanReadToken(token, MaximumTokenSizeInBytes);
+        }
+
         /// <summary>
         /// Determines if the string is a well formed JSON Web Token (JWT). See: <see href="https://datatracker.ietf.org/doc/html/rfc7519"/>.
         /// </summary>
@@ -139,6 +158,9 @@ public virtual bool CanReadToken(string token)
             if (string.IsNullOrWhiteSpace(token))
                 return false;
 
+#if NET8_0_OR_GREATER
+            return CanReadToken(token.AsMemory());
+#else
             if (token.Length > MaximumTokenSizeInBytes)
             {
                 if (LogHelper.IsEnabled(EventLogLevel.Informational))
@@ -169,6 +191,7 @@ public virtual bool CanReadToken(string token)
                     LogHelper.LogInformation(LogMessages.IDX14107);
                     return false;
             }
+#endif
         }
 
         private static StringComparison GetStringComparisonRuleIf509(SecurityKey securityKey) =>

src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs

@@ -580,30 +580,72 @@ internal static SecurityKey ResolveTokenSigningKey(string kid, string x5t, IEnum
             return null;
         }
 
+        /// <summary>
+        /// Determines if the token can be read.
+        /// </summary>
+        /// <param name="token">The token to check.</param>
+        /// <param name="maximumTokenSizeInBytes">Maximum allowed size of the token, method will return false if exceeded.</param>
+        internal static bool CanReadToken(ReadOnlyMemory<char> token, int maximumTokenSizeInBytes)
+        {
+            if (token.IsEmpty || token.Span.IsWhiteSpace())
+                return false;
+
+            if (token.Length > maximumTokenSizeInBytes)
+            {
+                if (LogHelper.IsEnabled(EventLogLevel.Informational))
+                    LogHelper.LogInformation(TokenLogMessages.IDX10209, LogHelper.MarkAsNonPII(token.Length), LogHelper.MarkAsNonPII(maximumTokenSizeInBytes));
+
+                return false;
+            }
+
+            // Set the maximum number of segments to MaxJwtSegmentCount + 1. This controls the number of splits and allows detecting the number of segments is too large.
+            // For example: "a.b.c.d.e.f.g.h" => [a], [b], [c], [d], [e], [f.g.h]. 6 segments.
+            // If just MaxJwtSegmentCount was used, then [a], [b], [c], [d], [e.f.g.h] would be returned. 5 segments.
+            int segmentCount = CountJwtTokenPart(token.Span, JwtConstants.MaxJwtSegmentCount + 1);
+
+            switch (segmentCount)
+            {
+                case JwtConstants.JwsSegmentCount:
+#if NET8_0_OR_GREATER
+                    return JwtTokenUtilities.RegexJws.IsMatch(token.Span);
+#else
+                    return JwtTokenUtilities.RegexJws.IsMatch(token.ToString());
+#endif
+
+                case JwtConstants.JweSegmentCount:
+#if NET8_0_OR_GREATER
+                    return JwtTokenUtilities.RegexJwe.IsMatch(token.Span);
+#else
+                    return JwtTokenUtilities.RegexJwe.IsMatch(token.ToString());
+#endif
+
+                default:
+                    LogHelper.LogInformation(LogMessages.IDX14107);
+                    return false;
+            }
+        }
+
         /// <summary>
         /// Counts the number of JWT token segments.
         /// </summary>
         /// <param name="token">The JWT token.</param>
         /// <param name="maxCount">The maximum number of segments to count up to.</param>
         /// <returns>The number of segments up to <paramref name="maxCount"/>.</returns>
-        internal static int CountJwtTokenPart(string token, int maxCount)
+        internal static int CountJwtTokenPart(ReadOnlySpan<char> token, int maxCount)
         {
-            var count = 1;
-            var index = 0;
-            while (index < token.Length)
+            int count = 1;
+            ReadOnlySpan<char> localToken = token;
+            while (localToken.Length > 0)
             {
-                var dotIndex = token.IndexOf('.', index);
+                int dotIndex = localToken.IndexOf('.');
                 if (dotIndex < 0)
-                {
                     break;
-                }
                 count++;
-                index = dotIndex + 1;
                 if (count == maxCount)
-                {
                     break;
-                }
+                localToken = localToken.Slice(dotIndex + 1);
             }
+
             return count;
         }
 

src/Microsoft.IdentityModel.JsonWebTokens/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
-Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.DecryptTokenWithConfigurationAsync(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken jwtToken, Microsoft.IdentityModel.Tokens.TokenValidationParameters validationParameters, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<string>
+Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.DecryptTokenWithConfigurationAsync(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken jwtToken, Microsoft.IdentityModel.Tokens.TokenValidationParameters validationParameters, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<string>
+virtual Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CanReadToken(System.ReadOnlyMemory<char> token) -> bool

src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs

@@ -263,6 +263,26 @@ public override Type TokenType
             get { return typeof(JwtSecurityToken); }
         }
 
+        /// <summary>
+        /// Determines if the <see cref="ReadOnlyMemory{T}"/> is a well formed Json Web Token (JWT).
+        /// <para>See: https://datatracker.ietf.org/doc/html/rfc7519 </para>
+        /// </summary>
+        /// <param name="token"><see cref="ReadOnlyMemory{T}"/> that should represent a valid JWT.</param>
+        /// <remarks>Uses <see cref="Regex.IsMatch(string, string)"/> matching one of:
+        /// <para>JWS: @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$"</para>
+        /// <para>JWE: (dir): @"^[A-Za-z0-9-_]+\.\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$"</para>
+        /// <para>JWE: (wrappedkey): @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]$"</para>
+        /// </remarks>
+        /// <returns>
+        /// <para>'false' if the token is null or whitespace.</para>
+        /// <para>'false' if token.Length is greater than <see cref="TokenHandler.MaximumTokenSizeInBytes"/>.</para>
+        /// <para>'true' if the token is in JSON compact serialization format.</para>
+        /// </returns>
+        public virtual bool CanReadToken(ReadOnlyMemory<char> token)
+        {
+            return JwtTokenUtilities.CanReadToken(token, MaximumTokenSizeInBytes);
+        }
+
         /// <summary>
         /// Determines if the string is a well formed Json Web Token (JWT).
         /// <para>See: https://datatracker.ietf.org/doc/html/rfc7519 </para>
@@ -283,6 +303,9 @@ public override bool CanReadToken(string token)
             if (string.IsNullOrWhiteSpace(token))
                 return false;
 
+#if NET8_0_OR_GREATER
+            return CanReadToken(token.AsMemory());
+#else
             if (token.Length > MaximumTokenSizeInBytes)
             {
                 if (LogHelper.IsEnabled(EventLogLevel.Informational))
@@ -294,7 +317,7 @@ public override bool CanReadToken(string token)
             // Set the maximum number of segments to MaxJwtSegmentCount + 1. This controls the number of splits and allows detecting the number of segments is too large.
             // For example: "a.b.c.d.e.f.g.h" => [a], [b], [c], [d], [e], [f.g.h]. 6 segments.
             // If just MaxJwtSegmentCount was used, then [a], [b], [c], [d], [e.f.g.h] would be returned. 5 segments.
-            int tokenPartCount = JwtTokenUtilities.CountJwtTokenPart(token, JwtConstants.MaxJwtSegmentCount + 1);
+            int tokenPartCount = JwtTokenUtilities.CountJwtTokenPart(token.AsSpan(), JwtConstants.MaxJwtSegmentCount + 1);
             if (tokenPartCount == JwtConstants.JwsSegmentCount)
             {
                 return JwtTokenUtilities.RegexJws.IsMatch(token);
@@ -306,6 +329,7 @@ public override bool CanReadToken(string token)
 
             LogHelper.LogInformation(LogMessages.IDX12720);
             return false;
+#endif
         }
 
         /// <summary>
@@ -823,7 +847,7 @@ public override ClaimsPrincipal ValidateToken(string token, TokenValidationParam
             if (token.Length > MaximumTokenSizeInBytes)
                 throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(TokenLogMessages.IDX10209, LogHelper.MarkAsNonPII(token.Length), LogHelper.MarkAsNonPII(MaximumTokenSizeInBytes))));
 
-            int tokenPartCount = JwtTokenUtilities.CountJwtTokenPart(token, JwtConstants.MaxJwtSegmentCount + 1);
+            int tokenPartCount = JwtTokenUtilities.CountJwtTokenPart(token.AsSpan(), JwtConstants.MaxJwtSegmentCount + 1);
 
             if (tokenPartCount != JwtConstants.JwsSegmentCount && tokenPartCount != JwtConstants.JweSegmentCount)
                 throw LogHelper.LogExceptionMessage(new SecurityTokenMalformedException(LogMessages.IDX12741));

src/System.IdentityModel.Tokens.Jwt/PublicAPI.Unshipped.txt

@@ -0,0 +1 @@
+virtual System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CanReadToken(System.ReadOnlyMemory<char> token) -> bool

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs

@@ -259,6 +259,18 @@ public void SegmentCanRead(JwtTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
+        [Theory, MemberData(nameof(SegmentTheoryData), DisableDiscoveryEnumeration = true)]
+        public void SegmentCanReadMemory(JwtTheoryData theoryData)
+        {
+            var context = TestUtilities.WriteHeader($"{this}.SegmentCanRead", theoryData);
+
+            var handler = new JsonWebTokenHandler();
+            if (theoryData.CanRead != handler.CanReadToken(theoryData.Token.AsMemory()))
+                context.Diffs.Add("theoryData.CanRead != handler.CanReadToken(theoryData.Token.AsMemory()))");
+
+            TestUtilities.AssertFailIfErrors(context);
+        }
+
         public static TheoryData<JwtTheoryData> SegmentTheoryData()
         {
             var theoryData = new TheoryData<JwtTheoryData>();
@@ -540,7 +552,7 @@ public static TheoryData<CreateTokenTheoryData> CreateJWEWithAesGcmTheoryData
             }
         }
 
-        // Tests checks to make sure that the token string created by the JsonWebTokenHandler is consistent with the 
+        // Tests checks to make sure that the token string created by the JsonWebTokenHandler is consistent with the
         // token string created by the JwtSecurityTokenHandler.
         [Theory, MemberData(nameof(CreateJWETheoryData), DisableDiscoveryEnumeration = true)]
         public async Task CreateJWE(CreateTokenTheoryData theoryData)
@@ -868,7 +880,7 @@ private static OpenIdConnectConfiguration CreateCustomConfigurationThatThrows(Se
             return configurationWithCustomCryptoProviderFactory;
         }
 
-        // Tests checks to make sure that the token string (JWE) created by calling 
+        // Tests checks to make sure that the token string (JWE) created by calling
         // CreateToken(string payload, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
         // is equivalent to the token string created by calling CreateToken(SecurityTokenDescriptor tokenDescriptor).
         [Theory, MemberData(nameof(CreateJWEUsingSecurityTokenDescriptorTheoryData), DisableDiscoveryEnumeration = true)]
@@ -1259,7 +1271,7 @@ public static TheoryData<CreateTokenTheoryData> CreateJWEUsingSecurityTokenDescr
             }
         }
 
-        // Tests checks to make sure that the token string created by the JsonWebTokenHandler is consistent with the 
+        // Tests checks to make sure that the token string created by the JsonWebTokenHandler is consistent with the
         // token string created by the JwtSecurityTokenHandler.
         [Theory, MemberData(nameof(CreateJWSTheoryData), DisableDiscoveryEnumeration = true)]
         public async Task CreateJWS(CreateTokenTheoryData theoryData)
@@ -2054,7 +2066,7 @@ public static TheoryData<CreateTokenTheoryData> CreateJWSUsingSecurityTokenDescr
                 {
                     // Test checks that the values in SecurityTokenDescriptor.Subject.Claims
                     // are properly combined with those specified in SecurityTokenDescriptor.Claims.
-                    // Duplicate values (if present with different case) should not be overridden. 
+                    // Duplicate values (if present with different case) should not be overridden.
                     // For example, the 'aud' claim on TokenDescriptor.Claims will not be overridden
                     // by the 'AUD' claim on TokenDescriptor.Subject.Claims, but the 'exp' claim will.
                     new CreateTokenTheoryData("TokenDescriptorWithBothSubjectAndClaims")
@@ -2514,7 +2526,7 @@ public async Task AdditionalHeaderValues()
 
 
         // Test checks to make sure that the token payload retrieved from ValidateToken is the same as the payload
-        // the token was initially created with. 
+        // the token was initially created with.
         [Fact]
         public async Task RoundTripJWS()
         {
@@ -3211,7 +3223,7 @@ public async Task ValidateJsonWebTokenClaimMapping()
             TestUtilities.AssertFailIfErrors(context);
         }
 
-        // Test shows if the JwtSecurityTokenHandler has mapping OFF and 
+        // Test shows if the JwtSecurityTokenHandler has mapping OFF and
         // the JsonWebTokenHandler has mapping ON,the claims are different.
         [Fact]
         public async Task ValidateDifferentClaimsBetweenHandlers()