

Merge pull request #75 from microsoftgraph/validate-azp-claim
Added check for `azp` claim in validation token
jasonjoh authored Sep 5, 2024
2 parents feab41a + 6c19cfe commit e1367a3
Showing 1 changed file with 14 additions and 4 deletions.
18 changes: 14 additions & 4 deletions src/Services/M365AppConfigService.cs
Expand Up @@ -20,6 +20,8 @@ namespace GitHubConnector.Services;
/// <param name="settings">The application settings.</param>
public class M365AppConfigService(AppSettings settings)
{
private static readonly string GraphNotificationPublisherId = "0bf30f3b-4a52-48df-9a82-234910c4a086";

private readonly HttpListener listener = new();
private readonly int port = settings.PortNumber;
private readonly string tenantId = settings.TenantId ?? throw new ArgumentException("tenantId not set in app settings");
Expand Down Expand Up @@ -79,23 +81,31 @@ public async Task<bool> ValidateTokensAsync(List<string>? tokens)
{
try
{
handler.ValidateToken(
var principal = handler.ValidateToken(
token,
new()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidIssuers = new[]
{
ValidIssuers =
[
$"https://login.microsoftonline.com/{tenantId}/v2.0",
$"https://sts.windows.net/{tenantId}/",
},
],
ValidAudience = clientId,
IssuerSigningKeys = openIdConfig.SigningKeys,
},
out _);

var azpClaim = principal?.FindFirst("azp");
if (azpClaim != null && string.Compare(azpClaim.Value, GraphNotificationPublisherId, StringComparison.OrdinalIgnoreCase) == 0)
{
continue;
}

return false;
}
catch (SecurityTokenValidationException)
{
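Review bot: The new `azp` check rejects every token that the still-accepted v1.0 issuer (`https://sts.windows.net/{tenantId}/` in ValidIssuers) produces, because v1.0 access tokens carry the caller's application id in `appid` rather than `azp`, so `azpClaim` is null and the method returns false for an otherwise valid token. Either drop the v1.0 issuer or fall back to the v1.0 claim name: `var azpClaim = principal?.FindFirst("azp") ?? principal?.FindFirst("appid");`. The comparison reads more directly as `string.Equals(azpClaim.Value, GraphNotificationPublisherId, StringComparison.OrdinalIgnoreCase)` than as `string.Compare(...) == 0`, and a one-line comment above the check such as `// Only tokens issued to the Microsoft Graph change-notification publisher are accepted` would tell the next reader what the GUID constant stands for. ValidateTokensAsync's signature is in the hunk header and its catch block continues outside the hunk.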

