Integrate ServerNonce validation (#1704)

Author: ciaozhang

src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/Exceptions/SignedHttpRequestInvalidNonceClaimException.cs

@@ -0,0 +1,81 @@
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.Serialization;
+
+namespace Microsoft.IdentityModel.Protocols.SignedHttpRequest
+{
+    /// <summary>
+    /// This exception is thrown when a SignedHttpRequest handler encounters an error during 'Nonce' claim resolution.   
+    /// </summary>
+    [Serializable]
+    public class SignedHttpRequestInvalidNonceClaimException : SignedHttpRequestValidationException
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SignedHttpRequestInvalidNonceClaimException"/> class.
+        /// </summary>
+        public SignedHttpRequestInvalidNonceClaimException()
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SignedHttpRequestInvalidNonceClaimException"/> class.
+        /// </summary>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
+        public SignedHttpRequestInvalidNonceClaimException(string message)
+            : base(message)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SignedHttpRequestInvalidNonceClaimException"/> class.
+        /// </summary>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
+        /// <param name="innerException">A <see cref="Exception"/> that represents the root cause of the exception.</param>
+        public SignedHttpRequestInvalidNonceClaimException(string message, Exception innerException)
+            : base(message, innerException)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SignedHttpRequestInvalidNonceClaimException"/> class.
+        /// </summary>
+        /// <param name="info">the <see cref="SerializationInfo"/> that holds the serialized object data.</param>
+        /// <param name="context">The contextual information about the source or destination.</param>
+        protected SignedHttpRequestInvalidNonceClaimException(SerializationInfo info, StreamingContext context)
+            : base(info, context)
+        {
+        }
+
+        /// <summary>
+        /// Gets or sets an <see cref="IDictionary{String, Object}"/> that enables custom extensibility scenarios.
+        /// </summary>
+        public IDictionary<string, object> PropertyBag { get; set; }
+    }
+}

src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/GlobalSuppressions.cs

@@ -11,3 +11,4 @@
 [assembly: SuppressMessage("Performance", "CA1825: Avoid zero-length array allocations", Justification = "net45 target doesn't support Array.Empty")]
 [assembly: SuppressMessage("Globalization", "CA1308:Normalize strings to uppercase", Justification = "Headers need to be lowercase to calcuate appropriate hash", Scope = "type", Target = "~T:Microsoft.IdentityModel.Protocols.SignedHttpRequest.SignedHttpRequestHandler")]
 [assembly: SuppressMessage("Design", "CA1001:Types that own disposable fields should be disposable", Justification = "Breaking change", Scope = "type", Target = "~T:Microsoft.IdentityModel.Protocols.SignedHttpRequest.SignedHttpRequestHandler")]
+[assembly: SuppressMessage("Usage", "CA2227:Collection properties should be read only", Justification = "<Pending>", Scope = "member", Target = "~P:Microsoft.IdentityModel.Protocols.SignedHttpRequest.SignedHttpRequestInvalidNonceClaimException.PropertyBag")]

src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/LogMessages.cs

@@ -69,5 +69,6 @@ internal static class LogMessages
         public const string IDX23033 = "IDX23033: Unable to validate the 'cnf' claim reference. Thumbprint of the JWK used to sign the SignedHttpRequest (root 'cnf' claim) does not match the expected thumbprint ('at' -> 'cnf' -> 'kid'). Expected value: '{0}', actual value: '{1}'. Root 'cnf' claim value: '{2}'. For more details, see https://aka.ms/IdentityModel/SignedHttpRequest.";
         public const string IDX23034 = "IDX23034: Signed http request signature validation failed. SignedHttpRequest: '{0}'";
         public const string IDX23035 = "IDX23035: Unable to resolve a PoP key from the 'jku' claim. Multiple keys are found in the referenced JWK Set document and the 'cnf' claim doesn't contain a 'kid' value.";
+        public const string IDX23036 = "IDX23036: Signed http request nonce validation failed. Exceptions caught: '{0}'.";
     }
 }

src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs

@@ -483,6 +483,9 @@ public async Task<SignedHttpRequestValidationResult> ValidateSignedHttpRequestAs
                 // validate signed http request signature
                 signedHttpRequest.SigningKey = await ValidateSignatureAsync(signedHttpRequest, popKey, signedHttpRequestValidationContext, cancellationToken).ConfigureAwait(false);
 
+                // validate nonce claim
+                ValidateNonceAsync(signedHttpRequest, popKey, signedHttpRequestValidationContext, cancellationToken);
+
                 // validate signed http request payload
                 var validatedSignedHttpRequest = await ValidateSignedHttpRequestPayloadAsync(signedHttpRequest, signedHttpRequestValidationContext, cancellationToken).ConfigureAwait(false);
 
@@ -648,6 +651,27 @@ internal virtual async Task<SecurityKey> ValidateSignatureAsync(JsonWebToken sig
             throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidSignatureException(LogHelper.FormatInvariant(LogMessages.IDX23034, signedHttpRequest.EncodedToken)));
         }
 
+        /// <summary>
+        /// Validates the nonce claim of the signed http request.
+        /// </summary>
+        /// <param name="signedHttpRequest">A SignedHttpRequest.</param>
+        /// <param name="popKey">A Pop key used to validate the signed http request nonce signature.</param>
+        /// <param name="signedHttpRequestValidationContext">A structure that wraps parameters needed for SignedHttpRequest validation.</param>
+        /// <param name="cancellationToken">Propagates notification that operations should be canceled.</param>
+        internal virtual void ValidateNonceAsync(JsonWebToken signedHttpRequest, SecurityKey popKey, SignedHttpRequestValidationContext signedHttpRequestValidationContext, CancellationToken cancellationToken)
+        {
+            try
+            {
+                if (signedHttpRequestValidationContext.SignedHttpRequestValidationParameters.NonceValidatorAsync != null)
+                    if (!signedHttpRequestValidationContext.SignedHttpRequestValidationParameters.NonceValidatorAsync(popKey, signedHttpRequest, signedHttpRequestValidationContext, cancellationToken))
+                        throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidNonceClaimException("SignedHttpRequest nonce validation failed."));
+            }
+            catch (Exception ex)
+            {
+                throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidNonceClaimException(LogHelper.FormatInvariant(LogMessages.IDX23036, ex.ToString()), ex));
+            }
+        }
+
         /// <summary>
         /// Validates the signed http request lifetime ("ts").
         /// </summary>

src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestValidationParameters.cs

@@ -74,12 +74,22 @@ namespace Microsoft.IdentityModel.Protocols.SignedHttpRequest
     /// <summary>
     /// A delegate that will be called to check if SignedHttpRequest is replayed, if set.
     /// </summary>
-    /// <param name="signedHttpRequest">A SignedHttpRequest.</param>
+    /// <param name="signedHttpRequest">A SignedHttpRequest which contains the 'nonce' claim to validate.</param>
     /// <param name="signedHttpRequestValidationContext">A structure that wraps parameters needed for SignedHttpRequest validation.</param>
     /// <param name="cancellationToken">Propagates notification that operations should be canceled.</param>
     /// <returns>Expected to throw an appropriate exception if SignedHttpRequest replay is detected.</returns>
     public delegate Task ReplayValidatorAsync(SecurityToken signedHttpRequest, SignedHttpRequestValidationContext signedHttpRequestValidationContext, CancellationToken cancellationToken);
 
+    /// <summary>
+    /// A delegate that will take control over SignedHttpRequest nonce validation, if set.
+    /// </summary>
+    /// <param name="key">the key use to validate server nonce.</param>
+    /// <param name="signedHttpRequest">A SignedHttpRequest.</param>
+    /// <param name="signedHttpRequestValidationContext">A structure that wraps parameters needed for SignedHttpRequest validation.</param>
+    /// <param name="cancellationToken">Propagates notification that operations should be canceled.</param>
+    /// <returns>Expected to throw an appropriate exception if SignedHttpRequest replay is detected.</returns>
+    public delegate bool NonceValidatorAsync(SecurityKey key, SecurityToken signedHttpRequest, SignedHttpRequestValidationContext signedHttpRequestValidationContext, CancellationToken cancellationToken);
+
     /// <summary>
     /// A delegate that will take control over SignedHttpRequest signature validation, if set.
     /// </summary>
@@ -142,6 +152,11 @@ public class SignedHttpRequestValidationParameters
         /// <remarks>https://tools.ietf.org/html/rfc7800#section-3.5</remarks>
         public HttpClientProvider HttpClientProvider { get; set; }
 
+        /// <summary>
+        /// Gets or sets the <see cref="NonceValidatorAsync"/> delegate.
+        /// </summary>
+        public NonceValidatorAsync NonceValidatorAsync { get; set; }
+
         /// <summary>
         /// Gets or sets the <see cref="PopKeyResolverAsync"/> delegate.
         /// </summary>

test/Microsoft.IdentityModel.Protocols.SignedHttpRequest.Tests/SignedHttpRequestValidationTests.cs

@@ -1683,8 +1683,50 @@ public static TheoryData<ValidateSignedHttpRequestTheoryData> ValidateSignedHttp
                             ValidatedSignedHttpRequest = signedHttpRequest,
                         },
                         TestId = "ValidTest",
+                    },
+                    new ValidateSignedHttpRequestTheoryData
+                    {
+                        SignedHttpRequestToken = signedHttpRequest,
+                        SignedHttpRequestValidationParameters = new SignedHttpRequestValidationParameters()
+                        {
+                            NonceValidatorAsync =  (popKey, signedHttpRequestToken, signedHttpRequestValidationContext, cancellationToken) => false
+                        },
+                        ExpectedException = new ExpectedException(typeof(SignedHttpRequestInvalidNonceClaimException), "IDX23036", typeof(SignedHttpRequestInvalidNonceClaimException)),
+                        TestId = "InValidNonceValidationFailed"
+                    },
+                    new ValidateSignedHttpRequestTheoryData
+                    {
+                        SignedHttpRequestToken = signedHttpRequest,
+                        SignedHttpRequestValidationParameters = new SignedHttpRequestValidationParameters()
+                        {
+                            ValidateB = false,
+                            ValidateH = false,
+                            ValidateM = false,
+                            ValidateP = false,
+                            ValidateQ = false,
+                            ValidateTs = false,
+                            ValidateU = false,
+                            NonceValidatorAsync =  (popKey, signedHttpRequestToken, signedHttpRequestValidationContext, cancellationToken) =>
+                            {
+                                var jwtSignedHttpRequest = signedHttpRequestToken as JsonWebToken;
+                                var nonce = jwtSignedHttpRequest.GetPayloadValue<string>(SignedHttpRequestClaimTypes.Nonce);
+                                return nonce == SignedHttpRequestTestUtils.DefaultSignedHttpRequestPayload.GetValue(SignedHttpRequestClaimTypes.Nonce).ToString();
+                            }
+                        },
+                        ExpectedSignedHttpRequestValidationResult = new SignedHttpRequestValidationResult()
+                        {
+                            AccessTokenValidationResult = new TokenValidationResult()
+                            {
+                                IsValid = true,
+                                SecurityToken = validatedToken,
+                                ClaimsIdentity = resultingClaimsIdentity
+                            },
+                            IsValid = true,
+                            SignedHttpRequest = signedHttpRequest.EncodedToken,
+                            ValidatedSignedHttpRequest = signedHttpRequest,
+                        },
+                        TestId = "ValidTestWithNonce"
                     }
-
                 };
             }
         }