Update Wilson7 branch

Default to using new handlers
Changes from API review

src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs

@@ -9,7 +9,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.Net.Http.Headers;
 
@@ -20,8 +19,6 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer;
 /// </summary>
 public class JwtBearerHandler : AuthenticationHandler<JwtBearerOptions>
 {
-    private OpenIdConnectConfiguration? _configuration;
-
     /// <summary>
     /// Initializes a new instance of <see cref="JwtBearerHandler"/>.
     /// </summary>
@@ -101,7 +98,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             SecurityToken? validatedToken = null;
             ClaimsPrincipal? principal = null;
 
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenValidators)
             {
                 foreach (var tokenHandler in Options.TokenHandlers)
                 {
@@ -123,7 +120,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     catch (Exception ex)
                     {
                         validationFailures ??= new List<Exception>(1);
-                        RecordTokenValidationError(new SecurityTokenValidationException($"TokenHandler: '{tokenHandler}', threw an exception (see inner exception).", ex), validationFailures);
+                        RecordTokenValidationError(ex, validationFailures);
                     }
                 }
             }
@@ -194,7 +191,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.Fail(authenticationFailedContext.Exception);
             }
 
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenValidators)
             {
                 return AuthenticateResults.TokenHandlerUnableToValidate;
             }
@@ -251,10 +248,10 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn
             if (Options.ConfigurationManager != null)
             {
                 // GetConfigurationAsync has a time interval that must pass before new http request will be issued.
-                _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
-                var issuers = new[] { _configuration.Issuer };
+                var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
+                var issuers = new[] { configuration.Issuer };
                 tokenValidationParameters.ValidIssuers = (tokenValidationParameters.ValidIssuers == null ? issuers : tokenValidationParameters.ValidIssuers.Concat(issuers));
-                tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? _configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(_configuration.SigningKeys));
+                tokenValidationParameters.IssuerSigningKeys = (tokenValidationParameters.IssuerSigningKeys == null ? configuration.SigningKeys : tokenValidationParameters.IssuerSigningKeys.Concat(configuration.SigningKeys));
             }
         }
 

src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs

@@ -111,6 +111,7 @@ public JwtBearerOptions()
     /// <summary>
     /// Gets the ordered list of <see cref="ISecurityTokenValidator"/> used to validate access tokens.
     /// </summary>
+    [Obsolete("SecurityTokenValidators is no longer used by default. Use TokenHandlers instead. To continue using SecurityTokenValidators, set UseSecurityTokenValidators to true.")]
     public IList<ISecurityTokenValidator> SecurityTokenValidators { get; private set; }
 
     /// <summary>
@@ -180,5 +181,5 @@ public bool MapInboundClaims
     /// <para>The default token handler is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>
     /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>
     /// </remarks>
-    public bool UseTokenHandlers { get; set; }
+    public bool UseSecurityTokenValidators { get; set; }
 }

src/Security/Authentication/JwtBearer/src/PublicAPI.Unshipped.txt

@@ -1,5 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.JwtBearerHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.TokenHandlers.get -> System.Collections.Generic.IList<Microsoft.IdentityModel.Tokens.TokenHandler!>!
-Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.get -> bool
-Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseTokenHandlers.set -> void
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseSecurityTokenValidators.get -> bool
+Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions.UseSecurityTokenValidators.set -> void

src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt

@@ -1,5 +1,5 @@
 #nullable enable
 Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.WsFederationHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder) -> void
 Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.TokenHandlers.get -> System.Collections.Generic.ICollection<Microsoft.IdentityModel.Tokens.TokenHandler!>!
-Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.get -> bool
-Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseTokenHandlers.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseSecurityTokenHandlers.get -> bool
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.UseSecurityTokenHandlers.set -> void

src/Security/Authentication/WsFederation/src/Resources.resx

@@ -121,7 +121,7 @@
     <value>The service descriptor is missing.</value>
   </data>
   <data name="Exception_NoTokenValidatorFound" xml:space="preserve">
-    <value>No token validator was found for the given token.</value>
+    <value>No token validator or token handler was found for the given token.</value>
   </data>
   <data name="Exception_OptionMustBeProvided" xml:space="preserve">
     <value>The '{0}' option must be provided.</value>

src/Security/Authentication/WsFederation/src/WsFederationHandler.cs

@@ -245,7 +245,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             var tvp = await SetupTokenValidationParametersAsync();
             ClaimsPrincipal? principal = null;
             SecurityToken? validatedToken = null;
-            if (Options.UseTokenHandlers)
+            if (!Options.UseSecurityTokenHandlers)
             {
                 foreach (var tokenHandler in Options.TokenHandlers)
                 {
@@ -298,7 +298,6 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
             if (principal == null)
             {
-                // TODO - need new string for TokenHandler
                 if (validationFailures == null || validationFailures.Count == 0)
                 {
                     throw new SecurityTokenException(Resources.Exception_NoTokenValidatorFound);
@@ -375,7 +374,6 @@ private async Task<TokenValidationParameters> SetupTokenValidationParametersAsyn
 
         if (Options.ConfigurationManager is BaseConfigurationManager baseConfigurationManager)
         {
-            // TODO - we need to add a parameter to TokenValidationParameters for the CancellationToken.
             tokenValidationParameters.ConfigurationManager = baseConfigurationManager;
         }
         else

src/Security/Authentication/WsFederation/src/WsFederationOptions.cs

@@ -105,6 +105,7 @@ public override void Validate()
     /// <summary>
     /// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
     /// </summary>
+    [Obsolete("SecurityTokenHandlers is no longer used by default. Use TokenHandlers instead. To continue using SecurityTokenHandlers, set UseSecurityTokenHandlers to true.")]
     public ICollection<ISecurityTokenValidator> SecurityTokenHandlers
     {
         get
@@ -118,7 +119,7 @@ public ICollection<ISecurityTokenValidator> SecurityTokenHandlers
     }
 
     /// <summary>
-    /// Gets or sets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
+    /// Gets the collection of <see cref="ISecurityTokenValidator"/> used to read and validate the <see cref="SecurityToken"/>s.
     /// </summary>
     public ICollection<TokenHandler> TokenHandlers
     {
@@ -208,5 +209,5 @@ public TokenValidationParameters TokenValidationParameters
     /// <para>The default token handler for JsonWebTokens is a <see cref="JsonWebTokenHandler"/> which is faster than a <see cref="JwtSecurityTokenHandler"/>.</para>
     /// <para>There is an ability to make use of a Last-Known-Good model for metadata that protects applications when metadata is published with errors.</para>
     /// </remarks>
-    public bool UseTokenHandlers { get; set; }
+    public bool UseSecurityTokenHandlers { get; set; }
 }