
Populate the ValidIssuer and the ValidAudience properties of the JwtBearerOptions.TokenValidationParameters. #52821

Merged: 9 commits, Feb 22, 2024

Conversation

satma0745
Contributor

PR for the Issue #52820.

@ghost ghost added the community-contribution Indicates that the PR has been added by a community member label Dec 14, 2023
@ghost

ghost commented Dec 14, 2023

Thanks for your PR, @satma0745. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

@martincostello
Member

Ideally this PR should include 1 or more tests that validate the fix and that it doesn't get broken again in the future by accident.

@Kahbazi Kahbazi added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Dec 14, 2023
@satma0745
Contributor Author

@dotnet-policy-service agree

@satma0745
Contributor Author

@martincostello, I've refactored the old tests a bit and provided one of my own.

Now we have 3 tests related to reading TokenValidationParameters from configuration:

  1. CanReadJwtBearerOptionsFromConfig tests the base case for simple flat values
  2. CanReadMultipleAudiencesFromConfig tests if the array of ValidAudiences is loaded properly
  3. CanReadMultipleIssuersFromConfig tests that ValidIssuers and IssuerSigningKeys are loaded and treated properly. I think it's better to have it in a separate test method since they have complex rules (in contrast to the ValidAudiences property).

@satma0745
Contributor Author

I tried sticking with the established testing convention and designed the tests not to stand out too much.
Anyway, let me know if you find anything that looks out of place or a little bit off.

@mkArtakMSFT mkArtakMSFT added area-identity Includes: Identity and providers and removed area-security labels Dec 19, 2023
@ghost ghost added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Dec 27, 2023
@satma0745
Contributor Author

/azp run


Commenter does not have sufficient privileges for PR 52821 in repo dotnet/aspnetcore

@martincostello
Member

or by simply closing and reopening

@satma0745
Contributor Author

> or by simply closing and reopening

But what about the assigned developer? Won't he be unassigned when I close the PR?

@martincostello
Member

Not to my knowledge.

@satma0745 satma0745 closed this Dec 27, 2023
@satma0745 satma0745 reopened this Dec 27, 2023
Member

@halter73 halter73 left a comment


@captainsafia Can you take a look at this since you worked on this and very clearly intentionally set just the multi-value properties?

> I noticed while exploring the identity model code that even though they expose single-value properties for config (e.g. ValidIssuer and ValidAudience) it looks like the multi-value properties are ultimately used as the source of truth. Updated this to just set the multi-value property.
>
> #42679 (comment)

I think the current behavior of not setting the single-value properties is fine since it gets included in the multi-value property. And based on my reading of the ValidateIssuerAsync method in IdentityModel, this change is redundant since it checks against ValidIssuer and then all the ValidIssuers.

If we decide to change the config binding at all, we should make it align with the TokenValidationParameters more directly and not include the single-value property in the multi-value property. That might make things less confusing, and I don't think it would cause any real problems since it appears IdentityModel looks at both together.

@@ -1017,8 +1017,7 @@ public void CanReadJwtBearerOptionsFromConfig()
var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
{
new KeyValuePair<string, string>("Authentication:Schemes:Bearer:ValidIssuer", "dotnet-user-jwts"),
new KeyValuePair<string, string>("Authentication:Schemes:Bearer:ValidAudiences:0", "http://localhost:5000"),
new KeyValuePair<string, string>("Authentication:Schemes:Bearer:ValidAudiences:1", "https://localhost:5001"),
new KeyValuePair<string, string>("Authentication:Schemes:Bearer:ValidAudience", "http://localhost:5000"),
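Review bot: the fixture in this hunk gives ValidAudience the same value as ValidAudiences:0 ("http://localhost:5000"), so assertions on this data cannot tell whether the single-value property was set on its own or merely merged into the multi-value list, which is exactly the question the review raises; give ValidAudience a value that does not already appear in ValidAudiences and assert on ValidAudience and ValidAudiences separately. Note also that the +/- markers have not survived in this rendering of the hunk while its header says 8 lines became 7, so which KeyValuePair entries were added or removed is not visible here.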
Member


Can we include a test that configures both ValidIssuer and ValidIssuers? Or ValidAudience and ValidAudiences?
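An added check, not part of this PR or of the repository's tests, that binds the same in-memory configuration shape as the hunk above through AddJwtBearer and then reads the effective issuer and audience sets the way the discussion describes IdentityModel consulting them (single-value property and multi-value list together), so the check holds whichever property the binder populates. It assumes .NET 8 or later with the Microsoft.AspNetCore.Authentication.JwtBearer package; the Effective helper and the startup guard are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Constructed in-memory configuration with the same key shape as the PR's test fixture.
var config = new ConfigurationBuilder().AddInMemoryCollection(new Dictionary<string, string?>
{
    ["Authentication:Schemes:Bearer:ValidIssuer"] = "dotnet-user-jwts",
    ["Authentication:Schemes:Bearer:ValidAudiences:0"] = "http://localhost:5000",
    ["Authentication:Schemes:Bearer:ValidAudiences:1"] = "https://localhost:5001",
}).Build();

var services = new ServiceCollection();
services.AddLogging();
services.AddSingleton<IConfiguration>(config);
// AddAuthentication registers the configuration provider that AddJwtBearer binds from.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();

using var provider = services.BuildServiceProvider();
var tvp = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>()
    .Get(JwtBearerDefaults.AuthenticationScheme)
    .TokenValidationParameters;

// Union of the single-value property and the multi-value list, with null/empty entries
// dropped: this is the set the validator actually matches against (hypothetical helper).
static IReadOnlyList<string> Effective(string? single, IEnumerable<string>? many)
{
    var all = new List<string>();
    if (!string.IsNullOrEmpty(single)) all.Add(single);
    if (many is not null) all.AddRange(many.Where(v => !string.IsNullOrEmpty(v)));
    return all.Distinct().ToList();
}

var issuers = Effective(tvp.ValidIssuer, tvp.ValidIssuers);
var audiences = Effective(tvp.ValidAudience, tvp.ValidAudiences);
Console.WriteLine($"Issuers:   {string.Join(", ", issuers)}");
Console.WriteLine($"Audiences: {string.Join(", ", audiences)}");

// Startup guard: validation enabled with nothing to validate against is a misconfiguration
// that would otherwise only surface as every bearer token being rejected (or, if validation
// were switched off, as none being checked).
if (tvp.ValidateIssuer && issuers.Count == 0)
    throw new InvalidOperationException("ValidateIssuer is on but no ValidIssuer/ValidIssuers are configured.");
if (tvp.ValidateAudience && audiences.Count == 0)
    throw new InvalidOperationException("ValidateAudience is on but no ValidAudience/ValidAudiences are configured.");
```

Run it once with the ValidIssuer key removed to see the guard fire; the same shape works for a real appsettings.json section because the binder reads the scheme section regardless of the configuration source.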

@mkArtakMSFT mkArtakMSFT removed the area-identity Includes: Identity and providers label Jan 26, 2024
Member

@halter73 halter73 left a comment


I talked to @captainsafia, and we're fine taking this change since we have quite a few previews left to see if there are any problems with this simplification.

@halter73 halter73 enabled auto-merge (squash) February 2, 2024 22:27
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 13, 2024
@dotnet dotnet deleted a comment Feb 13, 2024
@dotnet-policy-service dotnet-policy-service bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Feb 13, 2024
@wtgodbe wtgodbe removed the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Feb 13, 2024
Contributor

Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime.
To make sure no conflicting changes have occurred, please rerun validation before merging. You can do this by leaving an /azp run comment here (requires commit rights), or by simply closing and reopening.

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 20, 2024
@halter73 halter73 removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 21, 2024
@halter73 halter73 merged commit cc5bc6b into dotnet:main Feb 22, 2024
26 checks passed
@dotnet-policy-service dotnet-policy-service bot added this to the 9.0-preview2 milestone Feb 22, 2024