
Update all the token type validation delegates to assume that tokens that don't have a "typ" header are generic JSON Web Tokens

pull/2344/head
Kévin Chalet 8 months ago
parent
commit
55cd0e94a8
  1. 8
      src/OpenIddict.Client/OpenIddictClientOptions.cs
  2. 8
      src/OpenIddict.Client/OpenIddictClientRegistration.cs
  3. 6
      src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
  4. 5
      src/OpenIddict.Server/OpenIddictServerOptions.cs
  5. 5
      src/OpenIddict.Validation/OpenIddictValidationOptions.cs

8
src/OpenIddict.Client/OpenIddictClientOptions.cs

@ -113,9 +113,15 @@ public sealed class OpenIddictClientOptions
ClockSkew = TimeSpan.Zero, ClockSkew = TimeSpan.Zero,
NameClaimType = Claims.Name, NameClaimType = Claims.Name,
RoleClaimType = Claims.Role, RoleClaimType = Claims.Role,
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
TypeValidator = static (type, token, parameters) => TypeValidator = static (type, token, parameters) =>
{ {
// Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
if (string.IsNullOrEmpty(type))
{
type = JsonWebTokenTypes.GenericJsonWebToken;
}
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() && if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
!parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase)) !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
{ {
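Review bot: The fallback added at the top of the delegate only changes the value handed to the `parameters.ValidTypes` comparison on the lines that follow; when that collection is null or empty the comparison is skipped entirely, so a token without a "typ" header is accepted there exactly as before, and when it is populated the token now passes only if the collection contains `JsonWebTokenTypes.GenericJsonWebToken` (presumably "JWT"). The new comment reads as if the token is accepted as a JWT, so I would make the dependency on the caller's list explicit: `// Tokens without an explicit "typ" header are compared as generic JSON Web Tokens, so they only pass when ValidTypes lists that type (or is empty, in which case the type is not checked at all).` Note also that `string.IsNullOrEmpty` leaves a whitespace-only "typ" untouched, so such a header is still compared literally and rejected by a non-empty list, which looks like the intended outcome. The delegate body continues outside the hunk.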

8
src/OpenIddict.Client/OpenIddictClientRegistration.cs

@ -190,9 +190,15 @@ public sealed class OpenIddictClientRegistration
ClockSkew = TimeSpan.Zero, ClockSkew = TimeSpan.Zero,
NameClaimType = Claims.Name, NameClaimType = Claims.Name,
RoleClaimType = Claims.Role, RoleClaimType = Claims.Role,
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
TypeValidator = static (type, token, parameters) => TypeValidator = static (type, token, parameters) =>
{ {
// Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
if (string.IsNullOrEmpty(type))
{
type = JsonWebTokenTypes.GenericJsonWebToken;
}
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() && if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
!parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase)) !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
{ {
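Review bot: This is a second byte-for-byte copy of the missing-"typ" fallback in the client assembly (the first is in OpenIddictClientOptions), layered on a ValidTypes comparison that the two delegates already duplicated line for line. Keeping the policy in one place would stop the copies from drifting the next time the default changes: move the delegate body into a single static method on a client helper and assign that method to `TypeValidator` in both registrations. The server and validation delegates appear to differ (the comment removed in OpenIddictServerOptions mentions inferring the type from a claim), so they could stay separate or share only the fallback itself. The delegate body continues outside the hunk.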

6
src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs

@ -119,6 +119,12 @@ public static partial class OpenIddictServerHandlers
{ {
TypeValidator = static (type, token, parameters) => TypeValidator = static (type, token, parameters) =>
{ {
// Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
if (string.IsNullOrEmpty(type))
{
type = JsonWebTokenTypes.GenericJsonWebToken;
}
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons. // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() && if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
!parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase)) !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
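Review bot: The fallback is inserted into a handler in the server's protection pipeline, which presumably validates tokens this server issued itself; if OpenIddict always stamps a "typ" on the tokens it emits, a self-issued token arriving without one is malformed or foreign, and defaulting it to a generic JWT discards a cheap consistency signal that the previous code kept (an empty type never matched a populated ValidTypes list). Confirm whether tokens without "typ" can legitimately reach this handler, and if they can, record the reason next to the fallback: `// Tokens without "typ" can reach this handler (see <reason>); they are compared as generic JWTs rather than rejected outright.` If they cannot, this is the one place where rejecting an empty type should stay. The enclosing handler starts and ends outside the hunk.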

5
src/OpenIddict.Server/OpenIddictServerOptions.cs

@ -154,11 +154,10 @@ public sealed class OpenIddictServerOptions
}; };
} }
// At this point, throw an exception if the type cannot be resolved from the "typ" header // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
// (provided via the type delegate parameter) or inferred from the token_usage claim.
if (string.IsNullOrEmpty(type)) if (string.IsNullOrEmpty(type))
{ {
throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270)); type = JsonWebTokenTypes.GenericJsonWebToken;
} }
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons. // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
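Review bot: The replacement comment on the first changed line is narrower than the code it describes: the removed text said the type may also be inferred from the token_usage claim, and that inference presumably still happens above this hunk, so an empty `type` here means neither source produced one. Suggested wording: `// Tokens whose type could not be resolved from the "typ" header or inferred from the token_usage claim are treated as generic JSON Web Tokens.` `SecurityTokenInvalidTypeException` with `SR.ID0270` is no longer thrown from this delegate; if the validation options drop it as well, check whether ID0270 is referenced anywhere else before it becomes a dead resource string. The delegate body begins and ends outside the hunk.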

5
src/OpenIddict.Validation/OpenIddictValidationOptions.cs

@ -185,11 +185,10 @@ public sealed class OpenIddictValidationOptions
}; };
} }
// At this point, throw an exception if the type cannot be resolved from the "typ" header // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
// (provided via the type delegate parameter) or inferred from the token_usage claim.
if (string.IsNullOrEmpty(type)) if (string.IsNullOrEmpty(type))
{ {
throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270)); type = JsonWebTokenTypes.GenericJsonWebToken;
} }
// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons. // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
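Review bot: Replacing the throw with a default changes the outcome for a typ-less token from an unconditional `SecurityTokenInvalidTypeException` to whatever `parameters.ValidTypes` decides, and nothing in this commit pins that down. Add tests to the validation suite covering both directions: a token with no "typ" header validated against a ValidTypes list holding only "at+jwt" must still be rejected, the same token against a list holding "JWT" must now be accepted, and one against an empty list should document that the type check is skipped there. The case-insensitive comparison noted in the comment kept below the hunk applies to the new default too, so "jwt" in the list will match it. The delegate body begins and ends outside the hunk.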
