
Updating AspNetCore sample token handling based on updated security guidance
VesaJuvonen committed Mar 27, 2020
1 parent 60acbec commit a746e63
Showing 1 changed file with 21 additions and 0 deletions.
@@ -1,4 +1,6 @@
using Microsoft.IdentityModel.Claims;
using System;
using System.Linq;
using System.ServiceModel.Security.Tokens;
using System.Xml;

Expand Down Expand Up @@ -412,6 +414,7 @@ private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.S
ClaimsIdentity claimsIdentity = new ClaimsIdentity("Federation");
if (!isActorToken && jsonWebSecurityToken.ActorToken != null)
{
ValidateActorTokenForAppOnly(jsonWebSecurityToken.ActorToken);
ClaimsIdentityCollection claimsIdentityCollection2 = this.ValidateActorToken(jsonWebSecurityToken.ActorToken);
if (claimsIdentityCollection2.Count > 1)
{
Expand Down Expand Up @@ -440,6 +443,24 @@ private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.S
return claimsIdentityCollection;
}

/// <summary>
///Validates that the actor token is an app token by checking for the lack of user claims
/// </summary>
/// <param name="actorToken"></param>
private static void ValidateActorTokenForAppOnly(JsonWebSecurityToken actorToken)
{
if (actorToken != null)
{
if (actorToken.Claims.FirstOrDefault<JsonWebTokenClaim>(x => x.ClaimType.Equals("scp")) != null
|| actorToken.Claims.FirstOrDefault<JsonWebTokenClaim>(x => x.ClaimType.Equals("upn")) != null
|| actorToken.Claims.FirstOrDefault<JsonWebTokenClaim>(x => x.ClaimType.Equals("unique_name")) != null
|| actorToken.Claims.FirstOrDefault<JsonWebTokenClaim>(x => x.ClaimType.Equals("altsecid")) != null)
{
throw new UnauthorizedAccessException("Invalid actor token.");
}
}
}

public override ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken token)
{
return this.ValidateTokenCore(token, false);
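Review bot: The four claim names tested in ValidateActorTokenForAppOnly are a bare denylist with nothing recording why an actor token carrying any of them must be refused, and the XML doc on the new helper has an empty `<param>` and no `<exception>` for the UnauthorizedAccessException it throws. I would hoist the names into a named `static readonly string[] UserClaimTypes` with a comment that these claims only appear on tokens issued in a user (delegated) context, collapse the four `FirstOrDefault(...) != null` tests into one `Any`, and say in the summary that a user-identity claim on the actor token means it is not an app-only token and must not be trusted as one. `ClaimType.Equals("scp")` is an ordinal comparison, which is correct because JWT claim names are case-sensitive, and a short comment should say so before someone "fixes" it to OrdinalIgnoreCase. The helper is fully visible in the hunk; the enclosing ValidateTokenCore that calls it starts and ends outside the visible hunks.
```csharp
/// <summary>
/// Rejects an actor token that carries user-identity claims: an app-only actor token
/// must not name a user, so any of these claims means it is not an app token.
/// </summary>
/// <param name="actorToken">Actor token taken from the outer token; null is accepted.</param>
/// <exception cref="UnauthorizedAccessException">Thrown when a user claim is present.</exception>
private static void ValidateActorTokenForAppOnly(JsonWebSecurityToken actorToken)
{
    if (actorToken == null)
    {
        return;
    }

    // JWT claim names are case-sensitive, so the ordinal comparison is intentional.
    bool hasUserClaim = actorToken.Claims.Any(
        c => UserClaimTypes.Contains(c.ClaimType, StringComparer.Ordinal));
    if (hasUserClaim)
    {
        throw new UnauthorizedAccessException("Invalid actor token.");
    }
}

// Claim types that only appear on tokens issued for a user (delegated) context.
private static readonly string[] UserClaimTypes = { "scp", "upn", "unique_name", "altsecid" };
```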
