Fixing the ValidateIsseur method:

jmprieur · jmprieur · commit 7bd53b8e04ab · 2018-05-07T19:42:38.000+02:00
The contract for TokenValidationParameters.IssuerValidator is to throw on an invalid issuer. The recommendation is to throw a SecurityTokenInvalidIssuerExpecption.
diff --git a/TodoListService/Extensions/AzureAdAuthenticationBuilderExtensions.cs b/TodoListService/Extensions/AzureAdAuthenticationBuilderExtensions.cs
@@ -63,21 +63,21 @@ private string ValidateIssuer(string issuer, SecurityToken securityToken, TokenV
                     Guid tenantId;
                     if (uri.Scheme != authorityUri.Scheme || uri.Authority != authorityUri.Authority)
                     {
-                        return null;
+                        throw new SecurityTokenInvalidIssuerException("Issuer has wrong authority");
                     }
                     if (!Guid.TryParse(parts[1], out tenantId))
                     {
-                        return null;
+                        throw new SecurityTokenInvalidIssuerException("Cannot find the tenant GUID for the issuer");
                     }
                     if (parts.Length> 2 && parts[2] != "v2.0")
                     {
-                        return null;
+                        throw new SecurityTokenInvalidIssuerException("Only accepted protocol versions are AAD v1.0 or V2.0");
                     }
                     return issuer;
                 }
                 else
                 {
-                    return null;
+                    throw new SecurityTokenInvalidIssuerException("Unknown issuer");
                 }
             }
 

Original file line number	Diff line number	Diff line change
`@@ -63,21 +63,21 @@ private string ValidateIssuer(string issuer, SecurityToken securityToken, TokenV`
`63`	`63`	`Guid tenantId;`
`64`	`64`	`if (uri.Scheme != authorityUri.Scheme \|\| uri.Authority != authorityUri.Authority)`
`65`	`65`	`{`
`66`		`- return null;`
	`66`	`+ throw new SecurityTokenInvalidIssuerException("Issuer has wrong authority");`
`67`	`67`	`}`
`68`	`68`	`if (!Guid.TryParse(parts[1], out tenantId))`
`69`	`69`	`{`
`70`		`- return null;`
	`70`	`+ throw new SecurityTokenInvalidIssuerException("Cannot find the tenant GUID for the issuer");`
`71`	`71`	`}`
`72`	`72`	`if (parts.Length> 2 && parts[2] != "v2.0")`
`73`	`73`	`{`
`74`		`- return null;`
	`74`	`+ throw new SecurityTokenInvalidIssuerException("Only accepted protocol versions are AAD v1.0 or V2.0");`
`75`	`75`	`}`
`76`	`76`	`return issuer;`
`77`	`77`	`}`
`78`	`78`	`else`
`79`	`79`	`{`
`80`		`- return null;`
	`80`	`+ throw new SecurityTokenInvalidIssuerException("Unknown issuer");`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`