
Commit ca65a09

Iss validator should take into account aliases
1 parent bb2066b commit ca65a09


2 files changed

+28
-9
lines changed


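--- a/Microsoft.Identity.Web.Test/AadIssuerValidatorTests.cs
+++ b/Microsoft.Identity.Web.Test/AadIssuerValidatorTests.cs
@@ -12,6 +12,7 @@ public class AadIssuerValidatorTests
     {
         private const string Tid = "9188040d-6c67-4c5b-b112-36a304b66dad";
         private static readonly string Iss = $"https://login.microsoftonline.com/{Tid}/v2.0";
+        private static readonly string Iss2 = $"https://sts.windows.net/{Tid}/v2.0";
         private static readonly IEnumerable<string> s_aliases = new[] { "login.microsoftonline.com", "sts.windows.net" };
 
         [Fact]
@@ -44,6 +45,20 @@ public void PassingValidation()
         }
 
 
+        [Fact]
+        public void PassingValidationWithAlias()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("tid", Tid);
+            Claim tidClaim = new Claim("iss", Iss2); // sts.windows.net
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityToken(issuer: Iss2, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            validator.Validate(Iss2, jwtSecurityToken,
+                new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } });
+        }
+
         [Fact]
         public void TokenValidationParameters_ValidIssuer()
         {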
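Review bot: In PassingValidationWithAlias the two claim locals are named the wrong way round — `issClaim` holds the `tid` claim and `tidClaim` holds `iss` — which will mislead anyone extending the test; swap them to `Claim tidClaim = new Claim("tid", Tid);` and `Claim issClaim = new Claim("iss", Iss2); // sts.windows.net`. The test also only proves that Validate does not throw for an alias host, and since this change widens the set of `iss` values that pass, the section needs a counterpart that feeds an issuer whose host is outside s_aliases (and one whose path carries a different tenant id) and asserts rejection. If Validate returns the accepted issuer string, the positive case should also `Assert.Equal(Iss2, ...)` on it rather than discarding the result. Finally, the fixture `https://sts.windows.net/{Tid}/v2.0` is not, to my knowledge, the shape real v1 issuers take (`https://sts.windows.net/{tid}/`, no `v2.0` segment, trailing slash), so a case using that form would exercise the path matching more realistically — whether IsValidTidInLocalPath handles a trailing slash is not visible here.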

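--- a/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs
+++ b/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs
@@ -49,11 +49,11 @@ public class AadIssuerValidator
         /// <summary>
         /// A list of all Issuers across the various Azure AD instances
         /// </summary>
-        private readonly SortedSet<string> _issuerAliases;
+        private readonly ISet<string> _issuerAliases;
 
         internal /* internal for test */ AadIssuerValidator(IEnumerable<string> aliases)
         {
-            _issuerAliases = new SortedSet<string>(aliases);
+            _issuerAliases = new HashSet<string>(aliases, StringComparer.OrdinalIgnoreCase);
         }
 
         /// <summary>
@@ -86,8 +86,12 @@ public static AadIssuerValidator GetIssuerValidator(string aadAuthority)
             }
 
             // Add issuer aliases of the chosen authority
-            string authority = authorityHost ?? FallbackAuthority;
-            var aliases = issuerMetadata.Metadata.Where(m => m.Aliases.Any(a => a == authority)).SelectMany(m => m.Aliases).Distinct();
+            string authority = authorityHost ?? new Uri(FallbackAuthority).Host;
+            var aliases = issuerMetadata.Metadata
+                .Where(m => m.Aliases.Any(a => string.Equals(a , authority, StringComparison.OrdinalIgnoreCase)))
+                .SelectMany(m => m.Aliases)
+                .Distinct();
+
             s_issuerValidators[authority] = new AadIssuerValidator(aliases);
             return s_issuerValidators[authority];
         }
@@ -143,15 +147,15 @@ private bool IsValidIssuer(string validIssuerTemplate, string tenantId, string a
 
             try
             {
-                var uri = new Uri(validIssuerTemplate.Replace("{tenantid}", tenantId));
+                var issuerFromTemplateUri = new Uri(validIssuerTemplate.Replace("{tenantid}", tenantId));
                 var actualIssuerUri = new Uri(actualIssuer);
 
                 // Template authority is in the aliases
-                return _issuerAliases.Contains(uri.Authority) &&
-                    // "iss" authority matches
-                    string.Equals(uri.Authority, actualIssuerUri.Authority) &&
+                return _issuerAliases.Contains(issuerFromTemplateUri.Authority) &&
+                    // "iss" authority is in the aliases
+                    _issuerAliases.Contains(actualIssuerUri.Authority) &&
                     // Template authority ends in the tenantId
-                    IsValidTidInLocalPath(tenantId, uri) &&
+                    IsValidTidInLocalPath(tenantId, issuerFromTemplateUri) &&
                     // "iss" ends in the tenantId
                     IsValidTidInLocalPath(tenantId, actualIssuerUri);
             }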
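Review bot: The rewritten predicate in IsValidIssuer drops the host equality between the template and `iss`, so alias-set membership plus the tenant-id path check is now the only thing binding an incoming issuer to the configured authority; that is the intended widening, but it makes the quality of the alias set security-relevant, and GetIssuerValidator silently hands the constructor an empty set when `authority` matches no metadata entry, which now rejects every token with no diagnostic — add a guard after the query such as `if (!aliases.Any()) throw new InvalidOperationException($"No issuer aliases found for authority '{authority}'.");`. Neither the old nor the new condition checks `actualIssuerUri.Scheme`, so an `iss` of `http://sts.windows.net/<tid>/v2.0` satisfies both the host and path clauses; that predates this commit, but while the predicate is being rewritten an `actualIssuerUri.Scheme == Uri.UriSchemeHttps` clause is cheap hardening, unless the signing-key lookup elsewhere already makes it moot (not visible here). The `s_issuerValidators[authority]` cache is keyed by the caller's spelling of the host while alias comparison is now OrdinalIgnoreCase, so differently-cased authorities get separate validator instances — harmless, but if that dictionary is a plain Dictionary its declaration (outside the hunk) should use `StringComparer.OrdinalIgnoreCase` too. Where `tenantId` originates is also outside the hunk; if it is read from the token's own `tid` claim, the path checks only enforce iss/tid self-consistency and the allowed-tenant decision must be enforced by the caller. IsValidIssuer's catch block follows the last hunk line.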
