Making JWT token audience/issuer validation case insensitive. (#9684)

Author: mathewc

src/WebJobs.Script.WebHost/Filters/JwtAuthenticationAttribute.cs

@@ -5,7 +5,6 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http.Headers;
-using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web.Http.Filters;
@@ -50,8 +49,8 @@ public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationTok
                     var validationParameters = new TokenValidationParameters()
                     {
                         IssuerSigningKeys = signingKeys,
-                        ValidateAudience = true,
-                        ValidateIssuer = true,
+                        AudienceValidator = AudienceValidator,
+                        IssuerValidator = IssuerValidator,
                         ValidAudiences = new string[]
                         {
                             string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
@@ -76,5 +75,31 @@ public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationTok
         }
 
         public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) => Task.CompletedTask;
+
+        private static string IssuerValidator(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
+        {
+            if (!validationParameters.ValidIssuers.Any(p => string.Equals(issuer, p, StringComparison.OrdinalIgnoreCase)))
+            {
+                throw new SecurityTokenInvalidIssuerException("IDX10205: Issuer validation failed.")
+                {
+                    InvalidIssuer = issuer,
+                };
+            }
+
+            return issuer;
+        }
+
+        private static bool AudienceValidator(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
+        {
+            foreach (string audience in audiences)
+            {
+                if (validationParameters.ValidAudiences.Any(p => string.Equals(audience, p, StringComparison.OrdinalIgnoreCase)))
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
     }
 }

test/WebJobs.Script.Tests/Filters/JwtAuthenticationAttributeTests.cs

@@ -52,6 +52,7 @@ public JwtAuthenticationAttributeTests()
         [InlineData(nameof(HttpRequestHeader.Authorization), "https://testsite.azurewebsites.net", "https://testsite.azurewebsites.net")]
         [InlineData(ScriptConstants.SiteTokenHeaderName)]
         [InlineData(ScriptConstants.SiteTokenHeaderName, "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://AppService.Core.Azurewebsites.net", "https://TestSite.Azurewebsites.net")]
         [InlineData(ScriptConstants.SiteTokenHeaderName, "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]
         [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net")]
         [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]