AzureAD · saurabhsathe-ms · May 1, 2025 · May 2, 2025 · May 2, 2025 · May 2, 2025
@@ -27,6 +27,29 @@ public partial class JsonWebTokenHandler : TokenHandler
     {
         private static readonly SecurityTokenDescriptor s_emptyTokenDescriptor = new();
 
+        private static int _maxActorChainLength = 5; // Default value
+
+        /// <summary>
+        /// Gets or sets the maximum depth allowed when processing nested actor tokens.
+        /// This prevents excessive recursion when handling deeply nested actor tokens.
+        /// The value must be at least 0. Value 0 would mean that the actor token is not allowed to be nested.
+        /// Default value is 5.
+        /// </summary>
+        /// <exception cref="ArgumentOutOfRangeException">Thrown if the value is less than 1.</exception>
+        public static int MaxActorChainLength
+        {
+            get => _maxActorChainLength;
+            set
+            {
+                if (value < 0)
+                    throw LogHelper.LogExceptionMessage(
+                        new ArgumentOutOfRangeException(nameof(value),
+                            LogHelper.FormatInvariant("IDX14314: MaxActorChainLength must be non negative. Value provided: {0}", value)));
+
+                _maxActorChainLength = value;
+            }
+        }
+
         /// <summary>
         /// Creates an unsigned JSON Web Signature (JWS).
         /// </summary>
@@ -143,7 +166,8 @@ public virtual string CreateToken(SecurityTokenDescriptor tokenDescriptor)
         internal static string CreateToken(
             SecurityTokenDescriptor tokenDescriptor,
             bool setdefaultTimesOnTokenCreation,
-            int tokenLifetimeInMinutes)
+            int tokenLifetimeInMinutes,
+            int actorChainDepth = 0)
         {
             // The form of a JWS is: Base64UrlEncoding(UTF8(Header)) | . | Base64UrlEncoding(Payload) | . | Base64UrlEncoding(Signature)
             // Where the Header is specifically the UTF8 bytes of the JSON, whereas the Payload encoding is not specified, but UTF8 is used by everyone.
@@ -175,7 +199,8 @@ internal static string CreateToken(
                         ref writer,
                         tokenDescriptor,
                         setdefaultTimesOnTokenCreation,
-                        tokenLifetimeInMinutes);
+                        tokenLifetimeInMinutes,
+                        actorChainDepth);
 
                     // mark end of payload
                     int payloadEnd = (int)utf8ByteMemoryStream.Length;
@@ -601,12 +626,14 @@ int sizeOfEncodedHeaderAndPayloadAsciiBytes
         /// <param name="tokenDescriptor">The <see cref="SecurityTokenDescriptor"/> used to create the token.</param>
         /// <param name="setDefaultTimesOnTokenCreation">A boolean that controls if expiration, notbefore, issuedat should be added if missing.</param>
         /// <param name="tokenLifetimeInMinutes">The default value for the token lifetime in minutes.</param>
+        /// <param name="actorChainDepth">Controls the recursion length while parsing nested actor tokens</param>
         /// <returns>A dictionary of claims.</returns>
         internal static void WriteJwsPayload(
             ref Utf8JsonWriter writer,
             SecurityTokenDescriptor tokenDescriptor,
             bool setDefaultTimesOnTokenCreation,
-            int tokenLifetimeInMinutes)
+            int tokenLifetimeInMinutes,
+            int actorChainDepth)
         {
             bool descriptorClaimsAudienceChecked = false;
             bool audienceSet = false;
@@ -618,6 +645,7 @@ internal static void WriteJwsPayload(
             bool iatSet = false;
             bool descriptorClaimsNbfChecked = false;
             bool nbfSet = false;
+            bool isActorTokenSet = false;
 
             writer.WriteStartObject();
 
@@ -673,6 +701,10 @@ internal static void WriteJwsPayload(
             {
                 foreach (KeyValuePair<string, object> kvp in tokenDescriptor.Claims)
                 {
+                    if (kvp.Key.Equals(JwtRegisteredClaimNames.Actort, StringComparison.Ordinal))
+                    {
+                        continue;
+                    }
                     if (!descriptorClaimsAudienceChecked && kvp.Key.Equals(JwtRegisteredClaimNames.Aud, StringComparison.Ordinal))
                     {
                         descriptorClaimsAudienceChecked = true;
@@ -753,9 +785,36 @@ internal static void WriteJwsPayload(
 
                     JsonPrimitives.WriteObject(ref writer, kvp.Key, kvp.Value);
                 }
+                if (tokenDescriptor.Claims.ContainsKey(JwtRegisteredClaimNames.Actort))
+                {
+                    // Check for maximum actor chain depth
+                    if (actorChainDepth >= MaxActorChainLength)
+                    {
+                        throw LogHelper.LogExceptionMessage(
+                            new SecurityTokenException(
+                                LogHelper.FormatInvariant(
+                                LogMessages.IDX14313,
+                                 LogHelper.MarkAsNonPII(MaxActorChainLength))));
+                    }
+                    if (isActorTokenSet)
+                    {
+                        if (LogHelper.IsEnabled(EventLogLevel.Informational))
+                            LogHelper.LogInformation(LogHelper.FormatInvariant(LogMessages.IDX14113, LogHelper.MarkAsNonPII(nameof(tokenDescriptor.Expires))));
+
+                    }
+                    ClaimsIdentity actor = tokenDescriptor.Claims[JwtRegisteredClaimNames.Actort] as ClaimsIdentity;
+                    var actorTokenDescriptor = new SecurityTokenDescriptor
+                    {
+                        Subject = actor
+                    };
+                    actorChainDepth = actorChainDepth + 1;
+                    string actorToken = CreateToken(actorTokenDescriptor, false, 0, actorChainDepth);
+                    JsonPrimitives.WriteObject(ref writer, JwtRegisteredClaimNames.Actort, actorToken);
+                    isActorTokenSet = true;
+                }
             }
 
-            AddSubjectClaims(ref writer, tokenDescriptor, audienceSet, issuerSet, ref expSet, ref iatSet, ref nbfSet);
+            AddSubjectClaims(ref writer, tokenDescriptor, audienceSet, issuerSet, ref expSet, ref iatSet, ref nbfSet, ref isActorTokenSet, actorChainDepth);
 
             // By default we set these three properties only if they haven't been detected before.
             if (setDefaultTimesOnTokenCreation && !(expSet && iatSet && nbfSet))
@@ -792,7 +851,9 @@ internal static void AddSubjectClaims(
             bool issuerSet,
             ref bool expSet,
             ref bool iatSet,
-            ref bool nbfSet)
+            ref bool nbfSet,
+            ref bool isActorTokenSet,
+            int actorChainDepth = 0)
         {
             if (tokenDescriptor.Subject == null)
                 return;
@@ -805,6 +866,26 @@ internal static void AddSubjectClaims(
 
             bool checkClaims = tokenDescriptor.Claims != null && tokenDescriptor.Claims.Count > 0;
 
+            if (!isActorTokenSet && tokenDescriptor.Subject.Actor != null)
+            {
+                if (actorChainDepth >= MaxActorChainLength)
+                {
+                    throw LogHelper.LogExceptionMessage(
+                        new SecurityTokenException(
+                            LogHelper.FormatInvariant(
+                            LogMessages.IDX14313,
+                             LogHelper.MarkAsNonPII(MaxActorChainLength))));
+                }
+                var actorTokenDescriptor = new SecurityTokenDescriptor
+                {
+                    Subject = tokenDescriptor.Subject.Actor,
+                };
+
+                string actorToken = CreateToken(actorTokenDescriptor, false, 0, actorChainDepth + 1);
+                writer.WritePropertyName(JwtRegisteredClaimNames.Actort);
+                writer.WriteStringValue(actorToken);
+                isActorTokenSet = true;
+            }
             foreach (Claim claim in tokenDescriptor.Subject.Claims)
             {
                 if (claim == null)

@@ -51,5 +51,6 @@ internal static class LogMessages
         internal const string IDX14310 = "IDX14310: JWE authentication tag is missing.";
         internal const string IDX14311 = "IDX14311: Unable to decode the authentication tag as a Base64Url encoded string.";
         internal const string IDX14312 = "IDX14312: Unable to decode the cipher text as a Base64Url encoded string.";
+        internal const string IDX14313 = "IDX14313: Unable to serialize actor token. Actor token chain exceeded maximum depth of {0}";
     }
 }
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <Import Project="..\..\build\common.props" />
 

@@ -0,0 +1,2 @@
+static Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.MaxActorChainLength.get -> int
+static Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.MaxActorChainLength.set -> void
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		static Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.MaxActorChainLength.get -> int
		static Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.MaxActorChainLength.set -> void