SecurityService Use Issuer for token, if no kid available

whamm86 · whamm86 · commit 2ffc513cb453 · 2026-01-22T09:41:23.000+01:00
diff --git a/src/AasSecurity/SecurityHelper.cs b/src/AasSecurity/SecurityHelper.cs
@@ -13,6 +13,7 @@
 
 using AasxServer;
 using Extensions;
+using Microsoft.IdentityModel.Tokens;
 using System.Security.Cryptography.X509Certificates;
 
 namespace AasSecurity
@@ -93,18 +94,20 @@ private static void ParseSecurityMetamodel()
             return null;
         }
 
-        internal static string? FindServerJwksUrl(string kid, out string domain)
+        internal static string? FindServerJwksUrl(string kid, string iss, out string domain)
         {
             domain = "";
             if (GlobalSecurityVariables.ServerKid != null)
             {
                 for (var i = 0; i < GlobalSecurityVariables.ServerKid.Count; i++)
                 {
-                    if (GlobalSecurityVariables.ServerKid[i] == kid)
+                    if ((GlobalSecurityVariables.ServerKid[i] != "" &&
+                        GlobalSecurityVariables.ServerKid[i] == kid)
+                        || GlobalSecurityVariables.ServerJwksUrl[i] == iss)
                     {
                         domain = GlobalSecurityVariables.ServerDomain[i];
                         return GlobalSecurityVariables.ServerJwksUrl[i];
-                    }
+                    }
                 }
             }
 
diff --git a/src/AasSecurity/SecurityService.cs b/src/AasSecurity/SecurityService.cs
@@ -482,7 +482,7 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
                             var kid = jwtSecurityToken.Header["kid"].ToString();
                             if (kid != null)
                             {
-                                jwksUrl = SecurityHelper.FindServerJwksUrl(kid, out domain);
+                                jwksUrl = SecurityHelper.FindServerJwksUrl(kid, iss, out domain);
                             }
                             if (!jwksUrl.IsNullOrEmpty())
                             {
diff --git a/src/AasSecurity/SecuritySettingsForServerParser.cs b/src/AasSecurity/SecuritySettingsForServerParser.cs
@@ -168,9 +168,6 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                 XNamespace ns = "http://uri.etsi.org/02231/v2#"; // <- critical
                                                                  // (There's also an XMLDSIG signature later in a different ns; we can ignore it.)
 
-                XNamespace nsDs = "http://www.w3.org/2000/09/xmldsig#";   // XMLDSIG ns (for <Signature>)
-
-
                 // Navigate to <TrustServiceProviderList>
                 var tspList = doc
                     .Root                             // <TrustServiceStatusList>
@@ -227,8 +224,14 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                 foreach (var provider in providers)
                 {
                     var serverName = provider?.Service?.Name;
+                    Console.WriteLine(" serverName: " + serverName);
+
                     var domain = provider?.Domain;
+                    Console.WriteLine("  domain: " + domain);
+
                     var jwks = provider?.Service?.SupplyPoint;
+                    Console.WriteLine("  jwks: " + jwks);
+
                     var kid = "";
 
                     GlobalSecurityVariables.ServerCertificates.Add(null);
diff --git a/src/AasxServerBlazor/trustlist.txt b/src/AasxServerBlazor/trustlist.txt
@@ -112,8 +112,3 @@ kooy8pxAjM5YUv+GDZdu3ojEdtDtTeZewiAXVCcDeUSLb+q2ogB2GTbYkuBSebhZ
 BmNbiHJ541E5aeIXKj1Ksdv6fUgYvzXgASKfjpq3l+bD7XSBbIAp9mMYl/pi0C8D
 ejiwt3d6N936huydhEwz
 -----END CERTIFICATE-----
-
-# Token exchange
-serverName: STS
-jwks: https://iam-security-training.com/sts
-kid: demo-key

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`
`14`	`14`	`using AasxServer;`
`15`	`15`	`using Extensions;`
	`16`	`+using Microsoft.IdentityModel.Tokens;`
`16`	`17`	`using System.Security.Cryptography.X509Certificates;`
`17`	`18`
`18`	`19`	`namespace AasSecurity`
`@@ -93,18 +94,20 @@ private static void ParseSecurityMetamodel()`
`93`	`94`	`return null;`
`94`	`95`	`}`
`95`	`96`
`96`		`- internal static string? FindServerJwksUrl(string kid, out string domain)`
	`97`	`+ internal static string? FindServerJwksUrl(string kid, string iss, out string domain)`
`97`	`98`	`{`
`98`	`99`	`domain = "";`
`99`	`100`	`if (GlobalSecurityVariables.ServerKid != null)`
`100`	`101`	`{`
`101`	`102`	`for (var i = 0; i < GlobalSecurityVariables.ServerKid.Count; i++)`
`102`	`103`	`{`
`103`		`- if (GlobalSecurityVariables.ServerKid[i] == kid)`
	`104`	`+ if ((GlobalSecurityVariables.ServerKid[i] != "" &&`
	`105`	`+ GlobalSecurityVariables.ServerKid[i] == kid)`
	`106`	`+ \|\| GlobalSecurityVariables.ServerJwksUrl[i] == iss)`
`104`	`107`	`{`
`105`	`108`	`domain = GlobalSecurityVariables.ServerDomain[i];`
`106`	`109`	`return GlobalSecurityVariables.ServerJwksUrl[i];`
`107`		`- }`
	`110`	`+ }`
`108`	`111`	`}`
`109`	`112`	`}`
`110`	`113`
Original file line number	Diff line number	Diff line change
`@@ -482,7 +482,7 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool`
`482`	`482`	`var kid = jwtSecurityToken.Header["kid"].ToString();`
`483`	`483`	`if (kid != null)`
`484`	`484`	`{`
`485`		`- jwksUrl = SecurityHelper.FindServerJwksUrl(kid, out domain);`
	`485`	`+ jwksUrl = SecurityHelper.FindServerJwksUrl(kid, iss, out domain);`
`486`	`486`	`}`
`487`	`487`	`if (!jwksUrl.IsNullOrEmpty())`
`488`	`488`	`{`