-
Notifications
You must be signed in to change notification settings - Fork 396
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CaseSensitiveClaimsIdentity to 7x (#2715)
* Add CaseSensitiveClaimsIdentity type. (#2700) * Add CaseSensitiveClaimsIdentity. Update JsonWebTokenHandler. * Move switch to a separate class. Update claims identity creation code. * Add test. * Update AppContextSwitches * Update test/Microsoft.IdentityModel.Tokens.Tests/CaseSensitiveClaimsIdentityTests.cs Co-authored-by: msbw2 <brettwhite@microsoft.com> * Update comments. * Update ClaimsIdentity code creation in src. * Add tests. * Update tests to use correct types. * Add SecurityToken property to CsClaimsIdentity. * Update tests to use CsClaimsIdentity. * Refactor code into ClaimsIdentityFactory. * Update tests. * Update ClaimsIdentityFactory. * Fix tests. * Update tests for CaseSensitiveClaimsIdentity * ignore SecurityToken in IdentityComparer * Set security token in ClaimsIdentityFactory. Add tests. * Apply suggestions from code review * Update test. --------- Co-authored-by: msbw2 <brettwhite@microsoft.com> Co-authored-by: Keegan Caruso <keegancaruso@microsoft.com> * Make case sensitive claims identity an opt-in * Revert using CaseSensitiveClaimsIdentity by default in tests * Fix test name * Update src/Microsoft.IdentityModel.Tokens/AppContextSwitches.cs Co-authored-by: Peter <34331512+pmaytak@users.noreply.github.com> * Update src/Microsoft.IdentityModel.Tokens/AppContextSwitches.cs Co-authored-by: Peter <34331512+pmaytak@users.noreply.github.com> * Call TVP.CreateClaimsIdentity to support users that have overloaded. (#2716) * Call TVP.CreateClaimsIdentity to support users that have overloaded. * picked up SAML changes and TokenValidationResult * updated JwtSecurityTokenHandler, reverted tests and removed method. * touched up tests --------- Co-authored-by: id4s <user@contoso.com> * fix reference * Update src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs Co-authored-by: Peter <34331512+pmaytak@users.noreply.github.com> --------- Co-authored-by: Peter <34331512+pmaytak@users.noreply.github.com> Co-authored-by: msbw2 <brettwhite@microsoft.com> Co-authored-by: Keegan Caruso <keegancaruso@microsoft.com> Co-authored-by: BrentSchmaltz <brentschmaltz@hotmail.com> Co-authored-by: id4s <user@contoso.com>
- Loading branch information
6 people
committed
Jul 16, 2024
1 parent
eaeb748
commit 6d6a22e
Showing
23 changed files
with
681 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Security.Claims; | ||
|
|
||
| namespace Microsoft.IdentityModel.Tokens | ||
| { | ||
| /// <summary> | ||
| /// AppContext switches for Microsoft.IdentityModel.Tokens and referencing packages. | ||
| /// </summary> | ||
| internal static class AppContextSwitches | ||
| { | ||
| /// <summary> | ||
| /// Enables a new behavior of using <see cref="CaseSensitiveClaimsIdentity"/> instead of <see cref="ClaimsIdentity"/> globally. | ||
| /// </summary> | ||
| internal const string UseCaseSensitiveClaimsIdentityTypeSwitch = "Microsoft.IdentityModel.Tokens.UseCaseSensitiveClaimsIdentity"; | ||
|
|
||
| internal static bool UseCaseSensitiveClaimsIdentityType() => (AppContext.TryGetSwitch(UseCaseSensitiveClaimsIdentityTypeSwitch, out bool useCaseSensitiveClaimsIdentityType) && useCaseSensitiveClaimsIdentityType); | ||
| } | ||
| } |
122 changes: 122 additions & 0 deletions
122
src/Microsoft.IdentityModel.Tokens/CaseSensitiveClaimsIdentity.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.Security.Claims; | ||
|
|
||
| namespace Microsoft.IdentityModel.Tokens | ||
| { | ||
| /// <summary> | ||
| /// A derived <see cref="ClaimsIdentity"/> where claim retrieval is case-sensitive. The current <see cref="ClaimsIdentity"/> retrieves claims in a case-insensitive manner which is different than querying the underlying <see cref="SecurityToken"/>. The <see cref="CaseSensitiveClaimsIdentity"/> provides consistent retrieval logic between the <see cref="SecurityToken"/> and <see cref="ClaimsIdentity"/>. | ||
| /// </summary> | ||
| public class CaseSensitiveClaimsIdentity : ClaimsIdentity | ||
| { | ||
| /// <summary> | ||
| /// Gets the <see cref="SecurityToken"/> associated with this claims identity. | ||
| /// </summary> | ||
| public SecurityToken SecurityToken { get; internal set; } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| public CaseSensitiveClaimsIdentity() : base() | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="authenticationType">The authentication method used to establish this identity.</param> | ||
| public CaseSensitiveClaimsIdentity(string authenticationType) : base(authenticationType) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="claimsIdentity"><see cref="ClaimsIdentity"/> to copy.</param> | ||
| public CaseSensitiveClaimsIdentity(ClaimsIdentity claimsIdentity) : base(claimsIdentity) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param> | ||
| public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims) : base(claims) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param> | ||
| /// <param name="authenticationType">The authentication method used to establish this identity.</param> | ||
| public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims, string authenticationType) : base(claims, authenticationType) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param> | ||
| /// <param name="authenticationType">The authentication method used to establish this identity.</param> | ||
| /// <param name="nameType">The <see cref="Claim.Type"/> used when obtaining the value of <see cref="ClaimsIdentity.Name"/>.</param> | ||
| /// <param name="roleType">The <see cref="Claim.Type"/> used when performing logic for <see cref="ClaimsPrincipal.IsInRole"/>.</param> | ||
| public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims, string authenticationType, string nameType, string roleType) : | ||
| base(claims, authenticationType, nameType, roleType) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>. | ||
| /// </summary> | ||
| /// <param name="authenticationType">The authentication method used to establish this identity.</param> | ||
| /// <param name="nameType">The <see cref="Claim.Type"/> used when obtaining the value of <see cref="ClaimsIdentity.Name"/>.</param> | ||
| /// <param name="roleType">The <see cref="Claim.Type"/> used when performing logic for <see cref="ClaimsPrincipal.IsInRole"/>.</param> | ||
| public CaseSensitiveClaimsIdentity(string authenticationType, string nameType, string roleType) : | ||
| base(authenticationType, nameType, roleType) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Retrieves a <see cref="IEnumerable{Claim}"/> where each <see cref="Claim.Type"/> equals <paramref name="type"/>. | ||
| /// </summary> | ||
| /// <param name="type">The type of the claim to match.</param> | ||
| /// <returns>A <see cref="IEnumerable{Claim}"/> of matched claims.</returns> | ||
| /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/>.</remarks> | ||
| /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception> | ||
| public override IEnumerable<Claim> FindAll(string type) | ||
| { | ||
| return base.FindAll(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Retrieves the first <see cref="Claim"/> where <see cref="Claim.Type"/> equals <paramref name="type"/>. | ||
| /// </summary> | ||
| /// <param name="type">The type of the claim to match.</param> | ||
| /// <returns>A <see cref="Claim"/>, <see langword="null"/> if nothing matches.</returns> | ||
| /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/>.</remarks> | ||
| /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception> | ||
| public override Claim FindFirst(string type) | ||
| { | ||
| return base.FindFirst(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Determines if a claim with type AND value is contained within this claims identity. | ||
| /// </summary> | ||
| /// <param name="type">The type of the claim to match.</param> | ||
| /// <param name="value">The value of the claim to match.</param> | ||
| /// <returns><c>true</c> if a claim is matched, <c>false</c> otherwise.</returns> | ||
| /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/> for <see cref="Claim.Type"/> and <see cref="Claim.Value"/>.</remarks> | ||
| /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception> | ||
| /// <exception cref="ArgumentNullException">if <paramref name="value"/> is null.</exception> | ||
| public override bool HasClaim(string type, string value) | ||
| { | ||
| return base.HasClaim(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true | ||
| && claim?.Value.Equals(value, StringComparison.Ordinal) == true); | ||
| } | ||
| } | ||
| } |
41 changes: 41 additions & 0 deletions
41
src/Microsoft.IdentityModel.Tokens/ClaimsIdentityFactory.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.Collections.Generic; | ||
| using System.Security.Claims; | ||
|
|
||
| namespace Microsoft.IdentityModel.Tokens | ||
| { | ||
| /// <summary> | ||
| /// Facilitates the creation of <see cref="ClaimsIdentity"/> and <see cref="CaseSensitiveClaimsIdentity"/> instances based on the <see cref="AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch"/>. | ||
| /// </summary> | ||
| internal static class ClaimsIdentityFactory | ||
| { | ||
| internal static ClaimsIdentity Create(IEnumerable<Claim> claims) | ||
| { | ||
| if (AppContextSwitches.UseCaseSensitiveClaimsIdentityType()) | ||
| return new CaseSensitiveClaimsIdentity(claims); | ||
|
|
||
| return new ClaimsIdentity(claims); | ||
| } | ||
|
|
||
| internal static ClaimsIdentity Create(IEnumerable<Claim> claims, string authenticationType) | ||
| { | ||
| if (AppContextSwitches.UseCaseSensitiveClaimsIdentityType()) | ||
| return new CaseSensitiveClaimsIdentity(claims, authenticationType); | ||
|
|
||
| return new ClaimsIdentity(claims, authenticationType); | ||
| } | ||
|
|
||
| internal static ClaimsIdentity Create(string authenticationType, string nameType, string roleType, SecurityToken securityToken) | ||
| { | ||
| if (AppContextSwitches.UseCaseSensitiveClaimsIdentityType()) | ||
| return new CaseSensitiveClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType) | ||
| { | ||
| SecurityToken = securityToken, | ||
| }; | ||
|
|
||
| return new ClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
74 changes: 74 additions & 0 deletions
74
test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerClaimsIdentityTests.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Security.Claims; | ||
| using Microsoft.IdentityModel.TestUtils; | ||
| using Microsoft.IdentityModel.Tokens; | ||
| using Xunit; | ||
|
|
||
| namespace Microsoft.IdentityModel.JsonWebTokens.Tests | ||
| { | ||
| [Collection(nameof(JsonWebTokenHandlerClaimsIdentityTests))] | ||
| public class JsonWebTokenHandlerClaimsIdentityTests | ||
| { | ||
| [Fact] | ||
| public void CreateClaimsIdentity_ReturnsClaimsIdentity_ByDefault() | ||
| { | ||
| var handler = new DerivedJsonWebTokenHandler(); | ||
| var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())); | ||
| var tokenValidationParameters = new TokenValidationParameters(); | ||
|
|
||
| var actualClaimsIdentity = handler.CreateClaimsIdentity(jsonWebToken, tokenValidationParameters); | ||
| Assert.IsType<ClaimsIdentity>(actualClaimsIdentity); | ||
|
|
||
| actualClaimsIdentity = handler.CreateClaimsIdentity(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<ClaimsIdentity>(actualClaimsIdentity); | ||
|
|
||
| actualClaimsIdentity = handler.CreateClaimsIdentityInternal(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<ClaimsIdentity>(actualClaimsIdentity); | ||
|
|
||
| // This will also test mapped claims flow. | ||
| handler.MapInboundClaims = true; | ||
| actualClaimsIdentity = handler.CreateClaimsIdentityInternal(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<ClaimsIdentity>(actualClaimsIdentity); | ||
| } | ||
|
|
||
| [Fact] | ||
| public void CreateClaimsIdentity_ReturnsCaseSensitiveClaimsIdentity_WithAppContextSwitch() | ||
| { | ||
| AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, true); | ||
|
|
||
| var handler = new DerivedJsonWebTokenHandler(); | ||
| var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())); | ||
| var tokenValidationParameters = new TokenValidationParameters(); | ||
|
|
||
| var actualClaimsIdentity = handler.CreateClaimsIdentity(jsonWebToken, tokenValidationParameters); | ||
| Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity); | ||
| Assert.NotNull(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken); | ||
|
|
||
| actualClaimsIdentity = handler.CreateClaimsIdentity(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity); | ||
| Assert.NotNull(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken); | ||
|
|
||
| actualClaimsIdentity = handler.CreateClaimsIdentityInternal(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity); | ||
| Assert.NotNull(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken); | ||
|
|
||
| // This will also test mapped claims flow. | ||
| handler.MapInboundClaims = true; | ||
| actualClaimsIdentity = handler.CreateClaimsIdentityInternal(jsonWebToken, tokenValidationParameters, Default.Issuer); | ||
| Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity); | ||
| Assert.NotNull(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken); | ||
|
|
||
| AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityTypeSwitch, false); | ||
| } | ||
|
|
||
| private class DerivedJsonWebTokenHandler : JsonWebTokenHandler | ||
| { | ||
| public new ClaimsIdentity CreateClaimsIdentity(JsonWebToken jwtToken, TokenValidationParameters validationParameters) => base.CreateClaimsIdentity(jwtToken, validationParameters); | ||
| public new ClaimsIdentity CreateClaimsIdentity(JsonWebToken jwtToken, TokenValidationParameters validationParameters, string issuer) => base.CreateClaimsIdentity(jwtToken, validationParameters, issuer); | ||
| public new ClaimsIdentity CreateClaimsIdentityInternal(SecurityToken securityToken, TokenValidationParameters tokenValidationParameters, string issuer) => base.CreateClaimsIdentityInternal(securityToken, tokenValidationParameters, issuer); | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.