From d5e27bf546108be3d835fd0f189fe9ce307912ac Mon Sep 17 00:00:00 2001
From: Chris R
Date: Tue, 25 Aug 2015 13:47:11 -0700
Subject: [PATCH] #278 Validate the message, not the JWT.
---
 .../OpenIdConnectAuthenticationHandler.cs | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
index 861ee36ce9..9e57c3fdf7 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
@@ -403,7 +403,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
- await ValidateOpenIdConnectProtocolAsync(jwt, null);
+ await ValidateOpenIdConnectProtocolAsync(null, message);
 if (Options.GetClaimsFromUserInfoEndpoint)
 {
@@ -878,24 +878,27 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
 {
- string nonce = jwt.Payload.Nonce;
- if (Options.CacheNonces)
+ string nonce = jwt?.Payload.Nonce;
+ if (!string.IsNullOrEmpty(nonce))
 {
- if (await Options.NonceCache.GetAsync(nonce) != null)
+ if (Options.CacheNonces)
 {
- await Options.NonceCache.RemoveAsync(nonce);
+ if (await Options.NonceCache.GetAsync(nonce) != null)
+ {
+ await Options.NonceCache.RemoveAsync(nonce);
+ }
+ else
+ {
+ // If the nonce cannot be removed, it was
+ // already used and MUST be rejected.
+ nonce = null;
+ }
 }
 else
 {
- // If the nonce cannot be removed, it was
- // already used and MUST be rejected.
- nonce = null;
+ nonce = ReadNonceCookie(nonce);
 }
 }
- else
- {
- nonce = ReadNonceCookie(nonce);
- }
 var protocolValidationContext = new OpenIdConnectProtocolValidationContext
 {
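Review bot: With the call at line 403 now passing `null` for `jwt`, `nonce` in ValidateOpenIdConnectProtocolAsync (second hunk) is always null on this path, so the one-time-use bookkeeping — removing the nonce from `Options.NonceCache` or reading it back through `ReadNonceCookie` — never runs, and whether the nonce is still checked at all now depends on the `protocolValidationContext` that is built after the hunk ends. Since `jwt` has just been produced by `ValidateToken` on the preceding line and `message` is already in scope, the smaller change is to pass both, `await ValidateOpenIdConnectProtocolAsync(jwt, message);`, so the message is validated without dropping nonce consumption. If passing a null `jwt` is deliberate, the new guard should say so, e.g. `// No nonce in the token: replay bookkeeping is skipped; the protocol validator decides whether a nonce is required.`, because as written an absent nonce and a replayed nonce both reach the validator as null. The enclosing method's body continues outside both hunks.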