huahaofeng
/
aspnetcore
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

#278 Validate the message, not the JWT.

This commit is contained in:
Chris R 2015-08-25 13:47:11 -07:00
parent 7213b53554
commit d5e27bf546
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
View File

@ -403,7 +403,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
await ValidateOpenIdConnectProtocolAsync(jwt, null);
await ValidateOpenIdConnectProtocolAsync(null, message);
if (Options.GetClaimsFromUserInfoEndpoint)
{
@ -878,7 +878,9 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
{
string nonce = jwt.Payload.Nonce;
string nonce = jwt?.Payload.Nonce;
if (!string.IsNullOrEmpty(nonce))
{
if (Options.CacheNonces)
{
if (await Options.NonceCache.GetAsync(nonce) != null)
@ -896,6 +898,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
{
nonce = ReadNonceCookie(nonce);
}
}
var protocolValidationContext = new OpenIdConnectProtocolValidationContext
{