Merge branch 'release' into dev

2015-08-25 13:54:41 -07:00 · 2015-08-25 13:54:41 -07:00 · d6882ce4a5
parent 34354ef53d d5e27bf546
commit d6882ce4a5
1 changed files with 18 additions and 17 deletions
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
@ -403,14 +403,14 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect

            ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);

+            await ValidateOpenIdConnectProtocolAsync(null, message);
+
            if (Options.GetClaimsFromUserInfoEndpoint)
            {
                Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
                ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
            }

-            await ValidateOpenIdConnectProtocolAsync(jwt, null);
-
            var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
            if (securityTokenValidatedNotification.HandledResponse)
            {
@ -528,8 +528,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
            var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
            if (subjectClaimType == null)
            {
-                Logger.LogError(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
-                return ticket;
+                throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
            }

            var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
@ -537,8 +536,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
            // check if the sub claim matches
            if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
            {
-                Logger.LogError(Resources.OIDCH_0039_Subject_Claim_Mismatch);
-                return ticket;
+                throw new OpenIdConnectProtocolException(Resources.OIDCH_0039_Subject_Claim_Mismatch);
            }

            foreach (var claim in identity.Claims)
@ -880,24 +878,27 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect

        private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
        {
-            string nonce = jwt.Payload.Nonce;
-            if (Options.CacheNonces)
+            string nonce = jwt?.Payload.Nonce;
+            if (!string.IsNullOrEmpty(nonce))
            {
-                if (await Options.NonceCache.GetAsync(nonce) != null)
+                if (Options.CacheNonces)
                {
-                    await Options.NonceCache.RemoveAsync(nonce);
+                    if (await Options.NonceCache.GetAsync(nonce) != null)
+                    {
+                        await Options.NonceCache.RemoveAsync(nonce);
+                    }
+                    else
+                    {
+                        // If the nonce cannot be removed, it was
+                        // already used and MUST be rejected.
+                        nonce = null;
+                    }
                }
                else
                {
-                    // If the nonce cannot be removed, it was
-                    // already used and MUST be rejected.
-                    nonce = null;
+                    nonce = ReadNonceCookie(nonce);
                }
            }
-            else
-            {
-                nonce = ReadNonceCookie(nonce);
-            }

            var protocolValidationContext = new OpenIdConnectProtocolValidationContext
            {