Merge branch 'release' into dev
This commit is contained in:
commit
d6882ce4a5
|
|
@ -403,14 +403,14 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
|
|
||||||
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
|
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
|
||||||
|
|
||||||
|
await ValidateOpenIdConnectProtocolAsync(null, message);
|
||||||
|
|
||||||
if (Options.GetClaimsFromUserInfoEndpoint)
|
if (Options.GetClaimsFromUserInfoEndpoint)
|
||||||
{
|
{
|
||||||
Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
|
Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
|
||||||
ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
|
ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
|
||||||
}
|
}
|
||||||
|
|
||||||
await ValidateOpenIdConnectProtocolAsync(jwt, null);
|
|
||||||
|
|
||||||
var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
|
var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
|
||||||
if (securityTokenValidatedNotification.HandledResponse)
|
if (securityTokenValidatedNotification.HandledResponse)
|
||||||
{
|
{
|
||||||
|
|
@ -528,8 +528,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
|
var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
|
||||||
if (subjectClaimType == null)
|
if (subjectClaimType == null)
|
||||||
{
|
{
|
||||||
Logger.LogError(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
|
throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
|
||||||
return ticket;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
|
var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
|
||||||
|
|
@ -537,8 +536,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
// check if the sub claim matches
|
// check if the sub claim matches
|
||||||
if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
|
if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
|
||||||
{
|
{
|
||||||
Logger.LogError(Resources.OIDCH_0039_Subject_Claim_Mismatch);
|
throw new OpenIdConnectProtocolException(Resources.OIDCH_0039_Subject_Claim_Mismatch);
|
||||||
return ticket;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (var claim in identity.Claims)
|
foreach (var claim in identity.Claims)
|
||||||
|
|
@ -880,24 +878,27 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
|
|
||||||
private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
|
private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
|
||||||
{
|
{
|
||||||
string nonce = jwt.Payload.Nonce;
|
string nonce = jwt?.Payload.Nonce;
|
||||||
if (Options.CacheNonces)
|
if (!string.IsNullOrEmpty(nonce))
|
||||||
{
|
{
|
||||||
if (await Options.NonceCache.GetAsync(nonce) != null)
|
if (Options.CacheNonces)
|
||||||
{
|
{
|
||||||
await Options.NonceCache.RemoveAsync(nonce);
|
if (await Options.NonceCache.GetAsync(nonce) != null)
|
||||||
|
{
|
||||||
|
await Options.NonceCache.RemoveAsync(nonce);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// If the nonce cannot be removed, it was
|
||||||
|
// already used and MUST be rejected.
|
||||||
|
nonce = null;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
// If the nonce cannot be removed, it was
|
nonce = ReadNonceCookie(nonce);
|
||||||
// already used and MUST be rejected.
|
|
||||||
nonce = null;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
|
||||||
{
|
|
||||||
nonce = ReadNonceCookie(nonce);
|
|
||||||
}
|
|
||||||
|
|
||||||
var protocolValidationContext = new OpenIdConnectProtocolValidationContext
|
var protocolValidationContext = new OpenIdConnectProtocolValidationContext
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue