fix check for tenantId (#1801)

AzureAD · Jan 19, 2022 · 9e6f90a · 9e6f90a
1 parent 669515a
commit 9e6f90a
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 2 deletions.
diff --git a/src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs b/src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs
@@ -264,7 +264,7 @@ private static string GetTenantIdFromToken(SecurityToken securityToken)
                 if (jsonWebToken.TryGetPayloadValue(AadIssuerValidatorConstants.Tid, out string tid))
                     return tid;
 
-                if (jsonWebToken.TryGetPayloadValue(AadIssuerValidatorConstants.Tid, out string tenantId))
+                if (jsonWebToken.TryGetPayloadValue(AadIssuerValidatorConstants.TenantId, out string tenantId))
                     return tenantId;
 
                 // Since B2C doesn't have "tid" as default, get it from issuer

diff --git a/test/Microsoft.IdentityModel.TestUtils/Default.cs b/test/Microsoft.IdentityModel.TestUtils/Default.cs
@@ -804,6 +804,28 @@ public static SecurityTokenDescriptor SecurityTokenDescriptor(EncryptingCredenti
             };
         }
 
+        public static SecurityTokenDescriptor SecurityTokenDescriptor(SigningCredentials signingCredentials, List<Claim> claims)
+        {
+            var securityTokenDescriptor = new SecurityTokenDescriptor
+            {
+                Audience = Audience,
+                EncryptingCredentials = null,
+                Expires = DateTime.UtcNow + TimeSpan.FromDays(1),
+                Issuer = claims?.FirstOrDefault(c => c.Type == "iss")?.Value ?? Issuer,
+                IssuedAt = DateTime.UtcNow,
+                NotBefore = DateTime.UtcNow,
+                SigningCredentials = signingCredentials,
+                Subject = claims == null ? ClaimsIdentity : new ClaimsIdentity(claims),
+            };
+
+            if (securityTokenDescriptor.Claims == null)
+                securityTokenDescriptor.Claims = new Dictionary<string, object>();
+
+            foreach (Claim c in claims)
+                securityTokenDescriptor.Claims.Add(c.Type, c.Value);
+            return securityTokenDescriptor;
+        }
+
         public static SecurityTokenDescriptor X509SecurityTokenDescriptor(EncryptingCredentials encryptingCredentials, X509SigningCredentials signingCredentials, List<Claim> claims)
         {
             return new SecurityTokenDescriptor
@@ -887,7 +909,7 @@ public static Signature SignatureNS
                     KeyInfo = KeyInfo,
                     Prefix = "ds",
                     SignedInfo = SignedInfoNS,
-                    SignatureValue = "biUXAYkV/sx8E7B/0POdk4J5LDkgsRLqHwZDvlJOHSDrsKuGlAlg6+oCfuV14j7uNGu/NSoOFavDSXuS9tJNAxGfeWuy3AOOeXqG+VtJY+cEJtw2WpjSs9xVc3aP58OM/x2phYOZ60Gp4h+mjjG76q7NSAoPrqaVTpw67efbB30pvPSLqTTYdXSOodcKBS25fmEFLraHvWnxAyvFCqbteIOcuOeCDL68dTcqTwVXSZIfeU3Xz8dztA7S4+DuIVuPyEFz9oV3ku8LaNfBO1Zu+v76bZMvLy2iBWhH756UILSLgEndFEOVeAb/PDzXqhwAU4NCUOeNe2WBE6nttNKmXQ==",                    
+                    SignatureValue = "biUXAYkV/sx8E7B/0POdk4J5LDkgsRLqHwZDvlJOHSDrsKuGlAlg6+oCfuV14j7uNGu/NSoOFavDSXuS9tJNAxGfeWuy3AOOeXqG+VtJY+cEJtw2WpjSs9xVc3aP58OM/x2phYOZ60Gp4h+mjjG76q7NSAoPrqaVTpw67efbB30pvPSLqTTYdXSOodcKBS25fmEFLraHvWnxAyvFCqbteIOcuOeCDL68dTcqTwVXSZIfeU3Xz8dztA7S4+DuIVuPyEFz9oV3ku8LaNfBO1Zu+v76bZMvLy2iBWhH756UILSLgEndFEOVeAb/PDzXqhwAU4NCUOeNe2WBE6nttNKmXQ==",
                 };
 
                 return signature;

diff --git a/test/Microsoft.IdentityModel.Validators.Tests/MicrosoftIdentityIssuerValidatorTest.cs b/test/Microsoft.IdentityModel.Validators.Tests/MicrosoftIdentityIssuerValidatorTest.cs
@@ -26,6 +26,7 @@
 //------------------------------------------------------------------------------
 
 using System;
+using System.Collections.Generic;
 using System.Globalization;
 using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
@@ -305,6 +306,31 @@ public void Validate_IssuerNotInTokenValidationParameters_ReturnsIssuer(string t
             TestUtilities.AssertFailIfErrors(context);
         }
 
+        [Theory]
+        [InlineData(ValidatorConstants.ClaimNameTid, ValidatorConstants.AadIssuer)]
+        [InlineData(ValidatorConstants.TenantId, ValidatorConstants.AadIssuer)]
+        [InlineData(ValidatorConstants.ClaimNameTid, ValidatorConstants.V1Issuer)]
+        [InlineData(ValidatorConstants.TenantId, ValidatorConstants.V1Issuer)]
+        public void ValidateJsonWebToken_ReturnsIssuer(string tidClaimType, string issuer)
+        {
+            var context = new CompareContext();
+            var validator = new AadIssuerValidator(_httpClient, issuer);
+            var tidClaim = new Claim(tidClaimType, ValidatorConstants.TenantIdAsGuid);
+
+            var issClaim = new Claim(ValidatorConstants.ClaimNameIss, issuer);
+            List<Claim> claims = new List<Claim>();
+            claims.Add(tidClaim);
+            claims.Add(issClaim);
+
+            var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor(Default.SymmetricSigningCredentials, claims)));
+            var tokenValidationParams = new TokenValidationParameters() { ConfigurationManager = new MockConfigurationManager<OpenIdConnectConfiguration>(new OpenIdConnectConfiguration() { Issuer = issuer }) };
+
+            var actualIssuer = validator.Validate(issuer, jsonWebToken, tokenValidationParams);
+
+            IdentityComparer.AreEqual(issuer, actualIssuer, context);
+            TestUtilities.AssertFailIfErrors(context);
+        }
+
         [Theory]
         [InlineData(ValidatorConstants.ClaimNameTid)]
         [InlineData(ValidatorConstants.TenantId)]