Added methods in JsonWebTokenHandler that allow custom JWT header claims to be added

[mafurman]

Fixes #1210 and #1237.

[brentschmaltz]

should we modify this parameter name and comment, we don't really know or verify that the string is a JWS in Compact Serialization Format.

[mafurman]

I agree that the parameter name and comment should be changed, or perhaps maybe we should verify that the string is in JWS format?

In the RFC the value to be encrypted is referred to as 'plaintext', so we could call it that.

However, if something other than a JWS is passed into this method, the result produced by this method will no longer be something our library can verify. I feel like this may cause confusion.

The name of the method also happens to be 'EncryptToken', which may also get confusing.

[brentschmaltz]

This property is only for JWT's. What will SAML handlers do with this?

[mafurman]

I was thinking this would be a property that's only used when creating JWT tokens. I could make the comment clearer with regards to this if you think that'll help.

On a related note, IDictionary<string, object> Claims is currently not being used by the SAML handlers either.

[brentschmaltz]

this captures the issue for SAML and the dictionary: #1155

[leastprivilege]

I haven't looked at the API yet - but per our recent discussion, please make sure it is easily possible to set the typ header value.

[brentschmaltz]

Alg, Enc can not be null.

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Tokens/EncryptingCredentials.cs

Line 100 in b16a4d5

private set => _alg = string.IsNullOrEmpty(value) ? throw LogHelper.LogArgumentNullException("alg") : value;

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Tokens/EncryptingCredentials.cs

Line 109 in b16a4d5

private set => _enc = string.IsNullOrEmpty(value) ? throw LogHelper.LogArgumentNullException("enc") : value;

[mafurman]

Good point! Fixed.

[brentschmaltz]

KeyId can be null.

[mafurman]

Fixed. Also added in a test for this.

[brentschmaltz]

#1237 was opened as an empty payload should be allowed.

[mafurman]

Fixed. Also added in some tests.

[brentschmaltz]

need to add a comment to capture the SecurityTokenException thrown if any default header claims are found.

[mafurman]

Good catch! I fixed this in all the relevant methods.

[brentschmaltz]

need to add a comment to capture the SecurityTokenException thrown if any default header claims are found.

[mafurman]

Fixed!

[brentschmaltz]

(nit) could add additionalHeaderClaims.Count > 0

[mafurman]

Do you mean that we should check for this before seeing if 'additionalHeaderClaims' intersects _defaultHeaderParameters? Or that we should check for this so that we still use the header cache if 'additionalHeaderClaims' is empty?

I added in a check in both places.

[steveoshima]

FYI, this currently isnt working with RSA-PSS support.

[GeoK]

Hi @steveoshima - It's not clear what exactly is not working. Can you provide more information or/and a small repro project?

[GeoK]

@steveoshima - Are you still hitting the issue when using RSA-PSS?
We are planning on releasing 5.6.0 soon and we would appreciate your input.

[steveoshima]

@steveoshima - Are you still hitting the issue when using RSA-PSS?
We are planning on releasing 5.6.0 soon and we would appreciate your input.

I attempted to check different branches to get RSA-PSS with custom headers working last week. However, no branches worked that i tried. I spotted the cusom header test with RSA-PSS was incomplete. I messaged about this on the issue. See my comment here - #1210

You will see the test is missing additonal header setup data, if this is added im sure the error will occur. -

azure-activedirectory-identitymodel-extensions-for-dotnet/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs

Line 1347 in 1c16adc

#if NET461 || NET_CORE