Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fetch configuration when validating SAML issuer and signature #2412

Merged
merged 8 commits into from
Mar 13, 2024
Merged

Fetch configuration when validating SAML issuer and signature #2412

merged 8 commits into from
Mar 13, 2024

Conversation

Hakon
Copy link

@Hakon Hakon commented Nov 21, 2023

Fetch configuration when validating SAML issuer and signature

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • If any gains or losses in performance are possible, you've included benchmarks for your changes. More info
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Fetch configuration on token validation for SAML in the same way as JwtSecurityTokenHandler

Description

This is already done in the JwtSecurityTokenHandler and the semantics should be similar.
This caused a regression in Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler which assumes the token handler will fetch the current configuration as part of the token validation if the ConfigurationManager is a subclass of BaseConfigurationManager.
This change makes the SamlSecurityTokenHandler and Saml2SecurityTokenHandler semantics equal to the JwtSecurityTokenHandler with regards to fetching the configuration before validation.

This discrepancy allowed the following bug to appear in Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.

Fixes #2406

Fetch configuration when validating SAML issuer and signature
41842f1 
This is already done in the JwtSecurityTokenHandler and the semantics should be similar.
This caused a regression in Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler which assumes the token handler will fetch the current configuration as part of the token validation if the ConfigurationManager is a subclass of BaseConfigurationManager.
This change makes the SamlSecurityTokenHandler and Saml2SecurityTokenHandler equal to the JwtSecurityTokenHandler with regards to fetching the configuration before validation.
@Hakon
Copy link
Author

Hakon commented Nov 22, 2023

@microsoft-github-policy-service agree company="Frende"

hakon.lerring added 2 commits November 22, 2023 07:25
Small refactor of SamlSecurityTokenHandler
78ec401 
Refactor PopulateValidationParametersWithCurrentConfigurationAsync null check to guard with an early return.
Rename cloned variable to make code easier to read.
Small refactor of Saml2SecurityTokenHandler
400e17c 
Refactor PopulateValidationParametersWithCurrentConfigurationAsync null check to guard with an early return.
Rename cloned variable to make code easier to read.
@Hakon Hakon marked this pull request as ready for review November 22, 2023 12:58
@Hakon
Copy link
Author

Hakon commented Nov 23, 2023

@microsoft-github-policy-service agree company="Frende"

@Hakon
Copy link
Author

Hakon commented Nov 28, 2023

Do you need anything more from me on this issue?

@jennyf19
Copy link
Collaborator

@Hakon will you be continuing work on this PR? Please see above comments from @brentschmaltz thank you.

@Hakon
Copy link
Author

Hakon commented Jan 29, 2024

I will, it's just a bit busy period for me. If someone else want to continue this work I'm open to share :)

hakon.lerring added 2 commits February 26, 2024 08:41
Refactor PopulateValidationParametersWithCurrentConfigurationAsync to…
33697cd 
… a shared utility class
Add tests:
1b31ec0 
Issuer set,
Key set,
Issuer and key set
and nothing set
@Hakon Hakon requested a review from brentschmaltz February 26, 2024 08:32
@halter73 halter73 mentioned this pull request Feb 27, 2024
Open
1 task
@Hakon
Copy link
Author

Hakon commented Feb 28, 2024

I implemented the changes mentioned, could you take another look?

@brentschmaltz brentschmaltz merged commit 795bbf0 into AzureAD:dev Mar 13, 2024
4 checks passed
@Hakon Hakon deleted the saml-configuration-fetch branch March 18, 2024 14:37
This was referenced Mar 18, 2024
Closed
Merged
@DominikAmon
Copy link

Update other Microsoft packages to latest as well, such as: Microsoft.AspNetCore.Authentication.WsFederation
The latest package 8.0.3 and even the 9.x.x Preview sill references the old 7.1.2 version.
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brentschmaltz brentschmaltz brentschmaltz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@Hakon @jennyf19 @DominikAmon @brentschmaltz