Validate IssuerSigningKey: Refactor to use ValidationParameters over TVP

src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs

@@ -29,6 +29,7 @@ internal class ValidationParameters
         private LifetimeValidatorDelegate _lifetimeValidator = Validators.ValidateLifetime;
         private TokenReplayValidatorDelegate _tokenReplayValidator = Validators.ValidateTokenReplay;
         private TypeValidatorDelegate _typeValidator = Validators.ValidateTokenType;
+        private IssuerSigningKeyValidatorDelegate _issuerSigningKeyValidator = Validators.ValidateIssuerSigningKey;
 
         /// <summary>
         /// This is the default value of <see cref="ClaimsIdentity.AuthenticationType"/> when creating a <see cref="ClaimsIdentity"/>.
@@ -269,7 +270,11 @@ public virtual ClaimsIdentity CreateClaimsIdentity(SecurityToken securityToken,
         /// If both <see cref="IssuerSigningKeyValidatorUsingConfiguration"/> and <see cref="IssuerSigningKeyValidator"/> are set, IssuerSigningKeyResolverUsingConfiguration takes
         /// priority.
         /// </remarks>
-        public IssuerSigningKeyValidator IssuerSigningKeyValidator { get; set; }
+        public IssuerSigningKeyValidatorDelegate IssuerSigningKeyValidator
+        {
+            get => _issuerSigningKeyValidator;
+            set => _issuerSigningKeyValidator = value ?? throw new ArgumentNullException(nameof(value), "IssuerSigningKeyValidator cannot be set as null.");
+        }
 
         /// <summary>
         /// Gets a <see cref="IDictionary{String, Object}"/> that is unique to this instance.

src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSecurityKey.cs → src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSigningKey.cs

@@ -17,17 +17,17 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     /// <param name="signingKey">The security key to validate.</param>
     /// <param name="securityToken">The <see cref="SecurityToken"/> that is being validated.</param>
-    /// <param name="validationParameters">The <see cref="TokenValidationParameters"/> to be used for validating the token.</param>
-    /// <param name="callContext"></param>
-    /// <param name="cancellationToken"></param>
+    /// <param name="validationParameters">The <see cref="ValidationParameters"/> to be used for validating the token.</param>
+    /// <param name="configuration">The <see cref="BaseConfiguration"/> to be used for validation.</param>
+    /// <param name="callContext">The <see cref="CallContext"/> to be used for logging.</param> 
     /// <returns>A <see cref="SigningKeyValidationResult"/>that contains the results of validating the issuer.</returns>
     /// <remarks>This delegate is not expected to throw.</remarks>
-    internal delegate Task<SigningKeyValidationResult> IssuerSecurityKeyValidationDelegate(
+    internal delegate SigningKeyValidationResult IssuerSigningKeyValidatorDelegate(
         SecurityKey signingKey,
         SecurityToken securityToken,
-        TokenValidationParameters validationParameters,
-        CallContext callContext,
-        CancellationToken cancellationToken);
+        ValidationParameters validationParameters,
+        BaseConfiguration? configuration,
+        CallContext? callContext);
 
     /// <summary>
     /// SigningKeyValidation
@@ -40,28 +40,20 @@ public static partial class Validators
         /// </summary>
         /// <param name="securityKey">The <see cref="SecurityKey"/> that signed the <see cref="SecurityToken"/>.</param>
         /// <param name="securityToken">The <see cref="SecurityToken"/> being validated.</param>
-        /// <param name="validationParameters">The <see cref="TokenValidationParameters"/> to be used for validating the token.</param>
-        /// <param name="callContext"></param>
+        /// <param name="validationParameters">The <see cref="ValidationParameters"/> to be used for validating the token.</param>
+        /// <param name="configuration">The <see cref="BaseConfiguration"/> to be used for validation.</param>
+        /// <param name="callContext">The <see cref="CallContext"/> to be used for logging.</param>
         /// <exception cref="ArgumentNullException"> if 'securityKey' is null and ValidateIssuerSigningKey is true.</exception>
         /// <exception cref="ArgumentNullException"> if 'securityToken' is null and ValidateIssuerSigningKey is true.</exception>
         /// <exception cref="ArgumentNullException"> if 'validationParameters' is null.</exception>
-        internal static SigningKeyValidationResult ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, CallContext callContext)
-        {
-            return ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters, null, callContext);
-        }
-
-        /// <summary>
-        /// Validates the <see cref="SecurityKey"/> that signed a <see cref="SecurityToken"/>.
-        /// </summary>
-        /// <param name="securityKey">The <see cref="SecurityKey"/> that signed the <see cref="SecurityToken"/>.</param>
-        /// <param name="securityToken">The <see cref="SecurityToken"/> being validated.</param>
-        /// <param name="validationParameters">The <see cref="TokenValidationParameters"/> to be used for validating the token.</param>
-        /// <param name="configuration">The <see cref="BaseConfiguration"/> required for issuer and signing key validation.</param>
-        /// <param name="callContext"></param>
-        /// <exception cref="ArgumentNullException"> if 'securityKey' is null and ValidateIssuerSigningKey is true.</exception>
-        /// <exception cref="ArgumentNullException"> if 'securityToken' is null and ValidateIssuerSigningKey is true.</exception>
-        /// <exception cref="ArgumentNullException"> if 'validationParameters' is null.</exception>
-        internal static SigningKeyValidationResult ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration? configuration, CallContext callContext)
+        internal static SigningKeyValidationResult ValidateIssuerSigningKey(
+            SecurityKey securityKey,
+            SecurityToken securityToken,
+            ValidationParameters validationParameters,
+#pragma warning disable CA1801 // Review unused parameters
+            BaseConfiguration? configuration,
+#pragma warning restore CA1801 // Review unused parameters
+            CallContext? callContext)
         {
             if (validationParameters == null)
                 return new SigningKeyValidationResult(
@@ -74,28 +66,7 @@ internal static SigningKeyValidationResult ValidateIssuerSecurityKey(SecurityKey
                         typeof(ArgumentNullException),
                         new StackFrame(true)));
 
-            if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
-            {
-                return ValidateSigningKeyUsingDelegateAndConfiguration(securityKey, securityToken, validationParameters, configuration);
-            }
-
-            if (validationParameters.IssuerSigningKeyValidator != null)
-            {
-                return ValidateSigningKeyUsingDelegateAndConfiguration(securityKey, securityToken, validationParameters, null);
-            }
-
-            if (!validationParameters.ValidateIssuerSigningKey)
-            {
-                LogHelper.LogVerbose(LogMessages.IDX10237);
-                return new SigningKeyValidationResult(securityKey);
-            }
-
-            if (!validationParameters.RequireSignedTokens && securityKey == null)
-            {
-                LogHelper.LogInformation(LogMessages.IDX10252);
-                return new SigningKeyValidationResult(securityKey);
-            }
-            else if (securityKey == null)
+            if (securityKey == null)
             {
                 return new SigningKeyValidationResult(
                     securityKey,
@@ -126,10 +97,13 @@ internal static SigningKeyValidationResult ValidateIssuerSecurityKey(SecurityKey
         /// Given a signing key, when it's derived from a certificate, validates that the certificate is already active and non-expired
         /// </summary>
         /// <param name="securityKey">The <see cref="SecurityKey"/> that signed the <see cref="SecurityToken"/>.</param>
-        /// <param name="validationParameters">The <see cref="TokenValidationParameters"/> to be used for validating the token.</param>
+        /// <param name="validationParameters">The <see cref="ValidationParameters"/> to be used for validating the token.</param>
         /// <param name="callContext"></param>
 #pragma warning disable CA1801 // Review unused parameters
-        internal static SigningKeyValidationResult ValidateIssuerSigningKeyLifeTime(SecurityKey securityKey, TokenValidationParameters validationParameters, CallContext callContext)
+        internal static SigningKeyValidationResult ValidateIssuerSigningKeyLifeTime(
+            SecurityKey securityKey,
+            ValidationParameters validationParameters,
+            CallContext? callContext)
 #pragma warning restore CA1801 // Review unused parameters
         {
             X509SecurityKey? x509SecurityKey = securityKey as X509SecurityKey;
@@ -174,46 +148,6 @@ internal static SigningKeyValidationResult ValidateIssuerSigningKeyLifeTime(Secu
 
             return new SigningKeyValidationResult(securityKey);
         }
-
-        private static SigningKeyValidationResult ValidateSigningKeyUsingDelegateAndConfiguration(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration? configuration)
-        {
-            try
-            {
-                bool success;
-                if (configuration != null)
-                    success = validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration);
-                else
-                    success = validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters);
-
-                if (!success)
-                    return new SigningKeyValidationResult(
-                        securityKey,
-                        ValidationFailureType.SigningKeyValidationFailed,
-                        new ExceptionDetail(
-                            new MessageDetail(
-                                LogMessages.IDX10232,
-                                securityKey),
-                            typeof(SecurityTokenInvalidSigningKeyException),
-                            new StackFrame(true)));
-
-                return new SigningKeyValidationResult(securityKey);
-            }
-#pragma warning disable CA1031 // Do not catch general exception types
-            catch (Exception exception)
-#pragma warning restore CA1031 // Do not catch general exception types
-            {
-                return new SigningKeyValidationResult(
-                    securityKey,
-                    ValidationFailureType.SigningKeyValidationFailed,
-                    new ExceptionDetail(
-                        new MessageDetail(
-                            LogMessages.IDX10232,
-                            securityKey),
-                        exception.GetType(),
-                        new StackFrame(true),
-                        exception));
-            }
-        }
     }
 }
 #nullable restore