
Add cloud instance name validation #2804

Merged
merged 16 commits into from
Sep 20, 2024

Conversation

alexholub113
Contributor

@alexholub113 alexholub113 commented Aug 30, 2024

Added an optional check to prevent using keys that are shared across multiple clouds.

  • Added a new extension method EnableEntraIdSigningKeyCloudInstanceNameValidation that adds additional validation to the IssuerSigningKeyValidatorUsingConfiguration delegate call chain.
  • The new validation checks that the cloud instance name of the openid-configuration matches the cloud instance name of the signing key.
  • A new exception, SecurityTokenInvalidCloudInstanceException, is thrown in case the check fails.

Resolves #2832
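The following is an added illustration of the check the PR describes; it is not the PR's code and not the library's own implementation. It shows a validator with the IssuerSigningKeyValidatorUsingConfiguration signature that compares the cloud instance name of the signing key with that of the OpenID configuration the key was resolved from, and wires it into TokenValidationParameters so that any delegate already configured still runs first. Assumptions: the metadata document and each JWK expose the value as a "cloud_instance_name" string in their AdditionalData dictionaries (assumed property name); the local names CloudInstanceMismatchException and EnableCloudInstanceNameValidation stand in for the PR's SecurityTokenInvalidCloudInstanceException and EnableEntraIdSigningKeyCloudInstanceNameValidation; and the Microsoft.IdentityModel.Tokens and Microsoft.IdentityModel.Protocols.OpenIdConnect types are used as their public API is understood here.

```csharp
// Added illustration, not the library's own implementation. Assumed: "cloud_instance_name"
// is the property published on the openid-configuration document and on each JWK.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Local stand-in for the exception type the PR adds; like the PR's type it derives from
// SecurityTokenInvalidSigningKeyException, so existing catch blocks for bad keys still see it.
public class CloudInstanceMismatchException : SecurityTokenInvalidSigningKeyException
{
    public CloudInstanceMismatchException(string message) : base(message) { }
}

public static class CloudInstanceNameValidation
{
    // Assumed JSON property name carried by the metadata document and its keys.
    private const string CloudInstanceNameKey = "cloud_instance_name";

    // Same signature as the IssuerSigningKeyValidatorUsingConfiguration delegate.
    // 'configuration' is the metadata document the signing key was resolved from.
    public static bool ValidateSigningKeyCloudInstance(
        SecurityKey securityKey,
        SecurityToken securityToken,
        TokenValidationParameters validationParameters,
        BaseConfiguration configuration)
    {
        // Only JWKs resolved from an OpenID Connect metadata document carry the field;
        // other key types are outside this check and are left to the other validators.
        if (securityKey is not JsonWebKey jwk || configuration is not OpenIdConnectConfiguration oidc)
            return true;

        string keyCloud = ReadCloudInstanceName(jwk.AdditionalData);
        string configCloud = ReadCloudInstanceName(oidc.AdditionalData);

        // Opt-in check: if either side does not state a cloud instance there is nothing
        // to compare, and issuers that do not publish the field must not be rejected.
        if (keyCloud == null || configCloud == null)
            return true;

        if (!string.Equals(keyCloud, configCloud, StringComparison.OrdinalIgnoreCase))
            throw new CloudInstanceMismatchException(
                $"Signing key '{jwk.Kid}' belongs to cloud instance '{keyCloud}' " +
                $"but the metadata document is for '{configCloud}'.")
            { SigningKey = securityKey };

        return true;
    }

    private static string ReadCloudInstanceName(IDictionary<string, object> additionalData)
    {
        return additionalData != null
            && additionalData.TryGetValue(CloudInstanceNameKey, out object value)
            && value is string name
            && !string.IsNullOrWhiteSpace(name)
            ? name
            : null;
    }

    // Wires the check into TokenValidationParameters the way an extension method would,
    // keeping any delegate that was already configured in front of it.
    public static TokenValidationParameters EnableCloudInstanceNameValidation(this TokenValidationParameters tvp)
    {
        IssuerSigningKeyValidatorUsingConfiguration existing = tvp.IssuerSigningKeyValidatorUsingConfiguration;
        tvp.IssuerSigningKeyValidatorUsingConfiguration = (key, token, parameters, config) =>
            (existing == null || existing(key, token, parameters, config))
            && ValidateSigningKeyCloudInstance(key, token, parameters, config);
        return tvp;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample metadata and keys, not real Entra ID data.
        var config = new OpenIdConnectConfiguration();
        config.AdditionalData["cloud_instance_name"] = "cloud-a.example";

        var sameCloudKey = new JsonWebKey { Kid = "key-1", Kty = "RSA" };
        sameCloudKey.AdditionalData["cloud_instance_name"] = "cloud-a.example";

        var otherCloudKey = new JsonWebKey { Kid = "key-2", Kty = "RSA" };
        otherCloudKey.AdditionalData["cloud_instance_name"] = "cloud-b.example";

        var tvp = new TokenValidationParameters().EnableCloudInstanceNameValidation();
        var validate = tvp.IssuerSigningKeyValidatorUsingConfiguration;

        // Key from the same cloud instance as the metadata document.
        Console.WriteLine(validate(sameCloudKey, null, tvp, config));

        // Key whose cloud instance differs from the metadata document it was found through.
        try
        {
            validate(otherCloudKey, null, tvp, config);
        }
        catch (CloudInstanceMismatchException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

The point of the comparison is that a signing key published under more than one cloud instance would otherwise be accepted purely on its kid lookup, so a token minted for one cloud could validate against metadata for another; binding the key to the cloud instance stated by the metadata document closes that gap. Note that assigning IssuerSigningKeyValidatorUsingConfiguration replaces the library's default signing-key validation when no delegate was previously set, so a production version of this wiring must also preserve those default checks rather than only chaining a prior delegate as shown here.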

@alexholub113 alexholub113 requested a review from a team as a code owner August 30, 2024 19:54
@alexholub113 alexholub113 self-assigned this Sep 3, 2024
@alexholub113 alexholub113 changed the title [Draft] Add cloud instance name validation Add cloud instance name validation Sep 3, 2024
Alex Holub added 2 commits September 3, 2024 16:46
/// </summary>
[Serializable]
public class SecurityTokenInvalidCloudInstanceNameException : SecurityTokenInvalidSigningKeyException
{
Member

Suggest the name: SecurityTokenInvalidCloudInstanceException (drop the 'Name') as there may be other reasons in the future.

@GeoK not sure about the need to inherit from SecurityTokenInvalidSigningKeyException, perhaps SecurityTokenException

Contributor Author

Renamed class.
In my opinion SecurityTokenInvalidCloudInstanceNameException is still a SecurityTokenInvalidSigningKeyException, but more specific.

Member

Discussed this with Brent offline - it is ok as-is.

@jennyf19 jennyf19 merged commit f0d09d4 into dev Sep 20, 2024
5 of 6 checks passed
@GeoK GeoK added this to the 8.0.3 milestone Sep 20, 2024
Development

Successfully merging this pull request may close these issues.

Support cloud instance name validation
5 participants