React to properties format changes in aspnet-contrib/AspNet.Security.OpenIdConnect.Server

kevinchalet · kevinchalet · commit 0125c36d240a · 2017-02-10T09:20:05.000+01:00
diff --git a/src/AspNet.Security.OAuth.Introspection/Events/ValidateTokenContext.cs b/src/AspNet.Security.OAuth.Introspection/Events/ValidateTokenContext.cs
@@ -16,7 +16,7 @@ public class ValidateTokenContext : BaseControlContext {
         public ValidateTokenContext(
             [NotNull] HttpContext context,
             [NotNull] OAuthIntrospectionOptions options,
-            [NotNull] AuthenticationTicket ticket) 
+            [NotNull] AuthenticationTicket ticket)
             : base(context) {
             Options = options;
             Ticket = ticket;
diff --git a/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs b/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs
@@ -7,7 +7,6 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Claims;
@@ -18,6 +17,7 @@
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Net.Http.Headers;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 
 namespace AspNet.Security.OAuth.Introspection {
@@ -220,12 +220,22 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
                 return false;
             }
 
-            // Ensure that the authentication ticket contains at least one of the registered audiences.
-            if (audiences == null || !audiences.Split(' ').Intersect(Options.Audiences, StringComparer.Ordinal).Any()) {
+            if (string.IsNullOrEmpty(audiences)) {
                 return false;
             }
 
-            return true;
+            // Ensure that the authentication ticket contains one of the registered audiences.
+            foreach (var audience in JArray.Parse(audiences).Values<string>()) {
+                if (string.IsNullOrEmpty(audience)) {
+                    continue;
+                }
+
+                if (Options.Audiences.Contains(audience)) {
+                    return true;
+                }
+            }
+
+            return false;
         }
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload) {
@@ -259,7 +269,6 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                         continue;
                     }
 
-
                     case OAuthIntrospectionConstants.Claims.ExpiresAt: {
 #if NETSTANDARD1_3
                         // Convert the UNIX timestamp to a DateTimeOffset.
@@ -299,8 +308,9 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                     case OAuthIntrospectionConstants.Claims.Scope: {
                         var scopes = (string) property.Value;
 
-                        // Store the scopes list as-is in the authentication properties.
-                        properties.Items[OAuthIntrospectionConstants.Properties.Scopes] = scopes;
+                        // Store the scopes list in the authentication properties.
+                        properties.Items[OAuthIntrospectionConstants.Properties.Scopes] =
+                            new JArray(scopes.Split(' ')).ToString(Formatting.None);
 
                         foreach (var scope in scopes.Split(' ')) {
                             identity.AddClaim(new Claim(property.Name, scope));
@@ -319,12 +329,12 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                                 continue;
                             }
 
-                            var audiences = string.Join(" ", value.Select(item => item.Value<string>()));
-                            properties.Items[OAuthIntrospectionConstants.Properties.Audiences] = audiences;
+                            properties.Items[OAuthIntrospectionConstants.Properties.Audiences] = value.ToString(Formatting.None);
                         }
 
                         else if (property.Value.Type == JTokenType.String) {
-                            properties.Items[OAuthIntrospectionConstants.Properties.Audiences] = (string) property.Value;
+                            properties.Items[OAuthIntrospectionConstants.Properties.Audiences] =
+                                new JArray((string) property.Value).ToString(Formatting.None);
                         }
 
                         continue;
diff --git a/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs b/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs
@@ -57,11 +57,11 @@ public OAuthIntrospectionMiddleware(
 
             if (Options.HttpClient == null) {
                 Options.HttpClient = new HttpClient {
-                    Timeout = TimeSpan.FromSeconds(60),
+                    Timeout = TimeSpan.FromSeconds(15),
                     MaxResponseContentBufferSize = 1024 * 1024 * 10
                 };
 
-                Options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET OAuth2 introspection middleware");
+                Options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET Core OAuth2 introspection middleware");
             }
         }
 
diff --git a/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs b/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs
@@ -21,11 +21,11 @@ public OAuthIntrospectionOptions() {
         }
 
         /// <summary>
-        /// Gets or sets the intended audiences of this resource server.
+        /// Gets the intended audiences of this resource server.
         /// Setting this property is recommended when the authorization
         /// server issues access tokens for multiple distinct resource servers.
         /// </summary>
-        public IList<string> Audiences { get; } = new List<string>();
+        public ISet<string> Audiences { get; } = new HashSet<string>();
 
         /// <summary>
         /// Gets or sets the base address of the OAuth2/OpenID Connect server.
@@ -71,7 +71,7 @@ public OAuthIntrospectionOptions() {
         /// Gets or sets the HTTP client used to communicate
         /// with the remote OAuth2/OpenID Connect server.
         /// </summary>
-        public HttpClient HttpClient { get; set; } = new HttpClient();
+        public HttpClient HttpClient { get; set; }
 
         /// <summary>
         /// Gets or sets the clock used to determine the current date/time.
diff --git a/src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs b/src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs
@@ -5,13 +5,12 @@
  */
 
 using System;
-using System.Diagnostics;
-using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
 using Microsoft.Net.Http.Headers;
+using Newtonsoft.Json.Linq;
 
 namespace AspNet.Security.OAuth.Validation {
     public class OAuthValidationHandler : AuthenticationHandler<OAuthValidationOptions> {
@@ -129,12 +128,22 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
                 return false;
             }
 
-            // Ensure that the authentication ticket contains the registered audience.
-            if (audiences == null || !audiences.Split(' ').Intersect(Options.Audiences, StringComparer.Ordinal).Any()) {
+            if (string.IsNullOrEmpty(audiences)) {
                 return false;
             }
 
-            return true;
+            // Ensure that the authentication ticket contains one of the registered audiences.
+            foreach (var audience in JArray.Parse(audiences).Values<string>()) {
+                if (string.IsNullOrEmpty(audience)) {
+                    continue;
+                }
+
+                if (Options.Audiences.Contains(audience)) {
+                    return true;
+                }
+            }
+
+            return false;
         }
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token) {
@@ -150,14 +159,18 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                 });
             }
 
-            var identity = ticket.Principal.Identity as ClaimsIdentity;
-            Debug.Assert(identity != null);
+            // Resolve the primary identity associated with the principal.
+            var identity = (ClaimsIdentity) ticket.Principal.Identity;
 
             string scopes;
             // Copy the scopes extracted from the authentication ticket to the
             // ClaimsIdentity to make them easier to retrieve from application code.
             if (ticket.Properties.Items.TryGetValue(OAuthValidationConstants.Properties.Scopes, out scopes)) {
-                foreach (var scope in scopes.Split(' ')) {
+                foreach (var scope in JArray.Parse(scopes).Values<string>()) {
+                    if (string.IsNullOrEmpty(scope)) {
+                        continue;
+                    }
+
                     identity.AddClaim(new Claim(OAuthValidationConstants.Claims.Scope, scope));
                 }
             }
diff --git a/src/AspNet.Security.OAuth.Validation/OAuthValidationOptions.cs b/src/AspNet.Security.OAuth.Validation/OAuthValidationOptions.cs
@@ -19,11 +19,11 @@ public OAuthValidationOptions() {
         }
 
         /// <summary>
-        /// Gets or sets the intended audiences of this resource server.
+        /// Gets the intended audiences of this resource server.
         /// Setting this property is recommended when the authorization
         /// server issues access tokens for multiple distinct resource servers.
         /// </summary>
-        public IList<string> Audiences { get; } = new List<string>();
+        public ISet<string> Audiences { get; } = new HashSet<string>();
 
         /// <summary>
         /// Gets or sets a boolean determining whether the access token should be stored in the
diff --git a/src/AspNet.Security.OAuth.Validation/project.json b/src/AspNet.Security.OAuth.Validation/project.json
@@ -33,6 +33,7 @@
 
   "dependencies": {
     "JetBrains.Annotations": { "type": "build", "version": "10.1.4" },
+    "Newtonsoft.Json": "9.0.1",
     "Microsoft.AspNetCore.Authentication": "1.0.0"
   },
 
diff --git a/src/Owin.Security.OAuth.Introspection/Events/ValidateTokenContext.cs b/src/Owin.Security.OAuth.Introspection/Events/ValidateTokenContext.cs
@@ -17,7 +17,7 @@ public class ValidateTokenContext : BaseNotification<OAuthIntrospectionOptions>
         public ValidateTokenContext(
             [NotNull] IOwinContext context,
             [NotNull] OAuthIntrospectionOptions options,
-            [NotNull] AuthenticationTicket ticket) 
+            [NotNull] AuthenticationTicket ticket)
             : base(context, options) {
             Ticket = ticket;
         }
diff --git a/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs b/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs
@@ -7,7 +7,6 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Claims;
@@ -17,6 +16,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 
 namespace Owin.Security.OAuth.Introspection {
@@ -223,12 +223,22 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
                 return false;
             }
 
-            // Ensure that the authentication ticket contains at least one of the registered audiences.
-            if (audiences == null || !audiences.Split(' ').Intersect(Options.Audiences, StringComparer.Ordinal).Any()) {
+            if (string.IsNullOrEmpty(audiences)) {
                 return false;
             }
 
-            return true;
+            // Ensure that the authentication ticket contains one of the registered audiences.
+            foreach (var audience in JArray.Parse(audiences).Values<string>()) {
+                if (string.IsNullOrEmpty(audience)) {
+                    continue;
+                }
+
+                if (Options.Audiences.Contains(audience)) {
+                    return true;
+                }
+            }
+
+            return false;
         }
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload) {
@@ -254,7 +264,6 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                         continue;
                     }
 
-
                     case OAuthIntrospectionConstants.Claims.ExpiresAt: {
                         properties.ExpiresUtc = new DateTimeOffset(1970, 1, 1, 0, 0, 0, 0, TimeSpan.Zero) +
                                                 TimeSpan.FromSeconds((long) property.Value);
@@ -275,7 +284,7 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
 
                         continue;
                     }
-                        
+
                     // Add the token identifier as a property on the authentication ticket.
                     case OAuthIntrospectionConstants.Claims.JwtId: {
                         properties.Dictionary[OAuthIntrospectionConstants.Properties.TicketId] = (string) property;
@@ -289,8 +298,9 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                     case OAuthIntrospectionConstants.Claims.Scope: {
                         var scopes = (string) property.Value;
 
-                        // Store the scopes list as-is in the authentication properties.
-                        properties.Dictionary[OAuthIntrospectionConstants.Properties.Scopes] = scopes;
+                        // Store the scopes list in the authentication properties.
+                        properties.Dictionary[OAuthIntrospectionConstants.Properties.Scopes] =
+                            new JArray(scopes.Split(' ')).ToString(Formatting.None);
 
                         foreach (var scope in scopes.Split(' ')) {
                             identity.AddClaim(new Claim(property.Name, scope));
@@ -309,12 +319,12 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                                 continue;
                             }
 
-                            var audiences = string.Join(" ", value.Select(item => item.Value<string>()));
-                            properties.Dictionary[OAuthIntrospectionConstants.Properties.Audiences] = audiences;
+                            properties.Dictionary[OAuthIntrospectionConstants.Properties.Audiences] = value.ToString(Formatting.None);
                         }
 
                         else if (property.Value.Type == JTokenType.String) {
-                            properties.Dictionary[OAuthIntrospectionConstants.Properties.Audiences] = (string) property.Value;
+                            properties.Dictionary[OAuthIntrospectionConstants.Properties.Audiences] =
+                                new JArray((string) property.Value).ToString(Formatting.None);
                         }
 
                         continue;
diff --git a/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs b/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs
@@ -71,11 +71,11 @@ public OAuthIntrospectionMiddleware(
 
             if (options.HttpClient == null) {
                 options.HttpClient = new HttpClient {
-                    Timeout = TimeSpan.FromSeconds(60),
+                    Timeout = TimeSpan.FromSeconds(15),
                     MaxResponseContentBufferSize = 1024 * 1024 * 10
                 };
 
-                options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET OAuth2 introspection middleware");
+                options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("OWIN OAuth2 introspection middleware");
             }
         }
 
diff --git a/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs b/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs
@@ -20,11 +20,11 @@ public OAuthIntrospectionOptions()
         }
 
         /// <summary>
-        /// Gets or sets the intended audiences of this resource server.
+        /// Gets the intended audiences of this resource server.
         /// Setting this property is recommended when the authorization
         /// server issues access tokens for multiple distinct resource servers.
         /// </summary>
-        public IList<string> Audiences { get; } = new List<string>();
+        public ISet<string> Audiences { get; } = new HashSet<string>();
 
         /// <summary>
         /// Gets or sets the base address of the OAuth2/OpenID Connect server.
@@ -70,7 +70,7 @@ public OAuthIntrospectionOptions()
         /// Gets or sets the HTTP client used to communicate
         /// with the remote OAuth2/OpenID Connect server.
         /// </summary>
-        public HttpClient HttpClient { get; set; } = new HttpClient();
+        public HttpClient HttpClient { get; set; }
 
         /// <summary>
         /// Gets or sets the logger used by <see cref="OAuthIntrospectionMiddleware"/>.
diff --git a/src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs b/src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs
@@ -5,12 +5,12 @@
  */
 
 using System;
-using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json.Linq;
 
 namespace Owin.Security.OAuth.Validation {
     public class OAuthValidationHandler : AuthenticationHandler<OAuthValidationOptions> {
@@ -132,12 +132,22 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
                 return false;
             }
 
-            // Ensure that the authentication ticket contains the registered audience.
-            if (audiences == null || !audiences.Split(' ').Intersect(Options.Audiences, StringComparer.Ordinal).Any()) {
+            if (string.IsNullOrEmpty(audiences)) {
                 return false;
             }
 
-            return true;
+            // Ensure that the authentication ticket contains one of the registered audiences.
+            foreach (var audience in JArray.Parse(audiences).Values<string>()) {
+                if (string.IsNullOrEmpty(audience)) {
+                    continue;
+                }
+
+                if (Options.Audiences.Contains(audience)) {
+                    return true;
+                }
+            }
+
+            return false;
         }
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token) {
@@ -155,7 +165,11 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
             // Copy the scopes extracted from the authentication ticket to the
             // ClaimsIdentity to make them easier to retrieve from application code.
             if (ticket.Properties.Dictionary.TryGetValue(OAuthValidationConstants.Properties.Scopes, out scopes)) {
-                foreach (var scope in scopes.Split(' ')) {
+                foreach (var scope in JArray.Parse(scopes).Values<string>()) {
+                    if (string.IsNullOrEmpty(scope)) {
+                        continue;
+                    }
+
                     ticket.Identity.AddClaim(new Claim(OAuthValidationConstants.Claims.Scope, scope));
                 }
             }
diff --git a/src/Owin.Security.OAuth.Validation/OAuthValidationOptions.cs b/src/Owin.Security.OAuth.Validation/OAuthValidationOptions.cs
diff --git a/src/Owin.Security.OAuth.Validation/project.json b/src/Owin.Security.OAuth.Validation/project.json
diff --git a/test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs b/test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs
diff --git a/test/Owin.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs b/test/Owin.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs

Original file line number	Diff line number	Diff line change
`@@ -57,11 +57,11 @@ public OAuthIntrospectionMiddleware(`
`57`	`57`
`58`	`58`	`if (Options.HttpClient == null) {`
`59`	`59`	`Options.HttpClient = new HttpClient {`
`60`		`- Timeout = TimeSpan.FromSeconds(60),`
	`60`	`+ Timeout = TimeSpan.FromSeconds(15),`
`61`	`61`	`MaxResponseContentBufferSize = 1024 * 1024 * 10`
`62`	`62`	`};`
`63`	`63`
`64`		`- Options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET OAuth2 introspection middleware");`
	`64`	`+ Options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET Core OAuth2 introspection middleware");`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ public class ValidateTokenContext : BaseNotification<OAuthIntrospectionOptions>`
`17`	`17`	`public ValidateTokenContext(`
`18`	`18`	`[NotNull] IOwinContext context,`
`19`	`19`	`[NotNull] OAuthIntrospectionOptions options,`
`20`		`- [NotNull] AuthenticationTicket ticket)`
	`20`	`+ [NotNull] AuthenticationTicket ticket)`
`21`	`21`	`: base(context, options) {`
`22`	`22`	`Ticket = ticket;`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,11 +71,11 @@ public OAuthIntrospectionMiddleware(`
`71`	`71`
`72`	`72`	`if (options.HttpClient == null) {`
`73`	`73`	`options.HttpClient = new HttpClient {`
`74`		`- Timeout = TimeSpan.FromSeconds(60),`
	`74`	`+ Timeout = TimeSpan.FromSeconds(15),`
`75`	`75`	`MaxResponseContentBufferSize = 1024 * 1024 * 10`
`76`	`76`	`};`
`77`	`77`
`78`		`- options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET OAuth2 introspection middleware");`
	`78`	`+ options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("OWIN OAuth2 introspection middleware");`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`