Update the Data Protection purposes to force the validation middleware to reject access tokens serialized using the old properties format

kevinchalet · kevinchalet · commit fe9d69e3ab85 · 2017-03-06T21:40:03.000+01:00
diff --git a/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs b/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs
@@ -48,7 +48,7 @@ public OAuthIntrospectionMiddleware(
             {
                 var protector = Options.DataProtectionProvider.CreateProtector(
                     nameof(OAuthIntrospectionMiddleware),
-                    Options.AuthenticationScheme, "Access_Token", "v1");
+                    nameof(Options.AccessTokenFormat), Options.AuthenticationScheme);
 
                 Options.AccessTokenFormat = new TicketDataFormat(protector);
             }
diff --git a/src/AspNet.Security.OAuth.Validation/OAuthValidationMiddleware.cs b/src/AspNet.Security.OAuth.Validation/OAuthValidationMiddleware.cs
@@ -36,9 +36,9 @@ public OAuthValidationMiddleware(
 
             if (Options.AccessTokenFormat == null)
             {
-                // Note: the following purposes must match the values used by ASOS.
+                // Note: the following purposes must match the ones used by the OpenID Connect server middleware.
                 var protector = Options.DataProtectionProvider.CreateProtector(
-                    "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");
+                    "OpenIdConnectServerMiddleware", nameof(Options.AccessTokenFormat), "ASOS");
 
                 Options.AccessTokenFormat = new TicketDataFormat(protector);
             }
diff --git a/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs b/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs
@@ -57,7 +57,7 @@ public OAuthIntrospectionMiddleware(
             {
                 var protector = Options.DataProtectionProvider.CreateProtector(
                     nameof(OAuthIntrospectionMiddleware),
-                    Options.AuthenticationType, "Access_Token", "v1");
+                    nameof(Options.AccessTokenFormat), Options.AuthenticationType);
 
                 options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
             }
diff --git a/src/Owin.Security.OAuth.Validation/OAuthValidationMiddleware.cs b/src/Owin.Security.OAuth.Validation/OAuthValidationMiddleware.cs
@@ -46,9 +46,9 @@ public OAuthValidationMiddleware(
 
             if (options.AccessTokenFormat == null)
             {
-                // Note: the following purposes must match the ones used by ASOS.
-                var protector = options.DataProtectionProvider.CreateProtector(
-                    "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");
+                // Note: the following purposes must match the ones used by the OpenID Connect server middleware.
+                var protector = Options.DataProtectionProvider.CreateProtector(
+                    "OpenIdConnectServerMiddleware", nameof(Options.AccessTokenFormat), "ASOS");
 
                 options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
             }

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public OAuthIntrospectionMiddleware(`
`48`	`48`	`{`
`49`	`49`	`var protector = Options.DataProtectionProvider.CreateProtector(`
`50`	`50`	`nameof(OAuthIntrospectionMiddleware),`
`51`		`- Options.AuthenticationScheme, "Access_Token", "v1");`
	`51`	`+ nameof(Options.AccessTokenFormat), Options.AuthenticationScheme);`
`52`	`52`
`53`	`53`	`Options.AccessTokenFormat = new TicketDataFormat(protector);`
`54`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,9 @@ public OAuthValidationMiddleware(`
`36`	`36`
`37`	`37`	`if (Options.AccessTokenFormat == null)`
`38`	`38`	`{`
`39`		`- // Note: the following purposes must match the values used by ASOS.`
	`39`	`+ // Note: the following purposes must match the ones used by the OpenID Connect server middleware.`
`40`	`40`	`var protector = Options.DataProtectionProvider.CreateProtector(`
`41`		`- "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");`
	`41`	`+ "OpenIdConnectServerMiddleware", nameof(Options.AccessTokenFormat), "ASOS");`
`42`	`42`
`43`	`43`	`Options.AccessTokenFormat = new TicketDataFormat(protector);`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ public OAuthIntrospectionMiddleware(`
`57`	`57`	`{`
`58`	`58`	`var protector = Options.DataProtectionProvider.CreateProtector(`
`59`	`59`	`nameof(OAuthIntrospectionMiddleware),`
`60`		`- Options.AuthenticationType, "Access_Token", "v1");`
	`60`	`+ nameof(Options.AccessTokenFormat), Options.AuthenticationType);`
`61`	`61`
`62`	`62`	`options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));`
`63`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,9 +46,9 @@ public OAuthValidationMiddleware(`
`46`	`46`
`47`	`47`	`if (options.AccessTokenFormat == null)`
`48`	`48`	`{`
`49`		`- // Note: the following purposes must match the ones used by ASOS.`
`50`		`- var protector = options.DataProtectionProvider.CreateProtector(`
`51`		`- "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");`
	`49`	`+ // Note: the following purposes must match the ones used by the OpenID Connect server middleware.`
	`50`	`+ var protector = Options.DataProtectionProvider.CreateProtector(`
	`51`	`+ "OpenIdConnectServerMiddleware", nameof(Options.AccessTokenFormat), "ASOS");`
`52`	`52`
`53`	`53`	`options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));`
`54`	`54`	`}`