Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add checks to protect the internal claims used by MIW. Ref: issue #2968 #3131

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Add checks to protect the internal claims used by MIW. Ref: issue #2968 #3131

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
f8f5512
Add InternalClaimDetectedException for ID Token validation
DOMZE Nov 5, 2024
6be209b
Add unit tests for the modifications
DOMZE Nov 5, 2024
06befbe
Add check for claim equality
DOMZE Nov 6, 2024
60e16d2
Change string comparison to OrdinalIgnoreCase
DOMZE Nov 7, 2024
cb2b715
Improvements based on feedback from PR
DOMZE Nov 8, 2024
be83a8a
Merge from master
DOMZE Nov 8, 2024
a54dcaf
PR changes post discussion
DOMZE Nov 8, 2024
9aabaed
Update src/Microsoft.Identity.Web.OWIN/AppBuilderExtension.cs
DOMZE Nov 11, 2024
fb3e767
Merge branch 'AzureAD:master' into domze/fix-issue-2968-claim-already…
DOMZE Nov 11, 2024
56b255c
Refactor to test each claim separately.
DOMZE Nov 12, 2024
31040e2
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Nov 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions src/Microsoft.Identity.Web.OWIN/AppBuilderExtension.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,23 @@ public static IAppBuilder AddMicrosoftIdentityWebApp(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
var uniqueTenantIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
var uniqueObjectIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
bgavrilMS marked this conversation as resolved.
Show resolved Hide resolved
{
Claim = uniqueTenantIdentifierClaim,
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
};
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
};
}

context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
Expand All @@ -187,6 +204,23 @@ public static IAppBuilder AddMicrosoftIdentityWebApp(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
{
var uniqueTenantIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
var uniqueObjectIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueTenantIdentifierClaim
};
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
};
}

context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
Expand Down
31 changes: 31 additions & 0 deletions src/Microsoft.Identity.Web.OWIN/InternalClaimDetectedException.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Security.Claims;

namespace Microsoft.Identity.Web.OWIN
{
/// <summary>
/// The exception that is thrown when an internal ID Token claim used by Microsoft.Identity.Web internally is detected in the user's ID Token.
/// </summary>
public class InternalClaimDetectedException : Exception
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
/// <summary>
/// Gets or sets the invalid claim.
/// </summary>
public Claim Claim { get; set; }
DOMZE marked this conversation as resolved.
Show resolved Hide resolved

public InternalClaimDetectedException()
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
}

public InternalClaimDetectedException(string message) : base(message)
{
}

public InternalClaimDetectedException(string message, Exception innerException) : base(message, innerException)
{
}
}
}
30 changes: 20 additions & 10 deletions src/Microsoft.Identity.Web.OWIN/Microsoft.Identity.Web.OWIN.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

31 changes: 31 additions & 0 deletions src/Microsoft.Identity.Web/InternalClaimDetectedException.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Security.Claims;

namespace Microsoft.Identity.Web
{
/// <summary>
/// The exception that is thrown when an internal ID Token claim used by Microsoft.Identity.Web internally is detected in the user's ID Token.
/// </summary>
public class InternalClaimDetectedException : Exception
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
/// <summary>
/// Gets or sets the invalid claim.
/// </summary>
public Claim Claim { get; set; }

public InternalClaimDetectedException()
{
}

public InternalClaimDetectedException(string message) : base(message)
{
}

public InternalClaimDetectedException(string message, Exception innerException) : base(message, innerException)
{
}
}
}
27 changes: 25 additions & 2 deletions src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilder.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,8 +179,31 @@ internal static void WebAppCallsWebApiImplementation(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
DOMZE marked this conversation as resolved.
Show resolved Hide resolved
{
context!.Principal!.Identities.FirstOrDefault()?.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context!.Principal!.Identities.FirstOrDefault()?.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
var identity = context!.Principal!.Identities.FirstOrDefault();
if (identity != null)
{
var uniqueTenantIdentifierClaim = identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
var uniqueObjectIdentifierClaim = identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
{
context.Fail(new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueTenantIdentifierClaim
});
return;
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
context.Fail(new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
});
return;
}

identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
}
}
await onTokenValidatedHandler(context).ConfigureAwait(false);
Expand Down
10 changes: 10 additions & 0 deletions tests/Microsoft.Identity.Web.Test.Common/TestHelpers/HttpContextUtilities.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.Collections.Generic;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
Expand Down Expand Up @@ -44,5 +45,14 @@ public static HttpContext CreateHttpContext(

return httpContext;
}

public static HttpContext CreateHttpContext(IEnumerable<Claim> claims)
{
var httpContext = CreateHttpContext();

httpContext.User = new ClaimsPrincipal(new CaseSensitiveClaimsIdentity(claims));

return httpContext;
}
}
}
Loading