Add checks to protect the internal claims used by MIW. Ref: issue #2968 #3131
Conversation
Introduce InternalClaimDetectedException in Microsoft.Identity.Web and Microsoft.Identity.Web.OWIN namespaces. This exception is thrown when internal ID Token claims (UniqueTenantIdentifier, UniqueObjectIdentifier) are detected in the user's ID Token. Updated AppBuilderExtension.cs and MicrosoftIdentityWebAppAuthenticationBuilder.cs to check for these claims and throw the exception if found. The new exception class includes a property to store the invalid claim
|
@bgavrilMS / @jennyf19 / @jmprieur please review. Thank you! |
|
@microsoft-github-policy-service agree |
src/Microsoft.Identity.Web.OWIN/InternalClaimDetectedException.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.OWIN/Microsoft.Identity.Web.OWIN.xml
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.OWIN/InternalClaimDetectedException.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.OWIN/InternalClaimDetectedException.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilder.cs
Outdated
Show resolved
Hide resolved
|
LGTM, I only have minor comments and resolving @msbw2 's comments |
Update the description based on PR review Co-authored-by: Bogdan Gavril <bogavril@microsoft.com>
|
@bgavrilMS @jmprieur @jennyf19 @pmaytak to be able to go forward, we just need your input on claims casing match (type+value/value only) and the changes are done. Thank you! |
I am fine with case insensitive. |
ClaimsType should never be treated as case insensitive |
|
I think claim names should be case sensitive at least as per JWT spec. IdentityModel also treats them as case sensstive. |
|
Read the issue, thought about this more. When we search for a claim to validate or use, then we should be case sensitive. This way we get the exact claim we're looking for. However, if our intent is to throw an exception if the user specified any variation of utid or uid, then we should use case insensitive approach to broaden the search. This way we ensure that the token only ever has utid and uid variations of claim names. |
There was a problem hiding this comment.
Copilot reviewed 5 out of 13 changed files in this pull request and generated no comments.
Files not reviewed (8)
- src/Microsoft.Identity.Web.OWIN/Microsoft.Identity.Web.OWIN.xml: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Shipped.txt: Language not supported
- src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Shipped.txt: Language not supported
Add checks to protect the users to not use internal claims used by the library
Summary of the changes (Less than 80 chars)
Description
Introduce InternalClaimDetectedException in Microsoft.Identity.Web and Microsoft.Identity.Web.OWIN namespaces. This exception is thrown when internal ID Token claims (UniqueTenantIdentifier, UniqueObjectIdentifier) are detected in the user's ID Token. Updated AppBuilderExtension.cs and MicrosoftIdentityWebAppAuthenticationBuilder.cs to check for these claims and throw the exception if found. The new exception class includes a property to store the invalid claim
Fixes #2968 (in this specific format)