There is a relationship between P, Q and Modulus, if this is not correct, then things most likely will go very bad from here. So this fix is in the principal of early detection and failure as later when creating the RSACryptoServiceProvider fail later on.

Add this check and throw appropriate exception.

With the latest RC2 bits I notice that the 'sub' claim gets filtered out when using OpenIdc middleware for authentication.

Parameters are expected to be strings, if not we need to log the error.
see: public JsonWebKey(IDictionary<string, object> dictionary)

Support for Symmetric Algorithms needs to be added back into K.
This support was dropped while FxCore was solidifying the crypto support.
Action is to review the symmetric support in FxCore and determine if it is sufficient if not, add a PInvoke layer into the OS.

The code at https://gist.github.com/simonjefford/af965f76a75a7ce0f0ea fails with

System.IdentityModel.SignatureVerificationFailedException: IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.RsaSecurityKey'.

I can provide a sample JWT over email.

How would I construct a JWT with multiple audiences? There should be a constructor that takes a string[] for the audience.

Symbols for the identitymodel extensions dlls are not available, making it hard to debug.

They are available for the Katana dlls.

Build form post is not appending the closing "bracket" correctly after the IssuerAddress and for each "key,value" when adding in the foreach (KeyValuePair< ....) loop.

Currently RSA is the only supported key type, that is 'Kty must equal JsonWebAlgorithmsKeyTypes.RSA'
We need to add support for

1. x5t
2. Symmetric
3. ECH

JwtSecurityTokenHandler uses string.split('.') which is not performant if a lot of .'s exist.

OpenIdConnectProtocolValidator has code to validate hashes, but the project doesn't have a hash generator. There's significant overlap between the two flows, and this would be useful to provide for developers.

See:
https://katanaproject.codeplex.com/SourceControl/network/forks/manfredsteyer/OIDCServerMiddleware/contribution/6985#file_diff_Microsoft.Owin.Security.OpenIdConnect.Server/OpenIdConnectHashGenerator.cs

Waiting for FxCore to solidify on Crypto support. Review what is available in RC and if sufficient, use it OR add a PInvoke layer to call the OS support.

The OpenID Connect Discovery 1.0 specification describes a RECOMMENDED metadata value called "userinfo_endpoint". This is supported by the UserInfoEndpoint property of class OpenIdConnectConfiguration, but unfortunately the SetFromDictionary method doesn't process the value from the incoming JSON.

The simple fix is to add a new constant to OpenIdProviderMetadataNames and to provide support for that value in the SetFromDictionary method.

New changes in specifications require the JwtHeader to support JSON parameters. In particular X5c.

Please consider updating the error message to

The 'nonce' found in the jwt token: '{0}', did not match the nonce found in the cookie: '{1}'.\njwt: '{2}'.";

Wilson provides a mechanism for automatic configuration retrieval, Kantana users need a way to turn it off.

The mechanism for turning off automatic configuration requires users to obtain config and set in on the optons. There is no way to easily way to set the metatdata address and indicate to the runtime "do not update automatically".

Add a test to ensure that out of the box, MSA pass-through works by default for Wilson.

These need to be added to constructor.

        AuthorizationEndpoint = other.AuthorizationEndpoint;
        RequestType = other.RequestType;
        TokenEndpoint = other.TokenEndpoint;

There has been some confusion because users tend to think of 'auth-time' as a POSIX time and 'http://.../authenticationinstance' as a date time string such as: 2014-10-28T00:50:51.000Z

Here are some known locations, there may be others:

1. RsaSecurityKey(RSAParameters rsaParameters)
2. AsymmetricSignatureProvider.Sign
3. AsymmetricSignatureProvider.Verify
4. GenericDocumentRetriever.GetDocumentAsync

Do we need to have some 'other' type of reporting when these fail (return false).
OR is that up to the implementer.

Can you please implement JWE support? I have a requirement for using this and it is not available. It also seems pretty common to use JWT and JWE together (for example OpenID Connect spec). So this would be really helpful. Thank you!

ConfigurationManager<T>’s AutomaticRefreshInterval, MinimumIntervalBetweenRefreshAttempts should clearly indicate the bounds when a value is set outside of the bounds.

For example for the below setting, the following exception message is shown:

Notifications = new WsFederationAuthenticationNotifications()
                    {
                        MessageReceived = context =>
                            {
                                var configManager = context.Options.ConfigurationManager as ConfigurationManager<WsFederationConfiguration>;
                                configManager.MinimumIntervalBetweenRefreshAttempts = new TimeSpan(100);
                                context.Options.ConfigurationManager.RequestRefresh();
                                return Task.FromResult(0);
                            }
                    }

00:00:01
Parameter name: value
Actual value was 00:00:00.0000100.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentOutOfRangeException: 00:00:01
Parameter name: value
Actual value was 00:00:00.0000100.

The jwt token that comes to the Relying Party is in the format of "BinarySecurityToken". The code path in JwtSecurityTokenHandler that takes in TokenValidationParameters, expects the jwt token to be in the format of encoded jwt string (^[A-Za-z0-9-]+.[A-Za-z0-9-]+.[A-Za-z0-9-_]*$).

The stack trace is available at http://katanaproject.codeplex.com/discussions/548517#post1259890

Example BinarySecurityToken:

"<wsse:BinarySecurityToken wsu:Id="_38f31386-bf3e-4c93-a62c-30fa0452ade8-D60C1C07E1AFA969FE4254D90951D072" ValueType="urn:ietf:params:oauth:token-type:jwt" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">ZXlK3ZMM.............I5dloyeGVXMA==/wsse:BinarySecurityToken

We should support disabling one or both refresh intervals by setting Timeout.InfiniteTimeSpan.

                ConfigurationManager = new ConfigurationManager<WsFederationConfiguration>(metadata)
                {
                    AutomaticRefreshInterval = Timeout.InfiniteTimeSpan,
                    MinimumIntervalBetweenRefreshAttempts = Timeout.InfiniteTimeSpan
                },

Seperately, we'll add bool RefreshOnIssuerKeyNotFound at the middleware layer.

JwtSecurityTokenHandler.ValidateSignature uses string concat, stringbuilder would be more efficient.

When creating a nonce, add a the current time in UTC to the beginning.
Add a timespan property (default 1 min) to ProtocolValidation that will reject all nonces that are 'old'.

Why do you have Azure AD in the naming? Shouldn't the JWT or OIDC implementations be general purpose?

ConfigurationManager.GetConfigurationAsync should log the exception in the catch(Exception ex) block.

This is a helper class used by the SamlSecurityTokenHandlers to act as a SecurityTokenResolver when validating tokens.

The current model for delegates puts the control of throwing in the developers hands. this means in order have a consistent model with the runtime (from the perspective of exceptions), the developer will need to review our exception classes.

A review with Vittorio resulted in a suggested change to the model to have the delegates (audience and lifetime) return true / false and the runtime throw SecurityTokenInvalidAudienceException and SecurityTokenInvalidLifeTimeException if false is returned. This is a simplier model for users.

The proposed error messages are:

"IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{0}'.";
"IDX10231: Audience validation failed. Delegate returned false, securitytoken: '{0}'.";

The ValidateIssuer delegate returns a string as an issuer may not be defined in a token.

The current OM returns a string;
public delegate string IssuerValidator(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters);

Some options:

1. Out param / throw on false: public delegate bool IssuerValidator(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, out string useIhisIssuer);
2. Leave the OM as is, if issuer is returned as null or whitespace throw

"IDX10232: Issuer validation failed. Delegate returned null or whitespace, securitytoken: '{0}'.";

From Prabu,

Yesterday when I downloaded the latest bits of WSFederation & identity model bits from their respective myget feeds, I ran into these exceptions. Chris and I looking at it further realized that the strong name of the identity model assemblies contain the nightly build version numbers. Since the latest WSFederation dll that I downloaded from myget was compiled against a different version of these identity model assemblies I ran into this exception. Typically nuget adds a binding redirect in these cases, but sometimes it does not when these packages are being installed on class libraries – especially the case if it’s a class library.

Ask here is: Can we make the strong name of the identity model dlls to contain only the release version instead of the nightly build version? In katana as a general practice we revise the version number in strong name only for major versions. Nightly build numbers will go only as package version and file version giving a smoother experience for people trying out nighty builds.

A first chance exception of type 'System.IO.FileLoadException' occurred in Microsoft.Owin.Security.WsFederation.dll

Additional information: Could not load file or assembly 'System.IdentityModel.Tokens.Jwt, Version=4.0.10527.1506, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

A first chance exception of type 'System.IO.FileLoadException' occurred in mscorlib.dll

Additional information: Could not load file or assembly 'Microsoft.IdentityModel.Protocol.Extensions, Version=1.0.10527.1506, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

It can be something like this:

Microsoft.IdentityModel.Protocol.Extensions, Version=1.0.10602.1106 1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Microsoft.IdentityModel.Protocol.Extensions, Version=4.0.10527.1506 4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

In file :
https://github.com/MSOpenTech/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/src/System.IdentityModel.Tokens.Jwt/JwtPayload.cs

line 153, IList audiences = value as IList;
it checks audiences against string, however when the object serializes tojson and deserialized, due to natüre of json, it would be converted to an object[]. So even if we have valid strings, it will fail due to incorrect check as above. It should check if value is IEnumerable then it should check if each item is a string instead.

ConfigurationManager<T>, StaticConfigurationManager<T> contains a TODO’s comment in the class level XML comment.
ConfigurationManager<T>’s AutomaticRefreshInterval, MinimumIntervalBetweenRefreshAttempts properties XML summary can indicate what’s the default value used.

e.g. HttpUtility.

I don't want a System.Web dependency in e.g. a OWIN self-host.

It would be good if the issuer validation can be toggled with one switch, ValidateIssuer.

CreateProvider should check the maximum size of the key. this helps mitigate DOS attacks where large key sizes are specified.

The class in the file is SecurityKeyResolver, they should have the same name.

[assembly: AssemblyMetadata("Serviceable", "True")]

The 4.5.1 CLR can pick up this attribute and service this assembly from Windows Update.

public interface IExpirableNonceCache is used by developers for mitigating token replays. TokenValidationParameters.TokenReplayCache is the property they use when token replay mitigation is required.

Review with Vittorio concluded with a recommendation of changing the interface and parameter names to match the use of the property.

new OM suggested:
public ITokenReplayCache TokenReplayCache
bool TryAdd(string securityToken, DateTime expiresOn);
bool TryFind(string securityToken);

http://katanaproject.codeplex.com/discussions/548518#post1256530

I’d guess it’s caused by these statements:

private static bool AreEqual(byte[] a, byte[] b)
        {
            int result = 0;
            byte[] a1, a2;

            if (((null == a) || (null == b))
            || (a.Length != b.Length))
            {
                a1 = bytesA; // HERE
                a2 = bytesB;
            }
            else
            {
                a1 = a; 
                a2 = b;
            }

            for (int i = 0; i < a.Length; i++) // HERE
            {
                result |= a1[i] ^ a2[i];  // And HERE
            }

            return result == 0;
        }

public const string IDX10228 = "IDX10228: The securityToken has previously been been validated, securityToken: '{0}'.";

Comments are missing from the Type.

JSon serialization / deserialization and creation of claims takes a hard dependency on NewtonSoft throughout the stack. If a user wishes to use a different serializer, it would be difficult to do so.
We need to examine the stack and ensure extensibility is possible.

See:

1. JwtPayload.Claims
2. JsonWebKey constructor
3. JsonWebKeySet constructor
4. ConfigurationManager

if the user has set TokenValidationParameters.IssuerSigningKeyResolver and that delegate returns a null key the method should return false. Otherwise layers below will try to access a null key.

A token is created by calling CreateToken() and in the claimsIdentity obtained by calling JwtFormat.Unprotect(jwtToken), the claims iss, aud and exp are missing.

public int? Iat

    {

        get { return this.GetIntClaim(JwtConstants.ReservedClaims.Iss);  --- should be Iat instead.}

    }

Reminder to run PoliCheck, APIScan, FXCop, etc before GA, as required for QE process

When using the JwtSecurityTokenHandler in my web application I ended up with an exception IDX11008 (This method is not supported to validate a 'jwt' use the method: ValidateToken(String, TokenValidationParameters, out SecurityToken))
The call stack is this:
System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(SecurityToken token) +46 System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +73 System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118 System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +489 System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +361 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69

I created the web application with Visual Studio 2013 by using the the wizard for .NET 4.5: "ASP .NET Web Application" and then the "Web Forms" template. Then "Change Authetication", "Organizational Accounts", "On-Premisis" and then the fedaration URL of Azure ACS.

I don't know if I did it as it is supposed to work. But I don't understand why the ValidateToken is declared obsolete while it is called by the .NET Framework.