Skip to content

Add checks to protect the internal claims used by MIW. Ref: issue #2968 #3131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Jan 3, 2025
Merged

Add checks to protect the internal claims used by MIW. Ref: issue #2968 #3131

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
f8f5512
Add InternalClaimDetectedException for ID Token validation
DOMZE Nov 5, 2024
6be209b
Add unit tests for the modifications
DOMZE Nov 5, 2024
06befbe
Add check for claim equality
DOMZE Nov 6, 2024
60e16d2
Change string comparison to OrdinalIgnoreCase
DOMZE Nov 7, 2024
cb2b715
Improvements based on feedback from PR
DOMZE Nov 8, 2024
be83a8a
Merge from master
DOMZE Nov 8, 2024
a54dcaf
PR changes post discussion
DOMZE Nov 8, 2024
9aabaed
Update src/Microsoft.Identity.Web.OWIN/AppBuilderExtension.cs
DOMZE Nov 11, 2024
fb3e767
Merge branch 'AzureAD:master' into domze/fix-issue-2968-claim-already…
DOMZE Nov 11, 2024
56b255c
Refactor to test each claim separately.
DOMZE Nov 12, 2024
31040e2
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Nov 12, 2024
ea8ef24
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Dec 9, 2024
3fcd58d
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Dec 12, 2024
c2b2f21
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Dec 20, 2024
22705ef
Change the logic to match
DOMZE Jan 2, 2025
642e791
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Jan 2, 2025
a81d6c6
Merge branch 'master' into domze/fix-issue-2968-claim-already-exist
DOMZE Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions src/Microsoft.Identity.Web.OWIN/AppBuilderExtension.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,23 @@ public static IAppBuilder AddMicrosoftIdentityWebApp(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
{
var uniqueTenantIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
var uniqueObjectIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueTenantIdentifierClaim,
};
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
};
}

context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
Expand All @@ -187,6 +204,23 @@ public static IAppBuilder AddMicrosoftIdentityWebApp(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
{
var uniqueTenantIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
var uniqueObjectIdentifierClaim = context.AuthenticationTicket.Identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueTenantIdentifierClaim
};
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
throw new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
};
}

context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
Expand Down
31 changes: 31 additions & 0 deletions src/Microsoft.Identity.Web.OWIN/InternalClaimDetectedException.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Security.Claims;

namespace Microsoft.Identity.Web.OWIN
{
/// <summary>
/// The exception that is thrown when an internal ID Token claim used by Microsoft.Identity.Web internally is detected in the user's ID Token.
/// </summary>
public class InternalClaimDetectedException : Exception
{
/// <summary>
/// Gets or sets the invalid claim.
/// </summary>
public Claim Claim { get; set; }

public InternalClaimDetectedException()
{
}

public InternalClaimDetectedException(string message) : base(message)
{
}

public InternalClaimDetectedException(string message, Exception innerException) : base(message, innerException)
{
}
}
}
30 changes: 20 additions & 10 deletions src/Microsoft.Identity.Web.OWIN/Microsoft.Identity.Web.OWIN.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

31 changes: 31 additions & 0 deletions src/Microsoft.Identity.Web/InternalClaimDetectedException.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Security.Claims;

namespace Microsoft.Identity.Web
{
/// <summary>
/// The exception that is thrown when an internal ID Token claim used by Microsoft.Identity.Web internally is detected in the user's ID Token.
/// </summary>
public class InternalClaimDetectedException : Exception
{
/// <summary>
/// Gets or sets the invalid claim.
/// </summary>
public Claim Claim { get; set; }

public InternalClaimDetectedException()
{
}

public InternalClaimDetectedException(string message) : base(message)
{
}

public InternalClaimDetectedException(string message, Exception innerException) : base(message, innerException)
{
}
}
}
27 changes: 25 additions & 2 deletions src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilder.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,8 +179,31 @@ internal static void WebAppCallsWebApiImplementation(

if (clientInfoFromServer != null && clientInfoFromServer.UniqueTenantIdentifier != null && clientInfoFromServer.UniqueObjectIdentifier != null)
{
context!.Principal!.Identities.FirstOrDefault()?.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
context!.Principal!.Identities.FirstOrDefault()?.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
var identity = context!.Principal!.Identities.FirstOrDefault();
if (identity != null)
{
var uniqueTenantIdentifierClaim = identity.FindFirst(c => c.Type == ClaimConstants.UniqueTenantIdentifier);
var uniqueObjectIdentifierClaim = identity.FindFirst(c => c.Type == ClaimConstants.UniqueObjectIdentifier);
if (uniqueTenantIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueTenantIdentifier, uniqueTenantIdentifierClaim.Value, StringComparison.Ordinal))
{
context.Fail(new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueTenantIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueTenantIdentifierClaim
});
return;
}
if (uniqueObjectIdentifierClaim != null && !string.Equals(clientInfoFromServer.UniqueObjectIdentifier, uniqueObjectIdentifierClaim.Value, StringComparison.Ordinal))
{
context.Fail(new InternalClaimDetectedException($"The claim \"{ClaimConstants.UniqueObjectIdentifier}\" is reserved for internal use by this library. To ensure proper functionality and avoid conflicts, please remove or rename this claim in your ID Token.")
{
Claim = uniqueObjectIdentifierClaim
});
return;
}

identity.AddClaim(new Claim(ClaimConstants.UniqueTenantIdentifier, clientInfoFromServer.UniqueTenantIdentifier));
identity.AddClaim(new Claim(ClaimConstants.UniqueObjectIdentifier, clientInfoFromServer.UniqueObjectIdentifier));
}
}
}
await onTokenValidatedHandler(context).ConfigureAwait(false);
Expand Down
10 changes: 10 additions & 0 deletions tests/Microsoft.Identity.Web.Test.Common/TestHelpers/HttpContextUtilities.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.Collections.Generic;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
Expand Down Expand Up @@ -44,5 +45,14 @@ public static HttpContext CreateHttpContext(

return httpContext;
}

public static HttpContext CreateHttpContext(IEnumerable<Claim> claims)
{
var httpContext = CreateHttpContext();

httpContext.User = new ClaimsPrincipal(new CaseSensitiveClaimsIdentity(claims));

return httpContext;
}
}
}
Loading