Call TVP.CreateClaimsIdentity to support users that have overloaded. (#2716)

* Call TVP.CreateClaimsIdentity to support users that have overloaded.

* picked up SAML changes and TokenValidationResult

* updated JwtSecurityTokenHandler, reverted tests and removed method.

* touched up tests

---------

Co-authored-by: id4s <[email protected]>

Author: 2 people

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

@@ -227,7 +227,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JsonWebToken jwtToken, To
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 bool wasMapped = _inboundClaimTypeMap.TryGetValue(jwtClaim.Type, out string claimType);
@@ -296,7 +296,7 @@ private ClaimsIdentity CreateClaimsIdentityPrivate(JsonWebToken jwtToken, TokenV
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 string claimType = jwtClaim.Type;

src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs

@@ -649,7 +649,7 @@ protected virtual IEnumerable<ClaimsIdentity> ProcessStatements(SamlSecurityToke
 
                 if (!identityDict.TryGetValue(statement.Subject, out ClaimsIdentity identity))
                 {
-                    identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
+                    identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
                     ProcessSubject(statement.Subject, identity, issuer);
                     identityDict.Add(statement.Subject, identity);
                 }

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs

@@ -1307,7 +1307,7 @@ protected virtual ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlTok
                 actualIssuer = ClaimsIdentity.DefaultIssuer;
             }
 
-            var identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
+            var identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
 
             ProcessSubject(samlToken.Assertion.Subject, identity, actualIssuer);
             ProcessStatements(samlToken.Assertion.Statements, identity, actualIssuer);

src/Microsoft.IdentityModel.Tokens/ClaimsIdentityFactory.cs

@@ -37,45 +37,5 @@ internal static ClaimsIdentity Create(string authenticationType, string nameType
 
             return new ClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType);
         }
-
-        internal static ClaimsIdentity Create(SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
-        {
-            ClaimsIdentity claimsIdentity = validationParameters.CreateClaimsIdentity(securityToken, issuer);
-
-            // Set the SecurityToken in cases where derived TokenValidationParameters created a CaseSensitiveClaimsIdentity.
-            if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
-            {
-                caseSensitiveClaimsIdentity.SecurityToken = securityToken;
-            }
-            else if (claimsIdentity is not CaseSensitiveClaimsIdentity && AppContextSwitches.UseCaseSensitiveClaimsIdentityType())
-            {
-                claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
-                {
-                    SecurityToken = securityToken,
-                };
-            }
-
-            return claimsIdentity;
-        }
-
-        internal static ClaimsIdentity Create(TokenHandler tokenHandler, SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
-        {
-            ClaimsIdentity claimsIdentity = tokenHandler.CreateClaimsIdentityInternal(securityToken, validationParameters, issuer);
-
-            // Set the SecurityToken in cases where derived TokenHandler created a CaseSensitiveClaimsIdentity.
-            if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
-            {
-                caseSensitiveClaimsIdentity.SecurityToken = securityToken;
-            }
-            else if (claimsIdentity is not CaseSensitiveClaimsIdentity && AppContextSwitches.UseCaseSensitiveClaimsIdentityType())
-            {
-                claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
-                {
-                    SecurityToken = securityToken,
-                };
-            }
-
-            return claimsIdentity;
-        }
     }
 }

src/Microsoft.IdentityModel.Tokens/TokenValidationResult.cs

@@ -122,7 +122,7 @@ internal ClaimsIdentity ClaimsIdentityNoLocking
 
                     if (_validationParameters != null && SecurityToken != null && _tokenHandler != null && Issuer != null)
                     {
-                        _claimsIdentity = ClaimsIdentityFactory.Create(_tokenHandler, SecurityToken, _validationParameters, Issuer);
+                        _claimsIdentity = _tokenHandler.CreateClaimsIdentityInternal(SecurityToken, _validationParameters, Issuer);
                     }
 
                     _claimsIdentityInitialized = true;

src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs

@@ -1505,7 +1505,7 @@ protected virtual ClaimsIdentity CreateClaimsIdentity(JwtSecurityToken jwtToken,
 
         private ClaimsIdentity CreateClaimsIdentityWithMapping(JwtSecurityToken jwtToken, string actualIssuer, TokenValidationParameters validationParameters)
         {
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, actualIssuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, actualIssuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 if (_inboundClaimFilter.Contains(jwtClaim.Type))
@@ -1551,7 +1551,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JwtSecurityToken jwtToken
 
         private ClaimsIdentity CreateClaimsIdentityWithoutMapping(JwtSecurityToken jwtToken, string actualIssuer, TokenValidationParameters validationParameters)
         {
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, actualIssuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, actualIssuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 if (_inboundClaimFilter.Contains(jwtClaim.Type))

test/Microsoft.IdentityModel.JsonWebTokens.Tests/json/JsonWebTokenHandler.cs

@@ -792,7 +792,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JsonWebToken jwtToken, To
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 bool wasMapped = _inboundClaimTypeMap.TryGetValue(jwtClaim.Type, out string claimType);
@@ -861,7 +861,7 @@ private ClaimsIdentity CreateClaimsIdentityPrivate(JsonWebToken jwtToken, TokenV
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
+            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 string claimType = jwtClaim.Type;

test/Microsoft.IdentityModel.Tokens.Tests/ClaimsIdentityFactoryTests.cs

@@ -25,7 +25,7 @@ public void Create_FromTokenValidationParameters_ReturnsCorrectClaimsIdentity(bo
             tokenValidationParameters.NameClaimType = "custom-name";
             tokenValidationParameters.RoleClaimType = "custom-role";
 
-            var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);
+            var actualClaimsIdentity = tokenValidationParameters.CreateClaimsIdentity(jsonWebToken, Default.Issuer);
 
             Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
             Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
@@ -45,50 +45,41 @@ public void Create_FromTokenValidationParameters_ReturnsCorrectClaimsIdentity(bo
             AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityIdentityTypeSwitch, false);
         }
 
-        [Fact]
-        public void Create_FromDerivedTokenValidationParameters_HonorsSetSecurityToken()
-        {
-            var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor()));
-            var tokenValidationParameters = new DerivedTokenValidationParameters(returnCaseSensitiveClaimsIdentityWithToken: true);
-            tokenValidationParameters.AuthenticationType = "custom-authentication-type";
-            tokenValidationParameters.NameClaimType = "custom-name";
-            tokenValidationParameters.RoleClaimType = "custom-role";
-
-            var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);
-
-            // The SecurityToken set in derived TokenValidationParameters is honored.
-            Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);
-
-            var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
-            Assert.NotNull(securityToken);
-            Assert.IsType<TvpJsonWebToken>(securityToken);
-            Assert.NotEqual(jsonWebToken, securityToken);
-
-            Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
-            Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
-            Assert.Equal(tokenValidationParameters.RoleClaimType, actualClaimsIdentity.RoleClaimType);
-        }
-
         [Theory]
-        [InlineData(true)]
-        [InlineData(false)]
-        public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIdentity(bool tvpReturnsCaseSensitiveClaimsIdentityWithoutToken)
+        [InlineData(true, true)]
+        [InlineData(true, false)]
+        [InlineData(false, false)]
+        public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIdentity(bool tvpReturnsCaseSensitiveClaimsIdentity, bool tvpReturnsCaseSensitiveClaimsIdentityWithToken)
         {
             AppContext.SetSwitch(AppContextSwitches.UseCaseSensitiveClaimsIdentityIdentityTypeSwitch, true);
 
             var jsonWebToken = new JsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor()));
-            var tokenValidationParameters = new DerivedTokenValidationParameters(returnCaseSensitiveClaimsIdentityWithoutToken: tvpReturnsCaseSensitiveClaimsIdentityWithoutToken);
+            var tokenValidationParameters = new DerivedTokenValidationParameters(tvpReturnsCaseSensitiveClaimsIdentity, tvpReturnsCaseSensitiveClaimsIdentityWithToken);
             tokenValidationParameters.AuthenticationType = "custom-authentication-type";
             tokenValidationParameters.NameClaimType = "custom-name";
             tokenValidationParameters.RoleClaimType = "custom-role";
 
-            var actualClaimsIdentity = ClaimsIdentityFactory.Create(jsonWebToken, tokenValidationParameters, Default.Issuer);
+            var actualClaimsIdentity = tokenValidationParameters.CreateClaimsIdentity(jsonWebToken, Default.Issuer);
 
-            Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);
-
-            var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
-            Assert.NotNull(securityToken);
-            Assert.Equal(jsonWebToken, securityToken);
+            if (tvpReturnsCaseSensitiveClaimsIdentity)
+            {
+                Assert.IsType<CaseSensitiveClaimsIdentity>(actualClaimsIdentity);
+                if (tvpReturnsCaseSensitiveClaimsIdentityWithToken)
+                {
+                    var securityToken = ((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken;
+                    Assert.NotNull(securityToken);
+                    Assert.IsType<TvpJsonWebToken>(securityToken);
+                    Assert.NotEqual(jsonWebToken, securityToken);
+                }
+                else
+                {
+                    Assert.Null(((CaseSensitiveClaimsIdentity)actualClaimsIdentity).SecurityToken);
+                }
+            }
+            else
+            {
+                Assert.IsType<ClaimsIdentity>(actualClaimsIdentity);
+            }
 
             Assert.Equal(tokenValidationParameters.AuthenticationType, actualClaimsIdentity.AuthenticationType);
             Assert.Equal(tokenValidationParameters.NameClaimType, actualClaimsIdentity.NameClaimType);
@@ -101,28 +92,30 @@ public void Create_FromDerivedTokenValidationParameters_ReturnsCorrectClaimsIden
 
         private class DerivedTokenValidationParameters : TokenValidationParameters
         {
+            private bool _returnCaseSensitiveClaimsIdentity;
             private bool _returnCaseSensitiveClaimsIdentityWithToken;
-            private bool _returnCaseSensitiveClaimsIdentityWithoutToken;
 
-            public DerivedTokenValidationParameters(bool returnCaseSensitiveClaimsIdentityWithToken = false, bool returnCaseSensitiveClaimsIdentityWithoutToken = false)
+            public DerivedTokenValidationParameters(bool returnCaseSensitiveClaimsIdentity = false, bool returnCaseSensitiveClaimsIdentityWithToken = false)
             {
+                _returnCaseSensitiveClaimsIdentity = returnCaseSensitiveClaimsIdentity;
                 _returnCaseSensitiveClaimsIdentityWithToken = returnCaseSensitiveClaimsIdentityWithToken;
-                _returnCaseSensitiveClaimsIdentityWithoutToken = returnCaseSensitiveClaimsIdentityWithoutToken;
             }
 
             public override ClaimsIdentity CreateClaimsIdentity(SecurityToken securityToken, string issuer)
             {
-                if (_returnCaseSensitiveClaimsIdentityWithToken)
+                if (_returnCaseSensitiveClaimsIdentity)
                 {
-                    return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType)
+                    if (_returnCaseSensitiveClaimsIdentityWithToken)
                     {
-                        SecurityToken = new TvpJsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())),
-                    };
-                }
-
-                if (_returnCaseSensitiveClaimsIdentityWithoutToken)
-                {
-                    return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);
+                        return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType)
+                        {
+                            SecurityToken = new TvpJsonWebToken(Default.Jwt(Default.SecurityTokenDescriptor())),
+                        };
+                    }
+                    else
+                    {
+                        return new CaseSensitiveClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);
+                    }
                 }
 
                 return new ClaimsIdentity(AuthenticationType, NameClaimType, RoleClaimType);