Add TimeProvider support to token validation by alexmurari · Pull Request #2573 · AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

alexmurari · 2024-04-28T23:27:56Z

Add TimeProvider support to token validation

TimeProvider abstracts time and enables deterministic tests.

Description

Added a new parameter to the TokenValidationParameters class to hold the TimeProvider instance.
The default behavior's still the use of DateTime class to obtain the current time.

Fixes #2572

The TimeProvider class abstracts time, facilitating deterministic tests by removing reliance on ambient context for obtaining the current time. If not set, validators will fall back to using the DateTime class to obtain the current time.

alexmurari · 2024-04-28T23:31:12Z

@microsoft-github-policy-service agree

alexmurari · 2024-04-28T23:33:44Z

src/Microsoft.IdentityModel.Tokens/Microsoft.IdentityModel.Tokens.csproj

  </PropertyGroup>

+  <PropertyGroup>
+    <FrameworksWithoutTimeProvider>|net461|net462|net472|netstandard2.0|net6.0|</FrameworksWithoutTimeProvider>


TimeProvider is included by default in .NET 8 onwards. For every other target, we must eat the Microsoft.Bcl.TimeProvider nuget.

alexmurari · 2024-04-28T23:35:20Z

test/Microsoft.IdentityModel.Tokens.Tests/Microsoft.IdentityModel.Tokens.Tests.csproj

    <PackageReference Include="Microsoft.Azure.KeyVault.Cryptography" Version="$(MicrosoftAzureKeyVaultCryptographyVersion)" />
  </ItemGroup>

+  <ItemGroup Condition="'$(TargetFramework)' != 'net461'">


Every test target, except .NET FWK 4.6.1 supports the Microsoft.Extensions.TimeProvider.Testing.

alexmurari · 2024-04-28T23:41:53Z

build/common.props

  </PropertyGroup>

  <PropertyGroup>
+    <SuppressTfmSupportBuildWarnings>true</SuppressTfmSupportBuildWarnings>


Suppress "Microsoft.Bcl.TimeProvider doesn't support .NET Framework 4.6.1, consider upgrading [...]" warnings. (Altough it's compatible with that framework version).

alexmurari · 2024-04-28T23:42:12Z

build/commonTest.props

  </PropertyGroup>

  <PropertyGroup>
+    <SuppressTfmSupportBuildWarnings>true</SuppressTfmSupportBuildWarnings>


alexmurari · 2024-04-28T23:47:32Z

build/commonTest.props

+    <SuppressTfmSupportBuildWarnings>true</SuppressTfmSupportBuildWarnings>
    <NoWarn>$(NoWarn);SYSLIB0050</NoWarn>
    <NoWarn>$(NoWarn);SYSLIB0051</NoWarn>
+    <NoWarn>$(NoWarn);NU1701</NoWarn>


Suppresses the "This package may not be fully compatible with your project" warning. The cause is that Microsoft.Extensions.TimeProvider.Testing package is not compatible with .NET FWK 4.6.1.

pmaytak · 2024-05-02T17:15:16Z

@alexmurari Thanks for the proposal.

After team discussion, there is more design and work needed here. (Our PR process is described in the contributing guide, making sure a design is discussed before time is spent making changes.)

We're careful with adding new dependencies (MS.Bcl.TimeProvider) as it can create conflicts higher in the stack.
- So we can conditionally use TimeProvider only in .NET 8.
We need to make sure adding TimeProvider property to TokenValidationParameters is the right thing to do as it's a commonly used class.

Proposal could be:

Create an internal time provider abstraction, e.g. IInternalTimeProvider.
On .NET 8 it will use .NET's TimeProvider, on other platforms - the current DateTime class.
Update all DateTime related code to use this abstraction, including tests.
This will allow us more easily to add MS.Bcl.TimeProvider package in the future, if it's the right thing to do.

alexmurari · 2024-05-03T01:15:38Z

@pmaytak Thanks for the review and the modified proposal.

I agree to those points.

Client code would still need to provide a TimeProvider instance. Since DateTime usage is ubiquitous, we have two possibilities:

a. (Constructor/Method injection) Every class/method that needs a TimeProvider will have new parameters to receive it. (This kinda defeats the IInternalTimeProvider purpose).

- OR -

b. (Property-injection) We create an options class (e.g. TimeProviderOptions) that has an TimeProvider property. It's suitable for property-injection because it has a good local default: TimeProvider.System. It's basically an extension point.

public class TimeProviderOptions
{
    private TimeProvider _timeProvider = TimeProvider.System; // Local default

    public TimeProvider TimeProvider
    {
        get
        {
            return _timeProvider;
        }
        set
        {
            if (value == null) 
               throw new ArgumentNullException("value");

            _timeProvider = value;
        }
    }
}

We just need somewhere to set an instance of this options class, then the IInternalTimeProvider would use it to obtain the TimeProvider instance.

What do you think?

trejjam · 2024-05-23T17:09:09Z

We used a similar path with TimeProvider in OpenIddict:
https://github.com/openiddict/openiddict-core/pull/2071/files#diff-63fa24a3f983e94df2b11646deac927651bd5a5836f02d3d1de6dbd30f61e5baR1092

One of the constraints was also not to use the Bcl package. So there is #SUPPORTS_TIME_PROVIDER used instead

trejjam · 2024-05-23T17:12:12Z

This way, the PR becomes simple and minimalistic. I am willing to prepare PR using this approach.

trejjam · 2024-05-23T17:19:26Z

A workaround can look like this:

private const string TimeProviderName = "TimeProviderName";

/// <summary>
/// Validates the lifetime of a <see cref="SecurityToken"/>.
/// </summary>
internal static bool ValidateLifetime(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
{
    if (!expires.HasValue && validationParameters.RequireExpirationTime)
    {
        throw LogHelper.LogExceptionMessage(new SecurityTokenNoExpirationException(
            LogHelper.FormatInvariant("IDX10225", LogHelper.MarkAsNonPII(securityToken.GetType().ToString()))
        ));
    }

    if (notBefore.HasValue && expires.HasValue && notBefore.Value > expires.Value)
    {
        throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidLifetimeException(
            LogHelper.FormatInvariant("IDX10224", LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(expires.Value))
        )
        {
            NotBefore = notBefore,
            Expires = expires,
        });
    }

    var timeProvider = (TimeProvider) validationParameters.InstancePropertyBag[TimeProviderName];

    var utcNow = timeProvider.GetUtcNow().UtcDateTime;
    if (notBefore.HasValue && notBefore.Value > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
    {
        throw LogHelper.LogExceptionMessage(new SecurityTokenNotYetValidException(
            LogHelper.FormatInvariant("IDX10222", LogHelper.MarkAsNonPII(notBefore.Value), LogHelper.MarkAsNonPII(utcNow))
        )
        {
            NotBefore = notBefore.Value,
        });
    }

    if (expires.HasValue && expires.Value < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
    {
        throw LogHelper.LogExceptionMessage(new SecurityTokenExpiredException(
            LogHelper.FormatInvariant("IDX10223", LogHelper.MarkAsNonPII(expires.Value), LogHelper.MarkAsNonPII(utcNow))
        )
        {
            Expires = expires.Value,
        });
    }

    // if it reaches here, that means lifetime of the token is valid
    LogHelper.LogInformation("IDX10239");
    return true;
}

var timeProvider = TimeProvider.System;

var validationParameters = new TokenValidationParameters
{
  LifetimeValidator = ValidateLifetime,
}
validationParameters.InstancePropertyBag.Add(TimeProviderName, timeProvider);

alexmurari · 2024-05-26T15:50:04Z

@trejjam That's a great approach! The changes to OpenIddict were minimal.

Fine by me a new PR with this approach. I'm just not sure where client code will configure the desired TimeProvider instance.

trejjam · 2024-05-27T10:26:48Z

Hi my PR is here: #2612

alexmurari · 2024-05-27T13:34:33Z

Closing in favor of #2612

alexmurari added 2 commits April 28, 2024 19:17

Add TimeProvider support to token validation

1ce98a6

The TimeProvider class abstracts time, facilitating deterministic tests by removing reliance on ambient context for obtaining the current time. If not set, validators will fall back to using the DateTime class to obtain the current time.

Add TimeProvider tests

7b29662

alexmurari requested a review from a team as a code owner April 28, 2024 23:27

alexmurari commented Apr 28, 2024

View reviewed changes

alexmurari closed this May 27, 2024

alexmurari deleted the feature/support-timeprovider-token-validation branch May 27, 2024 13:34

alexmurari mentioned this pull request Jul 26, 2024

Feature/time provider #2612

Open

5 tasks

Conversation

alexmurari commented Apr 28, 2024

Add TimeProvider support to token validation

Description

Uh oh!

alexmurari commented Apr 28, 2024

Uh oh!

alexmurari Apr 28, 2024

Choose a reason for hiding this comment

Uh oh!

alexmurari Apr 28, 2024

Choose a reason for hiding this comment

Uh oh!

alexmurari Apr 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

alexmurari Apr 28, 2024

Choose a reason for hiding this comment

Uh oh!

alexmurari Apr 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

pmaytak commented May 2, 2024

Uh oh!

alexmurari commented May 3, 2024

Uh oh!

trejjam commented May 23, 2024

Uh oh!

trejjam commented May 23, 2024

Uh oh!

trejjam commented May 23, 2024

Uh oh!

alexmurari commented May 26, 2024

Uh oh!

trejjam commented May 27, 2024

Uh oh!

alexmurari commented May 27, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

alexmurari Apr 28, 2024 •

edited

Loading

alexmurari Apr 28, 2024 •

edited

Loading