Add MapInboundClaims top level sugar for JwtBearerOptions (#24636)

HaoK · web-flow · commit fae4a56ff6a2 · 2020-08-13T22:44:10.000Z
* Add MapInboundClaims option

* Update JwtBearerOptions.cs

* Update JwtBearerTests.cs

* Update JwtBearerOptions.cs

* Update JwtBearerOptions.cs

* Update JwtBearerTests.cs

* Add MapImboundClaims to OIDC

* Update OpenIdConnectTests.cs

* Update OpenIdConnectOptions.cs

* Update OpenIdConnectOptions.cs

* Use MapInboundClaims

* Update OpenIdConnectTests.cs
diff --git a/src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs b/src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs
@@ -16,6 +16,13 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
     /// </summary>
     public class JwtBearerOptions : AuthenticationSchemeOptions
     {
+        private JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();
+        
+        public JwtBearerOptions()
+        {
+            SecurityTokenValidators = new List<ISecurityTokenValidator> { _defaultHandler };
+        }
+    
         /// <summary>
         /// Gets or sets if HTTPS is required for the metadata address or authority.
         /// The default is true. This should be disabled only in development environments.
@@ -90,7 +97,7 @@ public class JwtBearerOptions : AuthenticationSchemeOptions
         /// <summary>
         /// Gets the ordered list of <see cref="ISecurityTokenValidator"/> used to validate access tokens.
         /// </summary>
-        public IList<ISecurityTokenValidator> SecurityTokenValidators { get; } = new List<ISecurityTokenValidator> { new JwtSecurityTokenHandler() };
+        public IList<ISecurityTokenValidator> SecurityTokenValidators { get; private set; }
 
         /// <summary>
         /// Gets or sets the parameters used to validate identity tokens.
@@ -111,6 +118,18 @@ public class JwtBearerOptions : AuthenticationSchemeOptions
         /// from returning an error and an error_description in the WWW-Authenticate header.
         /// </summary>
         public bool IncludeErrorDetails { get; set; } = true;
+        
+        /// <summary>
+        /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, which is used when determining 
+        /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>. 
+        /// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para>
+        /// <para>The default value is true.</para>
+        /// </summary>
+        public bool MapInboundClaims
+        {
+            get => _defaultHandler.MapInboundClaims;
+            set => _defaultHandler.MapInboundClaims = value;
+        }
 
         /// <summary>
         /// 1 day is the default time interval that afterwards, <see cref="ConfigurationManager" /> will obtain new configuration.
diff --git a/src/Security/Authentication/OpenIdConnect/samples/OpenIdConnectSample/Startup.cs b/src/Security/Authentication/OpenIdConnect/samples/OpenIdConnectSample/Startup.cs
@@ -89,8 +89,6 @@ public static bool DisallowsSameSiteNone(string userAgent)
 
         public void ConfigureServices(IServiceCollection services)
         {
-            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
-
             services.Configure<CookiePolicyOptions>(options =>
             {
                 options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
@@ -120,6 +118,7 @@ public void ConfigureServices(IServiceCollection services)
                 o.SaveTokens = true;
                 o.GetClaimsFromUserInfoEndpoint = true;
                 o.AccessDeniedPath = "/access-denied-from-remote";
+                o.MapInboundClaims = false;
 
                 // o.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce");
 
diff --git a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs
@@ -18,6 +18,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
     public class OpenIdConnectOptions : RemoteAuthenticationOptions
     {
         private CookieBuilder _nonceCookieBuilder;
+        private JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();
 
         /// <summary>
         /// Initializes a new <see cref="OpenIdConnectOptions"/>
@@ -38,6 +39,7 @@ public OpenIdConnectOptions()
             CallbackPath = new PathString("/signin-oidc");
             SignedOutCallbackPath = new PathString("/signout-callback-oidc");
             RemoteSignOutPath = new PathString("/signout-oidc");
+            SecurityTokenValidator = _defaultHandler;
 
             Events = new OpenIdConnectEvents();
             Scope.Add("openid");
@@ -253,7 +255,7 @@ public override void Validate()
         /// <summary>
         /// Gets or sets the <see cref="ISecurityTokenValidator"/> used to validate identity tokens.
         /// </summary>
-        public ISecurityTokenValidator SecurityTokenValidator { get; set; } = new JwtSecurityTokenHandler();
+        public ISecurityTokenValidator SecurityTokenValidator { get; set; }
 
         /// <summary>
         /// Gets or sets the parameters used to validate identity tokens.
@@ -337,5 +339,17 @@ public override CookieOptions Build(HttpContext context, DateTimeOffset expiresF
         /// The minimum time between <see cref="ConfigurationManager" /> retrievals, in the event that a retrieval failed, or that a refresh was explicitly requested. 30 seconds is the default.
         /// </summary>
         public TimeSpan RefreshInterval { get; set; } = ConfigurationManager<OpenIdConnectConfiguration>.DefaultRefreshInterval;
+        
+        /// <summary>
+        /// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidator, which is used when determining 
+        /// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>. 
+        /// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para>
+        /// <para>The default value is true.</para>
+        /// </summary>
+        public bool MapInboundClaims
+        {
+            get => _defaultHandler.MapInboundClaims;
+            set => _defaultHandler.MapInboundClaims = value;
+        }        
     }
 }
diff --git a/src/Security/Authentication/test/JwtBearerTests.cs b/src/Security/Authentication/test/JwtBearerTests.cs
@@ -116,6 +116,27 @@ public async Task SaveBearerToken()
             Assert.Equal(tokenText, await response.Response.Content.ReadAsStringAsync());
         }
 
+        [Fact]
+        public void MapInboundClaimsDefaultsToTrue()
+        {
+            var options = new JwtBearerOptions();
+            Assert.True(options.MapInboundClaims);
+            var jwtHandler = options.SecurityTokenValidators.First() as JwtSecurityTokenHandler;
+            Assert.NotNull(jwtHandler);
+            Assert.True(jwtHandler.MapInboundClaims);
+        }
+
+        [Fact]
+        public void MapInboundClaimsCanBeSetToFalse()
+        {
+            var options = new JwtBearerOptions();
+            options.MapInboundClaims = false;
+            Assert.False(options.MapInboundClaims);
+            var jwtHandler = options.SecurityTokenValidators.First() as JwtSecurityTokenHandler;
+            Assert.NotNull(jwtHandler);
+            Assert.False(jwtHandler.MapInboundClaims);
+        }
+
         [Fact]
         public async Task SignInThrows()
         {
diff --git a/src/Security/Authentication/test/OpenIdConnect/OpenIdConnectTests.cs b/src/Security/Authentication/test/OpenIdConnect/OpenIdConnectTests.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Globalization;
+using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
 using System.Net;
 using System.Security.Claims;
@@ -366,6 +367,27 @@ public async Task RemoteSignOut_Get_Successful()
             Assert.Contains(remoteSignOutTransaction.Response.Headers, h => h.Key == "Set-Cookie");
         }
 
+        [Fact]
+        public void MapInboundClaimsDefaultsToTrue()
+        {
+            var options = new OpenIdConnectOptions();
+            Assert.True(options.MapInboundClaims);
+            var jwtHandler = options.SecurityTokenValidator as JwtSecurityTokenHandler;
+            Assert.NotNull(jwtHandler);
+            Assert.True(jwtHandler.MapInboundClaims);
+        }
+
+        [Fact]
+        public void MapInboundClaimsCanBeSetToFalse()
+        {
+            var options = new OpenIdConnectOptions();
+            options.MapInboundClaims = false;
+            Assert.False(options.MapInboundClaims);
+            var jwtHandler = options.SecurityTokenValidator as JwtSecurityTokenHandler;
+            Assert.NotNull(jwtHandler);
+            Assert.False(jwtHandler.MapInboundClaims);
+        }
+        
         // Test Cases for calculating the expiration time of cookie from cookie name
         [Fact]
         public void NonceCookieExpirationTime()

Original file line number	Diff line number	Diff line change
`@@ -89,8 +89,6 @@ public static bool DisallowsSameSiteNone(string userAgent)`
`89`	`89`
`90`	`90`	`public void ConfigureServices(IServiceCollection services)`
`91`	`91`	`{`
`92`		`- JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();`
`93`		`-`
`94`	`92`	`services.Configure<CookiePolicyOptions>(options =>`
`95`	`93`	`{`
`96`	`94`	`options.MinimumSameSitePolicy = SameSiteMode.Unspecified;`
`@@ -120,6 +118,7 @@ public void ConfigureServices(IServiceCollection services)`
`120`	`118`	`o.SaveTokens = true;`
`121`	`119`	`o.GetClaimsFromUserInfoEndpoint = true;`
`122`	`120`	`o.AccessDeniedPath = "/access-denied-from-remote";`
	`121`	`+ o.MapInboundClaims = false;`
`123`	`122`
`124`	`123`	`// o.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce");`
`125`	`124`