accomodate for breaking changes in JWT handler

leastprivilege · leastprivilege · commit dcdb7ab058a8 · 2021-05-11T20:02:37.000+02:00
diff --git a/src/IdentityTokenValidator/IdentityTokenValidator.csproj b/src/IdentityTokenValidator/IdentityTokenValidator.csproj
@@ -29,7 +29,7 @@
     <ItemGroup>
         <PackageReference Include="minver" Version="2.5.0" PrivateAssets="All" />
 
-        <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.9.0" />
+        <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.11.0" />
         <PackageReference Include="Microsoft.Extensions.Logging" Version="5.0.0" />
         <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0" PrivateAssets="All" />
     </ItemGroup>
diff --git a/src/IdentityTokenValidator/JwtHandlerIdentityTokenValidator.cs b/src/IdentityTokenValidator/JwtHandlerIdentityTokenValidator.cs
@@ -94,6 +94,14 @@ public async Task<IdentityTokenValidationResult> ValidateAsync(string identityTo
                     };
                 }
 
+                if (result.Exception is SecurityTokenUnableToValidateException)
+                {
+                    return new IdentityTokenValidationResult
+                    {
+                        Error = "unable_to_validate_token"
+                    };
+                }
+
                 throw result.Exception;
             }
 
diff --git a/test/JwtValidationTests/CodeFlowResponseTestsWithJwtValidation.cs b/test/JwtValidationTests/CodeFlowResponseTestsWithJwtValidation.cs
@@ -601,7 +601,7 @@ public async Task No_keyset_for_identity_token_should_fail()
             var result = await client.ProcessResponseAsync(url, state);
 
             result.IsError.Should().BeTrue();
-            result.Error.Should().Contain("invalid_signature");
+            result.Error.Should().Contain("unable_to_validate_token");
         }
 
         [Fact]
@@ -626,7 +626,7 @@ public async Task Untrusted_identity_token_should_fail()
             var result = await client.ProcessResponseAsync(url, state);
 
             result.IsError.Should().BeTrue();
-            result.Error.Should().Contain("invalid_signature");
+            result.Error.Should().Contain("unable_to_validate_token");
         }
 
         [Theory]

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,14 @@ public async Task<IdentityTokenValidationResult> ValidateAsync(string identityTo`
`94`	`94`	`};`
`95`	`95`	`}`
`96`	`96`
	`97`	`+ if (result.Exception is SecurityTokenUnableToValidateException)`
	`98`	`+ {`
	`99`	`+ return new IdentityTokenValidationResult`
	`100`	`+ {`
	`101`	`+ Error = "unable_to_validate_token"`
	`102`	`+ };`
	`103`	`+ }`
	`104`	`+`
`97`	`105`	`throw result.Exception;`
`98`	`106`	`}`
`99`	`107`
Original file line number	Diff line number	Diff line change
`@@ -601,7 +601,7 @@ public async Task No_keyset_for_identity_token_should_fail()`
`601`	`601`	`var result = await client.ProcessResponseAsync(url, state);`
`602`	`602`
`603`	`603`	`result.IsError.Should().BeTrue();`
`604`		`- result.Error.Should().Contain("invalid_signature");`
	`604`	`+ result.Error.Should().Contain("unable_to_validate_token");`
`605`	`605`	`}`
`606`	`606`
`607`	`607`	`[Fact]`
`@@ -626,7 +626,7 @@ public async Task Untrusted_identity_token_should_fail()`
`626`	`626`	`var result = await client.ProcessResponseAsync(url, state);`
`627`	`627`
`628`	`628`	`result.IsError.Should().BeTrue();`
`629`		`- result.Error.Should().Contain("invalid_signature");`
	`629`	`+ result.Error.Should().Contain("unable_to_validate_token");`
`630`	`630`	`}`
`631`	`631`
`632`	`632`	`[Theory]`