From dcd998173eb9b5ee7c8377d585d51626ca96de30 Mon Sep 17 00:00:00 2001 From: jennyf19 Date: Thu, 10 Jun 2021 12:52:21 -0700 Subject: [PATCH] fix issuer (#1260) * fix issuer * fix warning --- .../Microsoft.Identity.Web.xml | 4 +- .../Resource/AadIssuerValidator.cs | 39 ++++++++-------- .../MicrosoftIdentityIssuerValidatorTests.cs | 44 ------------------- 3 files changed, 24 insertions(+), 63 deletions(-) diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml index 94fb9e4da..7c9988aca 100644 --- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml +++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml @@ -2412,7 +2412,7 @@ Specific log message from TokenAcquisition. Exception from MSAL.NET. - + Logger for handling information specific to MSAL in token acquisition. @@ -2420,6 +2420,8 @@ durationTotalInMs. durationInHttpInMs. durationInCacheInMs. + cache or IDP. + correlationId. Exception from MSAL.NET. diff --git a/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs b/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs index 61934f02d..836f0bf3e 100644 --- a/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs +++ b/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs 
@@ -74,7 +74,26 @@ public string Validate(
 throw new SecurityTokenInvalidIssuerException(IDWebErrorMessage.TenantIdClaimNotPresentInToken);
 }
 
- if (validationParameters.ValidIssuers == null && validationParameters.ValidIssuer == null)
+ if (validationParameters.ValidIssuers != null)
+ {
+ foreach (var validIssuerTemplate in validationParameters.ValidIssuers)
+ {
+ if (IsValidIssuer(validIssuerTemplate, tenantId, actualIssuer))
+ {
+ return actualIssuer;
+ }
+ }
+ }
+
+ if (validationParameters.ValidIssuer != null)
+ {
+ if (IsValidIssuer(validationParameters.ValidIssuer, tenantId, actualIssuer))
+ {
+ return actualIssuer;
+ }
+ }
+
+ try
 {
 if (securityToken.Issuer.EndsWith("v2.0", StringComparison.OrdinalIgnoreCase))
 {
@@ -105,24 +124,8 @@ public string Validate(
 }
 }
 }
-
- if (validationParameters.ValidIssuers != null)
- {
- foreach (var validIssuerTemplate in validationParameters.ValidIssuers)
- {
- if (IsValidIssuer(validIssuerTemplate, tenantId, actualIssuer))
- {
- return actualIssuer;
- }
- }
- }
-
- if (validationParameters.ValidIssuer != null)
+ catch
- {
- if (IsValidIssuer(validationParameters.ValidIssuer, tenantId, actualIssuer))
- {
- return actualIssuer;
- }
 }
 
 // If a valid issuer is not found, throw
diff --git a/tests/Microsoft.Identity.Web.Test/Resource/MicrosoftIdentityIssuerValidatorTests.cs b/tests/Microsoft.Identity.Web.Test/Resource/MicrosoftIdentityIssuerValidatorTests.cs
index 09bf74baa..40f5a1a79 100644
--- a/tests/Microsoft.Identity.Web.Test/Resource/MicrosoftIdentityIssuerValidatorTests.cs
+++ b/tests/Microsoft.Identity.Web.Test/Resource/MicrosoftIdentityIssuerValidatorTests.cs
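Review bot: Dropping the `if (validationParameters.ValidIssuers == null && validationParameters.ValidIssuer == null)` guard in the first hunk means a token whose issuer matches none of the configured `ValidIssuers`/`ValidIssuer` templates is no longer rejected at this point but falls through to the issuer check inside the new `try` block (its body is outside the hunk), so an explicit issuer configuration becomes a fast path rather than an allow-list; the two tests deleted in MicrosoftIdentityIssuerValidatorTests.cs (Validate_NotMatchedIssuer_ThrowsException and Validate_NotMatchedToMultipleIssuers_ThrowsException) asserted exactly the rejection that goes away. If that widening is the intended fix for #1260 it should be stated in Validate's XML doc, e.g. `/// Issuers in ValidIssuers/ValidIssuer are accepted first; if none match, the issuer is still checked against the authority before the method throws.`; if it is not, re-gate the `try` on the removed condition and restore the deleted tests. In the second hunk `catch { }` swallows every exception from that path with no logging; because control then reaches the throw below the hunk this fails closed, but the reason (authority lookup failure versus a genuinely wrong issuer) is lost, so log the exception or add a comment saying why it is ignored. The body of the `try` and the final throw of Validate are outside both hunks, so the fall-through is inferred from the surrounding control flow.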
@@ -250,50 +250,6 @@ public void Validate_TidClaimInToken_ReturnsIssuer()
 Assert.Equal(TestConstants.AadIssuer, actualIssuer);
 }
 
- [Fact]
- public void Validate_NotMatchedIssuer_ThrowsException()
- {
- var validator = new AadIssuerValidator(null, _httpClientFactory, TestConstants.AadIssuer);
- var tidClaim = new Claim(TestConstants.ClaimNameTid, TestConstants.TenantIdAsGuid);
- var issClaim = new Claim(TestConstants.ClaimNameIss, TestConstants.AadIssuer);
- var jwtSecurityToken = new JwtSecurityToken(issuer: TestConstants.AadIssuer, claims: new[] { issClaim, tidClaim });
- var expectedErrorMessage = string.Format(
- CultureInfo.InvariantCulture,
- IDWebErrorMessage.IssuerDoesNotMatchValidIssuers,
- TestConstants.AadIssuer);
-
- var exception = Assert.Throws(() =>
- validator.Validate(TestConstants.AadIssuer, jwtSecurityToken, new TokenValidationParameters() { ValidIssuer = TestConstants.B2CIssuer }));
- Assert.Equal(expectedErrorMessage, exception.Message);
- }
-
- [Fact]
- public void Validate_NotMatchedToMultipleIssuers_ThrowsException()
- {
- var validator = new AadIssuerValidator(null, _httpClientFactory, TestConstants.AadIssuer);
- var issClaim = new Claim(TestConstants.ClaimNameIss, TestConstants.AadIssuer);
- var tidClaim = new Claim(TestConstants.ClaimNameTid, TestConstants.TenantIdAsGuid);
- var jwtSecurityToken = new JwtSecurityToken(issuer: TestConstants.AadIssuer, claims: new[] { issClaim, tidClaim });
- var expectedErrorMessage = string.Format(
- CultureInfo.InvariantCulture,
- IDWebErrorMessage.IssuerDoesNotMatchValidIssuers,
- TestConstants.AadIssuer);
-
- var exception = Assert.Throws(() =>
- validator.Validate(
- TestConstants.AadIssuer,
- jwtSecurityToken,
- new TokenValidationParameters()
- {
- ValidIssuers = new[]
- {
- "https://host1/{tenantid}/v2.0",
- "https://host2/{tenantid}/v2.0",
- },
- }));
- Assert.Equal(expectedErrorMessage, exception.Message);
- }
-
 // Regression test for
https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/issues/68
 // Similar to Validate_NotMatchedToMultipleIssuers_ThrowsException but uses B2C values
 [Fact]