From ade3b16d997cf318097f230487d100ade66692b2 Mon Sep 17 00:00:00 2001
From: Joe Schmitt
Date: Mon, 15 Apr 2024 11:19:02 -0700
Subject: [PATCH] Enable EnableAadSigningKeyIssuerValidation
---
 .../GenerateKeyTests.cs | 4 ++++
 .../dotnet-monitor/Auth/ApiKey/JwtBearerOptionsExtensions.cs | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/src/Tests/Microsoft.Diagnostics.Monitoring.Tool.FunctionalTests/GenerateKeyTests.cs b/src/Tests/Microsoft.Diagnostics.Monitoring.Tool.FunctionalTests/GenerateKeyTests.cs
index 9b82d5a2839..c6dec5b8fe9 100644
--- a/src/Tests/Microsoft.Diagnostics.Monitoring.Tool.FunctionalTests/GenerateKeyTests.cs
+++ b/src/Tests/Microsoft.Diagnostics.Monitoring.Tool.FunctionalTests/GenerateKeyTests.cs
@@ -7,6 +7,7 @@
 using Microsoft.Diagnostics.Monitoring.Tool.FunctionalTests.Runners;
 using Microsoft.Diagnostics.Monitoring.WebApi;
 using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Validators;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 using System.Threading;
@@ -90,6 +91,9 @@ public async Task GenerateKey(OutputFormat? format)
 ValidateActor = false,
 ValidateLifetime = false,
 };
+ // Required for CodeQL.
+ tokenValidationParams.EnableAadSigningKeyIssuerValidation();
+
 ClaimsPrincipal claimsPrinciple = tokenHandler.ValidateToken(tokenStr, tokenValidationParams, out SecurityToken validatedToken);
 Assert.True(claimsPrinciple.HasClaim(ClaimTypes.NameIdentifier, subject));
diff --git a/src/Tools/dotnet-monitor/Auth/ApiKey/JwtBearerOptionsExtensions.cs b/src/Tools/dotnet-monitor/Auth/ApiKey/JwtBearerOptionsExtensions.cs
index 3f36cef64f7..2eeea6cd475 100644
--- a/src/Tools/dotnet-monitor/Auth/ApiKey/JwtBearerOptionsExtensions.cs
+++ b/src/Tools/dotnet-monitor/Auth/ApiKey/JwtBearerOptionsExtensions.cs
@@ -4,6 +4,7 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Diagnostics.Monitoring.WebApi;
 using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Validators;
 namespace Microsoft.Diagnostics.Tools.Monitor.Auth.ApiKey
 {
@@ -31,6 +32,10 @@ public static void ConfigureApiKeyTokenValidation(this JwtBearerOptions options,
 ValidateActor = false,
 ValidateLifetime = false,
 };
+
+ // Required for CodeQL.
+ tokenValidationParameters.EnableAadSigningKeyIssuerValidation();
+
 options.TokenValidationParameters = tokenValidationParameters;
 }
 }
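Review bot: The comment `// Required for CodeQL.` above the added call in ConfigureApiKeyTokenValidation (and the identical one in the GenerateKey test hunk) says why the line was added but not what it does, so a later reader cannot tell whether removing it would weaken token validation. I would write something like `// Satisfies the CodeQL signing-key-issuer rule; not expected to change which API-key tokens are accepted.`, if that is indeed the intent, which the hunk does not show. The extension presumably wraps whatever signing-key validator is already set on the parameters, so it should stay after the object initializer, as it is here, and be kept last if more validators are added. Neither hunk adds an assertion for the new check, so a test that a token signed with an unexpected key is still rejected would show the call did not alter the outcome. Both method bodies begin outside their hunks.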