fix: Fixing code scanning alert on AAD issuer validation

microsoftgraph · Aug 19, 2024 · 523a5dc · 523a5dc
1 parent 7c7511c
commit 523a5dc
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/src/Microsoft.Graph.Core/Extensions/ITokenValidableExtension.cs b/src/Microsoft.Graph.Core/Extensions/ITokenValidableExtension.cs
@@ -7,6 +7,7 @@ namespace Microsoft.Graph
     using Microsoft.IdentityModel.Protocols.OpenIdConnect;
     using Microsoft.IdentityModel.Tokens;
     using Microsoft.IdentityModel.Protocols;
+    using Microsoft.IdentityModel.Validators;
     using System;
     using System.Collections.Generic;
     using System.Linq;
@@ -65,7 +66,7 @@ private static bool IsTokenValid(string token, JwtSecurityTokenHandler handler,
         {
             try
             {
-                handler.ValidateToken(token, new TokenValidationParameters
+                var tokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuer = true,
                     ValidateAudience = true,
@@ -74,7 +75,9 @@ private static bool IsTokenValid(string token, JwtSecurityTokenHandler handler,
                     ValidIssuers = issuersToValidate,
                     ValidAudiences = appIds,
                     IssuerSigningKeys = openIdConfig.SigningKeys
-                }, out _);
+                };
+                tokenValidationParameters.EnableAadSigningKeyIssuerValidation();
+                handler.ValidateToken(token,  tokenValidationParameters, out _);
             }
             catch
             {

diff --git a/src/Microsoft.Graph.Core/Microsoft.Graph.Core.csproj b/src/Microsoft.Graph.Core/Microsoft.Graph.Core.csproj
@@ -63,14 +63,15 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Validators" Version="8.0.1" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
     <PackageReference Include="Microsoft.Kiota.Abstractions" Version="1.11.3" />
     <PackageReference Include="Microsoft.Kiota.Authentication.Azure" Version="1.11.3" />
     <PackageReference Include="Microsoft.Kiota.Serialization.Json" Version="1.11.3" />
-    <PackageReference Include="Microsoft.Kiota.Serialization.Text" Version="1.11.2" />
-    <PackageReference Include="Microsoft.Kiota.Serialization.Form" Version="1.11.2" />
+    <PackageReference Include="Microsoft.Kiota.Serialization.Text" Version="1.11.3" />
+    <PackageReference Include="Microsoft.Kiota.Serialization.Form" Version="1.11.3" />
     <PackageReference Include="Microsoft.Kiota.Http.HttpClientLibrary" Version="1.11.3" />
-    <PackageReference Include="Microsoft.Kiota.Serialization.Multipart" Version="1.11.2" />
+    <PackageReference Include="Microsoft.Kiota.Serialization.Multipart" Version="1.11.3" />
   </ItemGroup>
   <ItemGroup Condition=" '$(TargetFramework)' == 'net462' ">
     <PackageReference Include="System.Net.Http.WinHttpHandler" Version="[6.0,9.0)" />