
ValidateTokenValidAccessCheckAsync() is failing when upgraded to 6.1.0 from 5.7.0

Open Kotla-ReddyRajesh-GitHub opened this issue 3 months ago • 0 comments

Hi Team,

While upgrading System.IdentityModel.Tokens.Jwt from 5.7.0 to 6.1.0 we are getting the below test case failure.

We are unable to find the issue and also could not find any breaking changes.

Could you please help us fix the issue.

Below are the error and the piece of code.

Error: Failed Microsoft.Liftr.JwtLibrary.Tests.JwtTokenExtensionsTests.ValidateTokenValidAccessCheckAsync [1 s] Error Message: Assert.True() Failure Expected: True Actual: False

Code:

public async Task ValidateTokenValidAccessCheckAsync()
{
    var logger = Log.Logger;

    // use key 1 to generate the token
    var tg_1 = new JwtTokenGenerator(logger);
    await tg_1.AddKeyAsync(pkfile1, password1);
    var issuer = Constants.LiftrTokenService;
    var audience = Constants.LiftrServiceNames.BillingService.ToString();
    var subject = "subject";
    var payload = tg_1.NewJwtPayload(issuer, audience, subject, DateTime.UtcNow.AddHours(1));
    var access = new List<ResourceScope>();
    access.Add(new ResourceScope()
    {
        Type = TokenRequestTypes.LiftrBillingToken,
        Name = "myresourceId",
        Actions = new string[] { ResourceScope.ReadAction, ResourceScope.WriteAction },
    });
    payload.AddAccess(access);
    var token = tg_1.GetJwtToken(payload);

    // use cert 1 to validate
    var tv_1 = new JwtTokenValidator(logger);
    await tv_1.AddKeyAsync(certfile1);
    var validPayload = tv_1.ValidateJwtToken(token, issuer, audience);

    // validation
    Assert.NotNull(validPayload);
    var accessCheck = validPayload.ValidateAccess(TokenRequestTypes.LiftrBillingToken, ResourceScope.WriteAction);
    Assert.True(accessCheck);
}

Here is ValidateAccess method:

public static bool ValidateAccess(this JwtPayload payload, TokenRequestTypes type, string permission)
{
    // Read the custom "access" claim; the cast yields null (and the check fails closed)
    // if the claim is absent or was not materialized as a Newtonsoft JArray.
    payload.TryGet("access", out object access);
    var accessList = (access as JArray)?.ToObject<List<ResourceScope>>();
    if (accessList == null)
    {
        return false;
    }
    foreach (var item in accessList)
    {
        if (item.Type == type)
        {
            // An empty permission only asks whether the scope type is present at all.
            if (string.IsNullOrEmpty(permission))
            {
                return true;
            }
            foreach (var act in item.Actions)
            {
                if (act == permission)
                {
                    return true;
                }
            }
        }
    }
    return false;
}
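As an added diagnostic and hardened variant of the check above (example code written for this discussion, not part of the issue or of the Liftr library): the first helper reports the runtime type the library actually stored for the "access" claim, so a failing assertion can be separated from a signature or issuer/audience problem; the second reads the claim without depending on that type and fails closed on a malformed claim. It assumes `ResourceScope` and `TokenRequestTypes` exactly as used in the posted code, `Actions` being enumerable as strings, and `JwtPayload` being a `Dictionary<string, object>`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class AccessClaimChecks
{
    // Hypothetical helper: reports how the "access" claim was materialized in the payload,
    // so a false result can be traced to a type mismatch rather than to token validation.
    public static string DescribeAccessClaim(JwtPayload payload)
    {
        if (!payload.TryGetValue("access", out object access) || access == null)
            return "access claim absent";
        return access.GetType().FullName;
    }

    // Hypothetical, type-agnostic replacement for the "as JArray" cast: a JArray is converted
    // directly, a string is parsed as JSON, anything else (e.g. a list of dictionaries) is
    // round-tripped through JToken so the result does not depend on the library's internals.
    public static List<ResourceScope> ReadAccessList(JwtPayload payload)
    {
        if (!payload.TryGetValue("access", out object access) || access == null)
            return null;
        try
        {
            switch (access)
            {
                case JArray array: return array.ToObject<List<ResourceScope>>();
                case string json:  return JsonConvert.DeserializeObject<List<ResourceScope>>(json);
                default:           return JToken.FromObject(access).ToObject<List<ResourceScope>>();
            }
        }
        catch (JsonException)
        {
            return null; // malformed claim: fail closed, the caller denies access
        }
    }

    // Same decision as the posted ValidateAccess, but reading through ReadAccessList and
    // tolerating a scope entry that carries no Actions array.
    public static bool ValidateAccessRobust(this JwtPayload payload, TokenRequestTypes type, string permission)
    {
        var accessList = ReadAccessList(payload);
        if (accessList == null) return false;
        foreach (var item in accessList)
        {
            if (item.Type != type) continue;
            if (string.IsNullOrEmpty(permission)) return true;
            if (item.Actions != null && item.Actions.Contains(permission)) return true;
        }
        return false;
    }
}
```

Logging `DescribeAccessClaim(validPayload)` in the failing test is the quickest way to see whether the claim still arrives as a `JArray` after the upgrade.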