Add more system claims and 'sub' support (#1916)

vicancy · web-flow · commit fb60e1cddd5d · 2024-02-21T16:41:45.000+08:00
diff --git a/src/Microsoft.Azure.SignalR.Common/Utilities/ClaimsUtility.cs b/src/Microsoft.Azure.SignalR.Common/Utilities/ClaimsUtility.cs
@@ -7,6 +7,7 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Http.Connections;
 using Microsoft.Azure.SignalR.Protocol;
+using Newtonsoft.Json.Linq;
 
 namespace Microsoft.Azure.SignalR
 {
@@ -18,7 +19,14 @@ internal static class ClaimsUtility
             "aud", // Audience claim, used by service to make sure token is matched with target resource.
             "exp", // Expiration time claims. A token is valid only before its expiration time.
             "iat", // Issued At claim. Added by default. It is not validated by service.
-            "nbf"  // Not Before claim. Added by default. It is not validated by service.
+            "nbf",  // Not Before claim. Added by default. It is not validated by service.
+            "iss",  // "iss" is a system claim. It is not validated by service.
+            "actort",
+            "acr",
+            "azp",
+            "c_hash",
+            "jti",
+            "nonce",
         };
 
         private static readonly ClaimsIdentity DefaultClaimsIdentity = new ClaimsIdentity();
@@ -115,14 +123,33 @@ public static IEnumerable<Claim> BuildJwtClaims(
             }
 
             // return customer's claims
-            var customerClaims = claimsProvider == null ? user?.Claims : claimsProvider.Invoke();
+            var customerClaims = (claimsProvider == null ? user?.Claims : claimsProvider.Invoke())?.ToArray();
             if (customerClaims != null)
             {
+                // According to the spec https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+                // the "sub" value is a case-sensitive string containing a StringOrURI value
+                // "sub" is used as the UserId if userId is not specified
+                // If "sub" exists, we here make sure only one "sub" is preserved, others will be renamed as user claim type
+                var hasSubClaim = false;
                 foreach (var claim in customerClaims)
                 {
+                    if (claim.Type == "sub")
+                    {
+                        if (hasSubClaim)
+                        {
+                            // only the first "sub" is preserved as "sub", others will be renamed as user claims
+                            yield return new Claim(Constants.ClaimType.AzureSignalRUserPrefix + claim.Type, claim.Value);
+                        }
+                        else
+                        {
+                            hasSubClaim = true;
+                            // The first "sub" would be also considered as "nameIdentifier" and used as SignalR's UserIdentifier
+                            yield return claim;
+                        }
+
+                    }
                     // Add AzureSignalRUserPrefix if customer's claim name is duplicated with SignalR system claims.
-                    // And split it when return from SignalR Service.
-                    if (SystemClaims.Contains(claim.Type))
+                    else if (SystemClaims.Contains(claim.Type))
                     {
                         yield return new Claim(Constants.ClaimType.AzureSignalRUserPrefix + claim.Type, claim.Value);
                     }
diff --git a/test/Microsoft.Azure.SignalR.Common.Tests/ClaimsUtilityTests.cs b/test/Microsoft.Azure.SignalR.Common.Tests/ClaimsUtilityTests.cs
@@ -50,5 +50,80 @@ public void TestGetSystemClaims(ClaimsIdentity identity, string userId, Func<IEn
 
             Assert.Equal(expectedClaimsCount, ci.Claims.Count());
         }
+
+        [Fact]
+        public void TestGetPreservedSystemClaims()
+        {
+            // preserved system claims are renamed and reverted back
+            var claims = ClaimsUtility.BuildJwtClaims(
+                new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("iss", "A"), new Claim("jti", "B") })), null, null).ToArray();
+            Assert.Equal("asrs.u.iss", claims[0].Type);
+            Assert.Equal("asrs.u.jti", claims[1].Type);
+
+            var resultIdentity = ClaimsUtility.GetUserPrincipal(claims).Identity;
+
+            var ci = resultIdentity as ClaimsIdentity;
+            Assert.NotNull(ci);
+            Assert.Equal(2, ci.Claims.Count());
+            Assert.True(ci.HasClaim("iss", "A"));
+            Assert.True(ci.HasClaim("jti", "B"));
+        }
+
+        [Fact]
+        public void TestGetSubjectClaims()
+        {
+            // only the first sub claim is considered as valid to the service
+            var claims = ClaimsUtility.BuildJwtClaims(
+                new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("sub", "A"), new Claim("sub", "B") })), null, null).ToArray();
+            Assert.Equal("sub", claims[0].Type);
+            Assert.Equal("asrs.u.sub", claims[1].Type);
+
+            var resultIdentity = ClaimsUtility.GetUserPrincipal(claims).Identity;
+
+            var ci = resultIdentity as ClaimsIdentity;
+            Assert.NotNull(ci);
+            Assert.Equal(2, ci.Claims.Count());
+            Assert.True(ci.HasClaim("sub", "A"));
+            Assert.True(ci.HasClaim("sub", "B"));
+
+            claims = ClaimsUtility.BuildJwtClaims(
+                new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("sub", "A"), new Claim("sub", "B") })), "C", null).ToArray();
+            Assert.Equal("asrs.s.uid", claims[0].Type);
+            Assert.Equal("sub", claims[1].Type);
+            Assert.Equal("asrs.u.sub", claims[2].Type);
+
+            resultIdentity = ClaimsUtility.GetUserPrincipal(claims).Identity;
+
+            ci = resultIdentity as ClaimsIdentity;
+            Assert.NotNull(ci);
+            Assert.Equal(2, ci.Claims.Count());
+            Assert.True(ci.HasClaim("sub", "A"));
+            Assert.True(ci.HasClaim("sub", "B"));
+
+            // single sub claim is considered as valid
+            claims = ClaimsUtility.BuildJwtClaims(
+                new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("sub", "A") })), null, null).ToArray();
+            Assert.Single(claims);
+            Assert.Equal("sub", claims[0].Type);
+
+            resultIdentity = ClaimsUtility.GetUserPrincipal(claims).Identity;
+
+            ci = resultIdentity as ClaimsIdentity;
+            Assert.NotNull(ci);
+            Assert.Single(ci.Claims);
+            Assert.True(ci.HasClaim("sub", "A"));
+
+            claims = ClaimsUtility.BuildJwtClaims(
+                new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("sub", "A") })), "C", null).ToArray();
+            Assert.Equal("asrs.s.uid", claims[0].Type);
+            Assert.Equal("sub", claims[1].Type);
+
+            resultIdentity = ClaimsUtility.GetUserPrincipal(claims).Identity;
+
+            ci = resultIdentity as ClaimsIdentity;
+            Assert.NotNull(ci);
+            Assert.Single(ci.Claims);
+            Assert.True(ci.HasClaim("sub", "A"));
+        }
     }
 }
