Add CaseSensitiveClaimsIdentity type. (#2700)

* Add CaseSensitiveClaimsIdentity. Update JsonWebTokenHandler.

* Move switch to a separate class. Update claims identity creation code.

* Add test.

* Update AppContextSwitches

* Update test/Microsoft.IdentityModel.Tokens.Tests/CaseSensitiveClaimsIdentityTests.cs

Co-authored-by: msbw2 <[email protected]>

* Update comments.

* Update ClaimsIdentity code creation in src.

* Add tests.

* Update tests to use correct types.

* Add SecurityToken property to CsClaimsIdentity.

* Update tests to use CsClaimsIdentity.

* Refactor code into ClaimsIdentityFactory.

* Update tests.

* Update ClaimsIdentityFactory.

* Fix tests.

* Update tests for CaseSensitiveClaimsIdentity

* ignore SecurityToken in IdentityComparer

* Set security token in ClaimsIdentityFactory. Add tests.

* Apply suggestions from code review

* Update test.

---------

Co-authored-by: msbw2 <[email protected]>
Co-authored-by: Keegan Caruso <[email protected]>

Author: 3 people

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

@@ -212,7 +212,7 @@ private ClaimsIdentity CreateClaimsIdentityWithMapping(JsonWebToken jwtToken, To
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
+            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 bool wasMapped = _inboundClaimTypeMap.TryGetValue(jwtClaim.Type, out string claimType);
@@ -281,7 +281,7 @@ private ClaimsIdentity CreateClaimsIdentityPrivate(JsonWebToken jwtToken, TokenV
         {
             _ = validationParameters ?? throw LogHelper.LogArgumentNullException(nameof(validationParameters));
 
-            ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(jwtToken, issuer);
+            ClaimsIdentity identity = ClaimsIdentityFactory.Create(jwtToken, validationParameters, issuer);
             foreach (Claim jwtClaim in jwtToken.Claims)
             {
                 string claimType = jwtClaim.Type;

src/Microsoft.IdentityModel.TestExtensions/TestTokenCreator.cs

@@ -357,7 +357,7 @@ public SecurityTokenDescriptor CreateTokenDescriptorWithInstanceOverrides()
         {
             var securityTokenDescriptor = new SecurityTokenDescriptor()
             {
-                Subject = new ClaimsIdentity(_payloadClaims),
+                Subject = ClaimsIdentityFactory.Create(_payloadClaims),
             };
 
             if (!string.IsNullOrEmpty(Issuer))

src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs

@@ -677,7 +677,7 @@ protected virtual IEnumerable<ClaimsIdentity> ProcessStatements(SamlSecurityToke
 
                 if (!identityDict.TryGetValue(statement.Subject, out ClaimsIdentity identity))
                 {
-                    identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
+                    identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
                     ProcessSubject(statement.Subject, identity, issuer);
                     identityDict.Add(statement.Subject, identity);
                 }
@@ -898,7 +898,7 @@ protected virtual void SetDelegateFromAttribute(SamlAttribute attribute, ClaimsI
                 }
             }
 
-            subject.Actor = new ClaimsIdentity(claims, "Federation");
+            subject.Actor = ClaimsIdentityFactory.Create(claims, "Federation");
             SetDelegateFromAttribute(actingAsAttribute, subject.Actor, issuer);
         }
 

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs

@@ -1129,7 +1129,7 @@ protected virtual void SetClaimsIdentityActorFromAttribute(Saml2Attribute attrib
                 }
             }
 
-            identity.Actor = new ClaimsIdentity(claims);
+            identity.Actor = ClaimsIdentityFactory.Create(claims);
             SetClaimsIdentityActorFromAttribute(actorAttribute, identity.Actor, issuer);
         }
 
@@ -1314,7 +1314,8 @@ protected virtual ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlTok
                 actualIssuer = ClaimsIdentity.DefaultIssuer;
             }
 
-            var identity = validationParameters.CreateClaimsIdentity(samlToken, actualIssuer);
+            var identity = ClaimsIdentityFactory.Create(samlToken, validationParameters, issuer);
+
             ProcessSubject(samlToken.Assertion.Subject, identity, actualIssuer);
             ProcessStatements(samlToken.Assertion.Statements, identity, actualIssuer);
 

src/Microsoft.IdentityModel.Tokens/AppContextSwitches.cs

@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Claims;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+    /// <summary>
+    /// AppContext switches for Microsoft.IdentityModel.Tokens and referencing packages.
+    /// </summary>
+    internal static class AppContextSwitches
+    {
+        /// <summary>
+        /// Enables a fallback to the previous behavior of using <see cref="ClaimsIdentity"/> instead of <see cref="CaseSensitiveClaimsIdentity"/> globally.
+        /// </summary>
+        internal const string UseClaimsIdentityTypeSwitch = "Microsoft.IdentityModel.Tokens.UseClaimsIdentityType";
+
+        internal static bool UseClaimsIdentityType() => (AppContext.TryGetSwitch(UseClaimsIdentityTypeSwitch, out bool useClaimsIdentityType) && useClaimsIdentityType);
+    }
+}

src/Microsoft.IdentityModel.Tokens/CaseSensitiveClaimsIdentity.cs

@@ -0,0 +1,122 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+    /// <summary>
+    /// A derived <see cref="ClaimsIdentity"/> where claim retrieval is case-sensitive. The current <see cref="ClaimsIdentity"/> retrieves claims in a case-insensitive manner which is different than querying the underlying <see cref="SecurityToken"/>. The <see cref="CaseSensitiveClaimsIdentity"/> provides consistent retrieval logic between the <see cref="SecurityToken"/> and <see cref="ClaimsIdentity"/>.
+    /// </summary>
+    public class CaseSensitiveClaimsIdentity : ClaimsIdentity
+    {
+        /// <summary>
+        /// Gets the <see cref="SecurityToken"/> associated with this claims identity.
+        /// </summary>
+        public SecurityToken SecurityToken { get; internal set; }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        public CaseSensitiveClaimsIdentity() : base()
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="authenticationType">The authentication method used to establish this identity.</param>
+        public CaseSensitiveClaimsIdentity(string authenticationType) : base(authenticationType)
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="claimsIdentity"><see cref="ClaimsIdentity"/> to copy.</param>
+        public CaseSensitiveClaimsIdentity(ClaimsIdentity claimsIdentity) : base(claimsIdentity)
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param>
+        public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims) : base(claims)
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param>
+        /// <param name="authenticationType">The authentication method used to establish this identity.</param>
+        public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims, string authenticationType) : base(claims, authenticationType)
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="claims"><see cref="IEnumerable{Claim}"/> associated with this instance.</param>
+        /// <param name="authenticationType">The authentication method used to establish this identity.</param>
+        /// <param name="nameType">The <see cref="Claim.Type"/> used when obtaining the value of <see cref="ClaimsIdentity.Name"/>.</param>
+        /// <param name="roleType">The <see cref="Claim.Type"/> used when performing logic for <see cref="ClaimsPrincipal.IsInRole"/>.</param>
+        public CaseSensitiveClaimsIdentity(IEnumerable<Claim> claims, string authenticationType, string nameType, string roleType) :
+            base(claims, authenticationType, nameType, roleType)
+        {
+        }
+
+        /// <summary>
+        /// Initializes an instance of <see cref="CaseSensitiveClaimsIdentity"/>.
+        /// </summary>
+        /// <param name="authenticationType">The authentication method used to establish this identity.</param>
+        /// <param name="nameType">The <see cref="Claim.Type"/> used when obtaining the value of <see cref="ClaimsIdentity.Name"/>.</param>
+        /// <param name="roleType">The <see cref="Claim.Type"/> used when performing logic for <see cref="ClaimsPrincipal.IsInRole"/>.</param>
+        public CaseSensitiveClaimsIdentity(string authenticationType, string nameType, string roleType) :
+            base(authenticationType, nameType, roleType)
+        {
+        }
+
+        /// <summary>
+        /// Retrieves a <see cref="IEnumerable{Claim}"/> where each <see cref="Claim.Type"/> equals <paramref name="type"/>.
+        /// </summary>
+        /// <param name="type">The type of the claim to match.</param>
+        /// <returns>A <see cref="IEnumerable{Claim}"/> of matched claims.</returns>
+        /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/>.</remarks>
+        /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception>
+        public override IEnumerable<Claim> FindAll(string type)
+        {
+            return base.FindAll(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true);
+        }
+
+        /// <summary>
+        /// Retrieves the first <see cref="Claim"/> where <see cref="Claim.Type"/> equals <paramref name="type"/>.
+        /// </summary>
+        /// <param name="type">The type of the claim to match.</param>
+        /// <returns>A <see cref="Claim"/>, <see langword="null"/> if nothing matches.</returns>
+        /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/>.</remarks>
+        /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception>
+        public override Claim FindFirst(string type)
+        {
+            return base.FindFirst(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true);
+        }
+
+        /// <summary>
+        /// Determines if a claim with type AND value is contained within this claims identity.
+        /// </summary>
+        /// <param name="type">The type of the claim to match.</param>
+        /// <param name="value">The value of the claim to match.</param>
+        /// <returns><c>true</c> if a claim is matched, <c>false</c> otherwise.</returns>
+        /// <remarks>Comparison is <see cref="StringComparison.Ordinal"/> for <see cref="Claim.Type"/> and <see cref="Claim.Value"/>.</remarks>
+        /// <exception cref="ArgumentNullException">if <paramref name="type"/> is null.</exception>
+        /// <exception cref="ArgumentNullException">if <paramref name="value"/> is null.</exception>
+        public override bool HasClaim(string type, string value)
+        {
+            return base.HasClaim(claim => claim?.Type.Equals(type, StringComparison.Ordinal) == true
+                && claim?.Value.Equals(value, StringComparison.Ordinal) == true);
+        }
+    }
+}

src/Microsoft.IdentityModel.Tokens/ClaimsIdentityFactory.cs

@@ -0,0 +1,81 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+    /// <summary>
+    /// Facilitates the creation of <see cref="ClaimsIdentity"/> and <see cref="CaseSensitiveClaimsIdentity"/> instances based on the <see cref="AppContextSwitches.UseClaimsIdentityTypeSwitch"/>.
+    /// </summary>
+    internal static class ClaimsIdentityFactory
+    {
+        internal static ClaimsIdentity Create(IEnumerable<Claim> claims)
+        {
+            if (AppContextSwitches.UseClaimsIdentityType())
+                return new ClaimsIdentity(claims);
+
+            return new CaseSensitiveClaimsIdentity(claims);
+        }
+
+        internal static ClaimsIdentity Create(IEnumerable<Claim> claims, string authenticationType)
+        {
+            if (AppContextSwitches.UseClaimsIdentityType())
+                return new ClaimsIdentity(claims, authenticationType);
+
+            return new CaseSensitiveClaimsIdentity(claims, authenticationType);
+        }
+
+        internal static ClaimsIdentity Create(string authenticationType, string nameType, string roleType, SecurityToken securityToken)
+        {
+            if (AppContextSwitches.UseClaimsIdentityType())
+                return new ClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType);
+
+            return new CaseSensitiveClaimsIdentity(authenticationType: authenticationType, nameType: nameType, roleType: roleType)
+            {
+                SecurityToken = securityToken,
+            };
+        }
+
+        internal static ClaimsIdentity Create(SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
+        {
+            ClaimsIdentity claimsIdentity = validationParameters.CreateClaimsIdentity(securityToken, issuer);
+
+            // Set the SecurityToken in cases where derived TokenValidationParameters created a CaseSensitiveClaimsIdentity.
+            if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
+            {
+                caseSensitiveClaimsIdentity.SecurityToken = securityToken;
+            }
+            else if (claimsIdentity is not CaseSensitiveClaimsIdentity && !AppContextSwitches.UseClaimsIdentityType())
+            {
+                claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
+                {
+                    SecurityToken = securityToken,
+                };
+            }
+
+            return claimsIdentity;
+        }
+
+        internal static ClaimsIdentity Create(TokenHandler tokenHandler, SecurityToken securityToken, TokenValidationParameters validationParameters, string issuer)
+        {
+            ClaimsIdentity claimsIdentity = tokenHandler.CreateClaimsIdentityInternal(securityToken, validationParameters, issuer);
+
+            // Set the SecurityToken in cases where derived TokenHandler created a CaseSensitiveClaimsIdentity.
+            if (claimsIdentity is CaseSensitiveClaimsIdentity caseSensitiveClaimsIdentity && caseSensitiveClaimsIdentity.SecurityToken == null)
+            {
+                caseSensitiveClaimsIdentity.SecurityToken = securityToken;
+            }
+            else if (claimsIdentity is not CaseSensitiveClaimsIdentity && !AppContextSwitches.UseClaimsIdentityType())
+            {
+                claimsIdentity = new CaseSensitiveClaimsIdentity(claimsIdentity)
+                {
+                    SecurityToken = securityToken,
+                };
+            }
+
+            return claimsIdentity;
+        }
+    }
+}

src/Microsoft.IdentityModel.Tokens/TokenHandler.cs

@@ -30,8 +30,8 @@ public abstract class TokenHandler
         /// <exception cref="ArgumentOutOfRangeException">'value' less than 1.</exception>
         public virtual int MaximumTokenSizeInBytes
         {
-            get => _maximumTokenSizeInBytes; 
-            set => _maximumTokenSizeInBytes =  (value < 1) ? throw LogExceptionMessage(new ArgumentOutOfRangeException(nameof(value), FormatInvariant(LogMessages.IDX10101, MarkAsNonPII(value)))) : value;
+            get => _maximumTokenSizeInBytes;
+            set => _maximumTokenSizeInBytes = (value < 1) ? throw LogExceptionMessage(new ArgumentOutOfRangeException(nameof(value), FormatInvariant(LogMessages.IDX10101, MarkAsNonPII(value)))) : value;
         }
 
         /// <summary>
@@ -53,7 +53,6 @@ public int TokenLifetimeInMinutes
         }
 
         #region methods
-
         /// <summary>
         /// Validates a token.
         /// On a validation failure, no exception will be thrown; instead, the exception will be set in the returned TokenValidationResult.Exception property.

src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs

@@ -240,7 +240,7 @@ public virtual ClaimsIdentity CreateClaimsIdentity(SecurityToken securityToken,
             if (LogHelper.IsEnabled(EventLogLevel.Informational))
                 LogHelper.LogInformation(LogMessages.IDX10245, securityToken);
 
-            return new ClaimsIdentity(authenticationType: AuthenticationType ?? DefaultAuthenticationType, nameType: nameClaimType ?? ClaimsIdentity.DefaultNameClaimType, roleType: roleClaimType ?? ClaimsIdentity.DefaultRoleClaimType);
+            return ClaimsIdentityFactory.Create(authenticationType: AuthenticationType ?? DefaultAuthenticationType, nameType: nameClaimType ?? ClaimsIdentity.DefaultNameClaimType, roleType: roleClaimType ?? ClaimsIdentity.DefaultRoleClaimType, securityToken);
         }
 
         /// <summary>

src/Microsoft.IdentityModel.Tokens/Validation/TokenValidationResult.cs

@@ -135,7 +135,7 @@ internal ClaimsIdentity ClaimsIdentityNoLocking
 
                     if (_validationParameters != null && SecurityToken != null && _tokenHandler != null && Issuer != null)
                     {
-                        _claimsIdentity = _tokenHandler.CreateClaimsIdentityInternal(SecurityToken, _validationParameters, Issuer);
+                        _claimsIdentity = ClaimsIdentityFactory.Create(_tokenHandler, SecurityToken, _validationParameters, Issuer);
                     }
 
                     _claimsIdentityInitialized = true;