Dictionary claims added to SecurityTokenDescriptor.Claims are no longer correctly serialized in 7.0.0-preview3 #2245

Closed
kevinchalet opened this issue Aug 22, 2023 · 2 comments
Labels: Bug (Product is not functioning as expected), Customer reported (Indicates issue was opened by customer), P0 (Totally broken or major security hole. Stop and fix.), Regression

Comments

kevinchalet (Contributor) commented Aug 22, 2023

Dictionaries (but it's likely other types of complex claims are impacted) are no longer correctly serialized in 7.0.0-preview3:

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// A complex (non-primitive) claim value: a dictionary of string arrays.
var dictionary = new Dictionary<string, string[]>
{
    ["prop1"] = new[] { "value1", "value2" }
};

var descriptor = new SecurityTokenDescriptor
{
    Claims = new Dictionary<string, object>
    {
        ["a"] = dictionary
    },

    SigningCredentials = new SigningCredentials(new RsaSecurityKey(RSA.Create(2048)), SecurityAlgorithms.RsaSha256)
};

var handler = new JsonWebTokenHandler();

var token = handler.CreateToken(descriptor);
```

7.0.0-preview:

```json
{
  "a": {
    "prop1": [
      "value1",
      "value2"
    ]
  },
  "exp": 1692706803,
  "iat": 1692703203,
  "nbf": 1692703203
}
```

7.0.0-preview3:

```json
{
  "a": "System.Collections.Generic.Dictionary`2[System.String,System.String[]]",
  "exp": 1692706612,
  "iat": 1692703012,
  "nbf": 1692703012
}
```

Complex claims should be correctly serialized or an exception should be thrown, but using the CLR type name as the claim value in the generated token seems like a terrible choice.

/cc @brentschmaltz @jennyf19
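A regression check for the behaviour reported above, added here as an example and not part of the original issue: it creates a token from the same descriptor, decodes the payload with System.Text.Json and compares the emitted claim against what System.Text.Json produces for the same object, so a CLR type name (or any other string rendering of a complex claim) fails the check. It assumes the Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Tokens 7.x packages and uses `Base64UrlEncoder.Decode` from the latter.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class ComplexClaimCheck
{
    // Creates a token from the descriptor and verifies that the named claim
    // reached the payload as the JSON structure expected for the object,
    // rather than as a string rendering of the CLR object (e.g. its type name).
    public static bool ClaimRoundTrips(SecurityTokenDescriptor descriptor, string claimName, object expected)
    {
        string token = new JsonWebTokenHandler().CreateToken(descriptor);

        // A compact JWS is header.payload.signature; the payload is base64url-encoded JSON.
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        using JsonDocument payload = JsonDocument.Parse(Base64UrlEncoder.Decode(parts[1]));

        if (!payload.RootElement.TryGetProperty(claimName, out JsonElement actual)) return false;

        // The symptom from the issue: a complex claim flattened to a string.
        if (actual.ValueKind == JsonValueKind.String)
            Console.Error.WriteLine($"claim '{claimName}' is a string: {actual.GetString()}");

        // Compare compact JSON renderings; property order must match (single key here).
        string actualJson = JsonSerializer.Serialize(actual);
        string expectedJson = JsonSerializer.Serialize(expected);
        return actualJson == expectedJson;
    }

    public static void Main()
    {
        // Same descriptor as in the report: a dictionary of string arrays as claim "a".
        var dictionary = new Dictionary<string, string[]> { ["prop1"] = new[] { "value1", "value2" } };
        var descriptor = new SecurityTokenDescriptor
        {
            Claims = new Dictionary<string, object> { ["a"] = dictionary },
            SigningCredentials = new SigningCredentials(new RsaSecurityKey(RSA.Create(2048)), SecurityAlgorithms.RsaSha256)
        };

        Console.WriteLine(ClaimRoundTrips(descriptor, "a", dictionary)
            ? "claim 'a' was serialized as a JSON object"
            : "claim 'a' did NOT round-trip (regression as in #2245)");
    }
}
```

Run it against the package version under test; on 7.0.0-preview3 the check fails and prints the CLR type name seen in the report, on builds with the fix it passes.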

@jennyf19 jennyf19 added this to the 7.0.0-preview4 milestone Aug 22, 2023
@jennyf19 jennyf19 added the labels Customer reported (Indicates issue was opened by customer), Bug (Product is not functioning as expected), P0 (Totally broken or major security hole. Stop and fix.) and Regression Aug 22, 2023
brentschmaltz (Member) commented:

@kevinchalet I expected this and am waiting to hear back about an API we wanted to use to see if it is compatible with AOT.

jennyf19 (Collaborator) commented:

Included in preview4 release
