From bbd6a73aa89565edc8fbd51c1ad19b2d4f8f1043 Mon Sep 17 00:00:00 2001
From: Westin Musser <127992899+westin-m@users.noreply.github.com>
Date: Wed, 12 Jul 2023 23:52:10 -0700
Subject: [PATCH] update wilson version and add key issuer validation (#2325)
---
 Directory.Build.props | 2 +-
 .../MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Directory.Build.props b/Directory.Build.props
index 3691acd65..9fd64c7b6 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -63,7 +63,7 @@ - 6.30.0 + 6.32.0 4.54.1 3.3.0 4.7.2
diff --git a/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs b/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs
index 2a2821b67..7572eec2b 100644
--- a/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs
+++ b/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs
@@ -15,6 +15,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Web.Resource;
 using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Validators;
 namespace Microsoft.Identity.Web
 {
@@ -216,6 +217,8 @@ private static void AddMicrosoftIdentityWebApiImplementation(
 microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
 }
+ mergedOptions.TokenValidationParameters.EnableAadSigningKeyIssuerValidation();
 // If you provide a token decryption certificate, it will be used to decrypt the token
 // TODO use the credential loader
 if (mergedOptions.TokenDecryptionCredentials != null)
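Review bot: The added `mergedOptions.TokenValidationParameters.EnableAadSigningKeyIssuerValidation();` in the `@@ -216,6 +217,8 @@` hunk carries no comment, although it is a security-relevant validation step and the statements after it are commented. I would put something like `// Check that the signing key was published for the issuer the token claims (AAD signing-key issuer validation).` above it. The call sits after the closing brace of the issuer-validator block, so it appears to run unconditionally, including when the application supplies its own issuer validator; the comment should say whether that is intended. The extension presumably wraps whatever key-validator delegates are set at the moment it is called, so it is worth confirming that no configuration applied later replaces `IssuerSigningKeyValidatorUsingConfiguration` and silently drops the check. The diffstat shows no test file, so a regression test asserting the validator is installed on the merged options would be a reasonable addition; the body of `AddMicrosoftIdentityWebApiImplementation` starts and ends outside this hunk.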