From ffb5366d15a747019b446d47dd68b09c90a709c5 Mon Sep 17 00:00:00 2001
From: Anders Revsgaard
Date: Fri, 10 Nov 2023 11:10:55 +0100
Subject: [PATCH] SAML 2.0 up-party redirect binding only validate the certificate that can verify the signature. This has previously been changed for post bindings. Accept to process claim values up to 10,000 characters. Internal created claim and formats up to 4,000 characters.
---
 src/FoxIDs.Control/FoxIDs.Control.csproj | 2 +-
 src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj | 2 +-
 src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj | 2 +-
 src/FoxIDs.Shared/FoxIDs.Shared.csproj | 2 +-
 src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs | 4 ++--
 src/FoxIDs.SharedBase/Constants.cs | 5 ++++-
 src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj | 4 ++--
 src/FoxIDs/FoxIDs.csproj | 4 ++--
 src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs | 2 +-
 src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs | 4 ++--
 src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs | 4 ++--
 src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs | 4 ++--
 12 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/src/FoxIDs.Control/FoxIDs.Control.csproj b/src/FoxIDs.Control/FoxIDs.Control.csproj
index 1e9bdf4fc..a63489a41 100644
--- a/src/FoxIDs.Control/FoxIDs.Control.csproj
+++ b/src/FoxIDs.Control/FoxIDs.Control.csproj
@@ -2,7 +2,7 @@ net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs Anders Revsgaard ITfoxtec
diff --git a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
index 1554207e1..e02757322 100644
--- a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
+++ b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
@@ -2,7 +2,7 @@ net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs.Client Anders Revsgaard ITfoxtec
diff --git a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
index dc556d966..6fa404ce9 100644
--- a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
+++ b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
@@ -2,7 +2,7 @@ net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs Anders Revsgaard ITfoxtec
diff --git a/src/FoxIDs.Shared/FoxIDs.Shared.csproj b/src/FoxIDs.Shared/FoxIDs.Shared.csproj
index bc308b63a..a751e2ccc 100644
--- a/src/FoxIDs.Shared/FoxIDs.Shared.csproj
+++ b/src/FoxIDs.Shared/FoxIDs.Shared.csproj
@@ -2,7 +2,7 @@ net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs Anders Revsgaard ITfoxtec
diff --git a/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs b/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs
index c184b689c..aaae1c3ba 100644
--- a/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs
+++ b/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs
@@ -21,9 +21,9 @@ public class ClaimAndValues : IValidatableObject
 public IEnumerable Validate(ValidationContext validationContext)
 {
 var results = new List();
- if (Claim.Length > Constants.Models.Claim.ValueLength)
+ if (Claim.Length > Constants.Models.Claim.ProcessValueLength)
 {
- results.Add(new ValidationResult($"Claim '{Claim}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'."));
+ results.Add(new ValidationResult($"Claim '{Claim}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'."));
 }
 return results;
 }
diff --git a/src/FoxIDs.SharedBase/Constants.cs b/src/FoxIDs.SharedBase/Constants.cs
index 85d4bd836..9c1552fad 100644
--- a/src/FoxIDs.SharedBase/Constants.cs
+++ b/src/FoxIDs.SharedBase/Constants.cs
@@ -293,7 +293,10 @@ public static class Claim
 ///
 /// JWT and SAML claim value max length.
 ///
- public const int ValueLength = 8000;
+ public const int ValueLength = 4000;
+ public const int ProcessValueLength = 10000;
+
+ public const int IdTokenLimitedHintValueLength = 8000;
 public const int MapIdLength = 90;
 public const int MapMin = 0;
diff --git a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
index 499732f6c..9586f9913 100644
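Review bot: The condition on the new `if` line measures `Claim.Length`, i.e. the claim name, against ProcessValueLength, while the message it produces reports the claim *value* as too long and nothing in the hunk bounds the entries of the values collection (presumably `Values`); it looks like the check was meant to run over each value, and the rewrite below does that while leaving any separate bound on the name in place. A second thing to confirm: the commit message caps "internal created" claims at 4,000 (ValueLength), and if ClaimAndValues is stored track configuration rather than inbound data, ValueLength rather than ProcessValueLength may be the intended limit here. The enclosing class ClaimAndValues starts outside the hunk.
```csharp
public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
{
    var results = new List<ValidationResult>();
    // … unchanged: any check on the claim name (Claim) itself …
    if (Values is not null)
    {
        foreach (var value in Values)
        {
            if (value?.Length > Constants.Models.Claim.ProcessValueLength)
            {
                results.Add(new ValidationResult($"Claim '{Claim}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'."));
            }
        }
    }
    return results;
}
```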
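Review bot: The two constants added on the new lines carry no doc comment, and the summary that still sits above `ValueLength` ("JWT and SAML claim value max length") now describes only one of three related limits, so a reader cannot tell which bound applies where. Suggest a one-line summary on each: for `ValueLength`, that it bounds claims and formats created internally (4,000 per the commit message); for `ProcessValueLength`, that it is the upper bound accepted for incoming JWT and SAML claim values and used when truncating output; for `IdTokenLimitedHintValueLength`, that it is the id_token_hint size above which a query-mode logout is refused. Lowering ValueLength from 8,000 to 4,000 also tightens every remaining use of that constant outside this patch, so data already stored with values between those lengths may start failing validation — worth checking before release. The enclosing class Claim starts outside the hunk.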
--- a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
+++ b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
@@ -2,7 +2,7 @@ net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs Anders Revsgaard ITfoxtec
@@ -11,7 +11,7 @@ - +
diff --git a/src/FoxIDs/FoxIDs.csproj b/src/FoxIDs/FoxIDs.csproj
index ac249e511..7a6277162 100644
--- a/src/FoxIDs/FoxIDs.csproj
+++ b/src/FoxIDs/FoxIDs.csproj
@@ -1,7 +1,7 @@  net7.0
- 1.1.4.0
+ 1.1.5.0
 FoxIDs Anders Revsgaard ITfoxtec
@@ -31,7 +31,7 @@ - +
diff --git a/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs b/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs
index 8a13ab296..ec0a068ae 100644
--- a/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs
+++ b/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs
@@ -61,7 +61,7 @@ public async Task EndSessionRequestAsync(string partyId)
 try
 {
- if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.ValueLength)
+ if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.IdTokenLimitedHintValueLength)
 {
 throw new Exception("The ID Token hint length is close to the maximum allowed limit and may be truncated. If this happens the ID Token become invalid and is not accepted.");
 }
diff --git a/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs b/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
index 9ebe12946..d5ce3581c 100644
--- a/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
+++ b/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
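Review bot: The rewritten condition still measures the hint with `IdTokenHint?.Count()`, which walks the value character by character through LINQ; if IdTokenHint is a string, `rpInitiatedLogoutRequest.IdTokenHint?.Length > Constants.Models.Claim.IdTokenLimitedHintValueLength` says the same thing directly. The branch also throws a bare `Exception`, whereas the sibling validators in this patch throw `OAuthRequestException` with an error code; unless the surrounding try/catch depends on the base type, the specific exception keeps this failure classified like the others. EndSessionRequestAsync starts and continues outside the hunk, so how the exception is caught is not visible here.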
@@ -317,9 +317,9 @@ private IEnumerable ValidateClaims(SamlUpParty party, IEnumerable
 throw new SamlRequestException($"Claim '{claim.Type.Substring(0, Constants.Models.Claim.SamlTypeLength)}' is too long, maximum length of '{Constants.Models.Claim.SamlTypeLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
 }
- if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+ if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
 {
- throw new SamlRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
+ throw new SamlRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
 }
 }
 return claims;
diff --git a/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs b/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs
index b83245a17..21a47fd94 100644
--- a/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs
+++ b/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs
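Review bot: Nothing in this patch applies the 4,000-character ValueLength that the commit message describes for internally created claims: the changed lines here and the identical ones in ClaimValidationLogic.ValidateUpPartyClaims accept incoming values up to ProcessValueLength (10,000), and TruncateJwtClaimValues in ClaimsDownLogic truncates at ProcessValueLength as well. If the stricter limit is enforced elsewhere, a comment above the check would spare the next reader the search, e.g. `// Inbound values are accepted up to ProcessValueLength; the stricter ValueLength applies to claims created internally.`; if it is not, values between 4,000 and 10,000 now pass straight through. Separately, the commit message's first point (redirect binding validating only the certificate that can verify the signature) appears in none of the hunks — presumably it arrives through the package reference bumps in the csproj files, which the message could say. ValidateClaims starts outside the hunk.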
@@ -31,9 +31,9 @@ public List ValidateUpPartyClaims(List upPartyClaims, List
 throw new OAuthRequestException($"Claim '{claim.Type.Substring(0, Constants.Models.Claim.JwtTypeLength)}' is too long, maximum length of '{Constants.Models.Claim.JwtTypeLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
 }
- if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+ if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
 {
- throw new OAuthRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
+ throw new OAuthRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
 }
 }
 return claims;
diff --git a/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs b/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs
index 4549cc103..4c22d13fb 100644
--- a/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs
+++ b/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs
@@ -190,9 +190,9 @@ private List TruncateJwtClaimValues(IEnumerable jwtClaims)
 var truncateClaims = new List();
 foreach (var claim in jwtClaims)
 {
- if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+ if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
 {
- truncateClaims.AddClaim(claim.Type, claim.Value.Substring(0, Constants.Models.Claim.ValueLength), claim.ValueType, claim.Issuer);
+ truncateClaims.AddClaim(claim.Type, claim.Value.Substring(0, Constants.Models.Claim.ProcessValueLength), claim.ValueType, claim.Issuer);
 }
 else
 {
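Review bot: The `AddClaim` call on the changed line silently cuts a claim value at ProcessValueLength, and a cut value (a URL, a JSON blob, an embedded token) can change meaning rather than merely shrink, with no trace left for whoever debugs the relying party's rejection. At minimum this branch deserves a log entry so the truncation is visible, and dropping the claim instead of emitting a partial one may be the safer contract for consumers. If truncation is the intended behaviour, a comment such as `// Values above ProcessValueLength are truncated rather than rejected so the token can still be issued.` would record that decision. TruncateJwtClaimValues starts in the hunk header context and continues past the last hunk line.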