From 020e3fc83e0f466f1c9aefe51f32edc0f1f932ee Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jan 2024 13:30:28 +0100
Subject: [PATCH] Bump System.IdentityModel.Tokens.Jwt from 6.5.0 to 6.34.0 in /src/Auth0.AuthenticationApi (#702)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Frederik Prijck
---
 src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj | 2 +-
 src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs | 4 ++++
 .../Tokens/SymmetricSignedDecoderTests.cs | 6 +++---
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj b/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj
index c17aff1df..cca0593eb 100644
--- a/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj
+++ b/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj
@@ -17,6 +17,6 @@ - +
\ No newline at end of file
diff --git a/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs b/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs
index da727c99c..fa65afc48 100644
--- a/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs
+++ b/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs
@@ -37,6 +37,10 @@ public JwtSecurityToken DecodeSignedToken(string token)
 }
 catch (SecurityTokenSignatureKeyNotFoundException ex)
 {
+ if (signatureAlgorithm == JwtSignatureAlgorithm.HS256)
+ {
+ throw new IdTokenValidationException("Invalid token signature.", ex);
+ }
 throw new IdTokenValidationKeyMissingException("Token signature key could not be found", ex);
 }
 catch (SecurityTokenException ex)
diff --git a/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs b/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs
index fc4c8d5ed..4a082716d 100644
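Review bot: The new HS256 branch inside the `SecurityTokenSignatureKeyNotFoundException` handler in SignedDecoder.cs re-labels a key-not-found failure as an invalid signature without a comment saying why, and a later reader will read it as a mistake given the exception type being caught. Presumably the upgraded Microsoft.IdentityModel package reports an HMAC mismatch against the single symmetric key as "key not found" rather than as an invalid-signature exception, so the remap restores the previous error surface; if that is the reason, record it above the `if`: `// Newer Microsoft.IdentityModel versions report an HS256 verification failure as "key not found" rather than as an invalid signature; with a single symmetric key there is no key to look up, so surface it as a signature failure.` It is worth confirming that the same library change does not also turn an RS256 signature mismatch against a present key into `SecurityTokenSignatureKeyNotFoundException`, since callers that catch `IdTokenValidationKeyMissingException` to trigger a JWKS refresh would then re-fetch on every forged token. Minor: the new message `"Invalid token signature."` carries a trailing period while the sibling `"Token signature key could not be found"` does not. `signatureAlgorithm` and the rest of `DecodeSignedToken` lie outside the hunk.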
--- a/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs
+++ b/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs
@@ -9,12 +9,12 @@ namespace Auth0.AuthenticationApi.IntegrationTests.Tokens
 {
 public class SymmetricSignedDecoderTests : TestBase
 {
- readonly SignedDecoder hs256Verifier = new SymmetricSignedDecoder("AUTH0_VALID_CLIENT_SECRET");
+ readonly SignedDecoder hs256Verifier = new SymmetricSignedDecoder("___AUTH0_VALID__CLIENT_SECRET___");
 [Fact]
 public void SucceedsWhenSignatureIsValid()
 {
- var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("AUTH0_VALID_CLIENT_SECRET"));
+ var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("___AUTH0_VALID__CLIENT_SECRET___"));
 var tokenFactory = new JwtTokenFactory(key, SecurityAlgorithms.HmacSha256Signature);
@@ -26,7 +26,7 @@ public void SucceedsWhenSignatureIsValid()
 [Fact]
 public void ThrowsWhenSignatureIsInvalid()
 {
- var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("AUTH0_INVALID_CLIENT_SECRET"));
+ var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("__AUTH0_INVALID__CLIENT_SECRET__"));
 var tokenFactory = new JwtTokenFactory(key, SecurityAlgorithms.HmacSha256Signature);
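Review bot: The lengthened test secret in the first hunk (`"___AUTH0_VALID__CLIENT_SECRET___"`, 32 bytes where the old value was 25) is not explained, and the same literal is now duplicated between the `hs256Verifier` field and the local `key` in `SucceedsWhenSignatureIsValid`. Presumably the upgraded package enforces a minimum HMAC key size that the shorter secret no longer satisfied; if so, hoist the value to `const string ValidSecret = "___AUTH0_VALID__CLIENT_SECRET___"; // 256-bit key; presumably the minimum HS256 key size the upgraded library enforces — confirm` and use it in both places so the constraint is recorded once and the two cannot drift apart. The `ThrowsWhenSignatureIsInvalid` hunk continues past the end of this chunk.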