Better thread safety for JsonClaimSet Claims and JsonWebToken Audiences (#2185)

Author: keegan-caruso

src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonClaimSet.cs

@@ -21,6 +21,7 @@ namespace Microsoft.IdentityModel.JsonWebTokens
     internal class JsonClaimSet
     {
         private IList<Claim> _claims;
+        private readonly object _claimsLock = new object();
 
         internal JsonClaimSet(JsonDocument jsonDocument)
         {
@@ -41,10 +42,17 @@ internal JsonClaimSet(string json)
 
         internal IList<Claim> Claims(string issuer)
         {
-            if (_claims != null)
-                return _claims;
-
-            _claims = CreateClaims(issuer);
+            if (_claims == null)
+            {
+                lock (_claimsLock)
+                {
+                    if (_claims == null)
+                    {
+                        _claims = CreateClaims(issuer);
+                    }
+                }
+            }
+            
             return _claims;
         }
 

src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonClaimSet45.cs

@@ -21,6 +21,7 @@ namespace Microsoft.IdentityModel.JsonWebTokens
     internal class JsonClaimSet45
     {
         IList<Claim> _claims;
+        private readonly object _claimsLock = new object();
 
         internal JsonClaimSet45()
         {
@@ -122,35 +123,46 @@ internal IList<Claim> CreateClaims(string issuer)
 
         internal IList<Claim> Claims(string issuer)
         {
-            if (_claims != null)
-                return _claims;
-
-            _claims = new List<Claim>();
-
-            if (!RootElement.HasValues)
-                return _claims;
-
-            // there is some code redundancy here that was not factored as this is a high use method. Each identity received from the host will pass through here.
-            foreach (var entry in RootElement)
+            if (_claims == null)
             {
-                if (entry.Value == null)
-                {
-                    _claims.Add(new Claim(entry.Key, string.Empty, JsonClaimValueTypes.JsonNull, issuer, issuer));
-                    continue;
-                }
-
-                if (entry.Value.Type is JTokenType.String)
+                lock (_claimsLock)
                 {
-                    var claimValue = entry.Value.ToObject<string>();
-                    _claims.Add(new Claim(entry.Key, claimValue, ClaimValueTypes.String, issuer, issuer));
-                    continue;
-                }
-
-                var jtoken = entry.Value;
-                if (jtoken != null)
-                {
-                    AddClaimsFromJToken(_claims, entry.Key, jtoken, issuer);
-                    continue;
+                    if (_claims == null)
+                    {
+                        var claims = new List<Claim>();
+
+                        if (!RootElement.HasValues)
+                        {
+                            _claims = claims;
+                            return _claims;
+                        }
+
+                        // there is some code redundancy here that was not factored as this is a high use method. Each identity received from the host will pass through here.
+                        foreach (var entry in RootElement)
+                        {
+                            if (entry.Value == null)
+                            {
+                                claims.Add(new Claim(entry.Key, string.Empty, JsonClaimValueTypes.JsonNull, issuer, issuer));
+                                continue;
+                            }
+
+                            if (entry.Value.Type is JTokenType.String)
+                            {
+                                var claimValue = entry.Value.ToObject<string>();
+                                claims.Add(new Claim(entry.Key, claimValue, ClaimValueTypes.String, issuer, issuer));
+                                continue;
+                            }
+
+                            var jtoken = entry.Value;
+                            if (jtoken != null)
+                            {
+                                AddClaimsFromJToken(claims, entry.Key, jtoken, issuer);
+                                continue;
+                            }
+                        }
+
+                        _claims = claims;
+                    }
                 }
             }
 

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebToken.cs

@@ -37,6 +37,7 @@ public class JsonWebToken : SecurityToken
         private string _act;
         private string _alg;
         private IList<string> _audiences;
+        private readonly object _audiencesLock = new object();
         private string _authenticationTag;
         private string _ciphertext;
         private string _cty;
@@ -650,28 +651,35 @@ public IEnumerable<string> Audiences
             {
                 if (_audiences == null)
                 {
-                    _audiences = new List<string>();
-#if NET45
-                    if (Payload.TryGetValue(JwtRegisteredClaimNames.Aud, out JToken value))
-                    {
-                        if (value.Type is JTokenType.String)
-                            _audiences = new List<string> { value.ToObject<string>() };
-                        else if (value.Type is JTokenType.Array)
-                            _audiences = value.ToObject<List<string>>();
-                    }
-#else
-                    if (Payload.TryGetValue(JwtRegisteredClaimNames.Aud, out JsonElement audiences))
+                    lock (_audiencesLock)
                     {
-                        if (audiences.ValueKind == JsonValueKind.String)
-                            _audiences = new List<string> { audiences.GetString() };
-
-                        if (audiences.ValueKind == JsonValueKind.Array)
+                        if (_audiences == null)
                         {
-                            foreach (JsonElement jsonElement in audiences.EnumerateArray())
-                                _audiences.Add(jsonElement.ToString());
+                            var aud = new List<string>();
+#if NET45
+                            if (Payload.TryGetValue(JwtRegisteredClaimNames.Aud, out JToken value))
+                            {
+                                if (value.Type is JTokenType.String)
+                                    aud = new List<string> { value.ToObject<string>() };
+                                else if (value.Type is JTokenType.Array)
+                                    aud = value.ToObject<List<string>>();
+                            }
+#else
+                            if (Payload.TryGetValue(JwtRegisteredClaimNames.Aud, out JsonElement audiences))
+                            {
+                                if (audiences.ValueKind == JsonValueKind.String)
+                                    aud = new List<string> { audiences.GetString() };
+
+                                if (audiences.ValueKind == JsonValueKind.Array)
+                                {
+                                    foreach (JsonElement jsonElement in audiences.EnumerateArray())
+                                        aud.Add(jsonElement.ToString());
+                                }
+                            }
+#endif
+                            _audiences = aud;
                         }
                     }
-#endif
                 }
 
                 return _audiences;