Update audience exceptions (#3195)

* Update audience exceptions.

* Add switch tests

* Apply suggestions from code review

* Update API files.

---------

Co-authored-by: Jean-Marc Prieur <[email protected]>

Author: pmaytak

src/Microsoft.IdentityModel.Tokens/AppContextSwitches.cs

@@ -84,6 +84,13 @@ internal static class AppContextSwitches
         /// </summary>
         internal static bool UpdateConfigAsBlocking => _updateConfigAsBlockingCall ??= (AppContext.TryGetSwitch(UpdateConfigAsBlockingSwitch, out bool blockingCall) && blockingCall);
 
+        /// <summary>
+        /// When enabled, some exceptions and log messages will contain additional details. Enable temporarily only for debugging purposes.
+        /// </summary>
+        internal const string DoNotScrubExceptionsSwitch = "Switch.Microsoft.IdentityModel.DoNotScrubExceptions";
+        private static bool? _doNotScrubExceptions;
+        internal static bool DoNotScrubExceptions => _doNotScrubExceptions ??= (AppContext.TryGetSwitch(DoNotScrubExceptionsSwitch, out bool doNotScrubExceptions) && doNotScrubExceptions);
+
         /// <summary>
         /// Used for testing to reset all switches to its default value.
         /// </summary>
@@ -103,6 +110,9 @@ internal static void ResetAllSwitches()
 
             _updateConfigAsBlockingCall = null;
             AppContext.SetSwitch(UpdateConfigAsBlockingSwitch, false);
+
+            _doNotScrubExceptions = null;
+            AppContext.SetSwitch(DoNotScrubExceptionsSwitch, false);
         }
     }
 }

src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt

@@ -1,3 +1,5 @@
+const Microsoft.IdentityModel.Tokens.LogMessages.IDX10214S = "IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches" -> string
+const Microsoft.IdentityModel.Tokens.LogMessages.IDX10215S = "IDX10215: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches" -> string
 Microsoft.IdentityModel.Tokens.Cnf.Jku.set -> void
 Microsoft.IdentityModel.Tokens.Cnf.JsonWebKey.set -> void
 Microsoft.IdentityModel.Tokens.Cnf.Jwe.set -> void

src/Microsoft.IdentityModel.Tokens/LogMessages.cs

@@ -41,7 +41,9 @@ internal static class LogMessages
         public const string IDX10211 = "IDX10211: Unable to validate issuer. The 'issuer' parameter is null or whitespace.";
         public const string IDX10212 = "IDX10212: Issuer validation failed. Issuer: '{0}'. Did not match any: validationParameters.ValidIssuers: '{1}' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: '{2}'. For more details, see https://aka.ms/IdentityModel/issuer-validation. ";
         public const string IDX10214 = "IDX10214: Audience validation failed. Audiences: '{0}'. Did not match: validationParameters.ValidAudience: '{1}' or validationParameters.ValidAudiences: '{2}'.";
+        public const string IDX10214S = "IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches";
         public const string IDX10215 = "IDX10215: Audience validation failed. Audiences: '{0}'. Did not match: validationParameters.ValidAudiences: '{1}'.";
+        public const string IDX10215S = "IDX10215: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches";
         public const string IDX10222 = "IDX10222: Lifetime validation failed. The token is not yet valid. ValidFrom (UTC): '{0}', Current time (UTC): '{1}'.";
         public const string IDX10223 = "IDX10223: Lifetime validation failed. The token is expired. ValidTo (UTC): '{0}', Current time (UTC): '{1}'.";
         public const string IDX10224 = "IDX10224: Lifetime validation failed. The NotBefore (UTC): '{0}' is after Expires (UTC): '{1}'.";

src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/AudienceValidationError.cs

@@ -47,7 +47,9 @@ protected override Exception CreateException()
         {
             if (ExceptionType == typeof(SecurityTokenInvalidAudienceException))
             {
-                var exception = new SecurityTokenInvalidAudienceException(MessageDetail.Message, InnerException) { InvalidAudience = Utility.SerializeAsSingleCommaDelimitedString(TokenAudiences) };
+                var exception = TokenAudiences != null ?
+                    new SecurityTokenInvalidAudienceException(MessageDetail.Message, InnerException) { InvalidAudience = Utility.SerializeAsSingleCommaDelimitedString(TokenAudiences) } :
+                    new SecurityTokenInvalidAudienceException(MessageDetail.Message, InnerException);
                 exception.SetValidationError(this);
 
                 return exception;

src/Microsoft.IdentityModel.Tokens/Validation/Validators.Audience.cs

@@ -86,16 +86,27 @@ internal static ValidationResult<string> ValidateAudience(
                 return validAudience;
 
             // TODO we shouldn't be serializing here.
-            return new AudienceValidationError(
-                new MessageDetail(
-                    LogMessages.IDX10215,
-                    LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(tokenAudiences)),
-                    LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidAudiences))),
-                ValidationFailureType.AudienceValidationFailed,
-                typeof(SecurityTokenInvalidAudienceException),
-                ValidationError.GetCurrentStackFrame(),
-                tokenAudiences,
-                validationParameters.ValidAudiences);
+
+            if (AppContextSwitches.DoNotScrubExceptions)
+                return new AudienceValidationError(
+                    new MessageDetail(
+                        LogMessages.IDX10215,
+                        LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(tokenAudiences)),
+                        LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidAudiences))),
+                    ValidationFailureType.AudienceValidationFailed,
+                    typeof(SecurityTokenInvalidAudienceException),
+                    ValidationError.GetCurrentStackFrame(),
+                    tokenAudiences,
+                    validationParameters.ValidAudiences);
+            else
+                return new AudienceValidationError(
+                    new MessageDetail(
+                        LogMessages.IDX10215S),
+                    ValidationFailureType.AudienceValidationFailed,
+                    typeof(SecurityTokenInvalidAudienceException),
+                    ValidationError.GetCurrentStackFrame(),
+                    null,
+                    null);
         }
 
         private static string? ValidTokenAudience(IList<string> tokenAudiences, IList<string> validAudiences, bool ignoreTrailingSlashWhenValidatingAudience)

src/Microsoft.IdentityModel.Tokens/Validators.cs

@@ -117,12 +117,18 @@ public static void ValidateAudience(IEnumerable<string> audiences, SecurityToken
             if (AudienceIsValid(audiences, validationParameters, validationParametersAudiences))
                 return;
 
-            SecurityTokenInvalidAudienceException ex = new SecurityTokenInvalidAudienceException(
-                LogHelper.FormatInvariant(LogMessages.IDX10214,
-                    LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(audiences)),
-                    LogHelper.MarkAsNonPII(validationParameters.ValidAudience ?? "null"),
-                    LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidAudiences))))
-            { InvalidAudience = Utility.SerializeAsSingleCommaDelimitedString(audiences) };
+            SecurityTokenInvalidAudienceException ex;
+
+            if (AppContextSwitches.DoNotScrubExceptions)
+                ex = new SecurityTokenInvalidAudienceException(
+                    LogHelper.FormatInvariant(LogMessages.IDX10214,
+                        LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(audiences)),
+                        LogHelper.MarkAsNonPII(validationParameters.ValidAudience ?? "null"),
+                        LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidAudiences))))
+                { InvalidAudience = Utility.SerializeAsSingleCommaDelimitedString(audiences) };
+            else
+                ex = new SecurityTokenInvalidAudienceException(
+                    LogHelper.FormatInvariant(LogMessages.IDX10214S));
 
             if (!validationParameters.LogValidationExceptions)
                 throw ex;

test/Microsoft.IdentityModel.Tokens.Tests/Validation/AudienceValidationResultTests.cs

@@ -16,47 +16,56 @@ public class AudienceValidationResultTests
         [Theory, MemberData(nameof(ValidateAudienceParameterTestCases), DisableDiscoveryEnumeration = true)]
         public void ValidateAudienceParameters(AudienceValidationTheoryData theoryData)
         {
-            CompareContext context = TestUtilities.WriteHeader($"{this}.ValidateAudienceParameters", theoryData);
+            AppContext.SetSwitch(AppContextSwitches.DoNotScrubExceptionsSwitch, theoryData.DoNotScrubErrorMessages);
 
-            if (theoryData.ValidAudiences != null)
+            try
             {
-                foreach (string audience in theoryData.ValidAudiences)
-                    theoryData.ValidationParameters.ValidAudiences.Add(audience);
-            }
+                CompareContext context = TestUtilities.WriteHeader($"{this}.ValidateAudienceParameters", theoryData);
 
-            ValidationResult<string> result = Validators.ValidateAudience(
-                theoryData.TokenAudiences,
-                theoryData.SecurityToken,
-                theoryData.ValidationParameters,
-                theoryData.CallContext);
+                if (theoryData.ValidAudiences != null)
+                {
+                    foreach (string audience in theoryData.ValidAudiences)
+                        theoryData.ValidationParameters.ValidAudiences.Add(audience);
+                }
 
-            if (result.IsValid)
-            {
-                IdentityComparer.AreStringsEqual(
-                    result.UnwrapResult(),
-                    theoryData.Result.UnwrapResult(),
-                    context);
+                ValidationResult<string> result = Validators.ValidateAudience(
+                    theoryData.TokenAudiences,
+                    theoryData.SecurityToken,
+                    theoryData.ValidationParameters,
+                    theoryData.CallContext);
 
-                theoryData.ExpectedException.ProcessNoException(context);
-            }
-            else
-            {
-                ValidationError validationError = result.UnwrapError();
-                IdentityComparer.AreStringsEqual(
-                    validationError.FailureType.Name,
-                    theoryData.Result.UnwrapError().FailureType.Name,
-                    context);
+                if (result.IsValid)
+                {
+                    IdentityComparer.AreStringsEqual(
+                        result.UnwrapResult(),
+                        theoryData.Result.UnwrapResult(),
+                        context);
 
-                IdentityComparer.AreStringsEqual(
-                    validationError.MessageDetail.Message,
-                    theoryData.Result.UnwrapError().MessageDetail.Message,
-                    context);
+                    theoryData.ExpectedException.ProcessNoException(context);
+                }
+                else
+                {
+                    ValidationError validationError = result.UnwrapError();
+                    IdentityComparer.AreStringsEqual(
+                        validationError.FailureType.Name,
+                        theoryData.Result.UnwrapError().FailureType.Name,
+                        context);
 
-                Exception exception = validationError.GetException();
-                theoryData.ExpectedException.ProcessException(exception, context);
-            }
+                    IdentityComparer.AreStringsEqual(
+                        validationError.MessageDetail.Message,
+                        theoryData.Result.UnwrapError().MessageDetail.Message,
+                        context);
 
-            TestUtilities.AssertFailIfErrors(context);
+                    Exception exception = validationError.GetException();
+                    theoryData.ExpectedException.ProcessException(exception, context);
+                }
+
+                TestUtilities.AssertFailIfErrors(context);
+            }
+            finally
+            {
+                AppContextSwitches.ResetAllSwitches();
+            }
         }
 
         public static TheoryData<AudienceValidationTheoryData> ValidateAudienceParameterTestCases
@@ -99,6 +108,33 @@ public static TheoryData<AudienceValidationTheoryData> ValidateAudienceParameter
                             typeof(SecurityTokenInvalidAudienceException),
                             null)
                     },
+                    new AudienceValidationTheoryData("AudiencesEmptyString_ScrubbedMessage")
+                    {
+                        TokenAudiences = new List<string> { string.Empty },
+                        ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10215:"),
+                        ValidationParameters = new ValidationParameters(),
+                        ValidAudiences = ["audience1"],
+                        Result = new ValidationError(
+                            new MessageDetail(
+                                LogMessages.IDX10215S),
+                            ValidationFailureType.AudienceValidationFailed,
+                            typeof(SecurityTokenInvalidAudienceException),
+                            null)
+                    },
+                    new AudienceValidationTheoryData("AudiencesWhiteSpace_ScrubbedMessage")
+                    {
+                        TokenAudiences = new List<string> { "    " },
+                        ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10215:"),
+                        ValidationParameters = new ValidationParameters(),
+                        ValidAudiences = ["audience1"],
+                        Result = new ValidationError(
+                            new MessageDetail(
+                                LogMessages.IDX10215S),
+                            ValidationFailureType.AudienceValidationFailed,
+                            typeof(SecurityTokenInvalidAudienceException),
+                            null)
+                    },
+
                     new AudienceValidationTheoryData("AudiencesEmptyString")
                     {
                         TokenAudiences = new List<string> { string.Empty },
@@ -112,7 +148,8 @@ public static TheoryData<AudienceValidationTheoryData> ValidateAudienceParameter
                                 LogHelper.MarkAsNonPII("audience1")),
                             ValidationFailureType.AudienceValidationFailed,
                             typeof(SecurityTokenInvalidAudienceException),
-                            null)
+                            null),
+                        DoNotScrubErrorMessages = true
                     },
                     new AudienceValidationTheoryData("AudiencesWhiteSpace")
                     {
@@ -127,9 +164,9 @@ public static TheoryData<AudienceValidationTheoryData> ValidateAudienceParameter
                                 LogHelper.MarkAsNonPII("audience1")),
                             ValidationFailureType.AudienceValidationFailed,
                             typeof(SecurityTokenInvalidAudienceException),
-                            null)
+                            null),
+                        DoNotScrubErrorMessages = true
                     },
-
                 };
             }
         }
@@ -448,6 +485,8 @@ public AudienceValidationTheoryData(string testId) : base(testId) { }
             public List<string> ValidAudiences { get; set; }
 
             internal ValidationResult<string> Result { get; set; }
+
+            internal bool DoNotScrubErrorMessages { get; set; }
         }
     }
 }

test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.cs

@@ -1795,6 +1795,8 @@ public static TheoryData<JwtTheoryData> ValidateAlgorithmTheoryData
         [Theory, MemberData(nameof(ValidateAudienceTheoryData), DisableDiscoveryEnumeration = true)]
         public void ValidateAudience(JwtTheoryData theoryData)
         {
+            AppContext.SetSwitch(AppContextSwitches.DoNotScrubExceptionsSwitch, theoryData.DoNotScrubErrorMessages);
+
             TestUtilities.WriteHeader($"{this}.ValidateAudience", theoryData);
 
             try
@@ -1807,6 +1809,10 @@ public void ValidateAudience(JwtTheoryData theoryData)
             {
                 theoryData.ExpectedException.ProcessException(ex);
             }
+            finally
+            {
+                AppContextSwitches.ResetAllSwitches();
+            }
         }
 
         public static TheoryData<JwtTheoryData> ValidateAudienceTheoryData
@@ -1845,11 +1851,19 @@ public static TheoryData<JwtTheoryData> ValidateAudienceTheoryData
                         ValidationParameters = ValidateAudienceValidationParameters(null, null, null, true),
                     },
                     new JwtTheoryData
+                    {
+                        ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214", propertiesExpected: new Dictionary<string, object>{ { "InvalidAudience", null } }),
+                        TestId = "'Audience == NotDefault.Audience' ScrubbedMessage",
+                        SecurityToken = tokenHandler.CreateJwtSecurityToken(issuer: Default.Issuer, audience: Default.Audience),
+                        ValidationParameters = ValidateAudienceValidationParameters(NotDefault.Audience, null, null, true),
+                    },
+                    new JwtTheoryData
                     {
                         ExpectedException = new ExpectedException(typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214", propertiesExpected: new Dictionary<string, object>{ { "InvalidAudience", Default.Audience } }),
                         TestId = "'Audience == NotDefault.Audience'",
                         SecurityToken = tokenHandler.CreateJwtSecurityToken(issuer: Default.Issuer, audience: Default.Audience),
                         ValidationParameters = ValidateAudienceValidationParameters(NotDefault.Audience, null, null, true),
+                        DoNotScrubErrorMessages = true,
                     },
                     new JwtTheoryData
                     {

test/System.IdentityModel.Tokens.Jwt.Tests/JwtTheoryData.cs

@@ -38,5 +38,7 @@ public JwtTheoryData() { }
         public bool SetupIssuerLkg { get; set; }
 
         public BaseConfigurationManager SetupIssuerLkgConfigurationManager { get; set; }
+
+        internal bool DoNotScrubErrorMessages { get; set; }
     }
 }