Fix JWT DateTimeOffset handling with DateTime.MinValue (#33651)

BrennanConroy · web-flow · commit 7b28c2b572cf · 2021-06-23T15:19:55.000-07:00
diff --git a/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs b/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs
@@ -143,8 +143,8 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                             SecurityToken = validatedToken
                         };
 
-                        tokenValidatedContext.Properties.ExpiresUtc = validatedToken.ValidTo;
-                        tokenValidatedContext.Properties.IssuedUtc = validatedToken.ValidFrom;
+                        tokenValidatedContext.Properties.ExpiresUtc = GetSafeDateTime(validatedToken.ValidTo);
+                        tokenValidatedContext.Properties.IssuedUtc = GetSafeDateTime(validatedToken.ValidFrom);
 
                         await Events.TokenValidated(tokenValidatedContext);
                         if (tokenValidatedContext.Result != null)
@@ -202,6 +202,17 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             }
         }
 
+        private static DateTime? GetSafeDateTime(DateTime dateTime)
+        {
+            // Assigning DateTime.MinValue or default(DateTime) to a DateTimeOffset when in a UTC+X timezone will throw
+            // Since we don't really care about DateTime.MinValue in this case let's just set the field to null
+            if (dateTime == DateTime.MinValue)
+            {
+                return null;
+            }
+            return dateTime;
+        }
+
         /// <inheritdoc />
         protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
         {
diff --git a/src/Security/Authentication/test/JwtBearerTests.cs b/src/Security/Authentication/test/JwtBearerTests.cs
@@ -846,6 +846,47 @@ public async Task ExpirationAndIssuedSetOnAuthenticateResult()
             Assert.Equal(token.ValidFrom, dom.RootElement.GetProperty("issued").GetDateTimeOffset());
         }
 
+        [Fact]
+        public async Task ExpirationAndIssuedNullWhenMinOrMaxValue()
+        {
+            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(new string('a', 128)));
+            var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+            var claims = new[]
+            {
+                new Claim(ClaimTypes.NameIdentifier, "Bob")
+            };
+
+            var token = new JwtSecurityToken(
+                issuer: "issuer.contoso.com",
+                audience: "audience.contoso.com",
+                claims: claims,
+                expires: DateTime.MaxValue,
+                signingCredentials: creds);
+
+            var tokenText = new JwtSecurityTokenHandler().WriteToken(token);
+
+            using var host = await CreateHost(o =>
+            {
+                o.SaveToken = true;
+                o.TokenValidationParameters = new TokenValidationParameters()
+                {
+                    ValidIssuer = "issuer.contoso.com",
+                    ValidAudience = "audience.contoso.com",
+                    IssuerSigningKey = key,
+                };
+            });
+
+            var newBearerToken = "Bearer " + tokenText;
+            using var server = host.GetTestServer();
+            var response = await SendAsync(server, "http://example.com/expiration", newBearerToken);
+            Assert.Equal(HttpStatusCode.OK, response.Response.StatusCode);
+            var responseBody = await response.Response.Content.ReadAsStringAsync();
+            using var dom = JsonDocument.Parse(responseBody);
+            Assert.Equal(JsonValueKind.Null, dom.RootElement.GetProperty("expires").ValueKind);
+            Assert.Equal(JsonValueKind.Null, dom.RootElement.GetProperty("issued").ValueKind);
+        }
+
         class InvalidTokenValidator : ISecurityTokenValidator
         {
             public InvalidTokenValidator()
@@ -1065,7 +1106,7 @@ private static async Task<IHost> CreateHost(Action<JwtBearerOptions> options = n
                                 {
                                     var authenticationResult = await context.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
                                     await context.Response.WriteAsJsonAsync(
-                                        new { Expires = authenticationResult.Properties.ExpiresUtc, Issued = authenticationResult.Properties.IssuedUtc });
+                                        new { Expires = authenticationResult.Properties?.ExpiresUtc, Issued = authenticationResult.Properties?.IssuedUtc });
                                 }
                                 else
                                 {
