Remove System.IdentityModel.Tokens.Jwt dependency (#1862)

* Internally decode JWT.

* Remove System.IdentityModel.Tokens.Jwt dependency

* Update tests

Author: peombwa

src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj

@@ -16,10 +16,6 @@
     <PackageReference Include="Microsoft.Graph.Core" Version="2.0.15" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.50.0" />
     <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="2.26.0" />
-    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.27.0" />
-    <PackageReference Include="Microsoft.IdentityModel.Logging" Version="6.27.0" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.27.0" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.27.0" />
     <!--Always ensure this version matches the versions of System.Security.Cryptography.* dependencies of Microsoft.Identity.Client when targeting PowerShell 6 and below.-->
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="7.0.1" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />

src/Authentication/Authentication.Core/Models/JwtContent.cs

@@ -0,0 +1,12 @@
+// ------------------------------------------------------------------------------
+//  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+// ------------------------------------------------------------------------------
+
+namespace Microsoft.Graph.PowerShell.Authentication.Core.Models
+{
+    internal class JwtContent
+    {
+        public string Header { get; set; }
+        public string Payload { get; set; }
+    }
+}

src/Authentication/Authentication.Core/Utilities/JwtHelpers.cs

@@ -2,11 +2,13 @@
 //  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
 // ------------------------------------------------------------------------------
 
+using Microsoft.Graph.PowerShell.Authentication.Core.Models;
+using Microsoft.Graph.PowerShell.Authentication.Models;
 using Microsoft.Identity.Client;
 using Newtonsoft.Json;
 using System;
 using System.Globalization;
-using System.IdentityModel.Tokens.Jwt;
+using System.Text;
 
 namespace Microsoft.Graph.PowerShell.Authentication.Core.Utilities
 {
@@ -23,7 +25,7 @@ internal static class JwtHelpers
         /// <param name="authContext">An <see cref="IAuthContext"/> to store JWT claims in.</param>
         internal static void DecodeJWT(string jwToken, IAccount account, ref IAuthContext authContext)
         {
-            var jwtPayload = DecodeToObject<Models.JwtPayload>(jwToken);
+            var jwtPayload = DecodeToObject<JwtPayload>(jwToken);
             if (authContext.AuthType == AuthenticationType.UserProvidedAccessToken)
             {
                 if (jwtPayload == null)
@@ -50,22 +52,6 @@ internal static void DecodeJWT(string jwToken, IAccount account, ref IAuthContex
             authContext.Account = jwtPayload?.Upn ?? account?.Username;
         }
 
-        /// <summary>
-        /// Decodes a JWT token by extracting claims from the payload.
-        /// </summary>
-        /// <param name="jwToken">A JWT string.</param>
-        internal static string Decode(string jwToken)
-        {
-            JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
-            if (jwtHandler.CanReadToken(jwToken))
-            {
-                JwtSecurityToken token = jwtHandler.ReadJwtToken(jwToken);
-                return token.Payload.SerializeToJson();
-            } else {
-                return null;
-            }
-        }
-
         /// <summary>
         /// Decodes a JWT token by extracting claims from the payload to an object of type T.
         /// </summary>
@@ -75,17 +61,49 @@ internal static T DecodeToObject<T>(string jwtString)
         {
             try
             {
-                string decodedJWT = Decode(jwtString);
-                if (decodedJWT == null)
+                var decodedJWT = DecodeJWT(jwtString);
+                if (string.IsNullOrWhiteSpace(decodedJWT?.Payload))
                     return default;
-                return JsonConvert.DeserializeObject<T>(decodedJWT);
+                return JsonConvert.DeserializeObject<T>(decodedJWT.Payload);
             }
             catch (Exception ex)
             {
                 throw new AuthenticationException(ErrorConstants.Message.InvalidJWT, ex);
             }
         }
 
+        internal static JwtContent DecodeJWT(string jwtString)
+        {
+            // See https://tools.ietf.org/html/rfc7519
+            if (string.IsNullOrWhiteSpace(jwtString) || !jwtString.Contains(".") || !jwtString.StartsWith("eyJ"))
+                throw new ArgumentException("Invalid JSON Web Token (JWT).");
+
+            var jwtSegments = jwtString.Split('.');
+
+            if (jwtSegments.Length <= 1)
+                throw new ArgumentException("Invalid JWT. JWT does not have a payload.");
+
+            // Header
+            var jwtHeader = DecodeJwtSegment(jwtSegments[0]);
+
+            // Payload
+            var jwtPayload = DecodeJwtSegment(jwtSegments[1]);
+
+            return new JwtContent { Header = jwtHeader, Payload = jwtPayload };
+        }
+
+        private static string DecodeJwtSegment(string jwtSegment)
+        {
+            jwtSegment = jwtSegment.Replace('-', '+').Replace('_', '/');
+            // Fixes padding by adding '=' until header length modulus 4 equals 0.
+            while ((jwtSegment.Length % 4) != 0)
+                jwtSegment += "=";
+
+            var jwtTokenBytes = Convert.FromBase64String(jwtSegment);
+            var jwtSegmentInJson = Encoding.UTF8.GetString(jwtTokenBytes);
+            return jwtSegmentInJson;
+        }
+
         /// <summary>
         /// Converts a DateTime to Unix timestamp in seconds past epoch.
         /// </summary>

src/Authentication/Authentication.Core/Utilities/UserProvidedTokenCredential.cs

@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------------
 
 using Azure.Core;
+using Microsoft.Graph.PowerShell.Authentication.Models;
 using System;
 using System.Text;
 using System.Threading;
@@ -16,7 +17,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
         {
             cancellationToken.ThrowIfCancellationRequested();
             var token = Encoding.UTF8.GetString(GraphSession.Instance.InMemoryTokenCache.ReadTokenData());
-            var jwtPayload = JwtHelpers.DecodeToObject<Models.JwtPayload>(token);
+            var jwtPayload = JwtHelpers.DecodeToObject<JwtPayload>(token);
             var exp = jwtPayload?.Exp == null ? DateTimeOffset.Now.AddMinutes(55) : DateTimeOffset.FromUnixTimeSeconds(jwtPayload.Exp);
             return new AccessToken(token, exp);
         }

src/Authentication/Authentication.Test/Helpers/AuthenticationHelpersTests.cs

@@ -32,7 +32,7 @@ public AuthenticationHelpersTests()
         public async Task ShouldUseDelegateAuthProviderWhenUserAccessTokenIsProvidedAsync()
         {
             // Arrange
-            string accessToken = "ACCESS_TOKEN_VIA_DELEGATE_PROVIDER";
+            string accessToken = "eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiVGVzdCIsIklzc3VlciI6Iklzc3VlciIsIlVzZXJuYW1lIjoiVGVzdCIsImV4cCI6MTY3ODQ4ODgxNiwiaWF0IjoxNjc4NDg4ODE2fQ.hpYypwHAV8H3jb4KuTiLpgLWy9A8H2d9HG7SxJ8Kpn0";
             GraphSession.Instance.InMemoryTokenCache = new InMemoryTokenCache(Encoding.UTF8.GetBytes(accessToken));
             AuthContext userProvidedAuthContext = new AuthContext
             {

src/Authentication/Authentication/Microsoft.Graph.Authentication.nuspec

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <package>
   <metadata>
-    <version>2.0.0-preview2</version>
+    <version>2.0.0-preview5</version>
     <id>Microsoft.Graph.Authentication</id>
     <description>Microsoft Graph PowerShell authentication module</description>
     <authors>Microsoft</authors>
@@ -29,11 +29,7 @@
     <file src="artifacts\Dependencies\Newtonsoft.Json.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\Microsoft.Bcl.AsyncInterfaces.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\Microsoft.IdentityModel.Abstractions.dll" target="Dependencies" />
-    <file src="artifacts\Dependencies\Microsoft.IdentityModel.JsonWebTokens.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\Microsoft.Identity.Client.Extensions.Msal.dll" target="Dependencies" />
-    <file src="artifacts\Dependencies\Microsoft.IdentityModel.Tokens.dll" target="Dependencies" />
-    <file src="artifacts\Dependencies\Microsoft.IdentityModel.Logging.dll" target="Dependencies" />
-    <file src="artifacts\Dependencies\System.IdentityModel.Tokens.Jwt.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\System.Memory.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\System.Threading.Tasks.Extensions.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\System.Diagnostics.DiagnosticSource.dll" target="Dependencies" />

src/Authentication/Authentication/Utilities/DependencyAssemblyResolver.cs

@@ -21,10 +21,6 @@ public static class DependencyAssemblyResolver
             { "Microsoft.Identity.Client", new Version("4.50.0") },
             { "Microsoft.Identity.Client.Extensions.Msal", new Version("2.26.0") },
             { "Microsoft.IdentityModel.Abstractions", new Version("6.27.0") },
-            { "Microsoft.IdentityModel.JsonWebTokens", new Version("6.27.0") },
-            { "Microsoft.IdentityModel.Logging", new Version("6.27.0") },
-            { "Microsoft.IdentityModel.Tokens", new Version("6.27.0") },
-            { "System.IdentityModel.Tokens.Jwt", new Version("6.27.0") },
             { "System.Security.Cryptography.ProtectedData", new Version("7.0.1") },
             { "Newtonsoft.Json", new Version("13.0.2") },
             { "System.Text.Json", new Version("7.0.2") },