IDX13002: Unable to validate token. TokenValidationParameters.RequireAudience is true but no AudienceRestrictions were found in the inbound token

[mpaine-act]

Test failed after upgrading NuGet packages.

1. Upgraded nuget Microsoft.IdentityModel.Tokens to 5.5.0
2. Test failed from repository .\Tests\Mvc.Tests\Saml2ControllerTests.cs, Saml2Controller_Acs_Throws_On_CommandResultHandled()
3. Saml2Controller_Acs_Throws_On_CommandResultHandled

Message:
Expected a <System.NotSupportedException> to be thrown, but found a <Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenException>: Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenException with message "IDX13002: Unable to validate token. TokenValidationParameters.RequireAudience is true but no AudienceRestrictions were found in the inbound token."
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(Saml2SecurityToken samlToken, String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Sustainsys.Saml2.Saml2P.Saml2Response.d__60.MoveNext() in Z:\Saml2\Sustainsys.Saml2\SAML2P\Saml2Response.cs:line 576
at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source) at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary2 relayData) in Z:\Saml2\Sustainsys.Saml2\SAML2P\Saml2Response.cs:line 547
at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState) in Z:\Saml2\Sustainsys.Saml2\WebSSO\AcsCommand.cs:line 147
at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) in Z:\Saml2\Sustainsys.Saml2\WebSSO\AcsCommand.cs:line 92
at Sustainsys.Saml2.Mvc.Saml2Controller.Acs() in Z:\Saml2\Sustainsys.Saml2.Mvc\Saml2Controller.cs:line 69
at Sustainsys.Saml2.Mvc.Tests.Saml2ControllerTests.<>c.<Saml2Controller_Acs_Throws_On_CommandResultHandled>b__8_1(Saml2Controller s) in Z:\Saml2\Tests\Mvc.Tests\Saml2ControllerTests.cs:line 222
at FluentAssertions.AssertionExtensions.<>c__DisplayClass4_0`1.b__0() in C:\projects\fluentassertions-vf06b\Src\FluentAssertions\AssertionExtensions.cs:line 38
at FluentAssertions.Specialized.ActionAssertions.InvokeSubjectWithInterception() in C:\projects\fluentassertions-vf06b\Src\FluentAssertions\Specialized\ActionAssertions.cs:line 118
.
Stack Trace:
at LateBoundTestFramework.Throw(String message) in LateBoundTestFramework.cs line: 16
at TestFrameworkProvider.Throw(String message) in TestFrameworkProvider.cs line: 40
at DefaultAssertionStrategy.HandleFailure(String message) in DefaultAssertionStrategy.cs line: 25
at AssertionScope.FailWith(String message, Object[] args) in AssertionScope.cs line: 224
at ActionAssertions.Throw[TException](String because, Object[] becauseArgs) in ActionAssertions.cs line: 41
at Saml2ControllerTests.Saml2Controller_Acs_Throws_On_CommandResultHandled() in Saml2ControllerTests.cs line: 222

Additional info

• .Net Framework 4.7 used for test
• Version of Asp.Net MVC 5.2.4

---

Note, setting RequireAudience to false in Sustainsys.Saml2\SAML2P\Saml2Response.cs line 565, fixes test -- but, is the correct default inside CreateClaims?

[AndersAbel]

Thank you for noticing, this has to be followed up. It might either be that the test data is to lazy - that an Audience should be added, or that the Audience validation settings has changed.

[mpaine-act]

Thank you. I am having another error related to the 5.5 update, where ValidateToken fails because a passed in token becomes NULL inside the token validation process, which is many how ValidateIssuer works. Step debugging through the .NET Standard and Full Framework versions both do it.

[mpaine-act]

Message:
Test method Sustainsys.Saml2.Tests.Saml2P.Saml2ResponseTests.Saml2Response_GetClaims_BadAuthnContext_IgnoredWhenConfigured threw exception:
System.ArgumentNullException: IDX10000: The parameter 'token' cannot be a 'null' or an empty object.
Parameter name: token
Stack Trace:
at Saml2SecurityTokenHandler.ReadSaml2Token(String token)
at Saml2PSecurityTokenHandler.ValidateTokenReplay(Nullable1 expirationTime, String securityToken, TokenValidationParameters validationParameters) in Saml2PSecurityTokenHandler.cs line: 39 at Saml2SecurityTokenHandler.ValidateToken(Saml2SecurityToken samlToken, String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext() in Saml2Response.cs line: 577 at List1.AddEnumerable(IEnumerable1 enumerable) at Enumerable.ToList[TSource](IEnumerable1 source)
at Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData) in Saml2Response.cs line: 542
at Saml2Response.GetClaims(IOptions options) in Saml2Response.cs line: 518
at Saml2ResponseTests.Saml2Response_GetClaims_BadAuthnContext_IgnoredWhenConfigured() in Saml2ResponseTests.cs line: 492