diff --git a/Solutions/AspNetCore.Authentication/src/SharePointPnP.IdentityModel/Extensions/S2S/Tokens/JsonWebSecurityTokenHandler.cs b/Solutions/AspNetCore.Authentication/src/SharePointPnP.IdentityModel/Extensions/S2S/Tokens/JsonWebSecurityTokenHandler.cs
index 7d2fa06fe..c3f10963b 100644
--- a/Solutions/AspNetCore.Authentication/src/SharePointPnP.IdentityModel/Extensions/S2S/Tokens/JsonWebSecurityTokenHandler.cs
+++ b/Solutions/AspNetCore.Authentication/src/SharePointPnP.IdentityModel/Extensions/S2S/Tokens/JsonWebSecurityTokenHandler.cs
@@ -1,4 +1,6 @@
using Microsoft.IdentityModel.Claims;
+using System;
+using System.Linq;
using System.ServiceModel.Security.Tokens;
using System.Xml;
@@ -412,6 +414,7 @@ private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.S
ClaimsIdentity claimsIdentity = new ClaimsIdentity("Federation");
if (!isActorToken && jsonWebSecurityToken.ActorToken != null)
{
+ ValidateActorTokenForAppOnly(jsonWebSecurityToken.ActorToken);
ClaimsIdentityCollection claimsIdentityCollection2 = this.ValidateActorToken(jsonWebSecurityToken.ActorToken);
if (claimsIdentityCollection2.Count > 1)
{
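Review bot: The new call on the line before `ValidateActorToken` rejects a non-app-only actor token with `UnauthorizedAccessException` (the helper's body later in this diff), while the rest of ValidateTokenCore presumably reports rejected tokens through the handler's security-token exception types, so a caller that catches only those to turn a bad actor token into a 401 would see this case escape as an unhandled exception. Consider throwing the exception type the handler already uses for other rejected tokens, or at least documenting the new exception at the call site. The helper's own `if (actorToken != null)` also duplicates the `jsonWebSecurityToken.ActorToken != null` test immediately above the call, so the parameter could be treated as non-null here. Because the check runs before the actor token is validated, it reads claims from a not-yet-verified token; that is safe since the guard can only reject, but a comment such as `// app-only check precedes actor-token validation; it can only reject, never grant` would save the next reader the question. ValidateTokenCore starts and ends outside this hunk.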
@@ -440,6 +443,24 @@ private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.S
return claimsIdentityCollection;
}
+ ///
+ ///Validates that the actor token is an app token by checking for the lack of user claims
+ ///
+ ///
+ private static void ValidateActorTokenForAppOnly(JsonWebSecurityToken actorToken)
+ {
+ if (actorToken != null)
+ {
+ if (actorToken.Claims.FirstOrDefault(x => x.ClaimType.Equals("scp")) != null
+ || actorToken.Claims.FirstOrDefault(x => x.ClaimType.Equals("upn")) != null
+ || actorToken.Claims.FirstOrDefault(x => x.ClaimType.Equals("unique_name")) != null
+ || actorToken.Claims.FirstOrDefault(x => x.ClaimType.Equals("altsecid")) != null)
+ {
+ throw new UnauthorizedAccessException("Invalid actor token.");
+ }
+ }
+ }
+
public override ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken token)
{
return this.ValidateTokenCore(token, false);