Fix missing else keyword in JwtSecurityTokenHandler key resolution #3518

Open
fre-berhane wants to merge 1 commit into dev from freberhane/JWTSecurityFix

@fre-berhane

Fix missing else keyword in JwtSecurityTokenHandler key resolution

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • If any gains or losses in performance are possible, you've included benchmarks for your changes. More info
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Summary of the changes (Less than 80 chars)

Description

Add missing 'else' at JwtSecurityTokenHandler.cs:1384 so that IssuerSigningKeyResolverUsingConfiguration takes priority over IssuerSigningKeyResolver and default kid-based resolution, matching the documented contract and the correct behavior already present in JsonWebTokenHandler.

Fixes #{bug number} (in this specific format)

Add missing 'else' at JwtSecurityTokenHandler.cs:1384 so that
IssuerSigningKeyResolverUsingConfiguration takes priority over
IssuerSigningKeyResolver and default kid-based resolution, matching
the documented contract and the correct behavior already present
in JsonWebTokenHandler.

Without this fix, default key resolution silently overwrites the
keys returned by IssuerSigningKeyResolverUsingConfiguration when
IssuerSigningKeyResolver is null, defeating key-restriction,
key-revocation, and scope-gated key-selection policies.
@fre-berhane fre-berhane requested a review from a team as a code owner June 2, 2026 14:26
keys = validationParameters.IssuerSigningKeyResolverUsingConfiguration(token, jwtToken, jwtToken.Header.Kid, validationParameters, configuration);
}
if (validationParameters.IssuerSigningKeyResolver != null)
else if (validationParameters.IssuerSigningKeyResolver != null)
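
Review bot: on the 'else if (validationParameters.IssuerSigningKeyResolver != null)' line, the new 'else' also skips IssuerSigningKeyResolver when IssuerSigningKeyResolverUsingConfiguration is set but returns null or an empty collection, so in the lines shown 'keys' keeps whatever that first call produced. If failing closed in that case is intended, say so in a comment at this branch and add a test for it. The case the commit message describes (IssuerSigningKeyResolver null, configuration resolver set) also needs a regression test asserting that only the keys from IssuerSigningKeyResolverUsingConfiguration are tried, matching the JsonWebTokenHandler behavior the description cites.
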
Collaborator

Does this mean there are missing test cases that need to be added?
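
The precedence problem reported in the description, as a simplified model added here (not code from this pull request or from the library): keys are plain strings, and the resolver names, the sample kids and the trailing default-resolution branch are assumptions inferred from the commit message. It shows a policy resolver's result being overwritten when the 'else' is missing and preserved when it is present.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model, not the library's code: a "key" is a string looked up by kid.
static class KeyResolutionModel
{
    // Constructed sample data: the issuer configuration still lists a key that policy has revoked.
    static readonly Dictionary<string, string> ConfigKeys = new()
    {
        ["kid-current"] = "key-current",
        ["kid-revoked"] = "key-revoked",
    };

    // Hypothetical policy resolver: returns only the key that is still allowed.
    static IEnumerable<string> PolicyResolver(string kid) => new[] { ConfigKeys["kid-current"] };

    // Assumed stand-in for default kid-based resolution.
    static IEnumerable<string> DefaultByKid(string kid) =>
        ConfigKeys.TryGetValue(kid, out var key) ? new[] { key } : Array.Empty<string>();

    // Branch order with the 'else' missing: the second statement always runs.
    public static string[] ResolveMissingElse(string kid,
        Func<string, IEnumerable<string>> usingConfiguration,
        Func<string, IEnumerable<string>> resolver)
    {
        IEnumerable<string> keys = Array.Empty<string>();
        if (usingConfiguration != null) keys = usingConfiguration(kid);
        if (resolver != null) keys = resolver(kid);
        else keys = DefaultByKid(kid);   // overwrites the policy resolver's result
        return keys.ToArray();
    }

    // Branch order with the 'else' in place: the first non-null resolver decides.
    public static string[] ResolveWithElse(string kid,
        Func<string, IEnumerable<string>> usingConfiguration,
        Func<string, IEnumerable<string>> resolver)
    {
        IEnumerable<string> keys;
        if (usingConfiguration != null) keys = usingConfiguration(kid);
        else if (resolver != null) keys = resolver(kid);
        else keys = DefaultByKid(kid);
        return keys.ToArray();
    }

    static void Main()
    {
        // A token naming the revoked kid; the second resolver is null, as in the description.
        Console.WriteLine(string.Join(",", ResolveMissingElse("kid-revoked", PolicyResolver, null)));
        Console.WriteLine(string.Join(",", ResolveWithElse("kid-revoked", PolicyResolver, null)));
    }
}
```

A regression test for the real handler would assert the same property: with only the configuration-based resolver set, a token whose kid names a key outside the resolver's result must fail signature validation.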