microsoft-authentication-library-for-dotnet/src/client/Microsoft.Identity.Client.KeyAttestation/Attestation/JwtClaimExtractor.cs at 5df662be983201ae06936dae65bdb356a3eaedc1 · AzureAD/microsoft-authentication-library-for-dotnet · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Collections.Generic;
using System.Text.Json;
using Microsoft.Identity.Client.Utils;

namespace Microsoft.Identity.Client.KeyAttestation.Attestation
{
    /// <summary>
    /// JWT claim extractor leveraging MSAL's existing helper utilities.
    /// </summary>
    internal static class JwtClaimExtractor
    {
        /// <summary>
        /// Extracts the 'exp' (expiration) claim from a JWT payload.
        /// </summary>
        /// <param name="jwt">The JWT string (format: header.payload.signature).</param>
        /// <param name="expiresOn">The parsed expiration time in UTC, or DateTimeOffset.MinValue on failure.</param>
        /// <returns>True if the exp claim was successfully extracted; false otherwise.</returns>
        internal static bool TryExtractExpirationClaim(string jwt, out DateTimeOffset expiresOn)
        {
            expiresOn = DateTimeOffset.MinValue;

            try
            {
                // Split JWT into parts
                var parts = jwt.Split('.');
                if (parts.Length < 2)
                    return false;

                // Use MSAL's Base64UrlHelpers to decode the payload (handles padding automatically)
                string payloadJson = Base64UrlHelpers.Decode(parts[1]);

                if (string.IsNullOrEmpty(payloadJson))
                    return false;

                // Use MSAL's JsonHelper to parse JSON (handles both System.Text.Json and Newtonsoft)
                var claims = JsonHelper.DeserializeFromJson<Dictionary<string, object>>(payloadJson);

                if (claims == null || !claims.TryGetValue("exp", out object expObj))
                    return false;

                // Parse the exp claim (Unix timestamp in seconds)
                // STJ deserializes numbers in Dictionary<string,object> as JsonElement, not long
                if (expObj is JsonElement jsonElement)
                {
                    if (jsonElement.TryGetInt64(out long elementLong))
                    {
                        expiresOn = DateTimeOffset.FromUnixTimeSeconds(elementLong);
                        return true;
                    }
                    // Handle number-as-string in JSON
                    if (jsonElement.ValueKind == JsonValueKind.String &&
                        long.TryParse(jsonElement.GetString(), out long parsedFromElement))
                    {
                        expiresOn = DateTimeOffset.FromUnixTimeSeconds(parsedFromElement);
                        return true;
                    }
                }

                // Fallback: direct long (shouldn't happen with STJ but kept for safety)
                if (expObj is long expLong)
                {
                    expiresOn = DateTimeOffset.FromUnixTimeSeconds(expLong);
                    return true;
                }

                // Handle case where exp comes as string (defensive)
                if (expObj is string expStr && long.TryParse(expStr, out long parsedExp))
                {
                    expiresOn = DateTimeOffset.FromUnixTimeSeconds(parsedExp);
                    return true;
                }
            }
            catch
            {
                // Silently fail: malformed JWT or parsing error
            }

            return false;
        }
    }
}