Remove virtual method call from constructor.

src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs

@@ -50,6 +50,7 @@ private struct AuthenticatedKeys
         private Lazy<AuthenticatedKeys> _authenticatedkeys;
         private CryptoProviderFactory _cryptoProviderFactory;
         private bool _disposed;
+        private Lazy<bool> _keySizeIsValid;
         private string _hmacAlgorithm;
         private Lazy<SymmetricSignatureProvider> _symmetricSignatureProvider;
         private DecryptionDelegate DecryptFunction;
@@ -76,7 +77,6 @@ public AuthenticatedEncryptionProvider(SecurityKey key, string algorithm)
             Key = key;
             Algorithm = algorithm;
             _cryptoProviderFactory = key.CryptoProviderFactory;
-
             if (SupportedAlgorithms.IsSupportedEncryptionAlgorithm(algorithm, key))
             {
                 if (SupportedAlgorithms.IsAesGcm(algorithm))
@@ -96,7 +96,7 @@ public AuthenticatedEncryptionProvider(SecurityKey key, string algorithm)
 
         private void InitializeUsingAesGcm()
         {
-            ValidateKeySize(Key, Algorithm);
+            _keySizeIsValid = new Lazy<bool>(ValidKeySize);
             EncryptFunction = EncryptWithAesGcm;
             DecryptFunction = DecryptWithAesGcm;
         }
@@ -110,13 +110,20 @@ private void InitializeUsingAesCbc()
             DecryptFunction = DecryptWithAesCbc;
         }
 
+        internal bool ValidKeySize()
+        {
+            ValidateKeySize(Key, Algorithm);
+            return true;
+        }
+
         private AuthenticatedEncryptionResult EncryptWithAesGcm(byte[] plaintext, byte[] authenticatedData, byte[] iv)
         {
             throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10715, Algorithm)));
         }
 
         private byte[] DecryptWithAesGcm(byte[] ciphertext, byte[] authenticatedData, byte[] iv, byte[] authenticationTag)
         {
+            _ = _keySizeIsValid.Value;
             byte[] clearBytes = new byte[ciphertext.Length];
             using (var aes = new AesGcm(GetKeyBytes(Key)))
             {

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs

@@ -317,6 +317,27 @@ public static TheoryData<CreateTokenTheoryData> CreateJWEWithAesGcmTheoryData
                         JsonWebTokenHandler = new JsonWebTokenHandler(),
                         JwtSecurityTokenHandler = tokenHandler,
                         ExpectedException = ExpectedException.SecurityTokenEncryptionFailedException("IDX10616:", typeof(NotSupportedException))
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "AesGcm_InvalidDecryptionKeySize",
+                        TokenDescriptor =  new SecurityTokenDescriptor
+                        {
+                            SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
+                            EncryptingCredentials = encryptionCredentials,
+                            Subject = new ClaimsIdentity(Default.PayloadClaims),
+                            TokenType = "TokenType"
+                        },
+                        JsonWebTokenHandler = new JsonWebTokenHandler(),
+                        JwtSecurityTokenHandler = tokenHandler,
+                        ValidationParameters = new TokenValidationParameters
+                        {
+                            IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
+                            TokenDecryptionKey = KeyingMaterial.DefaultSymmetricSecurityKey_64,
+                            ValidAudience = Default.Audience,
+                            ValidIssuer = Default.Issuer
+                        },
+                        ExpectedException = ExpectedException.SecurityTokenDecryptionFailedException("IDX10653:")
                     }
                 };
             }