From 88afb8f49c1513c724162f967e838089c8ebb62e Mon Sep 17 00:00:00 2001
From: Brock Allen
Date: Tue, 31 Mar 2020 10:53:12 -0400
Subject: [PATCH] Use non-case sensitive string for any ids #3184 (#4234)
---
 src/IdentityServer4/host/Startup.cs | 2 +-
 src/IdentityServer4/src/Configuration/CryptoHelper.cs | 4 ++--
 .../src/Extensions/ValidatedAuthorizeRequestExtensions.cs | 2 +-
 .../src/Services/Default/DefaultBackChannelLogoutService.cs | 2 +-
 .../src/Services/Default/DefaultHandleGenerationService.cs | 2 +-
 .../src/Services/Default/DefaultTokenService.cs | 2 +-
 .../src/Services/Default/DefaultUserSession.cs | 2 +-
 src/IdentityServer4/src/Test/TestUserStore.cs | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/IdentityServer4/host/Startup.cs b/src/IdentityServer4/host/Startup.cs
index dde1c55e9f..f80e3ba783 100644
--- a/src/IdentityServer4/host/Startup.cs
+++ b/src/IdentityServer4/host/Startup.cs
@@ -161,7 +161,7 @@ public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBu
 var ecCert = new X509Certificate2("./keys/identityserver.test.ecdsa.p12", "changeit");
 var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
 {
- KeyId = CryptoRandom.CreateUniqueId(16)
+ KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
 };
 return builder.AddSigningCredential(
diff --git a/src/IdentityServer4/src/Configuration/CryptoHelper.cs b/src/IdentityServer4/src/Configuration/CryptoHelper.cs
index d9eedabd3b..c6dba7f253 100644
--- a/src/IdentityServer4/src/Configuration/CryptoHelper.cs
+++ b/src/IdentityServer4/src/Configuration/CryptoHelper.cs
@@ -24,7 +24,7 @@ public static RsaSecurityKey CreateRsaSecurityKey(int keySize = 2048)
 {
 return new RsaSecurityKey(RSA.Create(keySize))
 {
- KeyId = CryptoRandom.CreateUniqueId(16)
+ KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
 };
 }
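Review bot: In src/IdentityServer4/host/Startup.cs, and at the other eight call sites this patch touches (CryptoHelper.cs twice, ValidatedAuthorizeRequestExtensions.cs, DefaultBackChannelLogoutService.cs, DefaultHandleGenerationService.cs, DefaultTokenService.cs, DefaultUserSession.cs, TestUserStore.cs), `CryptoRandom.OutputFormat.Hex` is passed as a bare argument with no comment saying why, so a later `CryptoRandom.CreateUniqueId(16)` would silently fall back to the library's default format and reintroduce ids that differ only by letter case. Such ids can compare equal in any store or lookup that ignores case, which is presumably the problem behind #3184. I would route the library call sites through one internal helper that carries the rationale, for example `internal static string CreateUniqueHexId(int bytes = 16) => CryptoRandom.CreateUniqueId(bytes, CryptoRandom.OutputFormat.Hex);` with the comment `// Hex: ids must stay unique under case-insensitive comparison`. The body of AddSigningCredential continues outside this hunk.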
@@ -38,7 +38,7 @@ public static ECDsaSecurityKey CreateECDsaSecurityKey(string curve = JsonWebKeyE
 {
 return new ECDsaSecurityKey(ECDsa.Create(GetCurveFromCrvValue(curve)))
 {
- KeyId = CryptoRandom.CreateUniqueId(16)
+ KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
 };
 }
diff --git a/src/IdentityServer4/src/Extensions/ValidatedAuthorizeRequestExtensions.cs b/src/IdentityServer4/src/Extensions/ValidatedAuthorizeRequestExtensions.cs
index 5da7eef119..db07e85ba5 100644
--- a/src/IdentityServer4/src/Extensions/ValidatedAuthorizeRequestExtensions.cs
+++ b/src/IdentityServer4/src/Extensions/ValidatedAuthorizeRequestExtensions.cs
@@ -108,7 +108,7 @@ public static string GenerateSessionStateValue(this ValidatedAuthorizeRequest re
 var clientId = request.ClientId;
 var sessionId = request.SessionId;
- var salt = CryptoRandom.CreateUniqueId(16);
+ var salt = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex);
 var uri = new Uri(request.RedirectUri);
 var origin = uri.Scheme + "://" + uri.Host;
diff --git a/src/IdentityServer4/src/Services/Default/DefaultBackChannelLogoutService.cs b/src/IdentityServer4/src/Services/Default/DefaultBackChannelLogoutService.cs
index a50a8d2530..ebb9df852c 100644
--- a/src/IdentityServer4/src/Services/Default/DefaultBackChannelLogoutService.cs
+++ b/src/IdentityServer4/src/Services/Default/DefaultBackChannelLogoutService.cs
@@ -124,7 +124,7 @@ protected Task> CreateClaimsForTokenAsync(BackChannelLogoutMo
 new Claim(JwtClaimTypes.Subject, client.SubjectId),
 new Claim(JwtClaimTypes.Audience, client.ClientId),
 new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
- new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)),
+ new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)),
 new Claim(JwtClaimTypes.Events, json, IdentityServerConstants.ClaimValueTypes.Json)
 };
diff --git a/src/IdentityServer4/src/Services/Default/DefaultHandleGenerationService.cs b/src/IdentityServer4/src/Services/Default/DefaultHandleGenerationService.cs
index ac1dd14ee3..ec81caf42d 100644
--- a/src/IdentityServer4/src/Services/Default/DefaultHandleGenerationService.cs
+++ b/src/IdentityServer4/src/Services/Default/DefaultHandleGenerationService.cs
@@ -20,7 +20,7 @@ public class DefaultHandleGenerationService : IHandleGenerationService
 ///
 public Task GenerateAsync(int length)
 {
- return Task.FromResult(CryptoRandom.CreateUniqueId(length));
+ return Task.FromResult(CryptoRandom.CreateUniqueId(length, CryptoRandom.OutputFormat.Hex));
 }
 }
 }
\ No newline at end of file
diff --git a/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs b/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs
index 42a17edb78..f902167731 100644
--- a/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs
+++ b/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs
@@ -194,7 +194,7 @@ public virtual async Task CreateAccessTokenAsync(TokenCreationRequest req
 if (request.ValidatedRequest.Client.IncludeJwtId)
 {
- claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
+ claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
 }
 if (request.ValidatedRequest.SessionId.IsPresent())
diff --git a/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs b/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
index b5db14dfec..2c724e4b94 100644
--- a/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
+++ b/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
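Review bot: In DefaultHandleGenerationService.GenerateAsync the meaning of `length` is left undocumented, and the switch to `CryptoRandom.OutputFormat.Hex` changes the size of the string that comes back: if `length` counts random bytes, as it does in IdentityModel's CryptoRandom, the handle is now exactly twice that many characters. The entropy is the same, but every handle issued through this service becomes longer than before, so stores or validators that enforce a maximum handle length should be checked; those callers are not visible from this hunk. I would add to the XML doc `/// <param name="length">Number of random bytes; the result is 2 * length hexadecimal characters.</param>`.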
@@ -150,7 +150,7 @@ public virtual async Task CreateSessionIdAsync(ClaimsPrincipal principal
 if (!properties.Items.ContainsKey(SessionIdKey) || currentSubjectId != newSubjectId)
 {
- properties.Items[SessionIdKey] = CryptoRandom.CreateUniqueId(16);
+ properties.Items[SessionIdKey] = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex);
 }
 IssueSessionIdCookie(properties.Items[SessionIdKey]);
diff --git a/src/IdentityServer4/src/Test/TestUserStore.cs b/src/IdentityServer4/src/Test/TestUserStore.cs
index 1574b59993..5084eb12af 100644
--- a/src/IdentityServer4/src/Test/TestUserStore.cs
+++ b/src/IdentityServer4/src/Test/TestUserStore.cs
@@ -134,7 +134,7 @@ public TestUser AutoProvisionUser(string provider, string userId, List cl
 }
 // create a new unique subject id
- var sub = CryptoRandom.CreateUniqueId();
+ var sub = CryptoRandom.CreateUniqueId(format: CryptoRandom.OutputFormat.Hex);
 // check if a display name is available, otherwise fallback to subject id
 var name = filtered.FirstOrDefault(c => c.Type == JwtClaimTypes.Name)?.Value ?? sub;
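Review bot: In DefaultUserSession.CreateSessionIdAsync the hex id is only written when `SessionIdKey` is missing or the subject id changed, so a session established before this change keeps its earlier id format until the user signs in again. If the case-insensitive guarantee matters for session ids, for instance where they serve as lookup keys, old and new formats will coexist for as long as existing cookies live, and that window should be stated in the upgrade notes or next to the condition, e.g. `// ids issued before the hex change stay in existing cookies until re-login`. The method body continues outside this hunk.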