Incorporate community feedback from https://github.com/aspnet/Security/pull/112

src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationMiddleware.cs

@@ -63,6 +63,11 @@ public OAuthAuthenticationMiddleware(
                 throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.Exception_OptionMustBeProvided, nameof(Options.TokenEndpoint)));
             }
 
+            if (Options.Notifications == null)
+            {
+                Options.Notifications = new OAuthAuthenticationNotifications();
+            }
+
             if (Options.StateDataFormat == null)
             {
                 var dataProtector = dataProtectionProvider.CreateProtector(

src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationOptions.cs

@@ -7,7 +7,6 @@
 using System.Security.Claims;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
-using Microsoft.Framework.Internal;
 
 namespace Microsoft.AspNet.Authentication.OAuth
 {
@@ -83,7 +82,7 @@ public string Caption
         /// <summary>
         /// Gets or sets the <see cref="IOAuthAuthenticationNotifications"/> used to handle authentication events.
         /// </summary>
-        public IOAuthAuthenticationNotifications Notifications { get; [param: NotNull] set; } = new OAuthAuthenticationNotifications();
+        public IOAuthAuthenticationNotifications Notifications { get; set; } = new OAuthAuthenticationNotifications();
 
         /// <summary>
         /// A list of permissions to request.

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationMiddleware.cs

@@ -2,12 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
-using System.IdentityModel.Tokens;
-using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
-using Microsoft.AspNet.Authentication;
 using Microsoft.AspNet.Builder;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
@@ -43,11 +39,6 @@ public OAuthBearerAuthenticationMiddleware(
                 Options.Notifications = new OAuthBearerAuthenticationNotifications();
             }
 
-            if (Options.SecurityTokenValidators == null)
-            {
-                Options.SecurityTokenValidators = new List<ISecurityTokenValidator> { new JwtSecurityTokenHandler() };
-            }
-
             if (string.IsNullOrEmpty(Options.TokenValidationParameters.ValidAudience) && !string.IsNullOrEmpty(Options.Audience))
             {
                 Options.TokenValidationParameters.ValidAudience = Options.Audience;

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationOptions.cs

@@ -4,8 +4,8 @@
 using System;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
-using Microsoft.Framework.Internal;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 
@@ -16,21 +16,12 @@ namespace Microsoft.AspNet.Authentication.OAuthBearer
     /// </summary>
     public class OAuthBearerAuthenticationOptions : AuthenticationOptions
     {
-        private ICollection<ISecurityTokenValidator> _securityTokenValidators;
-        private TokenValidationParameters _tokenValidationParameters;
-
         /// <summary>
         /// Creates an instance of bearer authentication options with default values.
         /// </summary>
         public OAuthBearerAuthenticationOptions() : base()
         {
             AuthenticationScheme = OAuthBearerAuthenticationDefaults.AuthenticationScheme;
-            BackchannelTimeout = TimeSpan.FromMinutes(1);
-            Challenge = OAuthBearerAuthenticationDefaults.AuthenticationScheme;
-            Notifications = new OAuthBearerAuthenticationNotifications();
-            RefreshOnIssuerKeyNotFound = true;
-            SystemClock = new SystemClock();
-            TokenValidationParameters = new TokenValidationParameters();
         }
 
         /// <summary>
@@ -54,15 +45,14 @@ public OAuthBearerAuthenticationOptions() : base()
         /// <summary>
         /// Gets or sets the challenge to put in the "WWW-Authenticate" header.
         /// </summary>
-        /// TODO - brentschmaltz, should not be null.
-        public string Challenge { get; set; }
+        public string Challenge { get; set; } = OAuthBearerAuthenticationDefaults.AuthenticationScheme;
 
         /// <summary>
         /// The object provided by the application to process events raised by the bearer authentication middleware.
         /// The application may implement the interface fully, or it may create an instance of OAuthBearerAuthenticationProvider
         /// and assign delegates only to the events it wants to process.
         /// </summary>
-        public OAuthBearerAuthenticationNotifications Notifications { get; set; }
+        public OAuthBearerAuthenticationNotifications Notifications { get; set; } = new OAuthBearerAuthenticationNotifications();
 
         /// <summary>
         /// The HttpMessageHandler used to retrieve metadata.
@@ -74,7 +64,7 @@ public OAuthBearerAuthenticationOptions() : base()
         /// <summary>
         /// Gets or sets the timeout when using the backchannel to make an http call.
         /// </summary>
-        public TimeSpan BackchannelTimeout { get; set; }
+        public TimeSpan BackchannelTimeout { get; set; } = TimeSpan.FromMinutes(1);
 
 #if DNX451
         /// <summary>
@@ -104,48 +94,24 @@ public OAuthBearerAuthenticationOptions() : base()
         /// Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic
         /// recovery in the event of a signature key rollover. This is enabled by default.
         /// </summary>
-        public bool RefreshOnIssuerKeyNotFound { get; set; }
+        public bool RefreshOnIssuerKeyNotFound { get; set; } = true;
 
         /// <summary>
         /// Used to know what the current clock time is when calculating or validating token expiration. When not assigned default is based on
         /// DateTimeOffset.UtcNow. This is typically needed only for unit testing.
         /// </summary>
-        public ISystemClock SystemClock { get; set; }
+        public ISystemClock SystemClock { get; set; } = new SystemClock();
 
         /// <summary>
-        /// Gets or sets the <see cref="SecurityTokenValidators"/> for validating tokens.
+        /// Gets the ordered list of <see cref="ISecurityTokenValidator"/> used to validate access tokens.
         /// </summary>
-        /// <exception cref="ArgumentNullException">if 'value' is null.</exception>
-        public ICollection<ISecurityTokenValidator> SecurityTokenValidators
-        {
-            get
-            {
-                return _securityTokenValidators;
-            }
-
-            [param: NotNull]
-            set
-            {
-                _securityTokenValidators = value;
-            }
-        }
+        public IList<ISecurityTokenValidator> SecurityTokenValidators { get; } = new List<ISecurityTokenValidator> { new JwtSecurityTokenHandler() };
 
         /// <summary>
-        /// Gets or sets the TokenValidationParameters
+        /// Gets or sets the parameters used to validate identity tokens.
         /// </summary>
         /// <remarks>Contains the types and definitions required for validating a token.</remarks>
         /// <exception cref="ArgumentNullException">if 'value' is null.</exception>
-        public TokenValidationParameters TokenValidationParameters
-        {
-            get
-            {
-                return _tokenValidationParameters;
-            }
-            [param: NotNull]
-            set
-            {
-                _tokenValidationParameters = value;
-            }
-        }
+        public TokenValidationParameters TokenValidationParameters { get; set; } = new TokenValidationParameters();
     }
 }

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs

@@ -141,7 +141,7 @@ protected override async Task<bool> HandleUnauthorizedAsync([NotNull] ChallengeC
                 RequestType = OpenIdConnectRequestType.AuthenticationRequest,
                 Resource = Options.Resource,
                 ResponseType = Options.ResponseType,
-                Scope = Options.Scope
+                Scope = string.Join(" ", Options.Scope)
             };
 
             // Omitting the response_mode parameter when it already corresponds to the default
@@ -827,17 +827,14 @@ private AuthenticationTicket ValidateToken(string idToken, OpenIdConnectMessage
 
             SecurityToken validatedToken = null;
             ClaimsPrincipal principal = null;
-            foreach (var validator in Options.SecurityTokenValidators)
+            if (Options.SecurityTokenValidator.CanReadToken(idToken))
             {
-                if (validator.CanReadToken(idToken))
+                principal = Options.SecurityTokenValidator.ValidateToken(idToken, validationParameters, out validatedToken);
+                jwt = validatedToken as JwtSecurityToken;
+                if (jwt == null)
                 {
-                    principal = validator.ValidateToken(idToken, validationParameters, out validatedToken);
-                    jwt = validatedToken as JwtSecurityToken;
-                    if (jwt == null)
-                    {
-                        Logger.LogError(Resources.OIDCH_0010_ValidatedSecurityTokenNotJwt, validatedToken?.GetType());
-                        throw new SecurityTokenException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0010_ValidatedSecurityTokenNotJwt, validatedToken?.GetType()));
-                    }
+                    Logger.LogError(Resources.OIDCH_0010_ValidatedSecurityTokenNotJwt, validatedToken?.GetType());
+                    throw new SecurityTokenException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0010_ValidatedSecurityTokenNotJwt, validatedToken?.GetType()));
                 }
             }
 

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -2,10 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Collections.ObjectModel;
 using System.Diagnostics.CodeAnalysis;
-using System.IdentityModel.Tokens;
-using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
 using System.Text;
 using Microsoft.AspNet.Builder;
@@ -60,10 +57,10 @@ public OpenIdConnectAuthenticationMiddleware(
             if (Options.StateDataFormat == null)
             {
                 var dataProtector = dataProtectionProvider.CreateProtector(
-                    typeof(OpenIdConnectAuthenticationMiddleware).FullName, 
-					typeof(string).FullName,
+                    typeof(OpenIdConnectAuthenticationMiddleware).FullName,
+                    typeof(string).FullName,
                     Options.AuthenticationScheme,
-					"v1");
+                    "v1");
 
                 Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
             }
@@ -78,11 +75,6 @@ public OpenIdConnectAuthenticationMiddleware(
 
                 Options.StringDataFormat = new SecureDataFormat<string>(new StringSerializer(), dataProtector, TextEncodings.Base64Url);
             }
-
-            if (Options.SecurityTokenValidators == null)
-            {
-                Options.SecurityTokenValidators = new Collection<ISecurityTokenValidator> { new JwtSecurityTokenHandler() };
-            }
 
             // if the user has not set the AuthorizeCallback, set it from the redirect_uri
             if (!Options.CallbackPath.HasValue)