[Bug] Reduce allocations in Aad validation by not using string.Replace when it isn't necessary

[eerhardt]

Which version of Microsoft.IdentityModel are you using?
latest

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Repro

In doing a allocation profile of validating a token 1,000 times, one area that stuck out was using string.Replace in a few places:

One case that can be fixed is:

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

Lines 386 to 393 in a1530a0

	private static bool IsValidIssuer(string validIssuerTemplate, string tenantId, string actualIssuer)
	{
	if (string.IsNullOrEmpty(validIssuerTemplate))
	return false;
	if (validIssuerTemplate.Contains(TenantIdTemplate))
	{
	return validIssuerTemplate.Replace(TenantIdTemplate, tenantId) == actualIssuer;

We should be able to do that comparison allocation free.

Similarly this check:

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Validators/AadTokenValidationParametersExtension.cs

Lines 76 to 97 in a1530a0

	#if NET6_0_OR_GREATER
	if (!string.IsNullOrEmpty(tokenIssuer) && !tokenIssuer.Contains(tenantIdFromToken, StringComparison.Ordinal))
	throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40004, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(tenantIdFromToken))));
	// creating an effectiveSigningKeyIssuer is required as signingKeyIssuer might contain {tenantid}
	var effectiveSigningKeyIssuer = signingKeyIssuer.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken, StringComparison.Ordinal);
	var v2TokenIssuer = openIdConnectConfiguration.Issuer?.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken, StringComparison.Ordinal);
	#else
	if (!string.IsNullOrEmpty(tokenIssuer) && !tokenIssuer.Contains(tenantIdFromToken))
	throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40004, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(tenantIdFromToken))));
	// creating an effectiveSigningKeyIssuer is required as signingKeyIssuer might contain {tenantid}
	var effectiveSigningKeyIssuer = signingKeyIssuer.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken);
	var v2TokenIssuer = openIdConnectConfiguration.Issuer?.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken);
	#endif
	// comparing effectiveSigningKeyIssuer with v2TokenIssuer is required as well because of the following scenario:
	// 1. service trusts /common/v2.0 endpoint
	// 2. service receieves a v1 token that has issuer like sts.windows.net
	// 3. signing key issuers will never match sts.windows.net as v1 endpoint doesn't have issuers attached to keys
	// v2TokenIssuer is the representation of Token.Issuer (if it was a v2 issuer)
	if (effectiveSigningKeyIssuer != tokenIssuer && effectiveSigningKeyIssuer != v2TokenIssuer)

Should be able to be done without the 2 string allocations that is happening.