[cherry pick] Use TokenValidationParameter copy constructor to make a deep copy

src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs

@@ -61,7 +61,7 @@ protected TokenValidationParameters(TokenValidationParameters other)
             IssuerSigningKey = other.IssuerSigningKey;
             IssuerSigningKeyResolver = other.IssuerSigningKeyResolver;
             IssuerSigningKeyResolverUsingConfiguration = other.IssuerSigningKeyResolverUsingConfiguration;
-            IssuerSigningKeys = other.IssuerSigningKeys;
+            IssuerSigningKeys = other.IssuerSigningKeys is not null ? new List<SecurityKey>(other.IssuerSigningKeys) : null;
             IssuerSigningKeyValidator = other.IssuerSigningKeyValidator;
             IssuerSigningKeyValidatorUsingConfiguration = other.IssuerSigningKeyValidatorUsingConfiguration;
             IssuerValidator = other.IssuerValidator;
@@ -72,7 +72,12 @@ protected TokenValidationParameters(TokenValidationParameters other)
             LogValidationExceptions = other.LogValidationExceptions;
             NameClaimType = other.NameClaimType;
             NameClaimTypeRetriever = other.NameClaimTypeRetriever;
-            PropertyBag = other.PropertyBag;
+            PropertyBag = other.PropertyBag switch
+            {
+                null => null,
+                Dictionary<string, object> dictionary => new Dictionary<string, object>(dictionary, dictionary.Comparer),
+                _ => new Dictionary<string, object>(other.PropertyBag)
+            };
             TryReadJwtClaim = other.TryReadJwtClaim;
             RefreshBeforeValidation = other.RefreshBeforeValidation;
             RequireAudience = other.RequireAudience;
@@ -86,7 +91,7 @@ protected TokenValidationParameters(TokenValidationParameters other)
             SignatureValidatorUsingConfiguration = other.SignatureValidatorUsingConfiguration;
             TokenDecryptionKey = other.TokenDecryptionKey;
             TokenDecryptionKeyResolver = other.TokenDecryptionKeyResolver;
-            TokenDecryptionKeys = other.TokenDecryptionKeys;
+            TokenDecryptionKeys = other.TokenDecryptionKeys is not null ? new List<SecurityKey>(other.TokenDecryptionKeys) : null;
             TokenReader = other.TokenReader;
             TokenReplayCache = other.TokenReplayCache;
             TokenReplayValidator = other.TokenReplayValidator;
@@ -105,12 +110,12 @@ protected TokenValidationParameters(TokenValidationParameters other)
             ValidateSignatureLast = other.ValidateSignatureLast;
             ValidateTokenReplay = other.ValidateTokenReplay;
             ValidateWithLKG = other.ValidateWithLKG;
-            ValidAlgorithms = other.ValidAlgorithms;
+            ValidAlgorithms = other.ValidAlgorithms is not null ? new List<string>(other.ValidAlgorithms) : null;
             ValidAudience = other.ValidAudience;
-            ValidAudiences = other.ValidAudiences;
+            ValidAudiences = other.ValidAudiences is not null ? new List<string>(other.ValidAudiences) : null;
             ValidIssuer = other.ValidIssuer;
-            ValidIssuers = other.ValidIssuers;
-            ValidTypes = other.ValidTypes;
+            ValidIssuers = other.ValidIssuers is not null ? new List<string>(other.ValidIssuers) : null;
+            ValidTypes = other.ValidTypes is not null ? new List<string>(other.ValidTypes) : null;
         }
 
         /// <summary>
@@ -204,11 +209,11 @@ public TimeSpan ClockSkew
         /// <summary>
         /// Returns a new instance of <see cref="TokenValidationParameters"/> with values copied from this object.
         /// </summary>
-        /// <returns>A new <see cref="TokenValidationParameters"/> object copied from this object</returns>
-        /// <remarks>This is a shallow Clone.</remarks>
+        /// <returns>A new <see cref="TokenValidationParameters"/> object copied from this object.</returns>
+        /// <remarks>This clone creates new instances for collection/dictionary properties but does not deep-clone referenced objects (for example, <see cref="SecurityKey"/> instances) or delegates.</remarks>
         public virtual TokenValidationParameters Clone()
         {
-            return new(this)
+            return new TokenValidationParameters(this)
             {
                 IsClone = true
             };

test/Microsoft.IdentityModel.Tokens.Tests/TokenValidationParametersTests.cs

@@ -277,14 +277,30 @@ public void Clone()
             TokenValidationParameters validationParametersClone = validationParameters.Clone();
             IdentityComparer.AreEqual(validationParametersClone, validationParameters, compareContext);
             if (validationParameters.IsClone)
-                compareContext.AddDiff("if (validationParameters.IsClone), IsCone should be false");
+                compareContext.AddDiff("if (validationParameters.IsClone), IsClone should be false");
 
             if (!validationParametersClone.IsClone)
-                compareContext.AddDiff("if (!validationParametersClone.IsClone), IsCone should be true");
+                compareContext.AddDiff("if (!validationParametersClone.IsClone), IsClone should be true");
 
             if (validationParametersClone.InstancePropertyBag.Count != 0)
                 compareContext.AddDiff("validationParametersClone.InstancePropertyBag.Count != 0), should be empty.");
 
+            // Ensure Clone() makes independent copies of mutable collections.
+            if (object.ReferenceEquals(validationParameters.IssuerSigningKeys, validationParametersClone.IssuerSigningKeys))
+                compareContext.AddDiff("IssuerSigningKeys should not be the same reference after Clone().");
+
+            int issuerSigningKeysCloneCount = ((ICollection<SecurityKey>)validationParametersClone.IssuerSigningKeys).Count;
+            ((List<SecurityKey>)validationParameters.IssuerSigningKeys).Add(KeyingMaterial.RsaSecurityKey_1024);
+            if (((ICollection<SecurityKey>)validationParametersClone.IssuerSigningKeys).Count != issuerSigningKeysCloneCount)
+                compareContext.AddDiff("IssuerSigningKeys in the clone should not change when the original collection is mutated.");
+
+            if (object.ReferenceEquals(validationParameters.PropertyBag, validationParametersClone.PropertyBag))
+                compareContext.AddDiff("PropertyBag should not be the same reference after Clone().");
+
+            validationParameters.PropertyBag["NewKey"] = obj;
+            if (validationParametersClone.PropertyBag.ContainsKey("NewKey"))
+                compareContext.AddDiff("PropertyBag in the clone should not change when the original dictionary is mutated.");
+
             TestUtilities.AssertFailIfErrors(compareContext);
         }