From a0fe15675480969a5a916e5cfafc3a13adac39dc Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Tue, 8 Apr 2025 13:35:35 -0400
Subject: [PATCH] Add Debug Checks
---
 .../Utilities/ServiceCollectionExtensions.cs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 1169e29cec..481499e74f 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
-using System.Net;
+using System.Diagnostics;
+using System.Net;
 using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
@@ -510,6 +511,15 @@ public static class ServiceCollectionExtensions
 services.AddOptions(JwtBearerDefaults.AuthenticationScheme)
 .Configure((options, httpMessageHandlerFactory) =>
 {
+ // Since we don't manually set the Backchannel and the Post stage configuration shouldn't have
+ // ran yet we don't expect this option to be set. If it is set, it was likely set with a
+ // handler already and won't respect the BackchannelHttpHandler we are about to set.
+ Debug.Assert(options.Backchannel is null);
+
+ // Do a few debug checks to make sure we are customizing the expected options configured above.
+ Debug.Assert(!options.TokenValidationParameters.ValidateAudience);
+ Debug.Assert(options.TokenValidationParameters.ValidTypes.Single() == "at+jwt");
+ Debug.Assert(options.TokenValidationParameters.NameClaimType == ClaimTypes.Email);
 options.BackchannelHttpHandler = httpMessageHandlerFactory.CreateHandler();
 });
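Review bot: The `Debug.Assert(options.Backchannel is null)` guard at the top of the `Configure` lambda is compiled out of Release builds, so in production a pre-set `Backchannel` would still leave the `BackchannelHttpHandler` assigned below silently unused, which is exactly the case the new comment describes. If that handler carries any security policy (the hunk does not show what `httpMessageHandlerFactory.CreateHandler()` returns), fail in every build instead, e.g. `if (options.Backchannel is not null) throw new InvalidOperationException("JwtBearer Backchannel was set before BackchannelHttpHandler could be applied.");`. The three `TokenValidationParameters` asserts are likewise Debug-only and carry no message, and `ValidTypes.Single()` will throw rather than assert when the collection is null or does not hold exactly one entry; a message argument such as `Debug.Assert(!options.TokenValidationParameters.ValidateAudience, "expected the JwtBearer options configured above");` would make a failure readable. The enclosing method starts and ends outside this hunk.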