Set the SigningKey in JsonWebToken only after the signature has been …

…validated. Added test to prevent regressions. (#3111)

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs

@@ -104,8 +104,6 @@ internal static ValidationResult<SecurityKey> ValidateSignature(
 
             if (key is not null)
             {
-                jwtToken.SigningKey = key;
-
                 // If the key is found, validate the signature.
                 return ValidateSignatureWithKey(jwtToken, key, validationParameters, callContext);
             }
@@ -314,7 +312,11 @@ private static ValidationResult<SecurityKey> ValidateSignatureWithKey(
                     ValidateSignature);
 
                 if (valid)
+                {
+                    jsonWebToken.SigningKey = key;
+
                     return key;
+                }
                 else
                     return new SignatureValidationError(
                         new MessageDetail(

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.ValidateSignatureTests.cs

@@ -66,6 +66,9 @@ public void ValidateSignature(JsonWebTokenHandlerValidateSignatureTheoryData the
 
                 Exception exception = validationError.GetException();
                 theoryData.ExpectedException.ProcessException(exception, context);
+
+                if (jsonWebToken is not null)
+                    Assert.Null(jsonWebToken.SigningKey);
             }
 
             TestUtilities.AssertFailIfErrors(context);