
.Net Core API JWT Token Validation

Implemented the JWT Bearer Token validation in .Net Core WEB API as mentioned below:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        opt.Audience = Configuration["AAD:ResourceId"];
        opt.Authority = $"{Configuration["AAD:Instance"]}{Configuration["AAD:TenantId"]}";
    });

My doubt here is: will the above mentioned code validate only the audience and authority, or will it validate all the parameters like expiration and signature etc.?

Do we need to validate the signature explicitly to check whether the payload has been tampered with?

I think you're looking for this:

https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html

Here zhiliaxu explains in detail how and what is actually validated when using .AddJwtBearer(), and his conclusions are:

Now it is clear that

  • JWT signature is validated without providing any key or certification in our service's source code.
  • JWT signing key is retrieved from the well-known URL https://login.microsoftonline.com/common/discovery/keys , based on JwtBearerOptions.Authority property.
  • The signing key is cached in the JwtBearerHandler singleton instance, and so our ASP.NET Core service only needs to retrieve it once throughout its lifecycle.

Also based on this article we can take a look at the ValidateToken() documentation on MSDN: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet , where you can find the different exceptions the method throws:

  • SecurityTokenDecryptionFailedException: token was a JWE that was not able to be decrypted.
  • SecurityTokenEncryptionKeyNotFoundException: token 'kid' header claim is not null AND decryption fails.
  • SecurityTokenException: token 'enc' header claim is null or empty.
  • SecurityTokenExpiredException: token 'exp' claim is < DateTime.UtcNow.
  • SecurityTokenInvalidAudienceException: token 'aud' claim did not match either ValidAudience or one of ValidAudiences.
  • SecurityTokenInvalidLifetimeException: token 'nbf' claim is > 'exp' claim.
  • SecurityTokenInvalidSignatureException: token.signature is not properly formatted.
  • SecurityTokenNoExpirationException: TokenReplayCache is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
  • SecurityTokenNotYetValidException: token 'nbf' claim is > DateTime.UtcNow.
  • SecurityTokenReplayAddFailedException: token could not be added to the TokenReplayCache.
  • SecurityTokenReplayDetectedException: token is found in the cache.

It will validate issuer, audience and lifetime by default. There's a bunch of properties in TokenValidationParameters. If you create a new instance of that class, you'll see which fields are set to true/false. Or, you could add the following to your code, set a breakpoint and investigate yourself.

.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{ ...
  options.TokenValidationParameters = new TokenValidationParameters
  {
    ValidateIssuer = false,
    ValidateAudience = false, ...
  }; ..
} ...

NB authority and issuer are pretty much the same concept. Also, mind the difference between ValidIssuer and ValidateIssuer.
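Added example (not from the question or either answer): a small console program that spells out the checks ValidateToken performs with the same kind of TokenValidationParameters that AddJwtBearer builds from Audience and Authority, and prints which exception each failure raises. It assumes the System.IdentityModel.Tokens.Jwt NuGet package and uses a constructed symmetric key, issuer and audience in place of the keys fetched from the AAD discovery endpoint.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class Program
{
    // Constructed demo key; a real API gets the signing keys from the Authority's discovery document.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-secret-that-is-at-least-32-bytes-long!!"));
    const string Issuer = "https://issuer.example";   // constructed, stands in for the AAD tenant issuer
    const string Audience = "api://demo-resource";    // constructed, stands in for AAD:ResourceId

    // What AddJwtBearer derives from Authority/Audience, written out explicitly.
    static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = Issuer,                 // ValidateIssuer = check; ValidIssuer = expected value
        ValidateAudience = true, ValidAudience = Audience,
        ValidateLifetime = true, ClockSkew = TimeSpan.Zero,          // default ClockSkew is 5 minutes
        ValidateIssuerSigningKey = true, IssuerSigningKey = Key
    };

    static string Mint(string audience, DateTime expires)
    {
        var token = new JwtSecurityToken(issuer: Issuer, audience: audience,
            claims: new[] { new Claim("sub", "alice") },
            notBefore: expires.AddMinutes(-10), expires: expires,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns "valid" or the name of the exception ValidateToken raised.
    static string Check(string jwt)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, Parameters, out _); return "valid"; }
        catch (SecurityTokenException ex) { return ex.GetType().Name; }
    }

    static void Main()
    {
        var good = Mint(Audience, DateTime.UtcNow.AddMinutes(5));
        Console.WriteLine($"good token      : {Check(good)}");
        Console.WriteLine($"wrong audience  : {Check(Mint("api://other", DateTime.UtcNow.AddMinutes(5)))}");
        Console.WriteLine($"expired         : {Check(Mint(Audience, DateTime.UtcNow.AddMinutes(-5)))}");
        // Edit the payload segment but keep the original signature: the signature check rejects it,
        // which is what answers "do we need to validate the signature explicitly" (no, it is built in).
        var parts = good.Split('.');
        parts[1] = Base64UrlEncoder.Encode(Base64UrlEncoder.Decode(parts[1]).Replace("alice", "mallory"));
        Console.WriteLine($"tampered payload: {Check(string.Join(".", parts))}");
    }
}
```

Run it and the wrong-audience, expired and tampered tokens come back as SecurityTokenInvalidAudienceException, SecurityTokenExpiredException and SecurityTokenInvalidSignatureException respectively, matching the exception list quoted above.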
