
TokenValidationParameters.RequireAudience is not used correctly, use TokenValidationParameters.ValidateAudience or AudienceValidator

BrentSchmaltz edited this page Oct 29, 2020 · 1 revision

As reported in issue https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1547, neither JsonWebTokenHandler nor JwtSecurityTokenHandler honors the property TokenValidationParameters.RequireAudience.

Setting the property to false should allow working around this issue when there are no audiences in the token. However, with the current runtime a token without an audience will still fail validation. There are two possible workarounds.

  1. Use the TokenValidationParameters.AudienceValidator delegate and check the audience on each token.
  2. Use the TokenValidationParameters.ValidateAudience property set to false.

Both of these solutions require caution, as validating the audience of a token is a very important mitigation against token forwarding. This attack can occur when two sites (S1, S2) trust the same identity provider and the identity provider uses the same security keys to sign tokens for both.

If the audience is not checked, S1 would accept tokens that were intended for S2. So please exercise caution when skipping audience validation.
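The first workaround, as an added example that is not code from this wiki or from the library: an AudienceValidator delegate that accepts a token with no audience only when the caller explicitly allows it, and otherwise requires an exact match against the relying party's own audiences. The class name, method names and the acceptedAudiences/allowNoAudience parameters are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Example only (hypothetical helper, not part of the library): builds
// TokenValidationParameters whose AudienceValidator replaces the default audience
// check so that the "no audience in the token" case can be handled deliberately.
public static class AudienceWorkaround
{
    public static TokenValidationParameters Build(IEnumerable<string> acceptedAudiences, bool allowNoAudience)
    {
        // Ordinal comparison: audience values are opaque identifiers, never case-folded.
        var accepted = new HashSet<string>(acceptedAudiences, StringComparer.Ordinal);

        return new TokenValidationParameters
        {
            // Keep ValidateAudience true; if it is false the delegate is never invoked.
            ValidateAudience = true,
            AudienceValidator = (audiences, securityToken, validationParameters) =>
                IsAudienceAcceptable(audiences, accepted, allowNoAudience),
            // Issuer and signing-key settings are unaffected by this workaround and go here as usual.
        };
    }

    // Pure decision function so the rule can be tested without minting a real token.
    public static bool IsAudienceAcceptable(IEnumerable<string> audiences, ISet<string> accepted, bool allowNoAudience)
    {
        var present = (audiences ?? Enumerable.Empty<string>())
            .Where(a => !string.IsNullOrWhiteSpace(a))
            .ToList();

        // No 'aud' claim at all: the case RequireAudience = false was meant to cover.
        if (present.Count == 0)
            return allowNoAudience;

        // Token-forwarding defence: a token minted for S2 must not be accepted by S1,
        // so at least one audience in the token has to be one of ours.
        return present.Any(accepted.Contains);
    }
}
```

When the delegate returns false the handler rejects the token with SecurityTokenInvalidAudienceException, so a token aimed at another relying party still fails even though the missing-audience case is now tolerated.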
