
Token validation does not use require audience parameter

Open DaveBrue opened this issue 4 years ago • 5 comments

System.IdentityModel.Tokens.Jwt v6.8.0

using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using Xunit;

// Replace the placeholder with the JWK JSON of an RSA key pair.
var credentials = new SigningCredentials(new JsonWebKey("<insert RSA keypair>"), "RS256");

var handler = new JwtSecurityTokenHandler();
// No Audience is set on the descriptor, so the token is minted without an aud claim.
var jwt = handler.CreateEncodedJwt(new SecurityTokenDescriptor { SigningCredentials = credentials });
var token = handler.ReadJwtToken(jwt);
Assert.Empty(token.Audiences);

// RequireAudience is false and no ValidAudience/ValidAudiences are configured.
var parameters = new TokenValidationParameters { RequireAudience = false, IssuerSigningKey = credentials.Key };
handler.ValidateToken(jwt, parameters, out var _);
// Throws SecurityTokenInvalidAudienceException:
// IDX10208: Unable to validate audience. validationParameters.ValidAudience is null or whitespace and validationParameters.ValidAudiences is null.

The token doesn't have an audience, and it throws an audience exception, but the RequireAudience parameter is false, so it shouldn't throw.

DaveBrue avatar Oct 29 '20 19:10 DaveBrue

@DaveBrue you pointed out an issue with our documentation and our code. Indeed, we do not seem to do much with the RequireAudience parameter.

We added some wiki notes here

Note: When this item is fixed, update the wiki above.

brentschmaltz avatar Oct 29 '20 20:10 brentschmaltz

RequireAudience is used only for SAML and SAML2, right? The documentation on the property tries to state this:

Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction.

Should we expand the comment to explicitly state that it is not relevant for jwts?

keegan-caruso avatar Oct 30 '20 16:10 keegan-caruso

Should we expand the comment to explicitly state that it is not relevant for jwts?

Definitely not. Bugs should not be documented, bugs should be fixed.

It should be possible to validate a JWT token with logic along the lines of: "the audience is not required, but if you do send one, it should be correct".

KrisVandermotten avatar Oct 19 '21 08:10 KrisVandermotten

@KrisVandermotten @DaveBrue assigned to @sruke. @sruke, we need to have an additional check in ValidateAudience: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/161f199894c94092b780ab3ce965e31ae94c8b7e/src/Microsoft.IdentityModel.Tokens/Validators.cs#L87

Where if the Audience is null, we will not fault if RequireAudience is false. If the Audience is NOT null, then we will validate it regardless of the flag.

brentschmaltz avatar Nov 04 '21 21:11 brentschmaltz
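The following is an added example, not code from the issue thread or from the library: it implements the "audience is optional, but if present it must match" semantics that KrisVandermotten asks for and that the last comment describes as the intended fix, as a custom TokenValidationParameters.AudienceValidator delegate. The delegate is a real extension point in Microsoft.IdentityModel.Tokens and is consulted before the built-in audience check, so it also serves as a workaround on the 6.8.0 version discussed above. The helper names (OptionalAudienceValidation, Validate, Build) and the parameters acceptedAudiences and validIssuer are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the issue thread or the library): audience validation
// where a missing aud is tolerated only when RequireAudience is false, while a
// present aud is always checked against the relying party's accepted audiences.
public static class OptionalAudienceValidation
{
    // audiences         : the token's aud values as handed over by the handler
    //                     (null or empty when the token carries no aud claim)
    // acceptedAudiences : the identifiers this service accepts for itself
    //                     (assumed to be supplied by the caller; ValidAudience and
    //                     ValidAudiences on the parameters are not consulted here)
    // requireAudience   : false => a token without aud is accepted
    //                     true  => a token without aud is rejected
    public static bool Validate(IEnumerable<string> audiences,
                                IEnumerable<string> acceptedAudiences,
                                bool requireAudience)
    {
        var auds = (audiences ?? Enumerable.Empty<string>())
                   .Where(a => !string.IsNullOrWhiteSpace(a))
                   .ToList();

        // Case 1: the token names no audience. Accept only if not required.
        if (auds.Count == 0)
            return !requireAudience;

        // Case 2: the token names audiences. At least one must be ours,
        // regardless of the RequireAudience flag. Ordinal comparison, as the
        // built-in check uses.
        var accepted = new HashSet<string>(
            acceptedAudiences ?? Enumerable.Empty<string>(), StringComparer.Ordinal);
        return auds.Any(accepted.Contains);
    }

    // Builds TokenValidationParameters wired to the validator above. Because a
    // custom AudienceValidator replaces the built-in check, IDX10208 is no longer
    // thrown when ValidAudience/ValidAudiences are left unset.
    public static TokenValidationParameters Build(SecurityKey signingKey,
                                                  string validIssuer,
                                                  IEnumerable<string> acceptedAudiences,
                                                  bool requireAudience)
    {
        var accepted = acceptedAudiences.ToList();
        return new TokenValidationParameters
        {
            IssuerSigningKey = signingKey,
            ValidIssuer = validIssuer,
            RequireAudience = requireAudience,
            AudienceValidator = (audiences, securityToken, parameters) =>
                Validate(audiences, accepted, parameters.RequireAudience),
        };
    }
}

// Usage sketch (constructed values):
//   Validate(null,                    new[] { "api://orders" }, requireAudience: false) -> true
//   Validate(null,                    new[] { "api://orders" }, requireAudience: true)  -> false
//   Validate(new[] { "api://orders" }, new[] { "api://orders" }, requireAudience: false) -> true
//   Validate(new[] { "api://billing" }, new[] { "api://orders" }, requireAudience: false) -> false
```

When the delegate returns false the handler raises SecurityTokenInvalidAudienceException, so callers see the same exception type as with the built-in check. Accepting audience-less tokens at all means any token the issuer signs without an aud is accepted by this relying party, so requireAudience should be false only where the issuer is known never to mint such tokens for another consumer.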