CODEWITHSUNDEEP
c#.net-corejwtbearer-token
LokiDil
LokiDil

Reputation: 207

.Net Core API JWT Token Validation

Implemented the JWT Bearer Token validation in .Net Core WEB API as mentioned below:

 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(opt =>
                {
                    opt.Audience = Configuration["AAD:ResourceId"];
                    opt.Authority = $"{Configuration["AAD:Instance"]}{Configuration["AAD:TenantId"]}";
                });

Doubt here is the above mentioned code will validate only the audience and authority ? or it will validate all the parameters like expiration and signature etc. ?

Do we need to validate the signature explicitly to check the payload has been tampered ?

Upvotes: 7

Views: 22186

Answers (2)

Pablo Recalde
Pablo Recalde

Reputation: 3571

I think you're looking for this:

https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html

Here zhiliaxu explains in details how and what is actually validated when using .AddJwtBearer() and their conclusions are:

Now it is clear that

  • JWT signature is validated without providing any key or certification in our service’s source code.
  • JWT signing key is retrieved from the well-known URL https://login.microsoftonline.com/common/discovery/keys, based on JwtBearerOptions.Authority property.
  • The signing key is cached in the JwtBearerHandler singleton instance, and so our ASP.NET Core service only needs to retrieve it once throughout its lifecycle.

Also based on this article we can take a look at the ValidateToken() documentation on MSDN: https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet Where you can find the different exceptions the method throws:

  • SecurityTokenDecryptionFailedException: token was a JWE was not able to be decrypted.
  • SecurityTokenEncryptionKeyNotFoundException: token 'kid' header claim is not null AND decryption fails.
  • SecurityTokenException: token 'enc' header claim is null or empty.
  • SecurityTokenExpiredException: token 'exp' claim is < DateTime.UtcNow.
  • SecurityTokenInvalidAudienceException: token 'aud' claim did not match either ValidAudience or one of ValidAudiences.
  • SecurityTokenInvalidLifetimeException: token 'nbf' claim is > 'exp' claim.
  • SecurityTokenInvalidSignatureException: token.signature is not properly formatted.
  • SecurityTokenNoExpirationException: TokenReplayCache is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
  • SecurityTokenNotYetValidException: token 'nbf' claim is > DateTime.UtcNow.
  • SecurityTokenReplayAddFailedException: token could not be added to the TokenReplayCache.
  • SecurityTokenReplayDetectedException: token is found in the cache.

Upvotes: 11

Konrad Viltersten
Konrad Viltersten

Reputation: 39058

It will validate issuer, audience and lifetime by default. There's a bunch of properties in TokenValidationParameters. If you create a new instance of that class, you'll see which fields are set to true/false. Or, you could add the following to your code, breakpoint and investigate yourself.

.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{ ...
  options.TokenValidationParameters = new TokenValidationParameters
  {
    ValidateIssuer = false,
    ValidateAudience = false, ...
  }; ..
} ...

NB authority and issuer are pretty much the same concept. Also, mind the difference between ValidIssuer and ValidateIssuer.

Upvotes: 2

Related Questions