
Token validation does not use require audience parameter #1547

Open
DaveBrue opened this issue Oct 29, 2020 · 7 comments
Labels
Bug Product is not functioning as expected Customer reported Indicates issue was opened by customer P2 High, but not urgent. Needs to be addressed within the next couple of sprints

Comments

@DaveBrue

System.IdentityModel.Tokens.Jwt v6.8.0

using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using Xunit; // Assert.Empty; the test framework is assumed, the report does not name it

// Sign with an RSA key (key material omitted, as in the report)
var credentials = new SigningCredentials(new JsonWebKey("<insert RSA keypair>"), "RS256");

var handler = new JwtSecurityTokenHandler();
// The descriptor sets no Audience, so the issued JWT carries no aud claim
var jwt = handler.CreateEncodedJwt(new SecurityTokenDescriptor { SigningCredentials = credentials });
var token = handler.ReadJwtToken(jwt);
Assert.Empty(token.Audiences);

// RequireAudience is false, yet validation still faults on the missing audience
var parameters = new TokenValidationParameters { RequireAudience = false, IssuerSigningKey = credentials.Key };
handler.ValidateToken(jwt, parameters, out var _);
// SecurityTokenInvalidAudienceException
// IDX10208: Unable to validate audience. validationParameters.ValidAudience is null or whitespace and validationParameters.ValidAudiences is null.

The token doesn't have an audience and validation throws an audience exception, but the RequireAudience parameter is false, so it shouldn't throw.

@brentschmaltz
Member

@DaveBrue you pointed out an issue with our documentation and our code.
Indeed, we do not seem to do much with the RequireAudience parameter.

We added some wiki notes here

Note: When this item is fixed, update the wiki above.

@brentschmaltz brentschmaltz added Bug Product is not functioning as expected Customer reported Indicates issue was opened by customer P1 More important, prioritize highly labels Oct 29, 2020
@brentschmaltz brentschmaltz added this to the v6 Backlog milestone Oct 29, 2020
@keegan-caruso
Contributor

keegan-caruso commented Oct 30, 2020

RequireAudience is used only for SAML and SAML2, right? The documentation on the property tries to state this:

Gets or sets a value indicating whether SAML tokens must have at least one AudienceRestriction.

Should we expand the comment to explicitly state that it is not relevant for JWTs?

@KrisVandermotten

> Should we expand the comment to explicitly state that it is not relevant for JWTs?

Definitely not. Bugs should not be documented, bugs should be fixed.

It should be possible to validate a JWT token with logic along the lines of: "the audience is not required, but if you do send one, it should be correct".

@brentschmaltz
Member

brentschmaltz commented Nov 4, 2021

@KrisVandermotten @DaveBrue assigned to @sruke
@sruke we need to have an additional check in ValidateAudience

public static void ValidateAudience(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)

where, if the Audience is null, we will not fault if RequireAudience is false.
If the Audience is NOT null, then we will validate it regardless of the flag.

@jennyf19 jennyf19 added P2 High, but not urgent. Needs to be addressed within the next couple of sprints and removed P1 More important, prioritize highly labels Mar 27, 2024
@jennyf19 jennyf19 removed this from the v6 Backlog milestone Mar 27, 2024
@brentschmaltz brentschmaltz added .net9 and removed .net9 labels Mar 30, 2024
@vgribok

vgribok commented May 29, 2024

An AWS Cognito service-to-service (client credentials only) token does not have an Audience, for example.

A workaround:

options.TokenValidationParameters = new TokenValidationParameters
{
    // Returns true for every token, so the audience is never checked at all
    AudienceValidator = (_, _, _) => true
};
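The following is an added example, not code from the issue or from the Microsoft.IdentityModel library. It implements the rule brentschmaltz describes above ("no audience is fine when RequireAudience is false; a present audience is validated regardless") as a custom AudienceValidator, and contrasts it with the `(_, _, _) => true` workaround, which also accepts tokens minted for a different audience. Assumptions: the System.IdentityModel.Tokens.Jwt package the issue uses, a throwaway RSA key generated at run time, the audience name `api://orders`, and the hypothetical names `OptionalAudience` and `Demo`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper for this example; not part of Microsoft.IdentityModel.
static class OptionalAudience
{
    // Signature matches the Microsoft.IdentityModel.Tokens.AudienceValidator delegate.
    // Rule: a token with no aud claim passes when RequireAudience is false; a token
    // that does carry aud must match ValidAudience or one of ValidAudiences.
    public static bool Validate(IEnumerable<string> audiences, SecurityToken token, TokenValidationParameters parameters)
    {
        var present = (audiences ?? Enumerable.Empty<string>())
            .Where(a => !string.IsNullOrWhiteSpace(a))
            .ToList();

        if (present.Count == 0)
            return !parameters.RequireAudience; // false makes the library throw SecurityTokenInvalidAudienceException

        var allowed = new HashSet<string>(parameters.ValidAudiences ?? Enumerable.Empty<string>(), StringComparer.Ordinal);
        if (!string.IsNullOrWhiteSpace(parameters.ValidAudience))
            allowed.Add(parameters.ValidAudience);

        // Do not call Validators.ValidateAudience from here: it invokes AudienceValidator itself and would recurse.
        return present.Any(allowed.Contains);
    }
}

static class Demo
{
    public static void Main()
    {
        // Throwaway signing key, generated for this example only
        var key = new RsaSecurityKey(RSA.Create(2048));
        var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
        var handler = new JwtSecurityTokenHandler();

        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = key,
            ValidateIssuer = false,          // the example tokens carry no iss claim
            RequireAudience = false,         // the flag the issue is about
            ValidAudience = "api://orders",  // hypothetical audience for this example
            AudienceValidator = OptionalAudience.Validate,
        };

        // 1. No aud claim (the reporter's scenario): accepted
        var noAud = handler.CreateEncodedJwt(new SecurityTokenDescriptor { SigningCredentials = creds });
        handler.ValidateToken(noAud, parameters, out _);
        Console.WriteLine("no aud: accepted");

        // 2. Matching aud: accepted
        var good = handler.CreateEncodedJwt(new SecurityTokenDescriptor { SigningCredentials = creds, Audience = "api://orders" });
        handler.ValidateToken(good, parameters, out _);
        Console.WriteLine("aud=api://orders: accepted");

        // 3. Wrong aud: rejected, which the (_, _, _) => true workaround would not do
        var bad = handler.CreateEncodedJwt(new SecurityTokenDescriptor { SigningCredentials = creds, Audience = "api://billing" });
        try
        {
            handler.ValidateToken(bad, parameters, out _);
            Console.WriteLine("aud=api://billing: accepted (unexpected)");
        }
        catch (SecurityTokenInvalidAudienceException)
        {
            Console.WriteLine("aud=api://billing: rejected");
        }
    }
}
```

The point of doing the matching inside the delegate rather than returning `true` is that a token an issuer minted for another relying party (a different API behind the same Cognito user pool, say) still fails validation; the unconditional workaround drops that check for every token, not only for the audience-less client-credentials ones. Returning `false` from an AudienceValidator is enough: Validators.ValidateAudience wraps it in a SecurityTokenInvalidAudienceException, so callers see the same exception type as with the built-in check.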

@phillip-haydon

4 years and no fix...

@jennyf19
Collaborator

jennyf19 commented Nov 8, 2024

> 4 years and no fix...

Good point @phillip-haydon, we will take a look; apologies for the delay.

Development

No branches or pull requests

8 participants