Is there an existing issue for this?
Describe the bug
Using simple authentication configuration for Jwt Bearer authentication where only Authority (or MetadataAddress) is specified leads to configuration with degraded security.
This may be mostly a documentation issue, but maybe the behavior I describe below may in fact be not intended and something should be corrected here.
I'm currently in the process of migrating a net6.0 Asp.Net Core web api application to net 8.0. We use JwtBearer authentication.
Our configuration in net6.0 looks more or less like this:
```csharp
// in Program.cs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options => {
        options.Authority = builder.Configuration["Authority"];
        options.Audience = builder.Configuration["Audience"];
    });
```
This validates the audience against the provided value and validates the issuer and signing keys retrieved from the authority's metadata address.
Now, I heard that since net 7, Jwt Bearer supports something called simplified authentication configuration ([1] seems to be basically the only "official" mention of this, I can't find it in product documentation). So naturally I want to use this, but in my case it's in net8.0 (I assume everything I describe is just as valid for net7.0).
Natural translation (at least to me) of my existing net6.0 code to simplified authentication configuration is this:
```csharp
// in Program.cs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme);
```
and appsettings.json:
```json
{
  "Authentication": {
    "Schemes": {
      "Bearer": {
        "Authority": "https://authority-goes-here",
        "Audience": "audience-goes-here"
      }
    }
  }
}
```
Seems straightforward, but we're in for a surprise, because the result of this is a configuration that does not validate the issuer. This is because the configuration section has no explicit issuers and therefore the JwtBearerConfigureOptions class, which reads this, sets ValidateIssuer=false in TokenValidationParameters.
I'm not sure what the resolution here is. Maybe I'm missing something. Maybe validating the issuer is not that important, but then it is enabled by default in JwtBearerOptions.
[1] https://devblogs.microsoft.com/dotnet/asp-net-core-updates-in-dotnet-7-preview-5/
Expected Behavior
Issuer should be validated when using simplified authentication configuration and specifying Authority/MetadataAddress.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
net7.0 +
Anything else?
No response
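As an added illustration (editor's example, not code from the issue author or from the ASP.NET Core repository) of how to keep issuer validation on while still using the configuration-driven setup described above, the snippet below re-enables ValidateIssuer after the configuration binder has run and fails fast at startup if it is still off. It uses only the public PostConfigure and IOptionsMonitor APIs; the handler then validates the issuer against the value discovered from the Authority's metadata, exactly as the net6.0 code did.

```csharp
// in Program.cs (added example, not from the original issue)
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Configuration-driven setup: Authority and Audience come from
// Authentication:Schemes:Bearer in appsettings.json, as in the issue.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme);

// PostConfigure runs after JwtBearerConfigureOptions has bound the section,
// so this overrides the ValidateIssuer=false it sets when no issuers are listed.
// With ValidateIssuer=true and no explicit ValidIssuer(s), the handler uses the
// issuer from the Authority's discovery document.
builder.Services.PostConfigure<JwtBearerOptions>(
    JwtBearerDefaults.AuthenticationScheme,
    options =>
    {
        options.TokenValidationParameters.ValidateIssuer = true;
        options.TokenValidationParameters.ValidateAudience = true;
        options.TokenValidationParameters.ValidateIssuerSigningKey = true;
    });

var app = builder.Build();

// Startup guard: refuse to run if the effective options still skip issuer
// validation (e.g. someone removes the PostConfigure above or misnames the scheme).
var jwtOptions = app.Services
    .GetRequiredService<IOptionsMonitor<JwtBearerOptions>>()
    .Get(JwtBearerDefaults.AuthenticationScheme);

if (!jwtOptions.TokenValidationParameters.ValidateIssuer)
{
    throw new InvalidOperationException(
        "JwtBearer is configured without issuer validation; refusing to start.");
}

app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

Listing explicit issuers in the configuration section (the "ValidIssuer"/"ValidIssuers" keys read by JwtBearerConfigureOptions) is the other way to make the binder leave ValidateIssuer enabled; the guard above catches either path being misconfigured.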