JwtFormat: why does it add the token's issuer to the ValidIssuers property?

I'm taking a look at the source code of the JwtFormat class and I'm wondering why it adds the issuer it recovers from the token to the list of ValidIssuers. Does that mean that it will accept all issuers as valid if I don't specify a key or provide an IssuerValidator handler in the TokenValidationParameters that are being used?

Btw, I'm looking at this class because I'm investigating an issue regarding the use of JWT tokens (Azure AD v2.0) in a Web API app that seems to be ignoring the ValidIssuer property:

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions {
    AccessTokenFormat = new JwtFormat(
        GetTokenValidationParameters(),
        new OpenIdConnectCachingSecurityTokenProvider(authority)),
    Provider = new OAuthBearerAuthenticationProvider {
        OnValidateIdentity = ValidateIdentity
    }
});

private TokenValidationParameters GetTokenValidationParameters() {
    return new TokenValidationParameters {
        ValidAudience = ConfigData.ClientId,
        ValidIssuer = "nobody",
        ValidIssuers = null,
        IssuerValidator = ValidateIssuer
    };
}

Thanks.

Luis

1 answer

  • answered 2017-11-12 20:13 Nikolaus

    I'm currently without VS because I'm writing on my mobile phone. There should be a ValidateIssuer property in the TokenValidationParameters, but it looks like you set the IssuerValidator to ValidateIssuer, which should be true, so try it that way:

    private TokenValidationParameters GetTokenValidationParameters() {
        return new TokenValidationParameters {
            ValidAudience = ConfigData.ClientId,
            ValidIssuer = "nobody",
            ValidateIssuer = true
        };
    }
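The security question behind this thread is whether a validator that copies the token's own `iss` claim into its allow-list still rejects anything. The following is an added example, not code from the question, the answer, or the Katana/JwtFormat library: it is a small Python model of the issuer-related settings in .NET's TokenValidationParameters (ValidIssuer, ValidIssuers, ValidateIssuer, IssuerValidator), with a `trust_token_issuer` switch that reproduces the behaviour the question is worried about. The key, issuer URL, audience and claim values are constructed demo data, and `validate_token`, `issuer_is_accepted` and `strict_issuer_validator` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Iterable, Optional

# Constructed demo values. In a real deployment the signing key comes from the
# authority's metadata (the OpenIdConnectCachingSecurityTokenProvider's job),
# never from the token being validated.
DEMO_KEY = b"constructed-demo-hmac-key-not-a-real-secret"
TRUSTED_ISSUER = "https://login.example.test/v2.0"   # assumed trusted issuer
AUDIENCE = "constructed-client-id"                   # assumed ClientId


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(issuer: str, key: bytes = DEMO_KEY) -> str:
    """Build a minimal HS256 JWT carrying the given 'iss' claim (constructed test data)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "aud": AUDIENCE, "sub": "alice"}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class InvalidToken(Exception):
    pass


class TokenValidationParameters:
    """Hypothetical model of the .NET issuer settings; not the library's code."""

    def __init__(self, valid_audience: str, valid_issuer: Optional[str] = None,
                 valid_issuers: Optional[Iterable[str]] = None, validate_issuer: bool = True,
                 issuer_validator: Optional[Callable[[str, "TokenValidationParameters"], str]] = None,
                 trust_token_issuer: bool = False):
        self.valid_audience = valid_audience
        self.valid_issuer = valid_issuer
        self.valid_issuers = list(valid_issuers) if valid_issuers else []
        self.validate_issuer = validate_issuer
        self.issuer_validator = issuer_validator
        # Models the behaviour asked about: the issuer read from the token is
        # appended to the allow-list before the allow-list check runs.
        self.trust_token_issuer = trust_token_issuer


def validate_token(token: str, params: TokenValidationParameters, key: bytes = DEMO_KEY) -> dict:
    """Check signature, audience and issuer; return the claims or raise InvalidToken."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != params.valid_audience:
        raise InvalidToken("audience mismatch")
    issuer = claims.get("iss", "")
    if params.validate_issuer:
        if params.issuer_validator is not None:
            params.issuer_validator(issuer, params)   # delegate raises to reject
        else:
            allowed = set(params.valid_issuers)
            if params.valid_issuer:
                allowed.add(params.valid_issuer)
            if params.trust_token_issuer:
                allowed.add(issuer)   # every issuer now passes: the check is void
            if issuer not in allowed:
                raise InvalidToken(f"issuer {issuer!r} not in allow-list")
    return claims


def issuer_is_accepted(token: str, params: TokenValidationParameters) -> bool:
    try:
        validate_token(token, params)
        return True
    except InvalidToken:
        return False


def strict_issuer_validator(issuer: str, params: TokenValidationParameters) -> str:
    """Example IssuerValidator delegate: exact match against the configured ValidIssuer."""
    if issuer != params.valid_issuer:
        raise InvalidToken(f"rejected issuer {issuer!r}")
    return issuer


if __name__ == "__main__":
    good = make_token(TRUSTED_ISSUER)
    rogue = make_token("https://rogue.example.test")   # valid signature, wrong issuer
    loose = TokenValidationParameters(AUDIENCE, valid_issuer="nobody", trust_token_issuer=True)
    strict = TokenValidationParameters(AUDIENCE, valid_issuer=TRUSTED_ISSUER)
    print("loose accepts rogue issuer:", issuer_is_accepted(rogue, loose))    # True
    print("strict accepts rogue issuer:", issuer_is_accepted(rogue, strict))  # False
    print("strict accepts trusted issuer:", issuer_is_accepted(good, strict)) # True
```

The `rogue` token is signed with the same key as the `good` one, so signature validation alone cannot tell them apart; with a multi-tenant authority, where one key set signs tokens for many tenants, the `iss` claim is what ties a token to your tenant. That is why an allow-list that absorbs the token's own issuer provides no protection, and why a test like the one above (a correctly signed token with an unexpected issuer must be rejected) belongs in the app's integration tests.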