
I have the following code in my asp.net core REST API configuration:

services
    .AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
    .AddJwtBearer(options =>
        {
            // Authority points the handler at the tenant's OpenID Connect metadata (issuer, signing keys)
            options.Authority = "https://login.microsoftonline.com/XXXTenantIDXXX";
            // Audience is the app registration (client id) tokens must be issued for
            options.Audience = "XXXX clientId XXXX";
        });

services.AddMvc(o =>
    {
        // Global filter: every action requires an authenticated user
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        o.Filters.Add(new AuthorizeFilter(policy));
    });

It authenticates requests. It is working fine.

I am concerned and worried about JWT token forgery or JWT tokens that come from other AAD applications in the tenant.

I expect the above code provides all the information the ASP.NET Core authentication needs to verify that the JWT is valid and that its audience is the right AAD application.

I wanted to confirm my expectation here and ask whether I need additional logic (code) to verify the JWT token.

Allan Xu
  • There are always checks to make; one of the must to-dos is to check if the user exists, because even if the JWT is valid, that user may be deleted or banned or whatever. About your question on checking the token, well, what could you do if your secret is stolen? There is no way to know if a VALID JWT was forged or not; at the end of the end, it is valid ... – Melardev Nov 23 '18 at 19:15
  • @Melardev. The most important matter is to make sure the JWT signature is valid. Do you know if the ASP.NET middleware does that? – Allan Xu Nov 23 '18 at 20:21
  • As said below, yes, absolutely, it validates the token, and the middleware can also parse some claims available through the JWT payload, such as the roles; read this for the roles-related feature https://www.jerriepelser.com/blog/using-roles-with-the-jwt-middleware/ – Melardev Nov 23 '18 at 20:49

1 Answer

Yes, the ASP.NET Core middleware validates the JWT token. Make sure you are configuring the JWT bearer options and token validation parameters so that the middleware can validate it.

For example:

using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// jwtAuthSettings is your own settings object holding the issuer, audience and signing key
services.AddAuthentication(auth =>
    {
        auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.ClaimsIssuer = jwtAuthSettings.ValidIssuer; // Your issuer
        options.IncludeErrorDetails = true;
        options.RequireHttpsMetadata = true;
        options.SaveToken = true;
        options.Validate(JwtBearerDefaults.AuthenticationScheme);
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            ClockSkew = TimeSpan.FromMinutes(30),
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = jwtAuthSettings.ValidIssuer, // Your issuer
            ValidAudience = jwtAuthSettings.ValidAudience, // Your audience
            IssuerSigningKey = jwtAuthSettings.SymmetricSecurityKey, // Your key
            NameClaimType = ClaimTypes.NameIdentifier,
            RequireSignedTokens = true,
            RequireExpirationTime = true
        };
    });
Muheeb
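The question asks what the bearer middleware actually rejects. The following is an added example, not code from the question or the answer: it runs the same TokenValidationParameters the answer configures through JwtSecurityTokenHandler (from the System.IdentityModel.Tokens.Jwt package) outside of ASP.NET Core, so you can see a token for another application in the tenant (wrong audience), an expired token, and a token signed with a different key all being rejected while a well-formed one is accepted. The issuer URL, the two client ids and the HS256 key are constructed stand-ins; with options.Authority set as in the question, the middleware instead takes the issuer and signing keys from the tenant's OpenID Connect metadata, but the checks it applies are the same ones shown here.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtValidationDemo
{
    // Constructed values (not real tenant or application ids).
    const string Issuer = "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0";
    const string OurAudience = "api-our-app-client-id";
    const string OtherAppAudience = "api-other-app-client-id";
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));

    // The same parameters the answer puts on options.TokenValidationParameters.
    static TokenValidationParameters Parameters() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = OurAudience,          // only tokens minted for our app pass
        ValidateLifetime = true,
        RequireExpirationTime = true,
        RequireSignedTokens = true,            // reject unsigned ("alg":"none") tokens
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = Key,
        ClockSkew = TimeSpan.FromMinutes(1),
    };

    // Mints a test token; stands in for the identity provider.
    static string Issue(string audience, SecurityKey signingKey, DateTime expires)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: new[] { new Claim(ClaimTypes.NameIdentifier, "user-123") },
            notBefore: expires.AddMinutes(-15),
            expires: expires,
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns the validated principal, or null with the exception type that rejected the token.
    public static ClaimsPrincipal? TryValidate(string jwt, out string reason)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, Parameters(), out _);
            reason = "ok";
            return principal;
        }
        catch (SecurityTokenException ex)
        {
            reason = ex.GetType().Name;
            return null;
        }
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;
        var otherKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("ffffffffffffffffffffffffffffffff"));

        var cases = new[]
        {
            ("good",      Issue(OurAudience,      Key,      now.AddMinutes(10))),
            ("other app", Issue(OtherAppAudience, Key,      now.AddMinutes(10))),
            ("expired",   Issue(OurAudience,      Key,      now.AddMinutes(-10))),
            ("wrong key", Issue(OurAudience,      otherKey, now.AddMinutes(10))),
        };

        foreach (var (name, jwt) in cases)
        {
            var principal = TryValidate(jwt, out var reason);
            Console.WriteLine($"{name,-10} -> {(principal == null ? "REJECTED" : "accepted")} ({reason})");
        }
    }
}
```

Only the first case yields a principal; the other three are rejected before any controller code runs, which is what the bearer middleware does for incoming requests. Note that the audience check is what keeps tokens issued to other applications in the same tenant out, so leaving ValidateAudience off (or Audience unset) would widen the set of accepted tokens to everything the tenant issues.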