
[Bug] Issuer is validated despite setting 'ValidateIssuer' to false


Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.
Microsoft Identity Web 1.3.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

Startup.cs

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            jwtOpt.TokenValidationParameters.ValidateIssuer = false;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));

appsettings.json

"AzureAdB2C": {
  "Instance": "https://mytenant.b2clogin.com",
  "ClientId": "ccb2a9f5-3b90-4f01-b4de-619daa1b9e49",
  "ClientSecret": "*****",
  "Domain": "mytenant.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1A_Signup_Signin"
}

JWT

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "0kcuEIFYUmeulxXnEdH43prYHw3HVshbaNlXyRpgQb4"
}.{
  "iss": "https://mytenant.b2clogin.com/97d559f9-30de-42c5-b79a-1645d748e84d/v2.0/",
  "exp": 1606881975,
  "nbf": 1606874775,
  "aud": "3ff65921-74c1-4ec6-8c37-f012ca63811e",
  "tid": "fe2738ba-6955-4bcd-ba5d-a1fef14fc86a",
  "email": "johndoe@example.com",
  "given_name": "John",
  "family_name": "Doe",
  "name": "John Doe",
  "idp": "myIdP",
  "sub": "67d4fe2f-f68b-4580-ad78-5c0640f4cf30",
  "emails": [
    "johndoe@example.com"
  ],
  "scp": "user_impersonation",
  "azp": "48ff8d08-0206-4f8a-9c90-084e6eae7d36",
  "ver": "1.0",
  "iat": 1606874775
}.[Signature]

Expected behavior

Since JwtBearerOptions.TokenValidationParameters.ValidateIssuer is set to false, I would expect the issuer not to be validated.

Actual behavior

The issuer is validated anyway. This is a problem because it fails validation with the default AadIssuerValidator.

Possible solution

Workaround (register a dummy [or custom] IssuerValidator): Startup.cs

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            jwtOpt.TokenValidationParameters.IssuerValidator = (a, b, c) => a;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));

Possible Solution: microsoft-identityweb/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs, line 193

// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.ValidateIssuer && // <--- Add This
    options.TokenValidationParameters.IssuerValidator == null)
{
    // Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
    // we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
    MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory =
        serviceProvider.GetRequiredService<MicrosoftIdentityIssuerValidatorFactory>();

    options.TokenValidationParameters.IssuerValidator =
        microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
}
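As an added example (not part of the issue above and not Microsoft.Identity.Web's own code), this is the "custom IssuerValidator" variant of the workaround: it keeps issuer checks switched on, but against an explicit allow-list, rather than accepting any issuer the way the dummy `(a, b, c) => a` does. The `AllowListIssuerValidation` class and its `Validate` method are names chosen here; the allow-listed issuer is a constructed placeholder in the same `https://{tenant}.b2clogin.com/{tenantId}/v2.0/` format as the `iss` claim shown above, and the delegate shape follows `Microsoft.IdentityModel.Tokens.IssuerValidator`.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from the issue or from Microsoft.Identity.Web.
// Keeps issuer validation on, but against an explicit allow-list, instead of
// the dummy "(a, b, c) => a" workaround, which accepts any issuer.
public static class AllowListIssuerValidation
{
    // Assumption: the API knows the exact set of issuers it trusts. The value
    // below is a constructed placeholder in the B2C format seen in the issue's
    // "iss" claim: https://{tenant}.b2clogin.com/{tenantId}/v2.0/
    private static readonly HashSet<string> AllowedIssuers =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "https://mytenant.b2clogin.com/97d559f9-30de-42c5-b79a-1645d748e84d/v2.0/",
        };

    // Same shape as the Microsoft.IdentityModel.Tokens.IssuerValidator delegate.
    // Returning the issuer means "accepted"; throwing rejects the token.
    public static string Validate(string issuer, SecurityToken token,
                                  TokenValidationParameters parameters)
    {
        if (!string.IsNullOrEmpty(issuer) && AllowedIssuers.Contains(issuer))
        {
            return issuer;
        }

        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not in the allow-list.")
        {
            InvalidIssuer = issuer,
        };
    }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(
                jwtOpt =>
                {
                    Configuration.Bind("AzureAdB2C", jwtOpt);

                    // Microsoft.Identity.Web only injects its AadIssuerValidator
                    // when IssuerValidator is null, so assigning one here makes
                    // this delegate the validator that actually runs. An explicit
                    // IssuerValidator is called regardless of ValidateIssuer, so
                    // that flag does not need to be touched.
                    jwtOpt.TokenValidationParameters.IssuerValidator =
                        AllowListIssuerValidation.Validate;
                },
                msIdOpt => Configuration.Bind("AzureAdB2C", msIdOpt));
    }
}
```

The rejection path throws `SecurityTokenInvalidIssuerException`, which the JWT bearer handler surfaces as a failed authentication rather than a 500, and `InvalidIssuer` is set so the rejected value shows up in the handler's logs for triage.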

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7

Top GitHub Comments

1 reaction
dkrasnove commented, Dec 2, 2020

Thanks. Also FYI, this same bug exists in MicrosoftIdentityWebAppAuthenticationBuilderExtensions. There is also probably an issue with audience validation when ValidateAudience is set to false for identical reasons in the web API handler.

That’s all I’ve noticed for now!

0 reactions
andreslon commented, Jul 14, 2022

The error is happening again on version 1.16.0 😦. It's solved using the "Possible solution" written at the beginning of this thread.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) => jwtOpt.TokenValidationParameters.ValidateIssuer = false,
        (msIdOpt) => builder.Configuration.Bind("AzureAd", msIdOpt));
