This question relates to JwtBearer token configuration on a .Net Core API project.
Recently a colleague of mine updated Identity Server 4 to v4 and as a result, there were some breaking changes to the way tokens were supplied, most importantly the removal of the aud (audience) element in the token (ref: IDS4 docs).
I was advised to configure the following in an ASP.Net Core API Startup.cs, and I added additional checks of the token header (ValidTypes check) and Key, which had been tested by the previous use of an '.AddIdentityServerAuthentication(options => ...)' configuration.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Startup.ConfigureServices
services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://<<my_identity_server.com>>";
        options.RequireHttpsMetadata = true;
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            // IDS4 v4 no longer emits "aud", so audience validation is switched off
            ValidateAudience = false,
            // expected value of the JWT header "typ"
            ValidTypes = new[] { "at+jwt" },
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("<<key/secret>>")),
        };
    });
Without these TokenValidationParameters settings, especially the 'ValidateAudience = false', I get errors related to an empty audience ("The audience 'empty' is invalid"), so I have some confidence that these settings are being read and applied to some extent. However, if I change the correct expected header type ("at+jwt") or my key/secret value to an incorrect value, no errors result, and the API continues to return results for calls into it. I have also attempted to add many TokenValidationParameters settings such as ValidateIssuer and ValidIssuer, also without triggering errors on mismatch.
What am I missing that might be preventing these items from being tested properly?
question from:
https://stackoverflow.com/questions/65916981/jwtbearer-tokenvalidationparameters-dont-seem-to-be-tested
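The following is an added example, not code from the question above, showing how a JwtBearer registration can be made observable: each validation outcome is written to the log through JwtBearerEvents, and the middleware pipeline is wired so that an endpoint that returns data is one that has actually demanded an authenticated caller. In ASP.NET Core the authentication middleware only records a failed token as "no authenticated user"; it is the authorization step on an endpoint that turns that into a 401, so a wrong key or wrong "typ" is only visible on endpoints that require authorization or through the events below. The authority URL, the "<<key/secret>>" placeholder and the logger category "JwtBearer" are assumptions; ValidateAudience stays false, as in the question, because the token carries no aud claim.

```csharp
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper class; not part of the question's project.
public static class ObservableJwtBearerSetup
{
    // ConfigureServices part: same parameters as the question, plus event hooks.
    public static IServiceCollection AddObservableJwtBearer(this IServiceCollection services)
    {
        services
            .AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://<<my_identity_server.com>>"; // placeholder
                options.RequireHttpsMetadata = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = "https://<<my_identity_server.com>>",   // placeholder, must equal "iss"
                    ValidateAudience = false,                              // token has no "aud" (IDS4 v4)
                    ValidateLifetime = true,
                    ValidTypes = new[] { "at+jwt" },                       // JWT header "typ" must match
                    ValidateIssuerSigningKey = true,
                    // Assumed placeholder secret. Note: with Authority set, the handler also
                    // merges the keys published at the authority's discovery document into
                    // the keys it will accept, so this key is not the only one consulted.
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes("<<key/secret>>")),
                };

                // Make every accept/reject decision visible in the application log.
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        Logger(ctx.HttpContext.RequestServices)
                            .LogWarning(ctx.Exception, "Bearer token rejected: {Reason}",
                                        ctx.Exception.Message);
                        return Task.CompletedTask;
                    },
                    OnTokenValidated = ctx =>
                    {
                        Logger(ctx.HttpContext.RequestServices)
                            .LogInformation("Bearer token accepted for subject {Sub}",
                                            ctx.Principal?.FindFirst("sub")?.Value);
                        return Task.CompletedTask;
                    },
                };
            });

        return services;
    }

    // Configure part: order matters, and data endpoints must require authorization,
    // otherwise a rejected token still yields a normal response.
    public static void UseObservableJwtBearer(this IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // runs the JwtBearer handler and raises the events above
        app.UseAuthorization();    // converts "no authenticated user" into 401 where required
        app.UseEndpoints(endpoints =>
        {
            // Every controller endpoint demands an authenticated caller unless it
            // explicitly opts out with [AllowAnonymous].
            endpoints.MapControllers().RequireAuthorization();
        });
    }

    private static ILogger Logger(System.IServiceProvider sp) =>
        sp.GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer"); // assumed category
}
```

With this in place, presenting a token whose "typ" or signature does not match produces an "OnAuthenticationFailed" log entry and, on any endpoint covered by RequireAuthorization, a 401 rather than a normal payload; an endpoint that still returns data for such a token is one the authorization step never protected.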