I am using AspNet Core to build a web api and JWT tokens to authenticate users.
I see that in TokenValidationParameters the default value of ValidateIssuerSigningKey property is false.
Does it make any difference if we set it to true, when using the HMAC256 Symmetric key to sign and verify tokens (where there is no public-key added to the token like in case of RSA)?
services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(cfg =>
    {
        cfg.RequireHttpsMetadata = false;
        cfg.SaveToken = true;
        string jwtIssuer = configuration["JwtIssuer"];
        SymmetricSecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtKey"]));
        cfg.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = jwtIssuer,
            ValidAudience = jwtIssuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = securityKey,
            ClockSkew = TimeSpan.Zero
        };
    });
Or is it necessary to set ValidateIssuerSigningKey to true only when using RSA keys?
Here is the code level documentation of this property:
    //
    // Summary:
    //     Gets or sets a boolean that controls if validation of the Microsoft.IdentityModel.Tokens.SecurityKey
    //     that signed the securityToken is called.
    //
    // Remarks:
    //     It is possible for tokens to contain the public key needed to check the signature.
    //     For example, X509Data can be hydrated into an X509Certificate, which can be used
    //     to validate the signature. In these cases it is important to validate the SigningKey
    //     that was used to validate the signature.
    [DefaultValue(false)]
    public bool ValidateIssuerSigningKey { get; set; }
ValidateIssuer validates that the iss claim inside the access token matches the issuer (authority) that the API trusts (i.e., your token service). It verifies that the issuer of the token is what this API expects. ValidateAudience validates that the aud claim inside the access token matches the audience parameter.
Based on looking at the Microsoft.IdentityModel.Tokens source code, I could find only one place where the ValidateIssuerSigningKey boolean property is used, here:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/Validators.cs
Which ultimately causes this code block to be executed:
X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
if (x509SecurityKey?.Certificate is X509Certificate2 cert)
{
    DateTime utcNow = DateTime.UtcNow;
    var notBeforeUtc = cert.NotBefore.ToUniversalTime();
    var notAfterUtc = cert.NotAfter.ToUniversalTime();

    if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
        throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, notBeforeUtc, utcNow)));

    LogHelper.LogInformation(LogMessages.IDX10250, notBeforeUtc, utcNow);

    if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
        throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, notAfterUtc, utcNow)));

    LogHelper.LogInformation(LogMessages.IDX10251, notAfterUtc, utcNow);
}
I.e. that flag relates to X509 certificates only, and the testing of the time period they are valid for. So I suspect it does not affect tokens validated using HMAC256... unless the HMAC key was obtained from an X509 certificate!
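The following console program is an added example, not code from the question or from either answer, that exercises the behaviour traced above directly against System.IdentityModel.Tokens.Jwt without the ASP.NET Core host. It signs one token with an HS256 SymmetricSecurityKey and one with RS256 under an X509SecurityKey wrapping a deliberately expired self-signed certificate, then validates each with ValidateIssuerSigningKey set to false and to true. The issuer URL, the HMAC secret, the certificate subject and the validity dates are made-up demo values; it assumes .NET 6 or later with the System.IdentityModel.Tokens.Jwt NuGet package referenced.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added demo (not from the question or the library). Issuer, secret and
// certificate details below are constructed for illustration only.
static class ValidateIssuerSigningKeyDemo
{
    const string Issuer = "https://issuer.example";   // assumed value
    const string Audience = Issuer;                   // mirrors the question's config

    static TokenValidationParameters Parameters(SecurityKey key, bool validateKey) =>
        new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidateIssuerSigningKey = validateKey,   // the flag under discussion
            ClockSkew = TimeSpan.Zero,
        };

    // Mint a short-lived token with the given signing credentials.
    static string CreateToken(SigningCredentials creds)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim("sub", "alice") },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns "valid" on success, otherwise the name of the exception thrown.
    static string TryValidate(string jwt, TokenValidationParameters p)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, p, out _);
            return "valid";
        }
        catch (SecurityTokenException ex)
        {
            return ex.GetType().Name;
        }
    }

    static void Main()
    {
        // 1) HS256 with a SymmetricSecurityKey: there is no certificate to
        //    check, so the flag makes no difference to the outcome.
        var hmacKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("demo-secret-that-is-at-least-32-bytes-long!"));  // demo value
        var hmacJwt = CreateToken(new SigningCredentials(hmacKey, SecurityAlgorithms.HmacSha256));
        Console.WriteLine($"HS256, ValidateIssuerSigningKey=false: {TryValidate(hmacJwt, Parameters(hmacKey, false))}");
        Console.WriteLine($"HS256, ValidateIssuerSigningKey=true:  {TryValidate(hmacJwt, Parameters(hmacKey, true))}");

        // 2) RS256 where the API holds the verification key as an X509SecurityKey
        //    whose certificate expired yesterday. Signing uses the raw RSA key
        //    so only the verification side goes through the certificate.
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=expired-demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var expiredCert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-30), DateTimeOffset.UtcNow.AddDays(-1));
        var certKey = new X509SecurityKey(expiredCert);
        var rsaJwt = CreateToken(new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256));

        // With the flag off the signature still verifies against the expired
        // certificate's public key; with it on, the validity-period check in
        // Validators.ValidateIssuerSecurityKey rejects the key.
        Console.WriteLine($"RS256 expired cert, ValidateIssuerSigningKey=false: {TryValidate(rsaJwt, Parameters(certKey, false))}");
        Console.WriteLine($"RS256 expired cert, ValidateIssuerSigningKey=true:  {TryValidate(rsaJwt, Parameters(certKey, true))}");
    }
}
```

Both HS256 lines report "valid", the expired-certificate case reports "valid" with the flag off and SecurityTokenInvalidSigningKeyException with it on, which is the behaviour the quoted validator code implements. Note that the flag only inspects a key that is already an X509SecurityKey supplied through IssuerSigningKey (or a resolver); it does not make the handler trust a key embedded in the token itself.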