Skip to content

TokenValidationParameters.RequireAudience is not used correctly, use TokenValidationParameters.ValidateAudience or AudienceValidator

BrentSchmaltz edited this page Oct 29, 2020 · 1 revision

As reported in issue: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1547 neither JsonWebTokenHandler or JwtSecurityTokenHandler are honoring the property TokenValidationParameters.RequireAudience.

Setting the property to false, should allow for working around this issue when there are no audiences in the token. However a token without an audience will fail with the current runtime. There are two possible workarounds.

  1. Use the TokenValidationParameters.AudienceValidator delegate and check the audience on each token.
  2. Use the TokenValidationParameters.ValidateAudience property set to false.

Both of these solutions require caution as validating the audience of a token is a very important mitigation to prevent token forwarding. This attack can occur when two sites (S1, S2) trust the same identity provider and the identity provider uses the same security keys to sign tokens.

If the audience is not checked then S1 would accept tokens that were intended for S2. So please exercise caution when skipping audience validation.

Clone this wiki locally