-
Notifications
You must be signed in to change notification settings - Fork 401
ValidatingTokens
Token Validation for a bearer token has multiple parts. The token is validated by checking that this is for the application, was issued by a trustable Security Token Server (STS), that the token's lifetime is in range, and that it was not tampered. There can also be special validations for instance that signing keys, when embedded in the tokens are trusted, and that the token is not being replayed. Finally some protocols require specific validations
The validation steps are captured into Validators, which are all in one source file: Microsoft.IdentityModel.Tokens/Validators.cs
The validators are the following:
Validator | Description |
---|---|
ValidateAudience |
Ensures that the token is indeed for the application that validates the token (for me) |
ValidateIssuer |
Ensures that the token was issued by a STS I trust (from someone I TRUST) |
ValidateIssuerSigningKey |
Ensures the application validating the token trusts the key that was used to sign the token (this is a special case where the key is embedded in the token, usually this is not required) |
ValidateLifetime |
Ensures that the token is still (or already) valid. This is done by checking that the lifetime of the token (notbefore, expires) is in range |
ValidateSignature |
Ensures that the token has not been tampered |
ValidateTokenReplay |
Ensure the token is not replayed (this is a special case for some onetime use protocols) |
In addition to these validators, there are protocol specific validation rules. For example, OpenIdConnect requires the audience (‘aud’) claim to exist. See:Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs#L382
Conceptual Documentation
- Using TokenValidationParameters.ValidateIssuerSigningKey
- Scenarios
- Validating tokens
- Outbound policy claim type mapping
- How ASP.NET Core uses Microsoft.IdentityModel extensions for .NET
- Using a custom CryptoProvider
- SignedHttpRequest aka PoP (Proof-of-Possession)
- Creating and Validating JWEs (Json Web Encryptions)
- Caching in Microsoft.IdentityModel
- Resiliency on metadata refresh
- Use KeyVault extensions