Do I need to validate JWT tokens in asp.net core 2 REST API?












I have the following code in my asp.net core REST API configuration:

    services
        .AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
        .AddJwtBearer(options =>
        {
            options.Authority = "https://login.microsoftonline.com/XXXTenantIDXXX";
            options.Audience = "XXXX clientId XXXX";
        });

    services.AddMvc(o =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        o.Filters.Add(new AuthorizeFilter(policy));
    });

It authenticates requests. It is working fine.

I am concerned and worried about JWT token forgery, or JWT tokens that come from other AAD applications in the tenant.

I expect the above code provides all the information the asp.net core authentication needs to verify that the JWT is valid and that its audience is the right AAD application.

I wanted to confirm my expectation here and ask whether I need additional logic (code) to verify the JWT token.










  • There are always checks to make; one of the must-dos is to check if the user exists: even if the JWT is valid, that user may be deleted or banned or whatever. About your question on checking the token, well, what could you do if your secret is stolen? There is no way to know if a VALID jwt was forged or not; at the end of the day, it is valid ...

    – Melardev
    Nov 23 '18 at 19:15











  • @Melardev. The most important matter is to make sure the JWT signature is valid. Do you know if the ASP.NET middleware does that?

    – Allan Xu
    Nov 23 '18 at 20:21











  • As said below, yes, absolutely, it validates the token, and the middleware can also parse some claims available through the jwt payload, such as the roles. Read this for the roles-related feature: jerriepelser.com/blog/using-roles-with-the-jwt-middleware

    – Melardev
    Nov 23 '18 at 20:49
















asp.net-mvc asp.net-core-2.0 asp.net-core-webapi .net-security






edited Nov 23 '18 at 19:12







Allan Xu

















asked Nov 16 '18 at 23:27









Allan Xu

1 Answer
Yes, the Asp.Net Core middleware validates the JWT token. Make sure you are configuring the JWT Bearer options and the token validation parameters in order for the Asp.Net Core middleware to validate it.

For example:

    services.AddAuthentication(auth =>
    {
        auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.ClaimsIssuer = jwtAuthSettings.ValidIssuer; // Your issuer
        options.IncludeErrorDetails = true;
        options.RequireHttpsMetadata = true;
        options.SaveToken = true;
        options.Validate(JwtBearerDefaults.AuthenticationScheme);
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            ClockSkew = TimeSpan.FromMinutes(30),
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = jwtAuthSettings.ValidIssuer,          // Your issuer
            ValidAudience = jwtAuthSettings.ValidAudience,      // Your audience
            IssuerSigningKey = jwtAuthSettings.SymmetricSecurityKey, // Your key
            NameClaimType = ClaimTypes.NameIdentifier,
            RequireSignedTokens = true,
            RequireExpirationTime = true
        };
    });





        answered Nov 23 '18 at 20:45









Muheeb
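As an added illustration (not code from the question, the answer, or ASP.NET Core itself), the Python below models the checks that the answer's TokenValidationParameters switches turn on and runs them over constructed tokens covering the asker's concerns: a token minted for another app in the same tenant, an expired token, an unsigned token, and a payload edited after signing. It uses an HMAC key like the answer's SymmetricSecurityKey so it runs offline; the asker's AAD setup instead verifies RSA signatures with keys the handler fetches from the Authority's OpenID metadata, and the issuer and audience strings here are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed placeholders; issuer/audience reuse the XXX placeholders from the question.
KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://login.microsoftonline.com/XXXTenantIDXXX"
API_APP_ID = "XXXX clientId XXXX"
OTHER_APP_ID = "other-app-in-same-tenant"  # another app registration, constructed

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Test-only token factory for the sample inputs below."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":  # deliberately unsigned sample
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate(token: str, key: bytes, valid_issuer: str, valid_audience: str,
             now: float, clock_skew: int = 0) -> tuple:
    """Returns (accepted, reason); each step is one TokenValidationParameters switch."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed"
    # RequireSignedTokens: "alg": "none" / empty signature is rejected first
    if header.get("alg") != "HS256" or not s:
        return False, "unsigned_or_unexpected_alg"
    # ValidateIssuerSigningKey: recompute the MAC over the exact header.payload bytes
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad_signature"
    # ValidateIssuer / ValidateAudience: a token for another app in the same tenant has
    # a good signature and issuer but the wrong aud, so this is the check that matters
    if claims.get("iss") != valid_issuer:
        return False, "bad_issuer"
    aud = claims.get("aud")
    if valid_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "bad_audience"
    # RequireExpirationTime / ValidateLifetime, with ClockSkew added to exp
    exp = claims.get("exp")
    if exp is None or now > exp + clock_skew:
        return False, "expired_or_missing_exp"
    return True, "ok"

def demo(now: int = 1_700_000_000) -> dict:
    """Validates five constructed tokens and returns the reason for each."""
    base = {"iss": ISSUER, "aud": API_APP_ID, "sub": "user-1", "exp": now + 600}
    h, p, s = mint_hs256(base, KEY).split(".")
    samples = {
        "good": f"{h}.{p}.{s}",
        "other_app": mint_hs256({**base, "aud": OTHER_APP_ID}, KEY),
        "expired": mint_hs256({**base, "exp": now - 3600}, KEY),
        "unsigned": mint_hs256(base, KEY, alg="none"),
        # payload edited after signing, original signature kept
        "tampered": f"{h}.{_b64url_encode(json.dumps({**base, 'sub': 'user-2'}).encode())}.{s}",
    }
    return {name: validate(t, KEY, ISSUER, API_APP_ID, now, clock_skew=30 * 60)[1]
            for name, t in samples.items()}
```

Only the "good" token is accepted; the other four each fail on the check the matching TokenValidationParameters setting enables, which is why leaving those switches at their defaults (all true) and setting the right Authority and Audience is what answers the question.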
