Rule ID: CA5404 / Category: Security / Enabled by default: No

Do not disable token validation checks

Source: Microsoft docs

Description

Token validation checks ensure that every relevant aspect of a token (its signature, issuer, audience, and lifetime) is analyzed and verified during validation. Turning any of these checks off opens a security hole: a token that is expired, that was issued by a different party, or that was issued for a different resource can then pass validation and be treated as trusted.

More details about best practices for token validation can be found on the library's wiki.

Cause

Setting the Microsoft.IdentityModel.Tokens.TokenValidationParameters properties RequireExpirationTime, ValidateAudience, ValidateIssuer, or ValidateLifetime to false.

How to fix violations

Set the Microsoft.IdentityModel.Tokens.TokenValidationParameters properties RequireExpirationTime, ValidateAudience, ValidateIssuer, and ValidateLifetime to true. Or, simply remove the assignment to false, because the default value of each of these properties is already true.

Example

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        // Violation: each assignment below switches off a check that the
        // library performs by default, so CA5404 reports all four lines.
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.RequireExpirationTime = false; // accepts tokens with no exp claim
        parameters.ValidateAudience = false;      // accepts tokens issued for other resources
        parameters.ValidateIssuer = false;        // accepts tokens from any issuer
        parameters.ValidateLifetime = false;      // accepts expired or not-yet-valid tokens
    }
}

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        // Solution: the defaults are already true, so these explicit assignments
        // are redundant; deleting the four lines fixes the rule just as well.
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.RequireExpirationTime = true;
        parameters.ValidateAudience = true;
        parameters.ValidateIssuer = true;
        parameters.ValidateLifetime = true;
    }
}
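The rule's examples only show the flags being set; they do not show what each flag actually rejects. The following added example (written for this page, not code from the Microsoft docs or from the Microsoft.IdentityModel library) issues a handful of constructed JWTs with System.IdentityModel.Tokens.Jwt and runs each through a hardened TokenValidationParameters and through the weakened configuration CA5404 flags. The issuer and audience strings and the HMAC key are made-up demo values; a real service takes them from configuration or from the issuer's published metadata.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class TokenValidationDemo
{
    // Constructed demo values (hypothetical identifiers and a throwaway key).
    const string Issuer = "https://issuer.example";
    const string Audience = "api://resource.example";
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("demo-only-key-0123456789abcdef0123456789")); // >= 32 bytes for HS256

    // Every check CA5404 cares about is enabled. ValidateIssuer and ValidateAudience
    // only mean something because ValidIssuer and ValidAudience are set alongside them.
    static TokenValidationParameters Hardened() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = Key,
        ClockSkew = TimeSpan.FromMinutes(1), // tolerate small clock drift, not hours
    };

    // The configuration CA5404 reports: the signature is still checked, nothing else is.
    static TokenValidationParameters Weakened()
    {
        var p = Hardened();
        p.ValidateIssuer = false;
        p.ValidateAudience = false;
        p.ValidateLifetime = false;
        p.RequireExpirationTime = false;
        return p;
    }

    // Mints a signed token so the demo can exercise each check in isolation.
    static string Issue(string issuer, string audience, DateTime? expires)
    {
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim(ClaimTypes.Name, "alice") },
            notBefore: DateTime.UtcNow.AddMinutes(-5),
            expires: expires,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns "accepted" or the name of the exception that rejected the token.
    static string Outcome(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return "accepted";
        }
        catch (SecurityTokenException ex)
        {
            return ex.GetType().Name;
        }
    }

    static void Main()
    {
        var now = DateTime.UtcNow;
        var samples = new (string Label, string Jwt)[]
        {
            ("valid",          Issue(Issuer, Audience, now.AddMinutes(10))),
            ("expired",        Issue(Issuer, Audience, now.AddMinutes(-2))),
            ("no exp claim",   Issue(Issuer, Audience, null)),
            ("other audience", Issue(Issuer, "api://other.example", now.AddMinutes(10))),
            ("other issuer",   Issue("https://other-issuer.example", Audience, now.AddMinutes(10))),
        };

        Console.WriteLine($"{"token",-16}{"hardened",-40}weakened");
        foreach (var (label, jwt) in samples)
            Console.WriteLine($"{label,-16}{Outcome(jwt, Hardened()),-40}{Outcome(jwt, Weakened())}");
    }
}
```

With the hardened parameters only the first token is accepted; the others are rejected with SecurityTokenExpiredException, SecurityTokenNoExpirationException, SecurityTokenInvalidAudienceException and SecurityTokenInvalidIssuerException respectively. With the weakened parameters all five are accepted, because a valid signature is the only thing left being checked. Two practical points follow from this: setting ValidateIssuer or ValidateAudience to true is not enough on its own, the expected ValidIssuer(s) and ValidAudience(s) must also be configured or the library has nothing to compare against; and ClockSkew should stay small, since a large skew quietly weakens ValidateLifetime in the same way as turning it off.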

When to suppress

In the vast majority of cases, this validation is essential to the security of the consuming app. However, there are some cases where a particular check is not needed, especially with non-standard token types. Before you disable any of these checks, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.
