CA5405 (Security) Enabled by default: No

Do not always skip token validation in delegates


Description

Setting the TokenValidationParameters validation delegates so that they always return true disables the corresponding authentication safeguard. An AudienceValidator that always returns true accepts tokens issued for any audience, including tokens meant for a different application; a LifetimeValidator that always returns true accepts expired or not-yet-valid tokens.

For more information about best practices for token validation, see the library's wiki.

Cause

The callback assigned to AudienceValidator or LifetimeValidator returns true on every code path.

How to fix violations

  • Improve the logic of the delegate so that not every code path returns true; a delegate that returns true unconditionally disables that type of validation entirely.
  • Throw SecurityTokenInvalidAudienceException (for AudienceValidator) or SecurityTokenInvalidLifetimeException (for LifetimeValidator) in the cases that must fail validation, and return true only in the cases that should pass.

Example

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        // Violation: every path returns true, so a token issued for any
        // audience is accepted and audience validation is effectively disabled.
        parameters.AudienceValidator = (audiences, token, tvp) => { return true; };
    }
}

using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    // Audiences this application accepts; anything else fails validation.
    private static readonly HashSet<string> AllowedAudiences =
        new HashSet<string>(StringComparer.Ordinal) { "api://my-service" };

    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        // Fix: the delegate returns true only when the custom check passes.
        parameters.AudienceValidator = (audiences, token, tvp) =>
        {
            // Implement your own custom audience validation
            return PerformCustomAudienceValidation(audiences, token);
        };
    }

    // Accept the token only if at least one of its audiences is one we expect.
    private static bool PerformCustomAudienceValidation(IEnumerable<string> audiences, SecurityToken token)
    {
        if (audiences == null)
            return false;

        return audiences.Any(a => !string.IsNullOrEmpty(a) && AllowedAudiences.Contains(a));
    }
}

When to suppress

In some specific cases where you are using the delegate only for additional logging, and the token type in question does not need that specific kind of validation, it may make sense to suppress this warning. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.
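The following is an added example, not code from the analyzer documentation or from the Microsoft.IdentityModel.Tokens library itself. It shows the pattern the "How to fix violations" list describes for LifetimeValidator (throw in the failure cases, return true otherwise) and the logging scenario from the suppression note: a delegate can log every decision and still enforce expiry. It then signs a token that expired an hour ago (a constructed sample) and validates it twice, once with an always-true LifetimeValidator and once with the logging validator. The issuer, audience and symmetric key are hypothetical demo values; the example needs the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example, not part of the analyzer docs or the library.
static class LifetimeValidationDemo
{
    // Hypothetical values for this demo only; a real service reads these from configuration.
    const string Issuer = "https://issuer.example";
    const string Audience = "api://my-service";
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef")); // 256-bit demo key only

    // A lifetime validator that logs every decision but still enforces the lifetime.
    // Returning true from every path is what CA5405 flags; here each failure throws.
    static bool LoggingLifetimeValidator(DateTime? notBefore, DateTime? expires,
        SecurityToken token, TokenValidationParameters tvp)
    {
        DateTime now = DateTime.UtcNow;
        Console.WriteLine($"lifetime check: nbf={notBefore:O} exp={expires:O} now={now:O}");

        if (!expires.HasValue)
            throw new SecurityTokenNoExpirationException("token has no exp claim");

        // Honour the configured clock skew, as the library's default lifetime validation does.
        if (notBefore.HasValue && notBefore.Value > now.Add(tvp.ClockSkew))
            throw new SecurityTokenNotYetValidException($"token not valid before {notBefore:O}");

        if (expires.Value < now.Subtract(tvp.ClockSkew))
            throw new SecurityTokenExpiredException($"token expired at {expires:O}");

        return true; // the only passing path
    }

    static TokenValidationParameters BaseParameters() => new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = Key,
        ClockSkew = TimeSpan.Zero,
    };

    // Constructed sample: a correctly signed token whose lifetime ended an hour ago.
    static string CreateExpiredToken()
    {
        var handler = new JwtSecurityTokenHandler();
        DateTime now = DateTime.UtcNow;
        var token = handler.CreateJwtSecurityToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            IssuedAt = now.AddHours(-2),
            NotBefore = now.AddHours(-2),
            Expires = now.AddHours(-1),   // already expired
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
        });
        return handler.WriteToken(token);
    }

    static bool TryValidate(string jwt, TokenValidationParameters tvp)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, tvp, out _);
            return true;
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"rejected: {ex.GetType().Name}: {ex.Message}");
            return false;
        }
    }

    static void Main()
    {
        string expired = CreateExpiredToken();

        // Violation: every path returns true, so the expired token is accepted.
        var permissive = BaseParameters();
        permissive.LifetimeValidator = (nbf, exp, t, p) => true;
        Console.WriteLine($"always-true validator accepted expired token: {TryValidate(expired, permissive)}");

        // Fix: the delegate logs and throws on failure, so the expired token is rejected.
        var strict = BaseParameters();
        strict.LifetimeValidator = LoggingLifetimeValidator;
        Console.WriteLine($"logging validator accepted expired token: {TryValidate(expired, strict)}");
    }
}
```

When a custom LifetimeValidator is assigned, the library calls it instead of its built-in lifetime check, so whatever the delegate does not reject is accepted; that is why the logging variant re-implements the expiry and not-before checks (including ClockSkew) rather than only writing a log line.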

Group results: 0 yes, 0 no. Consensus: None (disabled). Severity preference (yes voters): Suggestion 0, Warning 0, Error 0.