This repository has been archived by the owner on Apr 24, 2020. It is now read-only.

Validate issuer signing key? #7

Closed
freeman-g opened this issue Jan 16, 2018 · 1 comment

Comments

@freeman-g

In this repo, the only token validation is based on Audience:

            var tvps = new TokenValidationParameters
            {
                // In this app, the TodoListClient and TodoListService
                // are represented using the same Application Id - we use
                // the Application Id to represent the audience, or the
                // intended recipient of tokens.

                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],

                // In a real application, you might use issuer validation to
                // verify that the user's organization (if applicable) has
                // signed up for the app.  Here, we'll just turn it off.

                ValidateIssuer = false,
            };

Is this actually secure? For a production app should we also be validating IssuerSigningKey as well? Or is that not necessary because the key is signed with a public/private key pair?

Thank you

@freeman-g
Author

FYI to any others with the same question, this article answers it:

https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/

Authority is the address of the token-issuing authentication server. The JWT bearer authentication middleware will use this URI to find and retrieve the public key that can be used to validate the token’s signature. It will also confirm that the iss parameter in the token matches this URI.

....

If it’s set (Authority), the middleware assumes that it can go to that URI to get token validation information.

By using the Authority like this, the AAD tokens will be validated against the public key.

            .AddJwtBearer(jwtOptions =>
            {
                jwtOptions.Authority = "https://login.microsoftonline.com/<tenant id>/";
            });
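As an added example that is not code from this repository or from the linked article, the snippet below shows how the answer above translates into an ASP.NET Core JwtBearer configuration that checks the signature, issuer, audience and lifetime of an Azure AD token, in contrast to the audience-only settings quoted in the question. The tenant id and application id are placeholders, and the class and method names are assumptions for illustration. Setting `Authority` is what answers the `IssuerSigningKey` question: the handler downloads the OpenID Connect metadata from that address and takes the issuer value and the JWKS signing keys from it, so the public keys never need to be hard-coded and key rollover is handled automatically.

```csharp
// Added example (not from this repository): ASP.NET Core JWT bearer setup
// that validates signature, issuer, audience and lifetime of Azure AD tokens.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtBearerSetup
{
    // Placeholders: substitute the tenant id and the app's application id.
    private const string TenantId = "<tenant id>";
    private const string Audience = "<application id>";

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(jwtOptions =>
            {
                // Authority points the handler at the OpenID Connect metadata
                // document (.well-known/openid-configuration). The issuer and
                // the JWKS signing keys published there are merged into the
                // validation parameters, so no IssuerSigningKey is hard-coded.
                jwtOptions.Authority = $"https://login.microsoftonline.com/{TenantId}/";
                jwtOptions.Audience = Audience;

                // Never fetch signing keys over plain HTTP.
                jwtOptions.RequireHttpsMetadata = true;

                jwtOptions.TokenValidationParameters = new TokenValidationParameters
                {
                    // Signature: the token must be signed by a key from the metadata.
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,

                    // Issuer: must match the issuer published in the metadata
                    // (the issue's snippet switched this check off).
                    ValidateIssuer = true,

                    // Audience: must be this app's id, as the issue already did.
                    ValidateAudience = true,
                    ValidAudience = Audience,

                    // Lifetime: reject expired or not-yet-valid tokens, and
                    // tolerate only a small clock difference with the issuer.
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
            });
    }
}
```

Call `JwtBearerSetup.Configure(builder.Services)` during startup and add `app.UseAuthentication()` before authorization. Leaving `ValidIssuer` unset is deliberate here: when `Authority` is configured, the handler appends the metadata issuer to the accepted issuers, which is the right choice for Azure AD where the exact issuer string differs between tenants and endpoint versions.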
