This repository has been archived by the owner on Apr 24, 2020. It is now read-only.
In this repo, the only token validation is based on Audience:
```csharp
var tvps = new TokenValidationParameters
{
    // In this app, the TodoListClient and TodoListService
    // are represented using the same Application Id - we use
    // the Application Id to represent the audience, or the
    // intended recipient of tokens.
    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
    // In a real application, you might use issuer validation to
    // verify that the user's organization (if applicable) has
    // signed up for the app. Here, we'll just turn it off.
    ValidateIssuer = false,
};
```
Is this actually secure? For a production app should we also be validating IssuerSigningKey as well? Or is that not necessary because the key is signed with a public/private key pair?
Thank you
Authority is the address of the token-issuing authentication server. The JWT bearer authentication middleware will use this URI to find and retrieve the public key that can be used to validate the token’s signature. It will also confirm that the iss parameter in the token matches this URI.
....
If it’s set (Authority), the middleware assumes that it can go to that URI to get token validation information.
By using the Authority like this, the AAD tokens will be validated against the public key.
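As an added example (not the sample's code), here is the same TokenValidationParameters with the issuer pinned and the signing keys taken from the issuer's OpenID Connect metadata, which is what Authority causes the middleware to fetch; the tenant id, audience, metadata URL and token string are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

class TokenValidationExample
{
    // Hardened parameters: pin the issuer and use the signing keys published in the
    // issuer's OpenID Connect metadata, so a token with the right audience but a
    // different issuer (another tenant) or an unknown signing key is rejected.
    static TokenValidationParameters Hardened(string audience, OpenIdConnectConfiguration oidc) =>
        new TokenValidationParameters
        {
            ValidAudience = audience,
            ValidateAudience = true,
            ValidIssuer = oidc.Issuer,              // the sample had ValidateIssuer = false
            ValidateIssuer = true,
            IssuerSigningKeys = oidc.SigningKeys,   // what Authority fetches for the middleware
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

    static void Main()
    {
        // Placeholders (assumptions): replace with the app's tenant id, audience and token.
        const string tenantId = "<tenant-id>";
        const string audience = "<application-id>";
        string metadata = "https://login.microsoftonline.com/" + tenantId + "/.well-known/openid-configuration";
        // Fetches and caches the metadata (issuer + JWKS); keys rotate, so do not hard-code them.
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadata, new OpenIdConnectConfigurationRetriever());
        OpenIdConnectConfiguration oidc =
            configManager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
        string token = "<incoming-bearer-token>";
        var handler = new JwtSecurityTokenHandler();
        try
        {
            handler.ValidateToken(token, Hardened(audience, oidc), out SecurityToken validated);
            Console.WriteLine("Accepted; issuer: " + validated.Issuer);
        }
        catch (SecurityTokenException ex)
        {
            // Wrong audience, wrong issuer, unknown key, bad signature and expiry all land here.
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```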