JwtBearer argument validation #844
Comments
|
Hem, what do you want to validate exactly? |
|
I was testing something and it null refd on Options.ConfigurationManager. That said, ConfigurationManager seems to be optional, we just forgot to check for null in one place. Are all the parameters really optional? |
|
I guess it was because of this line, which is not guarded against null values: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerHandler.cs#L108
Yes (and one must be able to use the JWT bearer middleware without having an OIDC server) Currently, In this case, it's up to the developer to provide the appropriate token validation parameters (e.g the issuer name). |
|
It seems to me that Other then that, @Tratcher what else we should validate at the beginning of the server? |
|
The null ref was in OIDC. I filed this one because I realized Jwt had no validation either. The biggest problem I see is that it still starts if you provide no arguments (e.g. your config file was accidentally empty), it just doesn't work. Try debugging through it to see how it fails in this scenario and if there's any way to validate against it. It's problematic that there are too many different ways to configure it. |
|
If you simply call
It's a common trap so it would be great if a better error was returned, but I'm not sure there's an easy way to do that. |
On a related note, we should add more checks to ensure an authorization request or a logout request cannot be generated when the authorization/logout endpoint path resolved from the OIDC configuration or set from the Currently, if the authorization endpoint is undefined, the challenge is applied to the current address (e.g You can easily reproduce it by cloning the OpenIddict MVC samples and updating the server sample to disable the authorization endpoint: services.AddOpenIddict<ApplicationUser, IdentityRole<Guid>, ApplicationDbContext, Guid>()
// .EnableAuthorizationEndpoint("/connect/authorize")
// .EnableLogoutEndpoint("/connect/logout")
.EnableTokenEndpoint("/connect/token")
// .EnableUserinfoEndpoint("/connect/userinfo")
// .AllowAuthorizationCodeFlow()
// .AllowRefreshTokenFlow()
.AllowPasswordFlow()
.DisableHttpsRequirement(); |
|
OK. So sum it up: Both It could potential produce some test-ability issue. In some tests (like this one), set an I ran into the missing redirect url issue brought up by @PinpointTownes previously, too. I'll open a separate issue to address it. (#903) |
You mean for the OIDC middleware? Or does your remark also include the JWT middleware? |
|
Only applies to Jwt middleware. since this issue is addressing Jwt Middleware |
|
Then it's important to note that making |
|
That means |
|
The 'problem' with JWT is that there's no mandatory claim, so it's hard to make options like I guess you could update the JWT bearer middleware to throw an exception when Not to mention that there are multiple ways to register a signing key: via We might end up with a monstrous check: if (Options.TokenValidationParameters.RequireSignedTokens &&
string.IsNullOrEmpty(Options.MetadataAddress) &&
Options.Configuration == null &&
Options.ConfigurationManager == null &&
Options.TokenValidationParameters.IssuerSigningKey == null &&
Options.TokenValidationParameters.IssuerSigningKeyResolver == null &&
Options.TokenValidationParameters.IssuerSigningKeys == null &&
Options.TokenValidationParameters.IssuerSigningKeyValidator == null) {
// Throw an exception, as this likely indicates an invalid configuration.
} |
|
Thanks for the suggestion, @PinpointTownes . I'll look into this one. |
|
So in the end there may not be any practical validation we can do. That's a shame because it's really easy to not add your config settings. |
|
We looked into this and due to the flexibility of the JWT provider, we can't find a good reliable way to do this type of validation. |
Same as #795
The text was updated successfully, but these errors were encountered: