AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

Is the information on http://jwt.io/ outdated? #311

Closed ghost closed 8 years ago

ghost commented 8 years ago

At http://jwt.io/, it states:

are unsupported by System.IdentityModel.Tokens.Jwt. But in the code, you have these algorithms supported.

Also what about these checks:

are these still unsupported?

Pinging @mgonto (based on https://github.com/jsonwebtoken/jsonwebtoken.github.io).

brentschmaltz commented 8 years ago

@jasonwilliams200OK yes, the info on jwt.io is stale.

The id_token validation is split into different layers since the specs require different checks. For simple JWT validation, JwtSecurityTokenHandler.ValidateToken will check lifetime (nbf and exp). The 'iat' value was thought to be in the application domain of checks. 'jti' is required for 'client auth', see: http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

The OpenIdConnectProtocolValidator by default requires 'aud' or 'azp' (logic is defined in the spec), 'exp', and 'iss'.

The 'sub' check is OFF by default.

see: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/KDev/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs#L366

There is a delegate available if you want to perform additional checks see: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/KDev/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs#L45
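The layering described above, as an added example in C# that is not part of the original thread or of the library's own samples. It assumes the 5.x API surface (System.IdentityModel.Tokens.Jwt plus Microsoft.IdentityModel.Protocols.OpenIdConnect, the project the linked KDev paths point at); the demo key, issuer, client id, the `IdTokenChecker` subclass and the `RejectIfTooOld` helper are all constructed here for illustration. Layer 1 is the plain JWT handler (signature, iss, aud, nbf/exp), layer 2 is the application's own 'iat' freshness check, and layer 3 is the OIDC protocol validator with 'sub' toggled on and off.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical subclass: exposes the validator's id_token checks so they can be run
// on an already signature-validated JwtSecurityToken (ValidateIdToken is protected
// in the versions this example assumes).
class IdTokenChecker : OpenIdConnectProtocolValidator
{
    public void Check(OpenIdConnectProtocolValidationContext ctx) => ValidateIdToken(ctx);
}

static class LayeredValidationDemo
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Constructed demo key; a real relying party takes the issuer's keys from its
    // metadata (jwks_uri) and never embeds them in code.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));

    const string Issuer = "https://issuer.example";   // assumed issuer
    const string ClientId = "client-app";             // assumed client_id / audience

    static string Issue(DateTime issuedAt, TimeSpan lifetime, bool withSub)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(JwtRegisteredClaimNames.Iat,
                ((long)(issuedAt - Epoch).TotalSeconds).ToString(), ClaimValueTypes.Integer64),
        };
        if (withSub) claims.Add(new Claim(JwtRegisteredClaimNames.Sub, "alice"));

        var jwt = new JwtSecurityToken(
            issuer: Issuer, audience: ClientId, claims: claims,
            notBefore: issuedAt, expires: issuedAt + lifetime,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Layer 1: signature, iss, aud and lifetime (nbf/exp). 'iat' and 'jti' are not checked here.
    static JwtSecurityToken ValidateSignatureAndLifetime(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = ClientId,
            IssuerSigningKey = Key,
            ValidateLifetime = true,                 // nbf and exp
            ClockSkew = TimeSpan.FromSeconds(30),    // library default is 5 minutes
        };
        SecurityToken validated;
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out validated);
        return (JwtSecurityToken)validated;
    }

    // Layer 2: application-domain 'iat' check (hypothetical helper, not library code).
    static void RejectIfTooOld(JwtSecurityToken jwt, TimeSpan maxAge, DateTime now)
    {
        if (!jwt.Payload.Iat.HasValue)
            throw new SecurityTokenException("iat claim missing");
        DateTime issuedAt = Epoch.AddSeconds(jwt.Payload.Iat.Value);
        if (now - issuedAt > maxAge)
            throw new SecurityTokenException("token issued too long ago: " + issuedAt.ToString("o"));
    }

    // Layer 3: OIDC protocol checks (aud/azp against client_id, exp, iss; sub only if required).
    static void ValidateAsIdToken(JwtSecurityToken jwt, bool requireSub)
    {
        var checker = new IdTokenChecker { RequireSub = requireSub };
        checker.Check(new OpenIdConnectProtocolValidationContext
        {
            ValidatedIdToken = jwt,   // must already have passed layer 1
            ClientId = ClientId,
        });
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string fresh   = Issue(now, TimeSpan.FromMinutes(5), withSub: true);
        string noSub   = Issue(now, TimeSpan.FromMinutes(5), withSub: false);
        string expired = Issue(now.AddHours(-1), TimeSpan.FromMinutes(5), withSub: true);

        JwtSecurityToken jwt = ValidateSignatureAndLifetime(fresh);
        RejectIfTooOld(jwt, TimeSpan.FromMinutes(10), now);
        ValidateAsIdToken(jwt, requireSub: true);
        Console.WriteLine("fresh token passed all three layers");

        try { ValidateSignatureAndLifetime(expired); }
        catch (SecurityTokenExpiredException) { Console.WriteLine("expired token rejected by layer 1 (exp)"); }

        JwtSecurityToken jwtNoSub = ValidateSignatureAndLifetime(noSub);
        ValidateAsIdToken(jwtNoSub, requireSub: false);   // the default: 'sub' not required
        try { ValidateAsIdToken(jwtNoSub, requireSub: true); }
        catch (OpenIdConnectProtocolException) { Console.WriteLine("missing sub rejected once RequireSub = true"); }
    }
}
```

The IdTokenValidator delegate mentioned above is the hook for checks beyond these (for example tracking 'jti' for replay). Read the linked source before relying on it: in the 5.x code this example assumes, setting the delegate makes the validator call it instead of its built-in claim checks, so a delegate has to repeat the 'aud'/'azp', 'exp' and 'iss' checks itself rather than only adding to them.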

ghost commented 8 years ago

@brentschmaltz, thanks for the info. So should all the bullets in the following snapshot be green:

[image: screenshot of the jwt.io .NET library checklist]

If so, (and the fact that you know the correct details) would you please send a PR for https://github.com/jsonwebtoken/jsonwebtoken.github.io/blob/fc37628/views/libraries/net.jade, to reflect the current status? Basically it is just about changing the icon class name from icon-budicon-501 to icon-budicon-500. :)

Secondly, I see you are using the HashAlgorithm.Create method to generate the algorithm, and since ES256 and friends are not listed on the MSDN page, that might be the source of confusion (or is it that those algorithms are actually supported under different names by System.Security.Cryptography.HashAlgorithm.Create, but System.IdentityModel.Tokens.Jwt didn't have support for them at some point in time)?

mildly cc'ing @bartonjs, @sokket for the second question about whether System.Security.Cryptography.HashAlgorithm.Create supports the ES256, ES384 and ES512 algorithms under some different name, or supports them at all. :smile:

brentschmaltz commented 8 years ago

@jasonwilliams200OK about the hash algorithm. There are three parts associated with signatures: a hash algorithm, signature algorithm and a key. ES256 and RS256 both use SHA256, which is supported by System.Cryptography.
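The three-part split above (hash, signature scheme, key), as an added C# example that is not from the thread or the library's samples. It assumes the 5.x Microsoft.IdentityModel.Tokens API and a runtime with `RSA.Create(int)` and `ECDsa.Create(ECCurve)` (.NET Core 2.0 or later); the issuer and audience strings are placeholders. RS256 and ES256 both digest with SHA-256, but one signs with an RSA key under RSASSA-PKCS1-v1_5 and the other with a P-256 key under ECDSA, and the library picks the scheme from the key/algorithm pair rather than from a hash-algorithm lookup.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class SignatureParts
{
    const string Issuer = "https://issuer.example";   // placeholder
    const string Audience = "client-app";             // placeholder

    // Signs a token with the given key/algorithm pair, validates it again with the
    // same key, and returns the 'alg' header that was written into the token.
    static string RoundTrip(SecurityKey key, string algorithm)
    {
        var handler = new JwtSecurityTokenHandler();
        JwtSecurityToken token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, algorithm));
        string compact = handler.WriteToken(token);

        SecurityToken validated;
        handler.ValidateToken(compact, new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,   // public half is enough for verification
        }, out validated);
        return ((JwtSecurityToken)validated).Header.Alg;
    }

    static void Main()
    {
        // Fresh throwaway keys for the demo; the hash is SHA-256 in both cases,
        // only the signature scheme and key type differ.
        using (RSA rsa = RSA.Create(2048))
        using (ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            Console.WriteLine(RoundTrip(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256));       // RS256
            Console.WriteLine(RoundTrip(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256)); // ES256
        }
        // ES384 and ES512 follow the same pattern with P-384/SHA-384 and P-521/SHA-512.
    }
}
```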

tushargupta51 commented 8 years ago

Closing this issue since the changes in the jsonwebtoken repo have been merged.

ghost commented 8 years ago

@tushargupta51, can you take a look at https://github.com/jsonwebtoken/jsonwebtoken.github.io/pull/134 and advise if that revert is appropriate?

tushargupta51 commented 8 years ago

@jasonwilliams200OK commented on that PR. Revert is not appropriate.