Dev

[jastrnad]

Hello Brent! We want to use your cool library for Skype purposes, but we don't use parameter Audience. I added option to TokenValidationParameters.cs to disable it. I can give you more info on Lync.

Best regards, Jan Strnad

[brandwe]

This is awesome. Thanks @jastrnad. I've assigned Brent. Have you submitted a Contribution Agreement yet? Yes, even if you are internal to Microsoft you have to sign it :-) Should take a few seconds.

[brentschmaltz]

Jan,

Thanks for the kind words. There is a way to disable Audience validation, but it is not as clean as you suggest. If you set TokenValidationParameters.AudienceUriMode = AudienceUriMode.Never, the 'aud' claim is not needed or checked.
Interestingly, we have moved away from the tri state for Audience - { Never, Always, Bearer } to a bool. You should see that in the next release.

[jastrnad]

Cool, this means, we can use it without modification :) Yes, I signed Contribution Agreement. Thx

[jastrnad]

I've found bug, that's why I was not able to use it. Here is bugfix and I also added test case.

Hope you will like it and approve it :) Thx, Jan

[brentschmaltz]

For security reasons we felt that a JWT must have an issuer, by default we check it. We allowed for turning off checking since the number of issuers could be large or unknown at this layer. We still required the 'iss' claim to be non-null since it is a property on the Claims returned. We felt that this was a potential blocker for users so we made the method virtual. How do you feel about deriving and overriding the method?

[jastrnad]

Ahh, ok, that seems reasonable. We wanted to use library without modification. But yes, overriding is an option for us.

[brentschmaltz]

@jastrnad

This is a good item to open on the owin branch.

[jastrnad]

What's point of owin branch?

[brentschmaltz]

That is a feature branch for new work.