uruk-project / Jwt

JSON Web Token implementation for .Net & .Net Core
MIT License

Signature validation fails when no signature algorithm is specified #513

Closed godefroi closed 3 years ago

godefroi commented 3 years ago

I am attempting to validate an access token coming from Azure AD B2C, and the validation is failing even though jwt.io successfully validates the signature. This is version 1.9.0.

In SignatureValidationPolicy.cs, line 101, Jwk.CanUseForSignature() is called with "RS256" as signatureAlgorithm, and it returns true, because the SignatureAlgorithm property returns null. Then, on line 103, alg ends up null because both algorithm and key.SignatureAlgorithm are null. That means that the code never tries to validate the signature, and InvalidSignature is the result.

ycrumeyrolle commented 3 years ago

The AzureAD JWKS does not specify the signature algorithm used. When you specify the validation policy, do you specify the signature algorithm?

```csharp
// key: the Jwk taken from the issuer's JWKS
var policy = new TokenValidationPolicyBuilder()
               .RequireSignature(key, SignatureAlgorithm.RsaSha256) // <= this is required
               // ...
               .Build();
```

ycrumeyrolle commented 3 years ago

Based on the title of the issue ("when no signature algorithm is specified"), I assume the answer is "No".

This is by design for avoiding a security flaw as described in this article: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.

We are working on the version 2.0 and this part has been redesigned. The RequireSignature() overloads without algorithm will be removed, forcing the developer to set an algorithm.

godefroi commented 3 years ago

Ah, no, I haven't been specifying the algorithm; I didn't realize that that was necessary (and after reading the article, it definitely should be). After specifying that, it's working great. Thanks!

ycrumeyrolle commented 3 years ago

The current design flaw is that we try to guess the algorithm from the JWK. The fact that you open an issue probably means that it may be confusing for developers. The v2.0 will enforce the algorithm definition, but I still would like to give the opportunity to keep it dynamic like with access token from Google. Thanks for your feedback!
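To make the design point concrete (the policy pins the algorithm instead of the validator guessing it from the JWK or the token header), here is an added example in Python; it is not part of the Jwt library or of this thread. It uses a constructed HS256 key so it runs with the standard library only, and the JWKS entry deliberately omits `alg`, like the Azure AD B2C keys discussed above.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


SUPPORTED = {"HS256": hashlib.sha256}

# Constructed JWKS: as with the Azure AD B2C keys in the thread, the entry carries
# no "alg" member. The secret is a made-up demo value.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1",
                  "k": _b64url_encode(b"constructed-demo-secret")}]}
KEY = JWKS["keys"][0]


class Policy:
    """Pins the algorithm when the policy is built, the equivalent of
    RequireSignature(key, SignatureAlgorithm.RsaSha256) in the thread."""

    def __init__(self, jwks: dict, algorithm: str):
        if algorithm not in SUPPORTED:
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        self.jwks, self.algorithm = jwks, algorithm


def validate(token: str, policy: Policy):
    """Return (ok, reason). The verifier comes from the policy only: the header
    'alg' is compared against it, never used to select it, and the key's optional
    'alg' member is never read, so a key without one cannot lead to the
    'alg ends up null' path described in the issue."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64url, bad JSON/UTF-8
        return False, "malformed token"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != policy.algorithm:
        return False, f"alg mismatch: header={alg!r} policy={policy.algorithm!r}"
    key = next((k for k in policy.jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(_b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(),
                        SUPPORTED[policy.algorithm]).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "invalid signature"
    return True, "ok"


def sign(payload: dict, key: dict, algorithm: str = "HS256") -> str:
    """Issue a token with the given key; only used here to build test input."""
    header = {"alg": algorithm, "typ": "JWT", "kid": key["kid"]}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(_b64url_decode(key["k"]), f"{h}.{p}".encode(), SUPPORTED[algorithm]).digest()
    return f"{h}.{p}.{_b64url_encode(mac)}"
```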