
[Bug] Issuer is validated despite setting 'ValidateIssuer' to false #797

Closed
1 of 8 tasks
dkrasnove opened this issue Dec 2, 2020 · 7 comments
Assignees
Labels
bug Something isn't working fixed P1
Milestone

Comments

@dkrasnove

dkrasnove commented Dec 2, 2020

Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 1.3.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

Startup.cs

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            jwtOpt.TokenValidationParameters.ValidateIssuer = false;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));

appsettings.json

"AzureAdB2C": {
  "Instance": "https://mytenant.b2clogin.com",
  "ClientId": "ccb2a9f5-3b90-4f01-b4de-619daa1b9e49",
  "ClientSecret": "*****",
  "Domain": "mytenant.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1A_Signup_Signin"
}

JWT

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "0kcuEIFYUmeulxXnEdH43prYHw3HVshbaNlXyRpgQb4"
}.{
  "iss": "https://mytenant.b2clogin.com/97d559f9-30de-42c5-b79a-1645d748e84d/v2.0/",
  "exp": 1606881975,
  "nbf": 1606874775,
  "aud": "3ff65921-74c1-4ec6-8c37-f012ca63811e",
  "tid": "fe2738ba-6955-4bcd-ba5d-a1fef14fc86a",
  "email": "johndoe@example.com",
  "given_name": "John",
  "family_name": "Doe",
  "name": "John Doe",
  "idp": "myIdP",
  "sub": "67d4fe2f-f68b-4580-ad78-5c0640f4cf30",
  "emails": [
    "johndoe@example.com"
  ],
  "scp": "user_impersonation",
  "azp": "48ff8d08-0206-4f8a-9c90-084e6eae7d36",
  "ver": "1.0",
  "iat": 1606874775
}.[Signature]

Expected behavior
Since JwtBearerOptions.TokenValidationParameters.ValidateIssuer is set to false, I would expect the issuer not to be validated.

Actual behavior
The issuer is validated anyway. This is a problem because it fails validation with the default AadIssuerValidator.

Possible solution
Workaround (Register a dummy [or custom] IssuerValidator):
Startup.cs

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            // Dummy IssuerValidator: returns the issuer unchanged, so every issuer is accepted
            // (parameters are issuer, SecurityToken, TokenValidationParameters).
            jwtOpt.TokenValidationParameters.IssuerValidator = (a, b, c) => a;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));

Possible Solution:
microsoft-identityweb/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs, line 193

// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.ValidateIssuer && // <--- Add This
    options.TokenValidationParameters.IssuerValidator == null)
{
    // Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
    // we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
    MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory =
        serviceProvider.GetRequiredService<MicrosoftIdentityIssuerValidatorFactory>();

    options.TokenValidationParameters.IssuerValidator =
        microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
}
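As an added example (not code from the issue or from Microsoft.Identity.Web), an alternative to the dummy `(a, b, c) => a` workaround: a pinned-issuer validator that accepts only the tenant issuer seen in the `iss` claim above and rejects everything else, registered so the library leaves it in place. The allow-list value is copied from the sample JWT and `Register` is a hypothetical helper; the `IssuerValidator` delegate shape, `SecurityTokenInvalidIssuerException` and the `AddMicrosoftIdentityWebApi` overload are the library's real ones.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class PinnedIssuerValidation
{
    // Constructed allow-list: the B2C issuer has the form
    // https://{Instance host}/{tenant id}/v2.0/ (the "iss" claim of the sample JWT).
    private static readonly HashSet<string> AllowedIssuers = new(StringComparer.Ordinal)
    {
        "https://mytenant.b2clogin.com/97d559f9-30de-42c5-b79a-1645d748e84d/v2.0/",
    };

    // Same shape as the Microsoft.IdentityModel.Tokens.IssuerValidator delegate.
    public static string ValidateIssuer(
        string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
    {
        // Returning the issuer tells the JWT handler that validation succeeded.
        if (!string.IsNullOrEmpty(issuer) && AllowedIssuers.Contains(issuer))
        {
            return issuer;
        }
        // This rejection is exactly what the "(a, b, c) => a" workaround gives up.
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not in the configured allow-list.")
        {
            InvalidIssuer = issuer,
        };
    }

    // Hypothetical registration helper; call it from Startup.ConfigureServices.
    public static void Register(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(
                jwtOpt =>
                {
                    configuration.Bind("AzureAdB2C", jwtOpt);
                    // The library only injects AadIssuerValidator when IssuerValidator is
                    // null, so this validator stays in place and runs on every token.
                    jwtOpt.TokenValidationParameters.IssuerValidator = ValidateIssuer;
                },
                msIdOpt => configuration.Bind("AzureAdB2C", msIdOpt));
    }
}
```

With the fix proposed in this thread, `ValidateIssuer = false` and no validator means the issuer is not checked at all, so an allow-list like this is the safer way to get past the default AadIssuerValidator.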
@dkrasnove
Author

Possibly related to #168

@jmprieur jmprieur added investigate bug Something isn't working and removed investigate labels Dec 2, 2020
@jmprieur
Collaborator

jmprieur commented Dec 2, 2020

Thanks @dkrasnove for this heads-up and your suggestion.

@jennyf19
Collaborator

jennyf19 commented Dec 2, 2020

Thanks @dkrasnove. I have a linked PR above w/your suggestion. I think this will go in our 1.4 release next week.

@jennyf19 jennyf19 added this to the 1.4.0 milestone Dec 2, 2020
@jennyf19 jennyf19 self-assigned this Dec 2, 2020
@dkrasnove
Author

dkrasnove commented Dec 2, 2020

Thanks. Also FYI, this same bug exists in MicrosoftIdentityWebAppAuthenticationBuilderExtensions. There is also probably an issue with audience validation when ValidateAudience is set to false for identical reasons in the web API handler.

That's all I've noticed for now!

@jennyf19
Collaborator

jennyf19 commented Dec 2, 2020

@dkrasnove yes, good point. have added it as well. thanks again.

@jennyf19 jennyf19 added fixed and removed In progress labels Dec 3, 2020
@jmprieur jmprieur added the P1 label Dec 8, 2020
@jennyf19
Collaborator

jennyf19 commented Dec 9, 2020

Included in 1.4 Release.

@jennyf19 jennyf19 closed this as completed Dec 9, 2020
@andreslon

error is happening again on 1.16.0 version :(
it's solved using the "Possible solution" written at the beginning of this thread

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) => jwtOpt.TokenValidationParameters.ValidateIssuer = false,
        (msIdOpt) => builder.Configuration.Bind("AzureAd", msIdOpt));
