
Broken JWT Authorization in .NET


Prevention

ASP.NET Core natively provides JWT bearer authentication through the Microsoft.AspNetCore.Authentication.JwtBearer middleware package.

JWT bearer authentication can be enabled either with the UseJwtBearerAuthentication extension method in the app's Startup.Configure method (the older ASP.NET Core API) or, in current versions, by registering the scheme with services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) and configuring the handler with AddJwtBearer().

The TokenValidationParameters authentication options describe how incoming JWTs are validated. The class supports a large number of parameters, some of which are shown in the snippet below:

// key: the byte[] secret shared with the token issuer, loaded from configuration (never hard-coded)
var tokenValidationParameters = new TokenValidationParameters
{
    RequireSignedTokens = true,
    IssuerSigningKey = new SymmetricSecurityKey(key),
    ValidateLifetime = true
};

  • RequireSignedTokens indicates whether a SecurityToken can be considered valid when it is not signed. Set it to true so that unsigned tokens are rejected; this is the basic validation every JWT consumer needs.
  • IssuerSigningKey is the key used to validate the signature of incoming JWTs. By specifying the key here, the token can be validated locally without assistance from the issuing server.
  • ValidateLifetime enforces validation of the token's lifetime (its expiry and not-before claims); it is true by default.

If a symmetric key is used as IssuerSigningKey, it is vital that it is a strong secret with sufficient entropy: a weak or guessable key can be recovered by an attacker, who can then forge tokens that pass validation.

Other parameters can be used to enforce stricter validation if required:

  • ValidateIssuer enforces issuer validation; it requires the accepted issuer(s) to be specified via ValidIssuer or ValidIssuers.
  • ValidateAudience checks that the aud claim inside the JWT matches the expected audience, specified via ValidAudience or ValidAudiences.
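As an added example (not code from the page or from SecureFlag), the following builds a hardened TokenValidationParameters that combines the parameters described above and exercises it against a properly signed token, an unsigned token and a token from a different issuer. The issuer and audience strings and the generated key are assumed demo values; it requires the System.IdentityModel.Tokens.Jwt package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtValidation
{
    public static TokenValidationParameters Build(SecurityKey key) => new TokenValidationParameters
    {
        RequireSignedTokens = true,           // reject unsigned ("alg": "none") tokens
        RequireExpirationTime = true,         // a token without exp is rejected
        IssuerSigningKey = key,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes; keep it tight
        ValidateIssuer = true,
        ValidIssuer = "https://issuer.example",   // assumed demo issuer
        ValidateAudience = true,
        ValidAudience = "api.example",            // assumed demo audience
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // pin the accepted algorithm
    };

    // Returns the validated principal, or null after logging which check failed.
    public static ClaimsPrincipal? Validate(string token, TokenValidationParameters p)
    {
        try { return new JwtSecurityTokenHandler().ValidateToken(token, p, out _); }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            Console.WriteLine($"rejected: {ex.GetType().Name}");
            return null;
        }
    }

    public static void Main()
    {
        // 256-bit key generated for this demo only; production code loads it from a secrets store.
        var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
        var p = Build(key);
        var h = new JwtSecurityTokenHandler();
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") });
        DateTime now = DateTime.UtcNow, exp = now.AddMinutes(5);
        string good = h.WriteToken(h.CreateJwtSecurityToken("https://issuer.example", "api.example", subject, now, exp, now, creds));
        string unsigned = h.WriteToken(h.CreateJwtSecurityToken("https://issuer.example", "api.example", subject, now, exp, now, null));
        string wrongIss = h.WriteToken(h.CreateJwtSecurityToken("https://other.example", "api.example", subject, now, exp, now, creds));
        Console.WriteLine($"signed, correct issuer accepted: {Validate(good, p) != null}");
        Console.WriteLine($"unsigned token accepted:         {Validate(unsigned, p) != null}");
        Console.WriteLine($"wrong-issuer token accepted:     {Validate(wrongIss, p) != null}");
    }
}
```

Only the first token should be accepted; the logged exception type names which validation step rejected the other two.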
