ValidateIssuer option in OpenID connect authentication

We are using the OIDC library and for now we allow only MSA account login. So we have configured the parameters ValidateIssuer = true and ValidIssuers = "https://login.microsoftonline.com/..". However, we now need to onboard other AAD tenants (for example: [email protected]) to our application, so we decided to set ValidateIssuer = false.

Since my application is already backed up by custom authorization, I am finding it difficult to understand the purpose of this flag altogether. Basically my question is: under what circumstances would one not want to set this flag to false? And what risk might one run into if it is set to false?

I looked at the AAD docs published here and am still not able to find a convincing answer in the comments over the sample code snippet:

        // ValidateIssuer set to false to allow work accounts from any organization to sign in to your application
        // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name or Id (example: contoso.onmicrosoft.com)
        // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
        TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = false
        },
rahulaga_dev asked Mar 04 '23 03:03


1 Answer

As the other answer already mentioned, if you leave ValidateIssuer = false, then OIDC middleware will not try to validate the issuer tenant and it would effectively mean that your application is open for anyone with a user in Azure AD.

Some suggestions on tackling the multi-tenant case:

  1. If you know the list of valid issuers ahead of time, make use of a list of issuers in TokenValidationParameters.ValidIssuers. Example:

        ValidIssuers = new List<string>()
        {
            "https://sts.windows.net/6d9c0c36-c30e-442b-b60a-ca22d8994d14/",
            "https://sts.windows.net/f69b5f46-9a0d-4a5c-9e25-54e42bbbd4c3/",
            "https://sts.windows.net/fb674642-8965-493d-beee-2703caa74f9a/"
        }

  2. If valid issuers for your application are dynamic or if you want to write some logic to gather that list, you can write an implementation for TokenValidationParameters.IssuerValidator which has your custom logic. You just need to set a delegate that will be used to validate the issuer.

        TokenValidationParameters validationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,

            // Set this to a delegate and write your own custom implementation there. See code sample URL ahead for more details.
            IssuerValidator = AadIssuerValidator.ValidateAadIssuer
        };

  3. If neither case makes sense, and your validation logic is unrelated to the tenant to which the caller belongs, set TokenValidationParameters.ValidateIssuer to false, but make sure you add your custom logic at the end, for example in the SecurityTokenValidated notification.

Sample Code

Build a multi-tenant SaaS web application using Azure AD & OpenID Connect

Look closely at these files in this sample:

  • App_Start/Startup.Auth.cs
  • Utils/AadIssuerValidator.cs
Rohit Saigal answered Mar 16 '23 02:03
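Item 2 of the answer sets IssuerValidator to a delegate. The following is an added example of what such a delegate can look like; it is my own illustration, not the AadIssuerValidator class from the linked sample. It assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages, and the tenant IDs in the allow-list are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Hypothetical issuer validator (added example, not from the linked sample).
public static class TenantAllowListIssuerValidator
{
    // Tenants that have been onboarded. Placeholder values; in a real app
    // load this list from configuration or a database.
    private static readonly HashSet<Guid> AllowedTenants = new HashSet<Guid>
    {
        Guid.Parse("00000000-0000-0000-0000-000000000001"), // placeholder tenant A
        Guid.Parse("00000000-0000-0000-0000-000000000002")  // placeholder tenant B
    };

    // Matches the IssuerValidator delegate shape: return the issuer when it is
    // acceptable, otherwise throw so the middleware rejects the token.
    public static string Validate(string issuer, SecurityToken securityToken,
                                  TokenValidationParameters validationParameters)
    {
        if (string.IsNullOrEmpty(issuer))
            throw new SecurityTokenInvalidIssuerException("Token has no issuer.");

        // The tenant the token claims to come from is carried in the 'tid' claim.
        var jwt = securityToken as JwtSecurityToken;
        string tid = jwt?.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (!Guid.TryParse(tid, out Guid tenantId))
            throw new SecurityTokenInvalidIssuerException("Token has no usable 'tid' claim.");

        // The 'iss' value must be one of the AAD issuer formats for that same
        // tenant, so 'iss' and 'tid' cannot name different tenants.
        var expected = new[]
        {
            $"https://sts.windows.net/{tenantId}/",
            $"https://login.microsoftonline.com/{tenantId}/v2.0"
        };
        if (!expected.Contains(issuer, StringComparer.OrdinalIgnoreCase))
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not match tenant '{tenantId}'.");

        // Finally, only tenants on the allow-list may sign in.
        if (!AllowedTenants.Contains(tenantId))
            throw new SecurityTokenInvalidIssuerException($"Tenant '{tenantId}' is not onboarded.");

        return issuer;
    }
}

// Wiring, as in item 2 of the answer:
//   ValidateIssuer = true,
//   IssuerValidator = TenantAllowListIssuerValidator.Validate
```

Keeping ValidateIssuer = true with this delegate means the middleware still refuses any token whose tenant is not on the list, which is the check that is lost when the flag is simply set to false.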