What bearerOption.SaveToken property used for in the configuration of JwtAuthentication in aspnet core 2 ?
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(bearer =>
{
bearer.TokenValidationParameters.IssuerSigningKey = signingKey as SecurityKey;
bearer.TokenValidationParameters.ValidIssuer = Configuration["Jwt:Issuer"];
bearer.TokenValidationParameters.ValidAudience = Configuration["Jwt:Audience"];
bearer.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
bearer.TokenValidationParameters.ValidateLifetime = true;
bearer.TokenValidationParameters.ValidateAudience = true;
bearer.TokenValidationParameters.ValidateIssuer = true;
bearer.TokenValidationParameters.ValidateIssuerSigningKey = true;
bearer.TokenValidationParameters.RequireExpirationTime = true;
bearer.TokenValidationParameters.RequireSignedTokens = true;
// ******
bearer.SaveToken = true;
// ******
});
bearer.SaveToken is used to indicate whether the server must save the token server side to validate them. So even when a user has a properly signed and encrypted token, it'll not pass token validation if it is not generated by the server. This is a security reinforcement so even when the signing key is compromised, your application is not.
Downside:
It is a property that defines whether the bearer token should be stored in the AuthenticationProperties after a successful authorization.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With