When is JWTSecurityTokenHandler.ValidateToken() actually valid?

Question

I am attempting to create a token validation method that returns true if a JWT token is valid based on the signature. I don't think I really need to validate everything in the token but what actually signifies a token is valid after calling ValidateToken()? The existence of a principle? The out referenced token contains certain values? Not sure when to return true from this method.

public bool ValidateToken(string tokenString) {     var validationParameters = new TokenValidationParameters()     {         ValidIssuer = "My Company",         ValidAudience = ApplicationId,         IssuerSigningKey = JsonWebTokenSecretKey     };      SecurityToken token = new JwtSecurityToken();     var tokenHandler = new JwtSecurityTokenHandler();     var principal = tokenHandler.ValidateToken(tokenString, validationParameters, out token);      return principal != null; } 

Answer 1

I check all of the claims values manually. I've been searching for a definitive answer to your same question but the only thing I have seen is that the ValidateToken function will throw an Exception if something is wrong, so I begin by wrapping the call in a try-catch and return false from the catch.

That's just my "first-pass" at validating the token, though. Afterwards I do a little more heavy lifting to check certain values manually. For example, I make sure that the unique_name value in the claims section actually exists as a user in my database, that the user has not been deactivated, and other proprietary system stuff like that.

    public static bool VerifyToken(string token)     {         var validationParameters = new TokenValidationParameters()         {             IssuerSigningToken = new BinarySecretSecurityToken(_key),             ValidAudience = _audience,             ValidIssuer = _issuer,             ValidateLifetime = true,             ValidateAudience = true,             ValidateIssuer = true,             ValidateIssuerSigningKey = true         };          var tokenHandler = new JwtSecurityTokenHandler();         SecurityToken validatedToken = null;         try         {             tokenHandler.ValidateToken(token, validationParameters, out validatedToken);         }         catch(SecurityTokenException)         {             return false;          }         catch(Exception e)         {              log(e.ToString()); //something else happened             throw;         }         //... manual validations return false if anything untoward is discovered         return validatedToken != null;     } 

The last line, return validatedToken != null, is purely superstition on my part. I've never seen the validatedToken be null.