Menu
I am using AspNet Core to build a web api and JWT tokens to authenticate users.
Where can I specify in TokenValidationParameters that the alg in token should match HS256 (and never none)?
services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(cfg =>
{
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
string jwtIssuer = configuration["JwtIssuer"];
SymmetricSecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtKey"]));
cfg.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = jwtIssuer,
ValidAudience = jwtIssuer,
ValidateIssuerSigningKey = true,
IssuerSigningKey = securityKey,
ClockSkew = TimeSpan.Zero
};
});
And does the library, by default, reject incoming tokens with alg set to none?
340
According to the comment by default middleware doesn't allow "alg": "none". Seems that is due to the exploit mentioned in the question.
Regarding rejecting: I've tried to pass the token with with "alg": "none" and got invalid_token in the response (Microsoft.AspNetCore.Authentication.JwtBearer 2.1.0).
By the way, specification requires implementation of HS256 and "none" algorithms.
161
answered Jan 01 '26 20:01
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
