JSON Web Token Handler - validating token's signature without issuer

  • Question

  • I am using the following NuGet package to validate JSON Web Tokens.

    Id: System.IdentityModel.Tokens.Jwt
    Version: 4.0.2.202250711

    Tokens are signed by applying HS256. 

    However, using JwtSecurityTokenHandler's ValidateToken method, the token can only be validated if it contains an issuer claim ('iss') even if ValidateIssuer = false in the TokenValidationParameters.

    The following ArgumentException is thrown:

    Additional information: IDX10221: Unable to create claims from securityToken, 'issuer' is null or empty.

    According to the RFC issuer is not required for validating tokens, so this behavior is strange. 

    As a workaround, I can create a custom subclass and override the ValidateSignature method so that it adds iss claim to the token if issuer is not present, but I believe it shall not be considered as an acceptable solution. 

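        using System;
        using System.IdentityModel.Tokens;
        using System.Security.Claims;

        class CustomJwtSecurityTokenHandler : JwtSecurityTokenHandler
        {
            // Runs the normal signature check, then injects a placeholder issuer
            // into the in-memory token when the signed payload carries none.
            protected override JwtSecurityToken ValidateSignature(string token,
                TokenValidationParameters validationParameters)
            {
                var jwt = base.ValidateSignature(token, validationParameters);
                if (String.IsNullOrEmpty(jwt.Issuer))
                {
                    jwt.Payload.AddClaim(new Claim("iss", "default")); // this is a hack
                }
                return jwt;
            }
        }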

    Can you confirm this is a bug?


    Example JWT:  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.rYCxfe5xe8m2H6SjCIj7axcoPm0Z5LYJXyjmt7qyLXM"

    that corresponds to

    {
      "alg": "HS256",
      "typ": "JWT"
    }.{
      "sub": "1234567890",
      "name": "John Doe",    
      "admin": true
    }.

    HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload),
    qwertyuiop123456)

    secret: qwertyuiop123456


    Here is a sample program to reproduce the issue:

    using System.IdentityModel.Tokens;
    using System.ServiceModel.Security.Tokens;
    using System.Text;
    
    namespace JWT
    {
        internal class Program
        {
    
            private static void Main(string[] args)
            {
                var jwtIssuer = "MyIssuer";
                var jwtAudience = "no_audience";
    
                var validationParams = new TokenValidationParameters()
                {
                    ValidateLifetime = false,
                    ValidAudience = jwtAudience,
                    ValidIssuer = jwtIssuer,
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    IssuerSigningToken = new BinarySecretSecurityToken(Encoding.ASCII.GetBytes("qwertyuiop123456"))
                };
    
                var jwtOnTheWire =
                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.rYCxfe5xe8m2H6SjCIj7axcoPm0Z5LYJXyjmt7qyLXM";
    
                SecurityToken validatedToken;
    
                var handler = new JwtSecurityTokenHandler();
                handler.ValidateToken(jwtOnTheWire, validationParams, out validatedToken);
    
            }
        }
    }


    Monday, May 11, 2015 11:50 AM
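
The question rests on the point that the HS256 signature check (RFC 7515) and the `iss` claim check (RFC 7519, where `iss` is optional) are separate steps. The following is an added example, not code from the thread or from System.IdentityModel.Tokens.Jwt, that performs the two steps independently on the token and secret posted above; it assumes .NET 6 or later, and `Hs256Demo`, `Check` and `requiredIssuer` are hypothetical names.

```csharp
#nullable enable
// Added example: HS256 signature check kept separate from the optional "iss" check.
// Hs256Demo, Check and requiredIssuer are hypothetical names; assumes .NET 6+.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class Hs256Demo
{
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // requiredIssuer == null means the caller does not validate "iss" at all.
    static string Check(string jwt, byte[] key, string? requiredIssuer)
    {
        string[] p = jwt.Split('.');
        if (p.Length != 3) return "rejected: not a three-part compact JWS";

        using JsonDocument header = JsonDocument.Parse(FromBase64Url(p[0]));
        // Pin the algorithm on the verifier side instead of trusting the header.
        if (!header.RootElement.TryGetProperty("alg", out JsonElement alg) ||
            alg.GetString() != "HS256")
            return "rejected: alg is not HS256";
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(p[0] + "." + p[1]));
        // Constant-time comparison of the computed and presented MACs.
        if (!CryptographicOperations.FixedTimeEquals(expected, FromBase64Url(p[2])))
            return "rejected: signature mismatch";
        if (requiredIssuer == null) return "accepted: signature valid, iss not checked";
        using JsonDocument payload = JsonDocument.Parse(FromBase64Url(p[1]));
        bool hasIss = payload.RootElement.TryGetProperty("iss", out JsonElement iss)
                      && iss.ValueKind == JsonValueKind.String;
        return hasIss && iss.GetString() == requiredIssuer
            ? "accepted: signature and iss valid"
            : "rejected: iss missing or not the required issuer";
    }

    static void Main()
    {
        // Token and secret as posted in the question above.
        string jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.rYCxfe5xe8m2H6SjCIj7axcoPm0Z5LYJXyjmt7qyLXM";
        byte[] key = Encoding.ASCII.GetBytes("qwertyuiop123456");
        Console.WriteLine(Check(jwt, key, null));       // issuer validation off
        Console.WriteLine(Check(jwt, key, "MyIssuer")); // issuer validation on
    }
}
```

Unlike the subclass workaround, this never writes a claim into the token: a missing `iss` is either ignored or treated as a failure, depending on what the caller asked for.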

Answers

  • Hello attila s,

    With your provided code, I reproduce this issue as you mention. Since this library seems to be an extension library, I suggest you contact the owner of this library and post this feedback to them. Or you could post this issue to: https://connect.microsoft.com/VisualStudio/feedback/LoadSubmitFeedbackForm

    Regards.



    Tuesday, May 12, 2015 4:27 AM
    Moderator

All replies

  • I am having the same problem, with version 4.0.2.206211351 of the package. The link for posting the issue to Visual Studio didn't lead me to anywhere that I could see a response. Was there a response somewhere on any other ways of getting around the issue?
    Tuesday, August 18, 2015 8:10 PM