Where can I specify in TokenValidationParameters that the algorithm in JWT token should match HS256?

3
votes

I am using AspNet Core to build a web api and JWT tokens to authenticate users.

Where can I specify in TokenValidationParameters that the alg in token should match HS256 (and never none)?

    services
        .AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(cfg =>
        {
            cfg.RequireHttpsMetadata = false;
            cfg.SaveToken = true;
            string jwtIssuer = configuration["JwtIssuer"];
            SymmetricSecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtKey"]));
            cfg.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = jwtIssuer,
                ValidAudience = jwtIssuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = securityKey,
                ClockSkew = TimeSpan.Zero
            };
        });

And does the library, by default, reject incoming tokens with alg set to none?

1
securityasp.net-core.net-corejwt
any luck with this?Kashif Hanif

1 Answers

1
votes

According to the comment by default middleware doesn't allow "alg": "none". Seems that is due to the exploit mentioned in the question.

Regarding rejecting: I've tried to pass the token with with "alg": "none" and got invalid_token in the response (Microsoft.AspNetCore.Authentication.JwtBearer 2.1.0).

By the way, specification requires implementation of HS256 and "none" algorithms.