JwtBearerOptions.Audience does not get populated from appsettings.json #59790

Open
1 task done
MHHenriksen opened this issue Jan 9, 2025 · 2 comments
area-security enhancement This issue represents an ask for new feature or an enhancement to an existing one

@MHHenriksen

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I'm trying to simplify our auth config code as per minimal API examples, and stumbled upon this quirk: The framework doesn't automatically populate JwtBearerOptions.Audience from appsettings.json like most of the other properties.

I'm not 100% sure if this is by design, because there are also other properties of JwtBearerOptions (for example AutomaticRefreshInterval) that are not populated automatically from appsettings.json by JwtBearerConfigureOptions.cs or JwtBearerPostConfigureOptions.cs, but it certainly was surprising behaviour to me. Then again, according to a search all this property is used for is to set TokenValidationParameters.ValidAudience, so it's not exactly a showstopper.

But it does lead to the weird situation that you can't get away with only using configuration keys belonging to the same type, i.e. only Authority+Audience from JwtBearerOptions due to the above issue, or only ValidIssuer+ValidAudience from TokenValidationParameters because JwtBearerOptions.MetadataAddress won't be populated automatically in this case. The only combination that works without extra or redundant config is JwtBearerOptions.Authority+TokenValidationParameters.ValidAudience (which is confusing enough to autistic individuals like myself to write an issue for it :P).

Expected Behavior

JwtBearerOptions.Audience (and indeed all basic properties of JwtBearerOptions) should be possible to set from simplified authentication configuration as per https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/security?view=aspnetcore-9.0#configuring-authentication-strategy

Steps To Reproduce

    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Options;
    using NUnit.Framework;

    var builder = WebApplication.CreateBuilder();
    // Stand-in for appsettings.json: the "Authentication:Schemes:Bearer" section
    // that the framework binds into JwtBearerOptions.
    builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
    {
        ["Authentication:DefaultScheme"] = "Bearer",
        ["Authentication:Schemes:Bearer:Authority"] = "https://example.com",
        ["Authentication:Schemes:Bearer:Audience"] = "example-audience",
    });

    builder.Services.AddAuthentication().AddJwtBearer();
    var serviceProvider = builder.Services.BuildServiceProvider();

    // Resolve the named options so Configure/PostConfigure for the Bearer scheme run.
    var jwtBearerOptions = serviceProvider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
    Assert.That(jwtBearerOptions.Authority, Is.EqualTo("https://example.com"));
    Assert.That(jwtBearerOptions.Audience, Is.EqualTo("example-audience")); // Fails
    Assert.That(jwtBearerOptions.MetadataAddress, Is.EqualTo("https://example.com/.well-known/openid-configuration"));
    Assert.IsTrue(jwtBearerOptions.TokenValidationParameters.ValidateIssuer);
    Assert.IsTrue(jwtBearerOptions.TokenValidationParameters.ValidateAudience);

Exceptions (if any)

No response

.NET Version

8.0 (but also all other versions as far as I can tell from code)

Anything else?

No response

@halter73
Member

halter73 commented Jan 13, 2025

Does setting a ValidAudience or ValidAudiences array as demonstrated in https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/security?view=aspnetcore-9.0#configuring-authentication-strategy work for you? It sets TokenValidationParameters.ValidAudience or TokenValidationParameters.ValidAudiences respectively rather than Audience, but it should have the same impact on token validation inside of the JwtBearerHandler. We read these values from configuration here?

Even if that does work, I think we should consider reading Audience from config too since this is supported by Microsoft.Identity.Web and a top-level Authority property works. We should consider doing the same for OpenIdConnectOptions.

@MHHenriksen
Author

MHHenriksen commented Jan 14, 2025

Yes, that works, but I ended up setting JwtBearerOptions.Audience in code from a separate custom config section, just to be safe and explicit about what our app expects and supports. I was just very annoyed by the asymmetry of which properties get populated automatically :P
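The workaround described in this reply, written out as an added example that is not code from the issue or from the ASP.NET Core repository. It assumes a hypothetical custom configuration section "Auth:ExpectedAudience", and relies on the behaviour the thread describes: the framework's own post-configure step copies JwtBearerOptions.Audience into TokenValidationParameters.ValidAudience. A startup guard is added so that an audience that silently fails to bind is caught before the first request rather than showing up as rejected tokens in production.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Constructed stand-in for appsettings.json. "Authentication:Schemes:Bearer" is the
// section the framework binds; "Auth:ExpectedAudience" is a hypothetical custom section.
builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
{
    ["Authentication:DefaultScheme"] = "Bearer",
    ["Authentication:Schemes:Bearer:Authority"] = "https://example.com",
    ["Auth:ExpectedAudience"] = "example-audience",
});

builder.Services.AddAuthentication().AddJwtBearer();

// Workaround from the thread: copy the audience from the custom section into
// JwtBearerOptions.Audience. Configure callbacks run before the framework's post-configure
// step, which turns Audience into TokenValidationParameters.ValidAudience when that is unset.
builder.Services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
    .Configure<IConfiguration>((options, config) =>
        options.Audience = config["Auth:ExpectedAudience"]);

// Fail-fast guard: audience validation is on, but no audience reached the options by any route.
builder.Services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    var tvp = options.TokenValidationParameters;
    var hasAudience = !string.IsNullOrEmpty(options.Audience)
        || !string.IsNullOrEmpty(tvp.ValidAudience)
        || (tvp.ValidAudiences?.Any() ?? false);
    if (tvp.ValidateAudience && !hasAudience)
    {
        throw new InvalidOperationException(
            "Bearer scheme validates audience but no audience is configured.");
    }
});

var app = builder.Build();

// Resolve the named options once at startup so the guard runs before the first request.
_ = app.Services.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>()
    .Get(JwtBearerDefaults.AuthenticationScheme);

app.Run();
```

Removing the "Auth:ExpectedAudience" key makes the app throw at startup instead of starting with an unvalidatable audience.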

@MackinnonBuck MackinnonBuck added the enhancement This issue represents an ask for new feature or an enhancement to an existing one label Jan 16, 2025
@MackinnonBuck MackinnonBuck added this to the Backlog milestone Jan 16, 2025