JwtBearerOptions.Audience does not get populated from appsettings.json #59790
Labels: area-security, enhancement
Is there an existing issue for this?
Describe the bug
I'm trying to simplify our auth config code as per minimal API examples, and stumbled upon this quirk: The framework doesn't automatically populate JwtBearerOptions.Audience from appsettings.json like most of the other properties.
I'm not 100% sure if this is by design, because there are also other properties of JwtBearerOptions (for example AutomaticRefreshInterval) that are not populated automatically from appsettings.json by JwtBearerConfigureOptions.cs or JwtBearerPostConfigureOptions.cs, but it certainly was surprising behaviour to me. Then again, according to a search all this property is used for is to set TokenValidationParameters.ValidAudience, so it's not exactly a showstopper.
But it does lead to the weird situation that you can't get away with only using configuration keys belonging to the same type, i.e. only Authority+Audience from JwtBearerOptions due to the above issue, or only ValidIssuer+ValidAudience from TokenValidationParameters because JwtBearerOptions.MetadataAddress won't be populated automatically in this case. The only combination that works without extra or redundant config is JwtBearerOptions.Authority+TokenValidationParameters.ValidAudience (which is confusing enough to autistic individuals like myself to write an issue for it :P).
Expected Behavior
JwtBearerOptions.Audience (and indeed all basic properties of JwtBearerOptions) should be possible to set from simplified authentication configuration as per https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/security?view=aspnetcore-9.0#configuring-authentication-strategy
Steps To Reproduce
Exceptions (if any)
No response
.NET Version
8.0 (but also all other versions as far as I can tell from code)
Anything else?
No response
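One way to work around the behaviour reported above is to copy `Audience` from the scheme's configuration section by hand. This is an added example, not code from the issue author or the ASP.NET Core project. The appsettings.json values are constructed placeholders, and the section path assumes the default `Bearer` scheme from the simplified configuration the issue links to.

```csharp
// Program.cs: added example, ASP.NET Core 8 minimal API with the
// Microsoft.AspNetCore.Authentication.JwtBearer package referenced.
//
// Constructed appsettings.json (placeholder values):
// {
//   "Authentication": {
//     "Schemes": {
//       "Bearer": {
//         "Authority": "https://login.example.test/",
//         "Audience": "api://example-api"
//       }
//     }
//   }
// }
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Section the simplified configuration uses for the default "Bearer" scheme.
var bearer = builder.Configuration.GetSection(
    $"Authentication:Schemes:{JwtBearerDefaults.AuthenticationScheme}");

var audience = bearer[nameof(JwtBearerOptions.Audience)];
var hasValidAudience =
    !string.IsNullOrWhiteSpace(bearer["ValidAudience"]) ||
    bearer.GetSection("ValidAudiences").GetChildren().Any();

// Stop at startup when no audience is configured under any of the three keys,
// so a misplaced key is a startup error instead of surfacing later at request time.
if (string.IsNullOrWhiteSpace(audience) && !hasValidAudience)
{
    throw new InvalidOperationException(
        $"No audience configured under '{bearer.Path}'.");
}

builder.Services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        // Audience is not bound from configuration (the behaviour reported
        // in this issue), so copy it by hand when it is present.
        if (!string.IsNullOrWhiteSpace(audience))
        {
            options.Audience = audience;
        }
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.MapGet("/", () => "ok").RequireAuthorization();
app.Run();
```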