When setting up JWT Bearer token validation, I came across a behavior that I could not find documented anywhere.

Environment:

.NET Core 3 Web API

Expected Behavior:

Only issuers listed as ValidIssuers are allowed to access the API.

Example usage

services
    .AddAuthentication()
    .AddJwtBearer(options =>
    {
        options.Audience = /* clientID */;
        options.Authority = /* authority */;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuers = new[] { /* list of valid issuers */ },
            ValidateIssuer = true,
            ValidAudiences = new[] { /* list of valid audiences */},
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };
    });

Relevant docs:

https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters.validissuers?view=azure-dotnet

Observed Behavior:

An additional validator is included in the ValidIssuers list in the JWTBearerHandler implementation. Thus, the list of ValidIssuers that I provided is not the final list of ValidIssuers that is used for the comparison.

Relevant source code:

https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L95

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 2471c08b-befe-8e1a-df08-f13e116c231e
• Version Independent ID: 0d827d33-2906-6352-9398-13863def9354
• Content: Microsoft identity platform access tokens - Microsoft identity platform
• Content Source: articles/active-directory/develop/access-tokens.md
• Service: active-directory
• Sub-service: develop
• GitHub Login: @hpsin
• Microsoft Alias: hirsin