4

I'm fairly new to ASP.NET Core.

I'm using JWT to authenticate a web API.

In most JWT code in online tutorials, we can find the Issuer and Audience properties mentioned as shown below.

var tokenDescriptor = new SecurityTokenDescriptor
{
    Issuer = configuration["Jwt:Issuer"],
    Audience = configuration["Jwt:Audience"],
    ...
};

jwt.TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidateAudience = true,
    ...
};

Can anyone please explain what the use of both of these is? Is it to validate the JWT server and the JWT client?

And also, how do I validate these?

jps
ADev01

2 Answers

1

If you register the following service, the authentication middleware will then validate on your behalf.

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// In Startup.ConfigureServices (or on builder.Services in Program.cs):
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidIssuer = issuer,      // your issuer, e.g. configuration["Jwt:Issuer"]
            ValidAudience = audience   // your audience, e.g. configuration["Jwt:Audience"]
        };
    });

// The middleware only runs if it is in the pipeline:
// app.UseAuthentication(); app.UseAuthorization();
  • I have done that. If I'm not wrong, ValidateAudience means the request has to be from the same domain, isn't it? If that is the case, it's not working; even from other domains it's working – ADev01 Aug 29 '21 at 05:08
  • Let's suppose, while generating the token, I provided the audience value "https://MyClientApp.com". Now I have generated the token, copied it and tried to pass it from my other application, which has the URL "https://MyOtherApp.com". My understanding is that it should reject the token, because when the token was issued the audience was MyClientApp.com and now it is used by MyOtherApp.com. But if there are multiple audiences, how can we list them? – Sukhraj Mar 16 '23 at 15:53
0

Issuer and Audience are standard claim fields of a JWT:

  • Issuer: Identifies principal that issued the JWT.
  • Audience: Identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim when this claim is present, then the JWT must be rejected.

For more detailed information, you can check the Standard fields.

Then, for the ValidateIssuer and ValidateAudience properties: if you set the value to true, the issuer and audience will be validated during token validation.

Here are some related articles about using JWT authentication with Issuer and Audience that you can refer to:

JWT Authentication In ASP.NET Core

Authentication And Authorization In ASP.NET 5 With JWT And Swagger
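To make concrete what both answers above describe, here is an added example (my own code, not from either answer or from Microsoft's samples). It issues a token whose aud claim is "https://MyClientApp.com" and then validates it against three different TokenValidationParameters, the same object AddJwtBearer holds, using the System.IdentityModel.Tokens.Jwt package that the bearer middleware uses internally. The point it shows: ValidateAudience compares the aud claim inside the token with the ValidAudience/ValidAudiences values configured on the API. It never looks at the Host or Origin of the HTTP request, so a token copied into another client app is still accepted by any API whose configured audience matches the token, and is rejected by an API configured for a different audience. Several audiences are listed with ValidAudiences. The issuer, audiences and signing key are made up for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class AudienceDemo
{
    // Constructed secret for the example; HS256 needs at least a 128-bit key.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-signing-key-with-32-bytes!!"));

    const string TrustedIssuer = "https://auth.example.com"; // assumed issuer name

    // Mirrors the tokenDescriptor in the question: iss and aud are written into the payload.
    static string IssueToken(string issuer, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // The same parameters AddJwtBearer would be given; ValidAudiences is the multi-value form
    // of ValidAudience, for an API that serves more than one client application.
    static TokenValidationParameters Parameters(IEnumerable<string> audiences) =>
        new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = TrustedIssuer,
            ValidateAudience = true,
            ValidAudiences = audiences,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = Key,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
        };

    // Runs the validation the middleware would run on an incoming Authorization header.
    static string TryValidate(string token, IEnumerable<string> audiences)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, Parameters(audiences), out _);
            return "accepted";
        }
        catch (SecurityTokenInvalidAudienceException e) { return "rejected (audience): " + e.Message; }
        catch (SecurityTokenInvalidIssuerException e) { return "rejected (issuer): " + e.Message; }
    }

    static void Main()
    {
        string token = IssueToken(TrustedIssuer, "https://MyClientApp.com");

        // API configured for MyClientApp: accepted, whichever host sent the request.
        Console.WriteLine(TryValidate(token, new[] { "https://MyClientApp.com" }));

        // API configured only for MyOtherApp: rejected, the aud claim does not match.
        Console.WriteLine(TryValidate(token, new[] { "https://MyOtherApp.com" }));

        // API serving both apps lists both audiences: accepted.
        Console.WriteLine(TryValidate(token,
            new[] { "https://MyClientApp.com", "https://MyOtherApp.com" }));

        // Matching audience but a foreign issuer: rejected by ValidateIssuer.
        // (Signed with the same key here only to isolate the issuer check; a real
        // foreign issuer would also fail the signature check.)
        string foreign = IssueToken("https://evil.example.com", "https://MyClientApp.com");
        Console.WriteLine(TryValidate(foreign, new[] { "https://MyClientApp.com" }));
    }
}
```

Two checks worth keeping in mind when reading the output: with ValidateAudience = true and neither ValidAudience nor ValidAudiences set, every token is rejected rather than accepted, so an empty configuration value in appsettings fails closed; and the audience check only has value if the issuer puts a distinct aud in tokens for each API, since an issuer that stamps one shared audience on everything lets a token for one API be replayed against another.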

Zhi Lv