I am developing a web API with JWT-based authorization. The login endpoint returns the JWT token when the credentials are correct.
I have configured the following values:
ValidateIssuer = false,
ValidateAudience = false,
ValidateIssuerSigningKey = true
I want to understand how they work.
ValidateIssuer: Is this property value set automatically, or does it need to be set programmatically? How does the validation work? How does the code know which server is the current one, so that it can validate?
ValidateAudience: By audience I believe it means the users of the application. Since my users can come from different clients (browser, mobile app), how does this work?
CodePudding user response:
The default value for both flags is true; see the source code here.
What they do is:
ValidateIssuer validates that the iss claim inside the access token matches the issuer (authority) that the API trusts (i.e. your token service). It verifies that the issuer of the token is the one this API expects.
ValidateAudience validates that the aud claim inside the access token matches the audience parameter, meaning that the token received is meant for this API.
So, I recommend that you keep them true:
.AddJwtBearer(opt =>
{
    // Authority: the token service whose issuer and signing keys this API trusts
    opt.Authority = _configuration["openid:authority"];
    // Audience: the identifier this API is registered under at the token service
    opt.Audience = "paymentapi";
});
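As an added example, not code from the original question or answer, here is a minimal ASP.NET Core (.NET 6+ hosting model) API that shows the weak configuration from the question beside a hardened one, with comments on what each flag makes the JwtBearer handler check. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced, that an OpenID Connect discovery document is reachable at the configured "openid:authority" value, and that the API is registered at the token service under the audience "paymentapi" (both values taken from the answer above; the "/payments" route is invented for illustration).

```csharp
// Added example (not part of the original post). Assumes .NET 6+ minimal hosting,
// the Microsoft.AspNetCore.Authentication.JwtBearer package, a reachable
// OpenID Connect issuer at configuration key "openid:authority", and that this API
// is registered there as audience "paymentapi".
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// --- Weak: what the question configures (kept commented out, for contrast) ---
// ValidateIssuer = false accepts a token whose iss is any value at all, and
// ValidateAudience = false accepts a token minted for a different API
// (e.g. one whose aud is "reportingapi"), as long as the signature checks out.
/*
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        opt.Authority = builder.Configuration["openid:authority"];
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateIssuerSigningKey = true
        };
    });
*/

// --- Hardened: issuer and audience are both configured and both validated ---
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        // The handler fetches {Authority}/.well-known/openid-configuration, takes
        // the "issuer" value from it as the expected iss claim, and the JWKS keys
        // as the signing keys. The API does not discover "its" server on its own;
        // it trusts whatever issuer is configured here.
        opt.Authority = builder.Configuration["openid:authority"];

        // The audience is the identifier of THIS API at the token service. It is
        // unrelated to whether the caller is a browser or a mobile app: those are
        // the token's client/subject, while aud names the API the token is for.
        opt.Audience = "paymentapi";

        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,           // iss must match the discovered issuer
            ValidateAudience = true,         // aud must contain "paymentapi"
            ValidateIssuerSigningKey = true, // also validate the key that verified
                                             // the signature (e.g. X.509 validity)
            ValidateLifetime = true,         // reject expired / not-yet-valid tokens
            ClockSkew = TimeSpan.FromMinutes(1) // library default is 5 minutes
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical protected route: only a token that passed every check above gets here.
app.MapGet("/payments", () => Results.Ok("token accepted for paymentapi"))
   .RequireAuthorization();

app.Run();
```

A token issued by a different authority, or issued by the right authority but for another API, now fails with 401 before any endpoint code runs; the signature check itself happens in both configurations, so the flags above are what distinguish "signed by someone I trust" from "signed by my issuer, for this API".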