Merge pull request CactuseSecurity#3629 from tpurschke/develop

tpurschke · web-flow · commit 2c212bae1bf5 · 2025-08-27T16:18:03.000+02:00
hotfix audience validation in develop
diff --git a/roles/lib/files/FWO.Middleware.Client/JwtReader.cs b/roles/lib/files/FWO.Middleware.Client/JwtReader.cs
@@ -63,13 +63,12 @@ public async Task<bool> Validate()
 				{
 					RequireExpirationTime = true,
 					RequireSignedTokens = true,
+					ValidateLifetime = true,
 					ValidateAudience = true,
+                    ValidAudiences = [FWO.Basics.JwtConstants.Audience],
 					ValidateIssuer = true,
-					ValidateLifetime = true,
-					ValidAudience = FWO.Basics.JwtConstants.Audience,
 					ValidIssuer = FWO.Basics.JwtConstants.Issuer,
 					IssuerSigningKey = jwtPublicKey,
-					
 				};
 
 				JsonWebTokenHandler handler = new ();
diff --git a/roles/middleware/files/FWO.Middleware.Server/Program.cs b/roles/middleware/files/FWO.Middleware.Server/Program.cs
@@ -128,7 +128,9 @@ await Task.Factory.StartNew(async() =>
         RequireExpirationTime = true,
         RequireSignedTokens = true,
         ValidateAudience = true,
-        ValidateIssuer = false,
+        ValidAudiences = [FWO.Basics.JwtConstants.Audience],
+        ValidateIssuer = true,
+        ValidIssuers = [FWO.Basics.JwtConstants.Issuer],
         ValidateLifetime = true,
         RoleClaimType = "role",
         IssuerSigningKey = ConfigFile.JwtPublicKey
