Status: Open
Labels: area-auth (Includes: Authn, Authz, OAuth, OIDC, Bearer)
Description
aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectPostConfigureOptions.cs, line 63 in 0585ae7:

```csharp
if (string.IsNullOrEmpty(options.TokenValidationParameters.ValidAudience) && !string.IsNullOrEmpty(options.ClientId))
```
When using the appsettings configuration for JWT, e.g.

```json
"Authentication": {
  "Schemes": {
    "Bearer": {
      "ValidAudiences": [
        "my audience"
      ],
      "ValidIssuer": "dotnet-user-jwts"
    }
  }
}
```
- scenario 1: calling AddJwtBearer without options

```csharp
builder.Services.AddAuthentication()
    .AddJwtBearer();
```

result: the JWT token validation is successful.
- scenario 2: calling AddJwtBearer with TokenValidationParameters options

```csharp
builder.Services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });
```

result: the JWT token validation fails:

```
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience 'my audience' is invalid"
```
- scenario 3: calling AddJwtBearer with TokenValidationParameters options and specifying Audience

```csharp
builder.Services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        options.Audience = "my audience";
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });
```

result: the JWT token validation is successful.
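The three scenarios above are consistent with the configuration binder populating `options.TokenValidationParameters.ValidAudiences` / `ValidIssuer` from the `Authentication:Schemes:Bearer` section before the user's `AddJwtBearer` delegate runs; assigning a brand-new `TokenValidationParameters` in that delegate (scenario 2) throws those bound values away, so the token's `aud` no longer matches anything. The following Program.cs is an added example, not code from the issue or from the aspnetcore repository. It assumes the appsettings section shown in the issue, a .NET 7 or later minimal API project referencing Microsoft.AspNetCore.Authentication.JwtBearer, and a hypothetical `/secure` endpoint. It keeps the validation flags from scenario 2 by mutating the existing `TokenValidationParameters` instead of replacing it, and adds a start-up check so an API with no configured audience refuses to start rather than silently accepting or rejecting tokens.

```csharp
// Added example (not part of the issue). Assumes the "Authentication:Schemes:Bearer"
// section from the issue is present in appsettings.json and that the framework binds
// it into options.TokenValidationParameters before the delegate below runs.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Scenario 2 from the issue does this and loses the bound ValidAudiences/ValidIssuer:
        // options.TokenValidationParameters = new TokenValidationParameters { ... };

        // Mutate the instance the framework already populated from configuration instead.
        TokenValidationParameters tvp = options.TokenValidationParameters;
        tvp.ValidateIssuer = true;
        tvp.ValidateAudience = true;
        tvp.ValidateLifetime = true;
        tvp.ValidateIssuerSigningKey = true;
    });

// Fail fast at start-up if no audience ended up configured for the Bearer scheme.
// This check is an assumption about what "misconfigured" means for this issue: it covers
// ValidAudiences (bound from config), ValidAudience (filled in by post-configure from
// options.Audience, as in scenario 3) and options.Audience itself.
builder.Services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
    .Validate(o =>
        (o.TokenValidationParameters.ValidAudiences?.Any() ?? false)
        || !string.IsNullOrEmpty(o.TokenValidationParameters.ValidAudience)
        || !string.IsNullOrEmpty(o.Audience),
        "No valid audience is configured for the Bearer scheme; tokens cannot be validated safely.")
    .ValidateOnStart();

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint used to exercise the bearer scheme.
app.MapGet("/secure", (ClaimsPrincipal user) => $"hello {user.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```

With this form the result matches scenario 1 and scenario 3 (the token whose `aud` is "my audience" validates) while the four `Validate*` flags from scenario 2 are still in force; if the `ValidAudiences` array were removed from appsettings.json and `options.Audience` left unset, the `ValidateOnStart` check would stop the host at start-up instead of every request failing with `invalid_token`.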