-
Notifications
You must be signed in to change notification settings - Fork 397
Use of TokenValidationParameters.ValidateIssuerSigningKey
TokenValidationParameters.ValidateIssuerSigningKey
Purpose: to provide additional checks on the security key that signed a token.
Default: false
TokenValidationParameters.ValidateIssuerSigningKey is used when you need to perform additional validation of the security key that was used to validate the signature of the token that was validated.
Normally this is not required because the user / runtime must set IssuerSigningKey or IssuerSigningKeys or in the case of custom security key retrieval the delegate IssuerSigningKeyResolver ( Definition ) for keys to be available for validating the signature on the token. By default, all tokens are required to be signed RequireSignedTokens. It is assumed that only keys from trusted sources are set.
If you need custom validation of the security key that signed the token you can:
-
set TokenValidationParameters.ValidateIssuerSigningKey to true.
- The default behavior is applicable to X509SecurityKey and checks that the certificate is not expired. No CRL or other checks are made.
-
set the delegate IssuerSigningKeyValidator ( Definition ) which will be called as part of validation.
Conceptual Documentation
- Using TokenValidationParameters.ValidateIssuerSigningKey
- Scenarios
- Validating tokens
- Outbound policy claim type mapping
- How ASP.NET Core uses Microsoft.IdentityModel extensions for .NET
- Using a custom CryptoProvider
- SignedHttpRequest aka PoP (Proof-of-Possession)
- Creating and Validating JWEs (Json Web Encryptions)
- Caching in Microsoft.IdentityModel
- Resiliency on metadata refresh
- Use KeyVault extensions