CA5404: Do not disable token validation checks
| Value | |
|---|---|
| Rule ID | CA5404 |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
Cause
Setting TokenValidationParameters properties RequireExpirationTime, ValidateAudience, ValidateIssuer, or ValidateLifetime to false.
Rule description
Token validation checks ensure that while validating tokens, all aspects are analyzed and verified. Turning off validation can lead to security holes by allowing untrusted tokens to make it through validation.
More details about best practices for token validation can be found on the library's wiki.
How to fix violations
Set TokenValidationParameters properties RequireExpirationTime, ValidateAudience, ValidateIssuer, or ValidateLifetime to true. Or, remove the assignment to false because the default value is true.
When to suppress warnings
In the vast majority of cases, this validation is essential to ensure the security of the consuming app. However, there are some cases where this validation is not needed, especially in non-standard token types. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.
Pseudo-code examples
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.RequireExpirationTime = false;
parameters.ValidateAudience = false;
parameters.ValidateIssuer = false;
parameters.ValidateLifetime = false;
}
}
Solution
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.RequireExpirationTime = true;
parameters.ValidateAudience = true;
parameters.ValidateIssuer = true;
parameters.ValidateLifetime = true;
}
}
Povratne informacije
Pošalјite i prikažite povratne informacije za