Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce strict token validation everywhere. #58

Merged
merged 3 commits into from
Jan 22, 2019
Merged

Enforce strict token validation everywhere. #58

merged 3 commits into from
Jan 22, 2019

Conversation

laura-rodriguez
Copy link
Collaborator

As per our JWT spec validate that alg claim is RS256.

@laura-rodriguez laura-rodriguez requested review from nbarbettini and a team January 17, 2019 18:56
lilyhaverstein-okta
lilyhaverstein-okta approved these changes Jan 18, 2019
View reviewed changes
Copy link

@lilyhaverstein-okta lilyhaverstein-okta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Okta.AspNet.Abstractions/StrictTokenHandler.cs Outdated

if (jwtToken.Header?.Alg == null || jwtToken.Header?.Alg != SecurityAlgorithms.RsaSha256)
{
throw new SecurityTokenValidationException("The alg must be RS256.");
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick: Just calling it "the alg" sounds a bit slangy. Maybe "The JWT token's alg property" or "The JWT token's signing algorithm"?

Okta.AspNet.Abstractions/StrictSecurityTokenValidator.cs Outdated
{
private readonly JwtSecurityTokenHandler _handler;

public StrictSecurityTokenValidator(OktaWebOptions options)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Do we need the options constructor parameter? Seems like it isn't used.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, this is not needed.

Okta.AspNet.Abstractions/StrictSecurityTokenValidator.cs
public int MaximumTokenSizeInBytes
{
get => _handler.MaximumTokenSizeInBytes;
set => throw new NotImplementedException();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should throw something other than NotImplementedException. Usually when I see that I see it as either a bug in the library that threw it, or an indication that a feature is only partially implemented. But in our case the code is complete, it's just that the property is readonly.

Maybe NotSupportedException? Up to you.

@laura-rodriguez laura-rodriguez merged commit 983ebc8 into master Jan 22, 2019
@laura-rodriguez laura-rodriguez deleted the lr-verify-alg-claim-is-rs256 branch January 22, 2019 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lilyhaverstein-okta lilyhaverstein-okta lilyhaverstein-okta approved these changes

@nbarbettini nbarbettini Awaiting requested review from nbarbettini

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@laura-rodriguez @lilyhaverstein-okta