Tags: azure, azure-active-directory, azure-ad-msal, msal.js, passport-azure-ad

Azure AD token validation - why validate issuer?


I have an API service that uses Azure AD tokens for authentication and authorization. I plan to use the https://github.com/AzureAD/passport-azure-ad library for this and need to use BearerStrategy - https://github.com/AzureAD/passport-azure-ad#42-bearerstrategy. I'm confused by the validateIssuer property. validateIssuer and issuer configurations need to be used together, if I understand the docs correctly. issuer is a URL that contains the tenant id and the AD version (1 or 2) used to issue the token. As the API service that will validate the token, why would the API service care about the AD version that was used to issue the token? And hence why would it validate the issuer URL, when it should care only about the tenant id? I'm trying to understand why the entire issuer URL must be verified and not just the tenant id.


Solution

  • In the API service the validators are defined in the library source file, like Microsoft.IdentityModel.Tokens/Validators.cs, which validates the token based on the token validation parameters (Issuer, ValidateIssuer, signature, etc.).

    The issuer contains the URL for the actual tenant with the v1.0 and v2.0 endpoints. Tokens always need to match the endpoint they're requested from, and the tokens always match the format expected by the Web API your client will call using that token.

    You need to validate the issuer because many services can generate tokens but you only want to trust certain source(s).

    If we leave ValidateIssuer, then the middleware will not try to validate the issuer tenant, which would effectively mean that your application is open to anyone with a user in Azure AD.

    For more information about the token validation, please refer to the documents on ValidateIssuer and issuer.
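The following is an added example, not code from the question, the answer, or the passport-azure-ad project. It models the decision the answer describes: with validateIssuer off, the token's iss claim is ignored and a token minted for any Azure AD tenant passes; with validateIssuer on and issuer set to this API's own tenant in both the v1.0 and v2.0 URL formats, only those exact issuer strings are trusted. The option names mirror the BearerStrategy options discussed above, but the checkIssuer function, the helper names, the tenant ids and the tokens are all constructed for illustration, and no signature check is performed here (the real middleware validates the signature as well).

```javascript
// Added example: a minimal model of the issuer check that passport-azure-ad's
// BearerStrategy applies when validateIssuer is true. Not the library's code.
// Tenant ids and tokens are constructed placeholders; the signature is NOT
// verified here (the real middleware also checks it).

// Azure AD uses one of two issuer URL formats, depending on whether the client
// requested the token from the v1.0 or the v2.0 endpoint. Both contain the
// tenant id, but the full string is what the middleware compares.
function expectedIssuers(tenantId) {
  return [
    `https://sts.windows.net/${tenantId}/`,               // v1.0 issuer format
    `https://login.microsoftonline.com/${tenantId}/v2.0`, // v2.0 issuer format
  ];
}

// Decode the payload segment of a compact JWT (header.payload.signature).
// Deliberately does not verify the signature; this only reads the claims.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// The decision modelled from the options object:
//   validateIssuer: false -> iss is ignored, any tenant's token is accepted
//   validateIssuer: true  -> iss must exactly equal one of options.issuer
function checkIssuer(claims, options) {
  if (options.validateIssuer === false) {
    return { ok: true, reason: 'issuer validation disabled' };
  }
  const trusted = Array.isArray(options.issuer) ? options.issuer : [options.issuer];
  if (typeof claims.iss !== 'string') {
    return { ok: false, reason: 'token has no iss claim' };
  }
  if (!trusted.includes(claims.iss)) {
    return { ok: false, reason: `untrusted issuer ${claims.iss}` };
  }
  return { ok: true, reason: 'issuer trusted' };
}

// Build an unsigned, constructed token for the demonstration only.
function makeToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.sig`;
}

const MY_TENANT = '11111111-1111-1111-1111-111111111111';    // constructed
const OTHER_TENANT = '22222222-2222-2222-2222-222222222222'; // constructed

// Weak configuration: the answer's "open to anyone with a user in Azure AD".
const weakOptions = { validateIssuer: false };

// Hardened configuration: trust only this API's tenant, in both formats.
const hardenedOptions = { validateIssuer: true, issuer: expectedIssuers(MY_TENANT) };

// Run both configurations against a token from our tenant and one from a
// foreign tenant, returning the three outcomes a practitioner wants to see.
function demo() {
  const own = makeToken({
    iss: `https://login.microsoftonline.com/${MY_TENANT}/v2.0`,
    tid: MY_TENANT,
    aud: 'api://example-api', // constructed audience
  });
  const foreign = makeToken({
    iss: `https://sts.windows.net/${OTHER_TENANT}/`,
    tid: OTHER_TENANT,
    aud: 'api://example-api',
  });
  return {
    weakAcceptsForeign: checkIssuer(decodePayload(foreign), weakOptions).ok,       // true
    hardenedAcceptsOwn: checkIssuer(decodePayload(own), hardenedOptions).ok,       // true
    hardenedRejectsForeign: checkIssuer(decodePayload(foreign), hardenedOptions).ok, // false
  };
}

console.log(demo());
```

Running the block prints the three outcomes: the weak options accept the foreign tenant's token, while the hardened options accept our own tenant's token and reject the foreign one. Listing both issuer formats for the same tenant is what lets the API accept tokens regardless of which endpoint version the client used, without having to trust any other tenant.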