Question
We are using the OIDC library and for now we allow only MSA account login, so we have configured the parameters `ValidateIssuer = true` and `ValidIssuers = "https://login.microsoftonline.com/.."`.
However, we now need to onboard other AAD tenants (for example: abc@dell.com) to our application, so we decided to set `ValidateIssuer = false`.
Since my application is already backed up by custom authorization, I am finding it difficult to understand the purpose of this flag altogether. Basically my question is: under what circumstances would one not want to set this flag to false? And what risk might one run into if it is set to false?
I looked at the AAD docs published here and am still not able to find a convincing response in the comments over the sample code snippet:
```csharp
// ValidateIssuer set to false to allow work accounts from any organization to sign in to your application
// To only allow users from a single organization, set ValidateIssuer to true and the 'tenant' setting in web.config to the tenant name or Id (example: contoso.onmicrosoft.com)
// To allow users from only a list of specific organizations, set ValidateIssuer to true and use the ValidIssuers parameter
TokenValidationParameters = new TokenValidationParameters()
{
    ValidateIssuer = false
},
```
Answer 1:
As the other answer already mentioned, if you leave `ValidateIssuer = false`, then the OIDC middleware will not try to validate the issuer tenant, and it would effectively mean that your application is open to anyone with a user in Azure AD.
Some suggestions on tackling the multi-tenant case

If you know the list of valid issuers ahead of time, make use of a list of issuers in `TokenValidationParameters.ValidIssuers`. Example:

```csharp
ValidIssuers = new List<string>()
{
    "https://sts.windows.net/6d9c0c36-c30e-442b-b60a-ca22d8994d14/",
    "https://sts.windows.net/f69b5f46-9a0d-4a5c-9e25-54e42bbbd4c3/",
    "https://sts.windows.net/fb674642-8965-493d-beee-2703caa74f9a/"
}
```

If the valid issuers for your application are dynamic, or if you want to write some logic to gather that list, you can write an implementation for `TokenValidationParameters.IssuerValidator` which has your custom logic. You just need to set a delegate that will be used to validate the issuer.

```csharp
TokenValidationParameters validationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    // Set this to a delegate and write your own custom implementation there.
    // See the code sample URL ahead for more details.
    IssuerValidator = AadIssuerValidator.ValidateAadIssuer
};
```

If neither case makes sense, and your validation logic is unrelated to the tenant to which the caller belongs, set `TokenValidationParameters.ValidateIssuer` to false, but make sure you add your custom logic at the end, for example in `SecurityTokenValidated` notifications.
Sample Code
Build a multi-tenant SaaS web application using Azure AD & OpenID Connect
Look closely at these files in this sample:
- App_Start/Startup.Auth.cs
- Utils/AadIssuerValidator.cs
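The second suggestion above (a custom `IssuerValidator` delegate) is the one that is easiest to get subtly wrong, so here is an added example of what such a delegate looks like. This is not the sample project's `AadIssuerValidator` and not code from the answer; it assumes the token is a `JwtSecurityToken` carrying AAD's `tid` claim, and the two tenant IDs in the allowlist are constructed placeholders. The point it demonstrates is the risk both answers describe: AAD signs tokens for every tenant with the same key set, so a signature check alone proves only that the token came from AAD, and it is the issuer (or tenant) check that decides which organisations may sign in.

```csharp
// Added example, not the sample project's Utils/AadIssuerValidator.cs.
// Accepts a token only if its tenant is on an explicit allowlist and the
// issuer claim is the AAD issuer for that same tenant (v1 or v2 form).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

public static class AllowedTenantIssuerValidator
{
    // Constructed placeholder tenant IDs; replace with the tenants you actually onboard.
    // Where this list is dynamic, load it from your own store instead of hard-coding it.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222",
        };

    // Signature matches the Microsoft.IdentityModel.Tokens.IssuerValidator delegate:
    // return the issuer when it is acceptable, throw SecurityTokenInvalidIssuerException otherwise.
    public static string Validate(string issuer, SecurityToken securityToken,
                                  TokenValidationParameters validationParameters)
    {
        if (string.IsNullOrEmpty(issuer))
            throw new SecurityTokenInvalidIssuerException("Token has no issuer (iss) claim.");

        // AAD puts the tenant ID in the 'tid' claim of the signed token.
        var jwt = securityToken as JwtSecurityToken;
        string tid = jwt?.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (string.IsNullOrEmpty(tid))
            throw new SecurityTokenInvalidIssuerException("Token has no tenant (tid) claim.");

        if (!AllowedTenantIds.Contains(tid))
            throw new SecurityTokenInvalidIssuerException($"Tenant '{tid}' is not onboarded.");

        // The issuer must be the AAD issuer for that same tenant, so tid and iss agree.
        // Both endpoint forms are listed because v1 and v2 tokens use different issuers.
        var expectedIssuers = new[]
        {
            $"https://sts.windows.net/{tid}/",
            $"https://login.microsoftonline.com/{tid}/v2.0",
        };
        if (!expectedIssuers.Contains(issuer, StringComparer.OrdinalIgnoreCase))
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not match onboarded tenant '{tid}'.");

        return issuer;
    }
}

// Wiring it into the middleware: keep ValidateIssuer = true so the delegate actually runs.
// Setting ValidateIssuer = false would skip this delegate entirely and admit any AAD tenant.
public static class TokenValidationSetup
{
    public static TokenValidationParameters Build()
    {
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            IssuerValidator = AllowedTenantIssuerValidator.Validate,
        };
    }
}
```

Note that `IssuerValidator` is only consulted when `ValidateIssuer` is true; with the flag set to false the delegate is never called, which is why the answer recommends moving any tenant-related logic into the validator rather than turning the check off. Throwing the library's own `SecurityTokenInvalidIssuerException` (rather than returning null or a different string) keeps the failure on the same path the middleware already uses for a rejected issuer, so it is logged and surfaced like any other token validation failure.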
Answer 2:
This flag allows the OpenID Connect authentication handler to make sure the person who logs in to your application comes from a known AAD tenant. If you set it to false, this validation doesn't happen. What it effectively means is that anyone accessing your application and logging in successfully when being redirected to AAD will be allowed into your application.
In summary, I'd say the only two circumstances in which you want to set this flag to false are if:
- you don't know in advance which tenants can connect to your application; or
- you want to allow people from every single AAD tenant to connect to your application.
Also, I'd be curious to know what you mean by "the application is already backed up by custom authorization".
Cheers
Source: https://stackoverflow.com/questions/55767757/validateissuer-option-in-openid-connect-authentication