Tags: openid-connect, katana, adal, identityserver3

How can I get OpenIdConnectAuthenticationMiddleware to validate the signing certificate validity dates?


I am using Microsoft's OpenIdConnectAuthenticationMiddleware against IdentityServer3 in a hybrid flow. I'll skip the IdentityServer3 setup code (as I don't think there's an issue there), but here's the relying party startup code:

using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Cookie middleware persists the identity once the OIDC sign-in completes.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        var options = new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44300/",   // IdentityServer3
            ClientId = "hybridclient",
            ClientSecret = "secret",
            RedirectUri = "https://localhost:44301/",
            ResponseType = "code id_token",           // hybrid flow
            SignInAsAuthenticationType = "Cookies",
            Scope = "openid profile"
        };

        app.UseOpenIdConnectAuthentication(options);
    }
}

I've noticed that when IdentityServer3 is using an expired certificate for signing (which it allows, but dutifully logs as a warning), the expiration on the certificate is ignored and the authentication is permitted. This seems wrong.

I don't know whose responsibility this would be (OpenIdConnectAuthenticationMiddleware? ADAL?) as it seems to me to be an easy authentication failure when the signing cert is expired. I've looked at the code all the way down through Katana to the JwtSecurityTokenHandler in ADAL and I can't see that the expiration is checked.

I can roll something myself, either in the TokenValidationParameters.IssuerSigningKeyResolver or the SecurityTokenValidated notification on OpenIdConnectAuthenticationNotifications, but it seems like this should be something built-in.

Is there a way to have the Microsoft OIDC middleware validate the signing cert expiration? Or am I missing something?

Update: Given Brent's answer, this is apparently a gap in the functionality of JwtSecurityTokenHandler that Microsoft would like to fill. I can only say I see this currently, with v4.0.0 installed (as it's a dependency of the Microsoft.Owin.Security.OpenIdConnect NuGet package).


Solution

  • You would need to derive from JwtSecurityTokenHandler, override ValidateIssuerSecurityKey and check the signature. OpenIdConnectOptions.SecurityTokenHandlers can be used to set the handler.

    When fixed, this will be easier. https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/329
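A worked sketch of the approach in the answer, added here as example code; it is not from the question, the answer, Katana, IdentityServer3 or the IdentityModel library. It assumes the Katana 3.x / System.IdentityModel.Tokens.Jwt 4.x surface: a protected virtual ValidateIssuerSecurityKey(SecurityKey, JwtSecurityToken, TokenValidationParameters) on JwtSecurityTokenHandler, an X509SecurityKey type exposing its Certificate, OpenIdConnectAuthenticationOptions.SecurityTokenHandlers and TokenValidationParameters.ValidateIssuerSigningKey. The handler class name and RelyingPartyConfig are hypothetical.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical handler: fails validation when the id_token was signed with a key
// whose X.509 certificate is outside its validity window, then runs the base checks.
public class CertificateValidityCheckingJwtHandler : JwtSecurityTokenHandler
{
    // Pure rule, kept separate so it can be unit-tested without a token.
    public static bool IsWithinValidityPeriod(X509Certificate2 cert, DateTime utcNow)
    {
        return utcNow >= cert.NotBefore.ToUniversalTime()
            && utcNow <= cert.NotAfter.ToUniversalTime();
    }

    protected override void ValidateIssuerSecurityKey(
        SecurityKey securityKey,
        JwtSecurityToken securityToken,
        TokenValidationParameters validationParameters)
    {
        // Only certificate-backed keys carry validity dates; RSA or symmetric keys
        // taken from a JWKS document have nothing to check here.
        var x509Key = securityKey as X509SecurityKey;   // assumed type (Jwt 4.x)
        if (x509Key != null && !IsWithinValidityPeriod(x509Key.Certificate, DateTime.UtcNow))
        {
            var cert = x509Key.Certificate;
            throw new SecurityTokenValidationException(string.Format(
                "Signing certificate {0} is outside its validity period ({1:u} to {2:u}).",
                cert.Thumbprint, cert.NotBefore.ToUniversalTime(), cert.NotAfter.ToUniversalTime()));
        }

        // Never skip the built-in checks (signature, issuer key expectations).
        base.ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters);
    }
}

// Wiring into the relying-party options from the question.
public static class RelyingPartyConfig
{
    public static OpenIdConnectAuthenticationOptions WithCertificateValidityCheck(
        OpenIdConnectAuthenticationOptions options)
    {
        options.SecurityTokenHandlers = new SecurityTokenHandlerCollection
        {
            new CertificateValidityCheckingJwtHandler()
        };
        // Assumption: the base handler only calls ValidateIssuerSecurityKey when
        // issuer-signing-key validation is switched on; confirm for your installed version.
        options.TokenValidationParameters.ValidateIssuerSigningKey = true;
        return options;
    }
}
```

Call RelyingPartyConfig.WithCertificateValidityCheck(options) before app.UseOpenIdConnectAuthentication(options). The check is fail-closed: an expired or not-yet-valid certificate produces a SecurityTokenValidationException (surfacing through the middleware's AuthenticationFailed notification) rather than a signed-in user, and the base call preserves the normal signature validation. Note that a relying party holding a cached discovery document with a since-expired key will start rejecting tokens at the NotAfter instant, so log the thumbprint and dates as above to make certificate rotation problems diagnosable.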