I am writing an API for an SPA using ASP.NET Core WebAPI and am working through the features and settings of JWT.

By default, audience validation is enabled. Looking into the meaning of this parameter, I could not understand why it would ever be necessary. Usually the examples specify a URL (probably of the client application), a list of client ids, or a group name like "web". Even if you want separate logic for different audiences, why not use roles? And it is not very clear how to make that distinction in a clean way.

I decided to disable this check for myself, but why is this non-critical parameter checked by default at all?

    1 answer

    The audience indicates that the token was issued specifically for use by your application.

    Suppose the token provider is something like Windows Azure AD or Google, and you have disabled the audience check.

    The attacker registers his own application with AD / Google and lures the user to it.

    He gets a valid token with Audience = "rogue application", and comes to your API with that token.

    And you let it in (because the audience is not checked), start handing over the user's secret data that your application stores, and allow it to perform actions on the user's behalf, even though the user never consented to this.

    With validation everything is fine: the attacker is turned away at the first request.

    • Perhaps I do not understand the process well. 'Gets a valid token with Audience = "rogue application"': but if the audience was removed when the token was created, it will not be there for the user, and the attacker will not be able to add his own audience either, because of the signature. That situation is clear: steal a token, get access to the user's resource. Could the process be described in more detail for the case where the token has an audience and validation is on: how should it be checked? If I simply compare the value I gave the user with the value that arrives with the resource request, the attacker would gain access in the same way. - AndreyMagnificent
    • @AndreyMagnificent in the example from the answer it is not you who creates the token, so it is not you who decides what goes into it, but a third-party service. To understand that the third-party service issued the token to your application and not to some other one, you need to check the token's Audience field yourself. - tym32167
    • @AndreyMagnificent in the JWT scheme a token can be issued by one application and checked by another. For example, you can log in to SO through Google. The token is issued by Google with audience = "so". SO trusts only the tokens that Google issued for logging on to SO. If it trusted tokens with a different audience, then the owners of other sites where you signed in through Google could use their tokens to act on SO on your behalf. - PashaPash