RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5405 below:

CA5405: Do not always skip token validation in delegates (code analysis) - .NET

Property Value Rule ID CA5405 Title Do not always skip token validation in delegates Category Security Fix is breaking or non-breaking Non-breaking Enabled by default in .NET 9 No Cause

The callback assigned to AudienceValidator or LifetimeValidator always returns true.

Rule description

By setting critical TokenValidationParameter validation delegates to always return true, important authentication safeguards are disabled. Disabling safeguards can lead to incorrect validation of tokens from any issuer or expired tokens.

For more information about best practices for token validation, see the library's wiki.

How to fix violations

Improve the logic of the delegate so not all code paths return true, which effectively disables that type of validation.
Throw SecurityTokenInvalidAudienceException or SecurityTokenInvalidLifetimeException in failure cases when you want to fail validation and have other cases pass by returning true.

When to suppress warnings

In some specific cases where you're utilizing the delegate for additional logging and it's for token types where the specific type of validation is not needed, it may make sense to suppress this warning. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5405
// The code that's violating the rule is on this line.
#pragma warning restore CA5405

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5405.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples Violation

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) => { return true; };
    }
}

Solution

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) =>
        {
            // Implement your own custom audience validation
            if (PerformCustomAudienceValidation(audiences, token))
                return true;
            else
                return false;
        };
    }
}

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4