CA5405: Do not always skip token validation in delegates
| Property | Value |
|---|---|
| Rule ID | CA5405 |
| Title | Do not always skip token validation in delegates |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
The callback assigned to AudienceValidator or LifetimeValidator always returns true.
Rule description
By setting critical TokenValidationParameter validation delegates to always return true, important authentication safeguards are disabled. Disabling safeguards can lead to incorrect validation of tokens from any issuer or expired tokens.
For more information about best practices for token validation, see the library's wiki.
How to fix violations
- Improve the logic of the delegate so not all code paths return
true, which effectively disables that type of validation. - Throw
SecurityTokenInvalidAudienceExceptionorSecurityTokenInvalidLifetimeExceptionin failure cases when you want to fail validation and have other cases pass by returningtrue.
When to suppress warnings
In some specific cases where you're utilizing the delegate for additional logging and it's for token types where the specific type of validation is not needed, it may make sense to suppress this warning. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5405
// The code that's violating the rule is on this line.
#pragma warning restore CA5405
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5405.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.AudienceValidator = (audiences, token, tvp) => { return true; };
}
}
Solution
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.AudienceValidator = (audiences, token, tvp) =>
{
// Implement your own custom audience validation
if (PerformCustomAudienceValidation(audiences, token))
return true;
else
return false;
};
}
}
