CA5405: Do not always skip token validation in delegates

Property Value
Rule ID CA5405
Title Do not always skip token validation in delegates
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

The callback assigned to AudienceValidator or LifetimeValidator always returns true.

Rule description

By setting critical TokenValidationParameter validation delegates to always return true, important authentication safeguards are disabled. Disabling safeguards can lead to incorrect validation of tokens from any issuer or expired tokens.

For more information about best practices for token validation, see the library's wiki.

How to fix violations

  • Improve the logic of the delegate so not all code paths return true, which effectively disables that type of validation.
  • Throw SecurityTokenInvalidAudienceException or SecurityTokenInvalidLifetimeException in failure cases when you want to fail validation and have other cases pass by returning true.

When to suppress warnings

In some specific cases where you're utilizing the delegate for additional logging and it's for token types where the specific type of validation is not needed, it may make sense to suppress this warning. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5405
// The code that's violating the rule is on this line.
#pragma warning restore CA5405

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5405.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) => { return true; };
    }
}

Solution

using System;
using Microsoft.IdentityModel.Tokens;

class TestClass
{
    public void TestMethod()
    {
        TokenValidationParameters parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) =>
        {
            // Implement your own custom audience validation
            if (PerformCustomAudienceValidation(audiences, token))
                return true;
            else
                return false;
        };
    }
}