Are the authentication tokens validated for every request by the ASP.NET Core Web API?

Time: 07-07

I have the following configuration in my ASP.NET Core Web API:

using Microsoft.AspNetCore.Authorization;      // AuthorizationPolicyBuilder
using Microsoft.AspNetCore.Mvc.Authorization;  // AuthorizeFilter
using Microsoft.Identity.Web;                  // AddMicrosoftIdentityWebApiAuthentication

// Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
// (JWT bearer authentication configured from the "AzureAd" section of configuration)
services.AddMicrosoftIdentityWebApiAuthentication(configuration);

services.AddControllers(options =>
{
    // Global policy: every action requires an authenticated caller whose token
    // carries an "email" claim, unless the action is marked [AllowAnonymous]
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("email")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

I have an Angular client application that sends the AuthToken with each request. I don't believe that the Web API should validate the AuthToken for every single request, as that would impact performance, since it might be contacting the Microsoft validate endpoint.

Are the authentication tokens validated for every request by the ASP.NET Core Web API?

CodePudding user response:

Yes, the tokens are validated on every request. But there is no "Microsoft validate endpoint"; the validation is done completely in memory most of the time.

What actually happens at runtime:

  1. App startup
  2. App downloads metadata from "authority-uri/.well-known/openid-configuration" (for example: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration)
  3. This JSON contains the "jwks_uri" (for example https://login.microsoftonline.com/organizations/discovery/v2.0/keys)
  4. App downloads the keys from that URL

Later a request is received:

  1. App validates signature using one of those keys it downloaded earlier (it uses the one where "kid" matches in the token header)
  2. Other validation is done

If I recall correctly the metadata is cached in memory for 24 hours by default. It automatically refreshes it when needed.

In short, most of the time there are no requests at all to Microsoft endpoints. Your app validates the token in-memory using only some CPU time. Your DB queries will most likely completely eclipse the overhead of token validation.

CodePudding user response:

Auth tokens should be validated on every request to a sensitive endpoint to ensure that the user accessing an endpoint is authorized to access it. The impact on performance should be negligible. If tokens are not validated any user could make a request with a fraudulent token and your API would still service the request, allowing unauthenticated users to access the endpoint.
