CA5404: Do not disable token validation checks
Property | Value |
---|---|
Rule ID | CA5404 |
Title | Do not disable token validation checks |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 8 | No |
Cause
Setting TokenValidationParameters properties RequireExpirationTime
, ValidateAudience
, ValidateIssuer
, or ValidateLifetime
to false
.
Rule description
Token validation checks ensure that while validating tokens, all aspects are analyzed and verified. Turning off validation can lead to security holes by allowing untrusted tokens to make it through validation.
More details about best practices for token validation can be found on the library's wiki.
How to fix violations
Set TokenValidationParameters properties RequireExpirationTime
, ValidateAudience
, ValidateIssuer
, or ValidateLifetime
to true
. Or, remove the assignment to false
because the default value is true
.
When to suppress warnings
In the vast majority of cases, this validation is essential to ensure the security of the consuming app. However, there are some cases where this validation is not needed, especially in non-standard token types. Before you disable this validation, be sure you have fully thought through the security implications. For information about the trade-offs, see the token validation library's wiki.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5404
// The code that's violating the rule is on this line.
#pragma warning restore CA5404
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5404.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.RequireExpirationTime = false;
parameters.ValidateAudience = false;
parameters.ValidateIssuer = false;
parameters.ValidateLifetime = false;
}
}
Solution
using System;
using Microsoft.IdentityModel.Tokens;
class TestClass
{
public void TestMethod()
{
TokenValidationParameters parameters = new TokenValidationParameters();
parameters.RequireExpirationTime = true;
parameters.ValidateAudience = true;
parameters.ValidateIssuer = true;
parameters.ValidateLifetime = true;
}
}