
Does MSAL.net handle nonce validation by default? #4935

Open
anhhnguyen206 opened this issue Sep 19, 2024 · 1 comment

@anhhnguyen206

Hi,

This is more of a question than an issue, but I didn't see a discussion place for generic questions, so I opened this. Feel free to close it and redirect me to a better place to ask.

We're doing pentesting of our application. We noticed that in the token payload we received as the AuthenticationResult, there is a nonce value which is a random string. I'm curious whether this is generated by the library and whether it is also validated by the library?

Thanks,

@bgavrilMS (Member) commented Sep 19, 2024

Clients (and the SDK) do not parse access tokens. They could be encrypted. Only the resource (the audience) parses access tokens.

Tokens are cached, the same token can be used multiple times to call a resource.
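A worked illustration of the division of labour described in the reply above, added here as an example; it is not part of the issue thread or of the MSAL.NET code base. The client function only attaches the token as a bearer credential and never decodes it, while the resource checks signature, issuer, audience and expiry. To run offline the example signs with HS256 under a constructed shared key and a hypothetical issuer and audience; real Entra ID access tokens are RS256-signed and the resource fetches the issuer's public keys from its JWKS endpoint. The `nonce` claim is deliberately not checked by the resource: presenting the same cached token twice is accepted, which is the behaviour the reply describes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared between the stand-in issuer and the resource.
# Real access tokens are RS256-signed and verified against the issuer's JWKS;
# HS256 is used here only so the example runs offline.
ISSUER_KEY = b"constructed-demo-signing-key-not-a-real-secret"
EXPECTED_ISSUER = "https://issuer.example/tenant-id/v2.0"  # assumed value
EXPECTED_AUDIENCE = "api://resource.example"                # assumed value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Constructed stand-in for the identity provider: emits an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def client_call_resource(token: str) -> dict:
    """What an MSAL-style client does with an access token: attach it as a bearer
    credential without parsing it. An encrypted token it cannot read works identically."""
    return {"Authorization": f"Bearer {token}"}


def resource_validate(token: str, now: Optional[float] = None, key: bytes = ISSUER_KEY) -> dict:
    """Resource-side validation: signature, issuer, audience, expiry.
    The 'nonce' claim is not inspected; it is not a replay guard for access tokens,
    which the client caches and re-sends until they expire."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # reject 'none' and algorithm-confusion attempts
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def accepts(token: str, now: float) -> bool:
    """True if the resource would accept the token at time `now`."""
    try:
        resource_validate(token, now=now)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    now = 1_726_700_000  # fixed clock so the run is deterministic
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 3600,
              "sub": "user-1", "nonce": "random-opaque-value"}
    token = mint_access_token(claims)
    headers = client_call_resource(token)
    first = resource_validate(headers["Authorization"].split(" ", 1)[1], now=now)
    # The same cached token presented again is still accepted: nonce gives no replay protection.
    second = resource_validate(token, now=now)
    # A well-signed token minted for a different audience is rejected by this resource.
    other = mint_access_token({**claims, "aud": "api://other.example"})
    return (first["sub"], second == first, accepts(other, now))


if __name__ == "__main__":
    print(demo())
```

Nonce checking in OpenID Connect is defined for the ID token, which the client itself consumes; whatever claims happen to appear inside an access token are the resource's concern, and a client that starts parsing them will break as soon as the resource opts into encrypted tokens.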
