ValidatingTokens

Token Validation for has multiple parts. The token is validated by checking that it is for the application, that it was issued by a trusted Identity Provider (IDP), that the token's lifetime is in range, and that it was not tampered with. There can also be special validations. For instance, it is possible to validate that signing keys (when embedded in a token) are trusted and that the token is not being replayed. Finally, some protocols require specific validations.

Dynamically obtaining SecurityKey for validating signatures

Normally we obtain SecurityKeys for you by reaching out to the IDP (Discovery or Metadata). Sometimes it is necessary to obtain keys dynamically at runtime. Perhaps they are in a database, cached somewhere or Mutual TLS is being used. Here is how to do that. Dynamically obtaining signing keys at runtime

Validators

The validation steps are captured into Validators, which are all in one source file: Microsoft.IdentityModel.Tokens/Validators.cs

The validators are the following:

Validator	Description
ValidateAudience	Ensures that the token is indeed for the application that validates the token (for me)
ValidateIssuer	Ensures that the token was issued by a STS I trust (from someone I TRUST)
ValidateIssuerSigningKey	Ensures the application validating the token trusts the key that was used to sign the token (this is a special case where the key is embedded in the token, usually this is not required)
ValidateLifetime	Ensures that the token is still (or already) valid. This is done by checking that the lifetime of the token (notbefore, expires) is in range
ValidateTokenReplay	Ensure the token is not replayed (this is a special case for some onetime use protocols)

Protocol specific validators

In addition to these validators, there are protocol specific validation rules. For example, OpenIdConnect requires the audience (‘aud’) claim to exist. See:Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs#L382