C Sharp Audience Validator Always True
Description
Detects insecure JWT token validation in C# applications where the AudienceValidator or LifetimeValidator delegates of Microsoft.IdentityModel.Tokens are implemented without real validation logic. A custom delegate replaces the library's built-in check, so a delegate that always returns true accepts tokens issued for a different audience, or expired tokens, and enables authentication bypass.
Detection Strategy
• Identifies usage of Microsoft.IdentityModel.Tokens library in the codebase
• Locates assignments to AudienceValidator or LifetimeValidator delegates
• Checks if the assigned validator function lacks meaningful validation logic
• Reports a vulnerability when validator implementations will always return true or have no validation checks
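The detection strategy above, written out as an added Python checker (not Fluid Attacks' own rule implementation). The two C# inputs are constructed here, modelled on the page's examples, and the regex matching assumes the delegate is assigned a lambda expression.

```python
import re

# Constructed inputs modelled on the page's examples (not the page's code verbatim).
VULNERABLE_CS = """
using Microsoft.IdentityModel.Tokens;
class TokenValidator {
    public void ConfigureTokenValidation() {
        var parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) => true;
        parameters.LifetimeValidator = (nbf, exp, token, tvp) => { return true; };
    }
}
"""
SECURE_CS = """
using System.Linq;
using Microsoft.IdentityModel.Tokens;
class TokenValidator {
    private readonly string[] _validAudiences = { "myapi1", "myapi2" };
    public void ConfigureTokenValidation() {
        var parameters = new TokenValidationParameters();
        parameters.AudienceValidator = (audiences, token, tvp) =>
            audiences.Any(a => _validAudiences.Contains(a));
    }
}
"""

USES_LIBRARY = re.compile(r"^\s*using\s+Microsoft\.IdentityModel\.Tokens\s*;", re.M)
# Either delegate assigned a lambda: capture the parameter list and the body up to its ';'.
ASSIGNMENT = re.compile(
    r"\.(AudienceValidator|LifetimeValidator)\s*=\s*\(?([\w\s,]*)\)?\s*=>\s*(.*?);\s*$", re.S | re.M)

def body_always_true(body: str) -> bool:
    """Matches `=> true` and `=> { return true; }`, ignoring whitespace."""
    return re.sub(r"\s+", "", body) in ("true", "{returntrue;}")

def body_ignores_inputs(params: str, body: str) -> bool:
    """A validator that never reads any of its parameters is not validating anything."""
    names = [p.strip() for p in params.split(",") if p.strip()]
    return not any(re.search(rf"\b{re.escape(n)}\b", body) for n in names)

def find_insecure_validators(source: str) -> list:
    """Return (delegate name, line number) for every validator that always succeeds."""
    if not USES_LIBRARY.search(source):
        return []  # library not in use: these delegates are not the JWT validators
    findings = []
    for m in ASSIGNMENT.finditer(source):
        name, params, body = m.group(1), m.group(2), m.group(3)
        if body_always_true(body) or body_ignores_inputs(params, body):
            findings.append((name, source.count("\n", 0, m.start()) + 1))
    return findings
```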
Vulnerable code example
using Microsoft.IdentityModel.Tokens;

class TokenValidator {
    public void ConfigureTokenValidation() {
        var parameters = new TokenValidationParameters();
        // UNSAFE: always returning true bypasses audience validation
        parameters.AudienceValidator = (audiences, token, tvp) => true;
    }
}
✅ Secure code example
using System;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

class TokenValidator {
    private readonly string[] _validAudiences = { "myapi1", "myapi2" }; // Valid audience list

    public void ConfigureTokenValidation() {
        var parameters = new TokenValidationParameters();
        // SAFE: accept the token only if one of its audiences is in the allow-list
        parameters.AudienceValidator = (audiences, token, tvp) =>
            audiences != null && audiences.Any(a => _validAudiences.Contains(a, StringComparer.Ordinal));
    }
}