I have noticed a security issue in the provided tutorial code 10.3-simple-webhook-dotnet-securing-v2.zip, which involves setting up a webhook that is left unprotected. While JWT attributes are verified, the integrity of the JWT itself via its signature is not, leaving an attacker a very easy way to construct a JWT that will bypass the security checks. I have downloaded the sample and reproduced the issue.
Here’s a simple example of how token-based validation could be added to the webhook handler:
    using System;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Text.Json;
    using System.Threading.Tasks;
    using System.IdentityModel.Tokens.Jwt;
    using Microsoft.IdentityModel.Tokens;

    // Look up the signing key by "kid" in the identity provider's published key set.
    // The key-set URL is fixed and trusted; a key or key URL carried in the token (jwk/jku) is never used.
    private async Task<RSAParameters> GetRSAParameters(string kid)
    {
        using var jsonDocument = JsonDocument.Parse(
            await httpClientFactory.CreateClient().GetStringAsync("https://login.microsoftonline.com/common/discovery/v2.0/keys"));
        var key = jsonDocument.RootElement.GetProperty("keys").EnumerateArray()
            .First(k => k.GetProperty("kid").GetString() == kid);   // throws if the kid is not in the key set
        return new RSAParameters
        {
            Modulus = Base64UrlEncoder.DecodeBytes(key.GetProperty("n").GetString()),
            Exponent = Base64UrlEncoder.DecodeBytes(key.GetProperty("e").GetString())
        };
    }

    // In the webhook handler: signature, issuer, audience and lifetime are all validated in one call.
    var tokenHandler = new JwtSecurityTokenHandler();
    var parsedToken = tokenHandler.ReadJwtToken(token);   // unverified parse, used only to read the header "kid"
    var validationResult = await tokenHandler.ValidateTokenAsync(token, new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new RsaSecurityKey(await GetRSAParameters(parsedToken.Header.Kid)),
        ValidateIssuer = true,
        ValidIssuer = $"https://sts.windows.net/{tid}/",   // tid: the tenant the app expects (from configuration), not a value read from the token
        ValidateAudience = true,
        ValidAudience = configuration["ClientId"],
        ValidateLifetime = true
    });
    if (!validationResult.IsValid)   // ValidateTokenAsync reports failure here instead of throwing
    {
        throw new UnauthorizedAccessException("Invalid token", validationResult.Exception);
    }
I have uploaded a full sample to my GitHub and I am also willing to submit a pull request.
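The following is an added example, not code from the tutorial or from the reporter, that puts the vulnerable pattern (claims checked, signature ignored) beside a validator that verifies the signature first. It generalizes the report slightly: HS256 with a constructed in-memory key set is used so that it runs offline on the standard library alone, whereas the tutorial uses RS256 keys fetched from a JWKS URL. The structure is the same in both cases; only the HMAC compare would become an RSA verify. All issuer, audience, kid and key values are placeholders.

```python
"""Added example (not the tutorial's or the reporter's code): a claims-only JWT check,
as the tutorial does it, beside one that also verifies the signature."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trusted key set, standing in for the JWKS document fetched from the
# identity provider, keyed by kid. Values are placeholders, not real secrets.
TRUSTED_KEYS = {"key-1": b"constructed-example-secret-do-not-reuse"}
EXPECTED_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
EXPECTED_AUDIENCE = "00000000-1111-2222-3333-444444444444"   # placeholder for the app's ClientId
ALGORITHM = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(header: dict, payload: dict, signature: bytes) -> str:
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    return ".".join(segments + [b64url_encode(signature)])


def issue_token(payload: dict, kid: str = "key-1") -> str:
    """What the identity provider does: MAC over header.payload with the key for kid."""
    header = {"alg": ALGORITHM, "typ": "JWT", "kid": kid}
    signing_input = encode_token(header, payload, b"").rsplit(".", 1)[0]
    mac = hmac.new(TRUSTED_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return encode_token(header, payload, mac)


def forge_token(payload: dict) -> str:
    """What an attacker without the key does: correct-looking claims, made-up signature."""
    header = {"alg": ALGORITHM, "typ": "JWT", "kid": "key-1"}
    return encode_token(header, payload, b"\x00" * 32)


def _split(token: str):
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return h, p, s, header, payload


def _claims_ok(payload: dict, now: int) -> bool:
    exp = payload.get("exp")
    return (payload.get("iss") == EXPECTED_ISSUER
            and payload.get("aud") == EXPECTED_AUDIENCE
            and isinstance(exp, int) and exp > now)


def validate_claims_only(token: str, now=None) -> bool:
    """Vulnerable: the tutorial's pattern. Issuer, audience and lifetime are
    checked, but the signature is never looked at, so anyone can mint a token."""
    now = int(time.time()) if now is None else now
    parts = _split(token)
    return parts is not None and _claims_ok(parts[4], now)


def validate_with_signature(token: str, now=None) -> bool:
    """Hardened: pin the algorithm, take the key by kid from the trusted set,
    verify the MAC in constant time, and only then trust the claims."""
    now = int(time.time()) if now is None else now
    parts = _split(token)
    if parts is None:
        return False
    h, p, s, header, payload = parts
    if header.get("alg") != ALGORITHM:          # rejects "none" and algorithm confusion
        return False
    kid = header.get("kid")
    key = TRUSTED_KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:                             # unknown kid: never fall back to a default key
        return False
    try:
        presented = b64url_decode(s)
    except ValueError:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False
    return _claims_ok(payload, now)
```

A forged token with the right iss, aud and exp and a zero-filled signature is accepted by validate_claims_only and rejected by validate_with_signature; the same holds for a genuine token whose payload has been edited after signing. Note that the hardened path reads the kid from the unverified header only to select a key from a set it already trusts, which is the same thing the GetRSAParameters lookup above does.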