- Unintended exposure of IdentityTokenValidator >= 5.8.0 and < 6.5.4
Versions of auth0.net and associated NuGet Package Auth0.AuthenticationAPI from 5.8.0 to 6.5.3 inclusive include a class named IdentityTokenValidator with a public ValidateAsync method, that only performs limited validation suitable for auth0 issued tokens.
You are affected by this vulnerability if all of the following conditions apply:
- You are using
IdentityTokenValidatorto validate untrusted ID tokens - You are using a version of Auth0.AuthenticationAPI
6.5.3or earlier
Developers should not use the IdentityTokenValidator class to validate untrusted ID tokens. See https://auth0.com/docs/tokens/guides/id-token/validate-id-token for our recommendations for validating ID tokens. https://jwt.io/ is a good resource on open source JWT validation libraries and their capabilities. Note that additional logic may be required based upon your use case.
Developers using the auth0.net and associated NuGet Package Auth0.AuthenticationAPI 6.5.3 or earlier should upgrade to the latest version 6.5.4 to prevent accidental usage of the IdentityTokenValidator class.
No. This fix patches the client library that your application runs, but will not impact your users, their current state, or any existing sessions.
- This update marks the
IdentityTokenValidator.ValidateAsyncmethod deprecated and moves the previous internal logic there to an internal method. - If you do not receive a compiler error when using this update you are not affected.
- If you receive a compiler error telling you to check SECURITY-NOTICE.md please follow the "How to fix that?" steps above.
- Dennis Detering (Spike Reply GmbH)