Harden WebHostSample dev-mode JWT auth to prevent accidental production exposure (FireWatch ce3d20a9)#140
Merged
himanshusainig merged 2 commits intoJun 17, 2026
Conversation
…on exposure (FireWatch ce3d20a9)
The WebHostSample TokenController is an anonymously reachable JWT issuer paired
with a Startup.ConfigureJwtBearerOptons branch that, when ASPNETCORE_ENVIRONMENT
is Development, disables every JWT validation (issuer, audience, lifetime,
signing-key). Together they allow any caller who can reach a Development-mode
deployment of this sample to mint a token that the sample host will accept.
FireWatch verdict on ce3d20a9 (IMPORTANT, NOT_EXPLOITABLE_BY_DESIGN):
WebHostSample is the explicit sample project with InMemoryProvider; the
symmetric key is below the 256-bit HMAC-SHA256 floor (IDX10720 rejects it);
no real production system runs this code. The real risk is downstream
consumers who clone the repo, swap in a real backing store, and ship without
removing the dev-mode auth.
This PR adds defensive hardening to protect those downstream consumers:
1. TokenController.cs - file-level "DO NOT USE IN PRODUCTION" banner + an
[Obsolete] attribute on the class so any consumer extending/referencing it
gets a compiler warning.
2. Startup.cs - the dev-mode TokenValidationParameters block is wrapped in
#if DEBUG. The preprocessor strips the entire 'if (...) { ... } else'
prefix in Release builds, leaving only the production branch which
enforces real Authority / Audience checks. Verified by building both
configurations with 0 errors.
3. README.md - explicit warning in the Authorization section pointing at
both TokenController and the dev-mode JWT branch and stating that both
must be removed before any non-sample deployment.
Each layer is independently sufficient to prevent the accidental-production
shipping scenario; combined they offer defense in depth.
This is the "Accept as Not Exploitable + hardening PR" arm of the plan agreed
with the user for finding ce3d20a9. The Partner Portal feedback is being
submitted separately.
FireWatch finding: https://firewatch-pilot-fd-atb3ceg5egfxc9gg.b02.azurefd.net/Services/fbfae0f8-2ef1-47f4-94e5-029d635c2081/scimreferencecode/ce3d20a9-a7b4-472b-bf96-1b46a1018423
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
|
@microsoft-github-policy-service agree [company="Microsoft"] |
Contributor
Author
|
@microsoft-github-policy-service agree company="Microsoft" |
- [Obsolete] now uses error: true — compile error, not suppressible warning - Added clarifying comment for the Release-build code block Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
FireWatch finding:
ce3d20a9· IMPORTANT · CWE-295/CWE-287: Improper AuthenticationSummary
The WebHostSample project contains two dangerous patterns for downstream consumers who clone this repo and swap in a real backing store:
/scim/tokenASPNETCORE_ENVIRONMENT=DevelopmentWhile not exploitable as-is (sample project with InMemoryProvider, symmetric key below HMAC-SHA256 floor), downstream consumers shipping without removing these patterns would have a fully open SCIM endpoint.
Fix (3 layers of defense in depth)
[Obsolete]on TokenController + file-level banner — generates compiler warning CS0618 for any consumer referencing or extending it#if DEBUGguard on dev-mode TokenValidationParameters — Release builds physically cannot ship the bypass (preprocessor strips the code)Each layer is independently sufficient; combined they provide defense in depth. Verified by building both Debug and Release configurations with 0 errors.