Skip to content

Harden WebHostSample dev-mode JWT auth to prevent accidental production exposure (FireWatch ce3d20a9)#140

Merged
himanshusainig merged 2 commits into
AzureAD:masterfrom
Jordancle:jordanle/FireWatch-WebHostSampleHardening
Jun 17, 2026
Merged

Harden WebHostSample dev-mode JWT auth to prevent accidental production exposure (FireWatch ce3d20a9)#140
himanshusainig merged 2 commits into
AzureAD:masterfrom
Jordancle:jordanle/FireWatch-WebHostSampleHardening

Conversation

@Jordancle

@Jordancle Jordancle commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

FireWatch finding: ce3d20a9 · IMPORTANT · CWE-295/CWE-287: Improper Authentication

Summary

The WebHostSample project contains two dangerous patterns for downstream consumers who clone this repo and swap in a real backing store:

  1. TokenController — anonymously reachable JWT issuer at /scim/token
  2. Startup.ConfigureJwtBearerOptons — disables every JWT validation check when ASPNETCORE_ENVIRONMENT=Development

While not exploitable as-is (sample project with InMemoryProvider, symmetric key below HMAC-SHA256 floor), downstream consumers shipping without removing these patterns would have a fully open SCIM endpoint.

Fix (3 layers of defense in depth)

  1. [Obsolete] on TokenController + file-level banner — generates compiler warning CS0618 for any consumer referencing or extending it
  2. #if DEBUG guard on dev-mode TokenValidationParameters — Release builds physically cannot ship the bypass (preprocessor strips the code)
  3. README.md warning in the Authorization section — explicit guidance to delete TokenController before production deployment

Each layer is independently sufficient; combined they provide defense in depth. Verified by building both Debug and Release configurations with 0 errors.

…on exposure (FireWatch ce3d20a9)

The WebHostSample TokenController is an anonymously reachable JWT issuer paired
with a Startup.ConfigureJwtBearerOptons branch that, when ASPNETCORE_ENVIRONMENT
is Development, disables every JWT validation (issuer, audience, lifetime,
signing-key). Together they allow any caller who can reach a Development-mode
deployment of this sample to mint a token that the sample host will accept.

FireWatch verdict on ce3d20a9 (IMPORTANT, NOT_EXPLOITABLE_BY_DESIGN):
  WebHostSample is the explicit sample project with InMemoryProvider; the
  symmetric key is below the 256-bit HMAC-SHA256 floor (IDX10720 rejects it);
  no real production system runs this code. The real risk is downstream
  consumers who clone the repo, swap in a real backing store, and ship without
  removing the dev-mode auth.

This PR adds defensive hardening to protect those downstream consumers:

  1. TokenController.cs - file-level "DO NOT USE IN PRODUCTION" banner + an
     [Obsolete] attribute on the class so any consumer extending/referencing it
     gets a compiler warning.

  2. Startup.cs - the dev-mode TokenValidationParameters block is wrapped in
     #if DEBUG. The preprocessor strips the entire 'if (...) { ... } else'
     prefix in Release builds, leaving only the production branch which
     enforces real Authority / Audience checks. Verified by building both
     configurations with 0 errors.

  3. README.md - explicit warning in the Authorization section pointing at
     both TokenController and the dev-mode JWT branch and stating that both
     must be removed before any non-sample deployment.

Each layer is independently sufficient to prevent the accidental-production
shipping scenario; combined they offer defense in depth.

This is the "Accept as Not Exploitable + hardening PR" arm of the plan agreed
with the user for finding ce3d20a9. The Partner Portal feedback is being
submitted separately.

FireWatch finding: https://firewatch-pilot-fd-atb3ceg5egfxc9gg.b02.azurefd.net/Services/fbfae0f8-2ef1-47f4-94e5-029d635c2081/scimreferencecode/ce3d20a9-a7b4-472b-bf96-1b46a1018423

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Jordancle

Copy link
Copy Markdown
Contributor Author

@microsoft-github-policy-service agree [company="Microsoft"]

@Jordancle

Copy link
Copy Markdown
Contributor Author

@microsoft-github-policy-service agree company="Microsoft"

Comment thread Microsoft.SCIM.WebHostSample/Controllers/TokenController.cs Outdated
Comment thread Microsoft.SCIM.WebHostSample/Startup.cs
- [Obsolete] now uses error: true — compile error, not suppressible warning
- Added clarifying comment for the Release-build code block

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@himanshusainig himanshusainig merged commit 0602e0f into AzureAD:master Jun 17, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants