Reputation: 139
I'm getting this exception when trying to authenticate with JwtBearerAuthentication:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ.eyJNYXN0ZXIiOiIxIiwiY2FzYSI6IjEiLCJ1bmlxdWVfbmFtZSI6InRlc3RlIiwianRpIjoiOWNiYmUzMDEtYjdhYy00MDQ5LTlhZjAtNzQ2MzhhNDZiYjg5IiwidXNhZ2UiOiJhY2Nlc3NfdG9rZW4iLCJjb25maWRlbnRpYWwiOnRydWUsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZDRmNTdiOS1kMDk0LTRhYmUtOTcxNi03Y2Y1NTcyYTg0M2EiLCJhenAiOiJkdXgiLCJuYmYiOjE0NjQyODM1ODYsImV4cCI6MTQ2NDI4NzE4NiwiaWF0IjoxNDY0MjgzNTg2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvIn0.nzT0K30EIbhW4OX4sq3w038c6C5U8LzJHMwszMVFvc6J18aaTUMuKx1txTzUnscZvTcHoMTV7Dyvlj9qCoVpJjnQmqhlP8Q2g-gVSPzKmX6TxB9lT4IF1hrneGj-4p1vRr9HRWb1JftMMnLwY1tfxJYcofvRTBzdofSfVtKRB1FR215VRFxUb8x4ipnICexZiSELEEC8GIN2koOVzoUAMZLQIkTVtKXV7gwi-lF0ECZem28FQ4ar2cmZPrQr0z0B8b-YemPhcLzJplIdCpDx8XHhLIIqLWO5ep7cK29HON8_LobvbXDCXrwUqJbNt2m5wtKYJ5qodfL5aWeo9Y09Wg.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_',
token: '{"alg":"RS256","typ":"JWT","kid":"WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_"}.{"Master":"1","casa":"1","unique_name":"teste","jti":"9cbbe301-b7ac-4049-9af0-74638a46bb89","usage":"access_token","confidential":true,"scope":"offline_access","sub":"8d4f57b9-d094-4abe-9716-7cf5572a843a","azp":"dux","nbf":1464283586,"exp":1464287186,"iat":1464283586,"iss":"http://localhost:5000/"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Error: Exception occurred while processing message.
I'm using OpenIdConnectServer to issue tokens:
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.Provider = new AuthorizationProvider();
    options.UseJwtTokens();
});
// Add a new middleware validating access tokens issued by the server.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    RequireHttpsMetadata = false,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateIssuer = false,
        ValidateIssuerSigningKey = false
    }
});
Upvotes: 2
Views: 4469
Reputation: 42070
For some reason, IdentityModel (the library behind the JWT bearer middleware) seems to ignore your ValidateIssuerSigningKey = false directive (which is extremely bad in practice, since everybody could forge a fake token that would be accepted by the JWT bearer middleware).
To fix this issue (and make your API really secure), configure the Authority property to allow the JWT bearer middleware to download the signing key from the OpenID Connect server middleware:
app.UseJwtBearerAuthentication(new JwtBearerOptions {
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/", // base address of your API.
    RequireHttpsMetadata = false
});
Upvotes: 3
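The IDX10501 error above is the key-selection step of signature validation: the middleware takes the kid from the token header and looks for a matching key in the issuer's published key set, which it only obtains once Authority points it at the discovery document. The following added example (not code from the question, the answer, or the IdentityModel library) replays that lookup in Python on the header segment of the token quoted in the question; the JWKS document is a constructed stand-in with a placeholder modulus, and only key selection is shown, not RS256 signature verification.

```python
import base64
import json


class SigningKeyNotFound(Exception):
    """Raised when no published key matches the token's 'kid' (cf. IDX10501)."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_header(token: str) -> dict:
    # The header is the first dot-separated segment; a bare header segment also works.
    return json.loads(b64url_decode(token.split(".")[0]))


def resolve_signing_key(header: dict, jwks: dict) -> dict:
    # Select the JWK whose 'kid' (and 'alg', if the key states one) match the header.
    # With no Authority configured the middleware has an empty key set, so this
    # step fails for every token, which is exactly the situation in the question.
    kid, alg = header.get("kid"), header.get("alg")
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("alg", alg) == alg:
            return jwk
    raise SigningKeyNotFound(f"Signature validation failed. Unable to match 'kid': '{kid}' "
                             f"against {len(jwks.get('keys', []))} published key(s).")


def key_lookup_fails(header: dict, jwks: dict) -> bool:
    # Convenience predicate: True when key selection raises SigningKeyNotFound.
    try:
        resolve_signing_key(header, jwks)
    except SigningKeyNotFound:
        return True
    return False


def jwk_public_exponent(jwk: dict) -> int:
    # JWK RSA parameters are base64url-encoded big-endian unsigned integers.
    return int.from_bytes(b64url_decode(jwk["e"]), "big")


# Header segment of the token quoted in the question.
QUESTION_TOKEN_HEADER = "eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ"

# Constructed stand-in for the issuer's JWKS (what {Authority}/.well-known/openid-configuration
# -> jwks_uri would serve). The modulus is a labelled placeholder, not real key material.
CONSTRUCTED_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                              "kid": "WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_",
                              "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}]}

if __name__ == "__main__":
    hdr = parse_jwt_header(QUESTION_TOKEN_HEADER)
    print("without Authority (empty key set), lookup fails:", key_lookup_fails(hdr, {"keys": []}))
    key = resolve_signing_key(hdr, CONSTRUCTED_JWKS)
    print("with Authority, matched kid", key["kid"], "e =", jwk_public_exponent(key))
```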