Reputation: 2994
I am using ASP.NET Core with OpenIddict; for authorization I am using the JWT middleware:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    RequireHttpsMetadata = false,
    Authority = "http://localhost"
});
but for some reason it's throwing this error; any help will be appreciated.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7]
      Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': '7FG4SQ4TIATESTLI-ZDHTLRYPWIEDU_RA1FVG91D', token: '{"alg":"RS256","typ":"JWT","kid":"7FG4SQ4TIATESTLI-ZDHTLRYPWIEDU_RA1FVG91D"}.{"unique_name":"asd","email":"asd","AspNet.Identity.SecurityStamp":"eb93ee44-6dbf-41b8-b1d6-157e4aa23ea7","jti":"4f0f5395-e565-4489-8baf-6361d5c4cb94","usage":"access_token","confidential":true,"scope":["offline_access","profile","email","roles"],"sub":"9125d8c5-5739-4f46-8747-e3423a464969","azp":"firebaseApp","nbf":1466997962,"exp":1466999762,"iat":1466997962,"iss":"http://localhost:5000/"}'.
warn: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
warn: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Upvotes: 3
Views: 3746
Reputation: 177
If you are using a third-party STS (not IdentityServer or Auth0, for example), then you can use a BackChannelHandler to make it easier to debug the HTTP result from the middleware:
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
    ...
    BackchannelHttpHandler = new BackChannelHandler()
    ...
});
Then
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

namespace Application.API.Utilities
{
    public class BackChannelHandler : HttpMessageHandler
    {
        // One shared client: creating a new HttpClient (and handler) on every call
        // leaks sockets under load.
        private static readonly HttpClient Client = new HttpClient();

        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Set a breakpoint here to inspect what the middleware asks the STS for
            // (discovery document, JWKS) and what comes back.
            var forwarded = new HttpRequestMessage(HttpMethod.Get, request.RequestUri);

            // Ask explicitly for JSON; some servers default to text/html for these endpoints.
            forwarded.Headers.Add("Accept", "application/json");

            var res = await Client.SendAsync(forwarded, cancellationToken);
            return res;
        }
    }
}
In my case the default return type for the jwks and openid-configuration endpoints was text/html instead of application/json. By adding an Accept header when making the request from the custom handler, everything works.
Upvotes: 2
Reputation: 49789
Authority should contain the base address of your OIDC server. You should specify the Authority URL with the port (5000 in your case, according to the "iss" claim in the token):
Authority="http://localhost:5000"
You may disable Authority validation by setting ValidateIssuerSigningKey = false. JwtBearerOptions contains a TokenValidationParameters property that aggregates the validation settings:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    ...
    TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = false }
});
Upvotes: 2
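Pulling the two answers together, here is an added example (not code from the question, either answer, or OpenIddict) of the middleware pointed at the Authority that matches the token's "iss" claim, with signature and lifetime validation left switched on, plus a DelegatingHandler that sets the Accept header on the back-channel requests without creating a new HttpClient per call. It targets the same ASP.NET Core 1.x UseJwtBearerAuthentication API the thread uses. The JsonAcceptHandler class name and the "resource-server" audience value are assumptions introduced for the example.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

namespace Application.API
{
    // Added example (not from the question or the answers): a DelegatingHandler that
    // forces "Accept: application/json" on the middleware's discovery/JWKS requests.
    // It reuses one inner HttpClientHandler and forwards the original request
    // (method, URI, cancellation token) instead of building a new HttpClient per call.
    public class JsonAcceptHandler : DelegatingHandler
    {
        public JsonAcceptHandler() : base(new HttpClientHandler()) { }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            request.Headers.Accept.Clear();
            request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
            return base.SendAsync(request, cancellationToken);
        }
    }

    public class Startup
    {
        public void Configure(IApplicationBuilder app)
        {
            app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,

                // Must match the token's "iss" claim, port included. With "http://localhost"
                // the middleware downloads the discovery document and JWKS from the wrong
                // place, so no key with the token's "kid" is found and IDX10501 is logged.
                Authority = "http://localhost:5000/",

                // Only acceptable against a local development server; metadata for a real
                // deployment is fetched over HTTPS.
                RequireHttpsMetadata = false,

                // Optional: helps with servers that return text/html for the JSON endpoints.
                BackchannelHttpHandler = new JsonAcceptHandler(),

                TokenValidationParameters = new TokenValidationParameters
                {
                    // Keep this on. It validates the resolved signing key itself (for example
                    // certificate validity) after the signature check; it does not replace
                    // the "kid" lookup that failed in the question, so turning it off is not
                    // the fix. Correcting Authority is.
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens = true,
                    ValidateIssuer = true,   // issuer is taken from the discovery document
                    ValidateLifetime = true, // enforces "nbf" and "exp"
                    ClockSkew = TimeSpan.FromMinutes(1),

                    // The token in the question carries no "aud" claim. Have the authorization
                    // server issue one for this API and check it here; "resource-server" is a
                    // placeholder for that value.
                    ValidateAudience = true,
                    ValidAudience = "resource-server"
                }
            });
        }
    }
}
```

The handler keeps the middleware's own request object, so any headers or cancellation the middleware attaches survive; the earlier answer's approach of issuing a fresh GET from a new HttpClient works for debugging but discards them.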