user2297037

Reputation: 1217

WebApi call always unauthorized

I am implementing access token validation on my ASP.NET Web API, but although I am trying to disable any kind of check, I always get 401 Unauthorized. I have only added the code that follows and the Authorize attribute in the controller:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        TokenValidationParameters validationParameters =
            new TokenValidationParameters
            {
                ValidateIssuer = false,
                ValidateIssuerSigningKey = false,
                RequireSignedTokens = false,
                RequireExpirationTime = false,
                ValidateAudience = false,
                ValidateLifetime = false,
                ValidateActor = false
            };

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions()
        {
            TokenValidationParameters = validationParameters
        });
    }
}

In addition, this is the Global.asax:

{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        GlobalConfiguration.Configure(WebApiConfig.Register);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }
}

I am sure that the token I am using works, because if I use ADFS validation instead of this manual validation the flow works correctly.

UPDATE: After enabling debug info, I noticed I'm getting the following error.

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x84371F65121DD3A5362C77EF61C5CC4EE5AD3807) )

Upvotes: 1

Views: 584

Answers (1)

user2297037

Reputation: 1217

First I added diagnostics on Owin:

<system.diagnostics>
  <switches>
    <add name="Microsoft.Owin" value="Verbose" />
  </switches>
</system.diagnostics>

Then I added the IssuerSigningToken among the TokenValidationParameters since the middleware was trying to validate the token. I found this solution thanks to this answer https://stackoverflow.com/a/35835672/2297037.

Upvotes: 2
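The fix described in the answer, written out as an added example (not the poster's code): the ADFS token-signing certificate is supplied as IssuerSigningToken so the thumbprint key identifier from the IDX10500 error can be resolved, and the issuer, audience and lifetime checks stay enabled. It assumes the System.IdentityModel.Tokens.Jwt 4.x API used in the question; the certificate store location and the ValidIssuer and ValidAudience values are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    // Thumbprint from the IDX10500 error above: the key identifier the token carries.
    private const string SigningCertThumbprint = "84371F65121DD3A5362C77EF61C5CC4EE5AD3807";

    public void Configuration(IAppBuilder app)
    {
        X509Certificate2 signingCert = LoadSigningCertificate(SigningCertThumbprint);

        var validationParameters = new TokenValidationParameters
        {
            // Key material the handler uses to resolve the thumbprint key identifier.
            IssuerSigningToken = new X509SecurityToken(signingCert),
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = "https://adfs.example.test/adfs/services/trust", // placeholder
            ValidateAudience = true,
            ValidAudience = "https://api.example.test/",                   // placeholder
            ValidateLifetime = true,
            RequireExpirationTime = true
        };

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            TokenValidationParameters = validationParameters
        });
    }

    // Assumption: the public signing certificate was imported into LocalMachine\TrustedPeople.
    private static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Signing certificate not found: " + thumbprint);
            return matches[0];
        }
        finally { store.Close(); }
    }
}
```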
