Similar to the problem mentioned here, I have an issue where JWT validation works when running on .NET Core 2.2 (on macOS and on Windows) but fails to run on .NET Framework 4.7.2; there, it throws an exception:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: 'IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: '. Exceptions caught: ''. token: '{"typ":"JWT","alg":"RS256"}.{"sub":"username","scope":"examplescope","roles":["examplerole"],"iss":"https://example.com/","exp":1556788122,"iat":1555316893}'.'
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) in C:\agent1_work\109\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 979
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\agent1_work\109\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 722
at JWTTest.Program.Main(String[] args) in C:\Users\User\source\repos\JWTTest\JWTTestCore\Program.cs:line 35
Test program:
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

namespace JWTTest {
    class Program {
        static void Main(string[] args) {
            // Validation parameters
            //var rsa = new RSACryptoServiceProvider(); // this works in .NET Core on macOS but not on Windows ...
            var rsa = RSA.Create();
            rsa.KeySize = 2048;
            // Only Modulus and Exponent are imported, i.e. the issuer's public key.
            rsa.ImportParameters(new RSAParameters {
                Modulus = Convert.FromBase64String("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"),
                Exponent = Convert.FromBase64String("AQAB")
            });
            var validationParameters = new TokenValidationParameters {
                ClockSkew = TimeSpan.FromMinutes(1),
                ValidateAudience = false,
                ValidateIssuer = true,
                ValidIssuer = "https://example.com/",
                IssuerSigningKey = new RsaSecurityKey(rsa)
            };

            // Verify token
            IdentityModelEventSource.ShowPII = true; // include key/token details in exception messages
            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            var token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VybmFtZSIsInNjb3BlIjoiZXhhbXBsZXNjb3BlIiwicm9sZXMiOlsiZXhhbXBsZXJvbGUiXSwiaXNzIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS8iLCJleHAiOjE1NTY3ODgxMjIsImlhdCI6MTU1NTMxNjg5M30.XHowlwvKX73I2KqKFInaadAGZNtj7UVvjh1EuodnttlUOmC59Q6XPSwrKkATLqicl46c7ItYGl75Mj5PVy03tOXXlxgsgoP81t1WM08QeHlrbPvay1aSFqcj7JcnX6fu9qiXzRhhh2XYw5UrT8-R3kIQMQA7d4cnT6Z1oeoHzV38ywi3rv3BapwuFtrFmSXHHsQMcTUK_Whf-5CEPj6O9CEdCXKFh05McGZDBoYBgZpn7d2H2EJNV9KhsasafsD7TVs6w3myOfc3HaqtHhFDUmpzwmWZdzn-i0zSxz1qussd9ovDaf03zkd7OWtau9_44T1KkWVK8GlAxuXnuPmCuh76ELQjpNqQerRL-F4EYkUwUJEQHFf2IolpCx4i2pDkzyax-fL4ZwjsncWNUJdXyex3Pk-OcSD11lJl0UWRE5gh-pOeEd1Ybhxu4z42Vet1rAM3VWXXyJQzAz2diVTJIbvaG3uq4-HxoBTkvfpXLj_2RN_oSTkyD8JoBIHQtMT1h7eZhHbxFLsxLoGNQVWJmyU_BPCs282m41n2Jd4ezR1M1XlLUixk8v1M1Rjxg3s7c8Q_PezmXzv3IrK8ftrmfb73uBwTxJukOeFk3yC7e7ZLhYJsBlJsyeGfJF8ayNSjxwkrXJN3JVZMOzZCQNnl3zc8AL6gjloFFlhgB5nlxJU";
            // exception is thrown on the next line:
            var user = handler.ValidateToken(token, validationParameters, out SecurityToken validatedToken);
            foreach (var role in user.Claims.Where(c => c.Type == ClaimTypes.Role)) {
                Console.WriteLine("Role: " + role.Value);
            }
        }
    }
}
The JWT is generated with this Java library but I'm not sure if that matters; according to jwt.io it is valid. (The link says invalid signature, but that's a bug in the website; just add a newline at the end of the public key to trigger the verification.) I've tried tokens generated by RS256 and RS512 algorithms but that doesn't make a difference.
I'm not sure if it depends on the Visual Studio setup;
Upvotes: 1
Views: 4988
No, the Java library should not be the problem. The issue is mentioned in the same link you attached. You need to override and use custom key verification since there is some kind of error attached with RSA decryptions in the library.
Take a look at this and this for more info [again, it's the same link you attached from].
The issue was referenced in another issue and it was closed. Possibly it should be fixed, unless some packages are not updated or in the version mentioned there.
Upvotes: 1
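The "custom key verification" route the answer refers to, written out as an added example for the question's setup (this is not code from the question, the answer or the Microsoft.IdentityModel library). It plugs a `TokenValidationParameters.SignatureValidator` delegate into the same `ValidateToken` call used above, so the handler's built-in RSA signature check is bypassed while issuer and lifetime validation still run. Assumptions: the public key is loaded into `RSACng` (System.Core, .NET Framework 4.6 and later; Windows-only on .NET Core) rather than `RSA.Create()`, and the `ModulusBase64` / token values are placeholders you replace with the issuer's real public key and a token from that issuer.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

namespace JwtCustomVerify
{
    class Program
    {
        // Constructed placeholders: substitute the issuer's real public-key modulus
        // (base64) and a token issued by that issuer.
        const string ModulusBase64 = "<PUBLIC-KEY-MODULUS-BASE64>";
        const string ExponentBase64 = "AQAB";

        static RSA LoadPublicKey()
        {
            // Assumption: RSACng is used instead of RSA.Create(), which on
            // .NET Framework returns RSACryptoServiceProvider.
            var rsa = new RSACng();
            rsa.ImportParameters(new RSAParameters
            {
                Modulus = Convert.FromBase64String(ModulusBase64),
                Exponent = Convert.FromBase64String(ExponentBase64)
            });
            return rsa;
        }

        // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over the ASCII bytes of "header.payload".
        static bool VerifyRs256(string token, RSA publicKey)
        {
            var parts = token.Split('.');
            if (parts.Length != 3) return false;

            var signedData = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
            var signature = Base64UrlEncoder.DecodeBytes(parts[2]); // base64url, no padding

            return publicKey.VerifyData(signedData, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }

        static TokenValidationParameters BuildParameters(RSA publicKey)
        {
            return new TokenValidationParameters
            {
                ClockSkew = TimeSpan.FromMinutes(1),
                ValidateAudience = false,
                ValidateIssuer = true,
                ValidIssuer = "https://example.com/",
                IssuerSigningKey = new RsaSecurityKey(publicKey),

                // Called by JwtSecurityTokenHandler in place of its own signature check.
                // Issuer, lifetime and the other claim checks still run after it returns.
                SignatureValidator = (token, parameters) =>
                {
                    var jwt = new JwtSecurityToken(token);

                    // Pin the algorithm: never let the token's own header pick "none",
                    // an HMAC variant or anything other than the RS256 we expect.
                    if (!string.Equals(jwt.Header.Alg, SecurityAlgorithms.RsaSha256, StringComparison.Ordinal))
                        throw new SecurityTokenInvalidSignatureException(
                            "Unexpected alg '" + jwt.Header.Alg + "'; only RS256 is accepted.");

                    if (!VerifyRs256(token, publicKey))
                        throw new SecurityTokenInvalidSignatureException("RS256 signature verification failed.");

                    return jwt;
                }
            };
        }

        static void Main(string[] args)
        {
            var token = args.Length > 0 ? args[0] : "<TOKEN-FROM-YOUR-ISSUER>";
            var handler = new JwtSecurityTokenHandler();

            try
            {
                var principal = handler.ValidateToken(token, BuildParameters(LoadPublicKey()), out SecurityToken validated);
                Console.WriteLine("Token accepted for subject: " + ((JwtSecurityToken)validated).Subject);
            }
            catch (SecurityTokenException ex)
            {
                // Covers bad signature, wrong issuer, expired token, etc.
                Console.WriteLine("Token rejected: " + ex.Message);
            }
        }
    }
}
```

Two points worth keeping when you adopt this: the delegate must throw (not return null) on a bad signature, otherwise the handler treats the token as signed; and the `alg` pin is what stops a forged header from steering verification onto a path the key was never meant for. Once the underlying library issue is resolved in your package versions, drop the `SignatureValidator` and let the handler verify with `IssuerSigningKey` again.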