
I'm getting this exception when trying to authenticate with JwtBearerAuthentication:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ.eyJNYXN0ZXIiOiIxIiwiY2FzYSI6IjEiLCJ1bmlxdWVfbmFtZSI6InRlc3RlIiwianRpIjoiOWNiYmUzMDEtYjdhYy00MDQ5LTlhZjAtNzQ2MzhhNDZiYjg5IiwidXNhZ2UiOiJhY2Nlc3NfdG9rZW4iLCJjb25maWRlbnRpYWwiOnRydWUsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZDRmNTdiOS1kMDk0LTRhYmUtOTcxNi03Y2Y1NTcyYTg0M2EiLCJhenAiOiJkdXgiLCJuYmYiOjE0NjQyODM1ODYsImV4cCI6MTQ2NDI4NzE4NiwiaWF0IjoxNDY0MjgzNTg2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvIn0.nzT0K30EIbhW4OX4sq3w038c6C5U8LzJHMwszMVFvc6J18aaTUMuKx1txTzUnscZvTcHoMTV7Dyvlj9qCoVpJjnQmqhlP8Q2g-gVSPzKmX6TxB9lT4IF1hrneGj-4p1vRr9HRWb1JftMMnLwY1tfxJYcofvRTBzdofSfVtKRB1FR215VRFxUb8x4ipnICexZiSELEEC8GIN2koOVzoUAMZLQIkTVtKXV7gwi-lF0ECZem28FQ4ar2cmZPrQr0z0B8b-YemPhcLzJplIdCpDx8XHhLIIqLWO5ep7cK29HON8_LobvbXDCXrwUqJbNt2m5wtKYJ5qodfL5aWeo9Y09Wg.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_', 
token: '{"alg":"RS256","typ":"JWT","kid":"WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_"}.{"Master":"1","casa":"1","unique_name":"teste","jti":"9cbbe301-b7ac-4049-9af0-74638a46bb89","usage":"access_token","confidential":true,"scope":"offline_access","sub":"8d4f57b9-d094-4abe-9716-7cf5572a843a","azp":"dux","nbf":1464283586,"exp":1464287186,"iat":1464283586,"iss":"http://localhost:5000/"}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Error: Exception occurred while processing message.

I'm using OpenIdConnectServer to issue tokens:

// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.Provider = new AuthorizationProvider();
    options.UseJwtTokens();
});

// Add a new middleware validating access tokens issued by the server.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    RequireHttpsMetadata = false,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateIssuer = false,
        ValidateIssuerSigningKey = false
    }
});
Kévin Chalet
  • Adding more details would be useful: are you running your app behind IIS? IIS Express? Are you seeing a warning message in the output window at startup time? – Kévin Chalet May 26 '16 at 18:29
  • @Pinpoint I'm running on Kestrel and I receive the messages "No explicit signing credentials have been registered." and "An existing key was automatically added to the signing credentials list". – Fernando Medeiros May 26 '16 at 18:31
  • @Pinpoint It used to work on RC1, but I was setting TokenValidationParameter.ValidateSignature to false (it seems not to exist anymore). – Fernando Medeiros May 26 '16 at 18:35

1 Answer

For some reason, IdentityModel (the library behind the JWT bearer middleware) seems to ignore your ValidateIssuerSigningKey = false directive (which is extremely bad in practice, since everybody could forge a fake token that would be accepted by the JWT bearer middleware).

To fix this issue (and make your API really secure), configure the Authority property to allow the JWT bearer middleware to download the signing key from the OpenID Connect server middleware:

app.UseJwtBearerAuthentication(new JwtBearerOptions {
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/", // base address of your API.
    RequireHttpsMetadata = false
});
Kévin Chalet
  • Thank you for this answer and for creating this awesome implementation of OpenIdConnect :) – Fernando Medeiros May 26 '16 at 18:41
  • Haha, thanks for the kind words! On a related note, since your authorization server and your API are part of the same app, you might want to try the new validation middleware and use opaque tokens (the new default format). Unlike the JWT bearer middleware, the validation middleware doesn't require setting the authority/audience: http://stackoverflow.com/a/33147208/542757 – Kévin Chalet May 26 '16 at 18:47
  • I'm also getting this same error after upgrading to ASP.NET Core 1.0 RTM. At first it seems that this answer does not resolve the issue. What exactly is the kid that does not match? – Antti Simonen Jul 06 '16 at 08:57
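The following is an added, stand-alone example (not code from the question, the answer, or the OpenIdConnectServer project) that reproduces the behaviour discussed in the thread: with System.IdentityModel.Tokens.Jwt, the signature of an RS256 token is always verified against a key resolved by its kid header, and ValidateIssuerSigningKey = false only skips extra checks on the resolved key (such as certificate validity), never the signature check itself. It issues a token with one key and validates it against a trusted key; when the kid does not match any trusted key, the handler throws the same SecurityTokenSignatureKeyNotFoundException (IDX10501) shown in the question. Key ids, the issuer URL and the claim values are constructed for the demo; the code assumes the System.IdentityModel.Tokens.Jwt NuGet package in a console project.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class KidMatchingDemo
{
    // Build an RSA signing key with an explicit "kid" so it ends up in the JWT header.
    // (Constructed for the demo; a real server would load or generate its key once.)
    static RsaSecurityKey NewKey(string kid) =>
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = kid };

    // Issue a short-lived RS256 token the way an authorization server would.
    static string Issue(RsaSecurityKey key, string issuer)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "demo-user") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validate with the same flags the question used. The trusted key is what the
    // JWT bearer middleware would have obtained from the server's metadata endpoint
    // once Authority is configured; without any key, every signed token is rejected.
    static string Validate(string token, SecurityKey trustedKey)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = trustedKey,
            ValidateIssuerSigningKey = false, // does NOT disable signature validation
            ValidateIssuer = false,
            ValidateAudience = false,
        };

        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return "accepted";
        }
        catch (SecurityTokenException ex)
        {
            // For a kid that matches no trusted key this is
            // SecurityTokenSignatureKeyNotFoundException with an IDX10501 message.
            return "rejected: " + ex.GetType().Name + " / " + ex.Message.Split('.')[0];
        }
    }

    static void Main()
    {
        const string issuer = "http://localhost:5000/"; // constructed, as in the question

        var serverKey  = NewKey("server-kid");  // the key the API trusts
        var unknownKey = NewKey("unknown-kid"); // a key the API has never seen

        string validToken   = Issue(serverKey, issuer);
        string unknownToken = Issue(unknownKey, issuer);

        Console.WriteLine(Validate(validToken, serverKey));
        Console.WriteLine(Validate(unknownToken, serverKey));
    }
}
```

Running it prints "accepted" for the token signed with the trusted key and a rejection naming SecurityTokenSignatureKeyNotFoundException for the other one, even though ValidateIssuerSigningKey is false in both cases. That is the point of the accepted answer: the middleware needs a trusted key source (Authority, or an explicit IssuerSigningKey as above) to match the kid, and there is no flag that makes it accept a signed token it cannot verify.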