60

I have the following code which was working when I was using System.IdentityModel.Tokens.Jwt, Version=4.0.20622.1351

private static void ConfigureAzureAD(IAppBuilder appBuilder)
{
    appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        });
}

However as soon as I upgraded this package to the latest one which is version 5 it no longer compiles complaining Reference to type 'TokenValidationParameters' claims it is defined in System.IdentityModel.Token.Jwt but it could not be found.

Also if you try the following compiler will warn you that Audience is obsolete:

 private static void ConfigureAzureAD(IAppBuilder appBuilder)
    {
        appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                Audience = ConfigurationManager.AppSettings["ida:Audience"]
            });
    }

I downgraded this DLL again and used the version 4.0.20622.1351, it started compiling.

Has there been a syntax change for Configuring the Azure Active Directory?

On Github I could not find a single project using the latest package 5.0.0 and all of them are using the previous package 4.0.20622.1351. Can anyone shed some light on this using the latest System.IdentityModel.Tokens.Jwt 5.0.0 or direct me to some project on Github using the latest package?

MHOOS
  • 5,146
  • 11
  • 39
  • 74
  • Had the same problem. Looking at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet it seems that 5.0 is only for ASP.NET Core. – Martin Aug 16 '16 at 10:51

5 Answers5

30

TokenValidationParameters is in assembly: Microsoft.IdentityModel.Tokens

It looks like you are using Katana (the first version of asp.net OWIN offering). Katana does not support 5.0.0. You need to stick with 4.x.

The latest version of asp.net takes a dependency on S.IM.xx and M.IM.xxx 5.0. https://github.com/aspnet

Brent Schmaltz
  • 1,151
  • 6
  • 7
  • 10
    That's not the answer to the question. Problem is fully clear and I am looking for some fix. I don't care in which assembly that TokenValidationParameters is. I expect the code to be working when I upgrade the package. – MHOOS Jun 30 '16 at 16:22
  • @MHOOS. You need to know in which assembly TVP is present if you are doing this `new System.IdentityModel.Tokens.TokenValidationParameters` in your code. Also, its a major version upgrade and there are breaking changes as explained here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/CHANGELOG.md#major-changes-from-4x. Samples can be found here: https://github.com/Azure-Samples?utf8=%E2%9C%93&query=aspnetcore – ezile Jun 30 '16 at 18:34
  • Also, it seems you are using Katana. That does not support 5.x. – ezile Jun 30 '16 at 18:36
  • 21
    @brent-schmaltz and @ezile I think you're missing the point. Nuget reports that v5.0.0 is an upgrade to v4.0.2.x. But a) there is no link to project info in order to discover the changelog.md (most packages have such a link), b) it's more than a breaking change; it's a "you need to move your entire platform over if you want to update this package" change, c) you can set the Nuget package to require "not any later than version X" dependencies, and d) may I introduce you to the `System.ObsoleteAttribute` decoration? It's been in .NET since 1.0. It's really helpful in cases like this. – Alan McBee Aug 06 '16 at 00:53
  • @ezile - Yeah, there's a problem with the samples. They reference the 4.0.0 version of System.IdentityModel.Tokens.Jwt. If you upgrade to 5.1.2, the sample (e.g. active-directory-dotnet-webapi-manual-jwt-validation) crashes. – Quark Soup Feb 18 '17 at 14:45
  • 9
    I agree, this is a fairly big fail on Microsoft's part. This is clearly not bringing the package forward, but a different paradigm altogether. It's unfortunate that they didn't separate the namespaces and create a separate set of classes. – John Fager Apr 04 '17 at 19:43
  • The issue has nothing to do with Katana. I'm constructing a fresh MVC 4 Win API service and have run into the exact same problem. – Quark Soup Jun 04 '17 at 22:39
  • 2
    @MikeDoonsebury If you're using the OWIN packages with Web API, it's Katana. It's not well-documented that's the case, though. – Nate Barbettini Aug 24 '17 at 00:01
  • Does anyone know if a fix for this is on its way, or if MS is just ignoring the problem? – ruffen Oct 03 '17 at 10:07
  • This is diabolical. Just ran into this issue using OWIN 3.1, having added a reference to the Twilio nuget package, and finding that my `TokenValidationParameters` is no longer working. Let's hope that the OWIN 4.0 Preview is in a good state. – Brendan Green Dec 21 '17 at 06:16
  • 1
    The accepted answer today should be @Nate Barbettini's as the released Katana components can be made to work with some minor namespace changes https://stackoverflow.com/a/45851021/11635 IMO – Ruben Bartelink Feb 19 '18 at 23:37
  • What is Katana? Literally NONE of any of these packages related to Owin or JWT have the word Katana in them. Also, shouldn't NuGet enforce package dependencies so that this doesn't happen? Like... if you update a package from v4 to v5, that shouldn't break everything. It should force the upgrade of dependent packages so they continue to work. – Triynko Feb 10 '20 at 21:26
19

Short version: Make sure you use version 4.0 or later of the Microsoft.Owin packages, such as Microsoft.Owin.Security.Jwt.

As the other answers mentioned, there was a breaking change in System.IdentityModel.Tokens.Jwt from version 4.0 to 5.0. This caused problems because some packages like Microsoft.IdentityModel.Protocols depended on version 5.0, while older Katana/OWIN packages like Microsoft.Owin.Security.Jwt were still hardcoded to depend on version 4.0.

The good news is that this is being fixed in the new Katana 4.0 release. The 4.0 packages (such as Jwt and Cookies) have been published to NuGet as prerelease packages and will be available as stable packages soon.

Nate Barbettini
  • 51,256
  • 26
  • 134
  • 147
  • 4
    We dropped IdentityModel 5.2.0-preview1 with Katana 4.0-alpha1 on nuget.org. See: https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/4.0.0-alpha1 and https://www.nuget.org/packages/Microsoft.IdentityModel.Tokens/5.2.0-preview1-408290725 – Brent Schmaltz Sep 14 '17 at 03:16
  • @BrentSchmaltz Nice, excited to see those 4.0 packages making progress towards stable! Updated my answer. – Nate Barbettini Jan 04 '18 at 23:52
  • @ThomasLevesque released on Feb 19 – Ruben Bartelink Feb 19 '18 at 11:04
  • I just pulled the latest versions available on NuGet and this fails. Not sure why. I didn't chose 4 or 5, simply accepted whatever latest (non-prerelease) was offered to me. – NitinSingh Aug 06 '18 at 13:50
  • @NitinSingh There might be an existing package in your project that is requesting the 4.0 version. – Nate Barbettini Aug 06 '18 at 17:38
  • The existing references built just 1.5 month back were having compiling code, now when a new dev checks out the branch and update all packages, he is unable to build... We are wondering if packages change like that, what will happen to code in production when we have to deploy a hot fix... Things like this will delay वे too long than the solution development – NitinSingh Aug 06 '18 at 18:57
7

I don't know when or if this will ever be fixed, but I hope it will. I've already posted these issues on the Github site for the AAD extensions and on the Katana site. You can follow along with the discussions and progress on those sites, and if you care to, you can always post your interest in seeing this addressed.

I can't understand how this was not seen as an issue before release. "Upgrade to .Net Core" is not a reasonable solution. My app has no chance of doing that for a good while, as do most non-trivial projects.

ChrisW
  • 9,151
  • 1
  • 20
  • 34
  • 1
    Is there a specific reason why you need to upgrade to M.IM 5.0? S.IM 4.x is a supported release that works with Katana. – Brent Schmaltz Jul 08 '16 at 16:33
  • 24
    It's the tao of Nuget. I like to keep my Nuget upgrades window clean. I have sooo many Nuget items added to this project, and there are many projects that I work on, that I can't remember "oh, this item is a breaking upgrade." If you apply it, you'll break your app. I think a better approach would have been to release a separate Nuget project, not as an upgrade. Call it 5.0 or whatever, but not have it been an upgrade. That would have been cleaner. An upgrade may break a project, but with 5.0 there's no amount of my coding that can fix it. So its not an upgrade; its a new product – ChrisW Jul 09 '16 at 17:52
  • 1
    Xhris, I hear you. We wanted to keep the packages logically together as they represent our IdentityModel for Core offering. We are fixing Katana to use the 5.x version. So, I a couple of months this will all go away. – Brent Schmaltz Jul 07 '17 at 03:30
  • @BrentSchmaltz, any update when Katana fix will be available? – Michael Freidgeim Sep 12 '17 at 13:50
  • @BrentSchmaltz, a couple of months :) – devmiles.com Oct 25 '17 at 12:51
  • So much for this being fixed in a couple of months, it's now late January 2018 and this is still an issue. – Justin Jan 30 '18 at 19:47
  • @Justin fixed now ;) Can we upvote Nate's answer to de-emphasize this now-misleading answer please. – Ruben Bartelink Feb 19 '18 at 23:39
  • @BrentSchmaltz I just pulled an update and its still not working (after an year of your original comment) – NitinSingh Aug 06 '18 at 13:47
6

So I am also experiencing the same issue today. After looking down to the bottom of it I think I know the answer.

In short it is the issue with Katana project (http://katanaproject.codeplex.com/) being failed to comply with the current changes of Windows Azure Active Directory IdentityModel Extensions for .Net (https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet)

For more details, TokenValidationParameters was there in System.IdentityModel.Tokens.Jwt assembly verion 4.0 but it has been moved out in version 5.0. The new home for it is now in assembly Microsoft.IdentityModel.Tokens.

Sorry I can not provide a fix it is a design change from which the Katana code base needs to be dramatically refactored.

Thuc Nguyen
  • 1,621
  • 1
  • 11
  • 10
0

Katana currently will not work with the 5.x version of IdentityModel. https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

However, there is work underway to fix this. Timeline is not set yet.

Brent Schmaltz
  • 1,151
  • 6
  • 7
  • 3
    I have this issue, but don't have a package called 'Katana' installed, Were the authors dumb enough to name the package differently from the project name?? If so, what is the name of the thing that Needs removed? How can I get this to work with 5.1, as I don't see any sense in doing new implementations in the old/obsolete way. – Traderhut Games Jul 05 '17 at 21:01
  • 1
    It appears that 6.22 MILLION people downloaded this, and one would presume are also out of luck with their projects. There doesn't seem to be any examples online of anyone using this updated version. I may have to ask that question instead. :-( – Traderhut Games Jul 05 '17 at 21:25
  • Katana was a development name for a version of asp.net that use the OWIN pipeline. It is the precursor to the current asp.net Core. As an intern step, the IdentityModel libraries were modified to support Katana. The 5.x versions have .Net Standard targets. You can not use them against the shipping version of Katana. An updated version of Katana is due out shortly to fix this issue. – Brent Schmaltz Jul 26 '17 at 14:24
  • 2
    I am not using Katana as far as I can see. I just tried to move to dotNet Core, and stopped when I found that too much of what I need in EntityFrameworkCore is not even close to being implemented. – Bruce Patin Aug 30 '17 at 18:31
  • @BrentSchmaltz - This was last year, I worked for a different company then, sorry, I really have no idea if I got it resolved... – Traderhut Games Aug 21 '18 at 16:47