1

In .net core 2.2 when i containerize the app i get a Bearer error="invalid_token", error_description="The signature is invalid"

It is working fine when i host it on windows using IIS/IIS express.

My code -- The token generator is IBM API Connect it uses RSA 256 Algorithm to generate the key

 var rsa = new RSACryptoServiceProvider();
 string exponentvalue = "AQAB";
 var e = Base64UrlEncoder.DecodeBytes(exponentvalue);
 var N = "public key  put your value here"
 var modulus = Base64UrlEncoder.DecodeBytes(N);
 rsa.ImportParameters(
     new RSAParameters()
     {
             Modulus = modulus,
             Exponent = e
    });
  var signingKey = new RsaSecurityKey(rsa);

var tokenValidationParameters = new TokenValidationParameters
          {
              // The signing key must match!
              ValidateIssuerSigningKey = true,
              IssuerSigningKey = signingKey,

              // Validate the JWT Issuer (iss) claim
              ValidateIssuer = false,
              ValidIssuer = issuer,

              // Validate the JWT Audience (aud) claim
              ValidateAudience = false,
              ValidAudience = audience,

              // Validate the token expiry
              //ValidateLifetime = true,

              // If you want to allow a certain amount of clock drift, set that here:
              //ClockSkew = TimeSpan.FromMinutes(1)
          };

Any idea why it wouldn't be working on a container hosted either locally on docker or AKS?

loga0060
  • 81
  • 1
  • 9
  • Might be related: https://stackoverflow.com/questions/41986995/implement-rsa-in-net-core/42006084 – BartoszKP Feb 08 '19 at 10:38
  • @BartoszKP I tried your suggestion but would this work with only having the public key to do validation? do i need to create a pfx? – loga0060 Feb 09 '19 at 18:19
  • If I understand correctly you shouldn't rely on this class at all, if comes to portability. – BartoszKP Feb 10 '19 at 22:07
  • Due to the fact that the most preferable way for `RSACryptoServiceProvider` class appliance would be Windows platform with full `.Net` core support, as per discussion [here](https://stackoverflow.com/questions/41986995/implement-rsa-in-net-core/42006084), mentioned by @ BartoszKP in the comments, the further research might be about Windows containers implementation in container or orchestration based environments. You can find more related information in separate Stack [thread](https://stackoverflow.com/questions/42158596/can-windows-containers-be-hosted-on-linux). If you can provide current a – Nick_Kh Feb 08 '19 at 10:39

1 Answers1

6

After few days of researching and trying different things have finally Resolved my issue.

First Issue was as mentioned by @bartonjs here implement RSA in .NET core I had to use RSA.Create() Instead of RSACryptoServiceProvider().

Second Issue as recommended in above post i was implementing it with (using) statement which was not working in Linux. From @bartonjs comments on this post https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/994 it looks like a bug introduced "We might have accidentally introduced an error where post-dispose is the same as freshly created, where it thinks it needs to just make up a key on first (next, in this case) use."

Final code that works both on Linux and Windows

public class JwtConfiguration : IDisposable
    {
        /// <summary>
        /// Configures the JWT Token Validation parameters.
        /// </summary>
        /// <param name="Configuration">
        /// ASP.NET Core Configuration object instance.
        /// </param>
        /// <returns>
        /// A TokenValidationParameters object instance.
        /// </returns>
        private RSA _publicRsa;
        private SecurityKey _issuerSigningKey;

        public TokenValidationParameters GetTokenValidationParameters(IConfiguration Configuration)
        {

            var issuer = Configuration["Jwt:Issuer"];
            if (string.IsNullOrWhiteSpace(issuer))
            {
                throw new MissingJwtTokenParameterException("Missing Jwt:Issuer value.");
            }

            var audience = Configuration["Jwt:Audience"];
            if (string.IsNullOrWhiteSpace(audience))
            {
                throw new MissingJwtTokenParameterException("Missing Jwt:Audience value.");
            }

            var secretKey = Configuration["Jwt:Key"];
            if (string.IsNullOrWhiteSpace(secretKey))
            {
                throw new MissingJwtTokenParameterException("Missing Jwt:Key value.");
            }

            string exponentvalue = "AQAB";
            var e = Base64UrlEncoder.DecodeBytes(exponentvalue);
            var modulus = Base64UrlEncoder.DecodeBytes(secretKey);
            _publicRsa = RSA.Create();
            _publicRsa.KeySize = 3072;
            _publicRsa.ImportParameters(
            new RSAParameters()
            {
                Modulus = modulus,
                Exponent = e
            });

            _issuerSigningKey = new RsaSecurityKey(_publicRsa);

            var tokenValidationParameters = new TokenValidationParameters
            {
                // The signing key must match!
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = _issuerSigningKey,

                // Validate the JWT Issuer (iss) claim
                ValidateIssuer = true,
                ValidIssuer = issuer,

                // Validate the JWT Audience (aud) claim
                ValidateAudience = true,
                ValidAudience = audience,

                //Validate the token expiry
                ValidateLifetime = true,

                // If you want to allow a certain amount of clock drift, set that here:
                ClockSkew = TimeSpan.FromMinutes(1)
            };

            return tokenValidationParameters;

        }



        #region IDisposable Support
        private bool disposedValue = false; // To detect redundant calls

        protected virtual void Dispose(bool disposing)
        {
            if (!disposedValue)
            {
                if (disposing)
                {
                    // TODO: dispose managed state (managed objects).
                    _publicRsa?.Dispose();
                }

                // TODO: free unmanaged resources (unmanaged objects) and override a finalizer below.
                // TODO: set large fields to null.

                disposedValue = true;
            }
        }

        // TODO: override a finalizer only if Dispose(bool disposing) above has code to free unmanaged resources.
         ~JwtConfiguration() {
           // Do not change this code. Put cleanup code in Dispose(bool disposing) above.
           Dispose(false);
         }

        // This code added to correctly implement the disposable pattern.
        public void Dispose()
        {
            // Do not change this code. Put cleanup code in Dispose(bool disposing) above.
            Dispose(true);
            // TODO: uncomment the following line if the finalizer is overridden above.
            GC.SuppressFinalize(this);
        }
        #endregion

    }
loga0060
  • 81
  • 1
  • 9