Given that there is no way to influence the JWT as it is created externally, how can I verify the signature of the token when it does not contain a kid?

This is the relevant code:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

private bool ValidateToken(string authToken)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    // HS256: the shared secret bytes are the key. Wrapping them in HMACSHA256 and reading
    // back .Key is unnecessary, and for secrets longer than 64 bytes it returns a hashed key.
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secretKey));
    var validationParameters = new TokenValidationParameters()
    {
        ValidAudience = "clientid",
        ValidIssuer = _issuer,
        ValidateAudience = false,
        ValidateIssuer = false,
        IssuerSigningKey = signingKey,
    };

    try
    {
        tokenHandler.ValidateToken(authToken, validationParameters, out SecurityToken validatedToken);
    }
    catch (Exception ex)
    {
        //handle exception
        // a failed validation must never be reported as success
        return false;
    }
    return true;
}

However, this throws an exception:

{
"IDX10503: Signature validation failed. 
    Token does not have a kid. 
    Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. 
        For more details, see https://aka.ms/IdentityModel/PII.]'.
    Number of keys in TokenValidationParameters: '1'. 
    Number of keys in Configuration: '0'. 
    Exceptions caught:
        '[PII of type 'System.Text.StringBuilder' is hidden. 
            For more details, see https://aka.ms/IdentityModel/PII.]'.
        token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. 
            For more details, see https://aka.ms/IdentityModel/PII.]'."
}

Why does Microsoft insist on there being a key id in the token? Is there a way to ignore the missing kid?

Example token (edited to remove data):

header:

{
  "alg": "HS256",
  "typ": "JWT",
  "ver": 1,
  "typ_2": "ref"
}

payload:

{
  "jti": "<token_id>",
  "client_id": "<client_id>",
  "client_name": "<client>",
  "ref_token": "<ref_token>",
  "ref_token_type": "Full",
  "zone": "<zone>",
  "endusertype": "system",
  "nbf": 1643639617,
  "exp": 1643643217,
  "iat": 1643639617,
  "iss": "<issuer>"
}

Edit: removed IssuerSigningKeys to avoid confusion.

Daniel A. White
Haukland
  • I **guess** it is because you configured IssuerSigningKey and IssuerSigningKeys. The error also says: *Number of keys in TokenValidationParameters: '2'* so the validator now wants to choose from two keys, but has no keyId to make that choice. Try with just setting IssuerSigningKey. – jps Feb 01 '22 at 14:07
  • @jps Sorry for the confusion, I added IssuerSigningKeys as a possible solution to the issue. It gives the same error with only IssuerSigningKey - except of course _Number of keys in TokenValidationParameters: '1'_ – Haukland Feb 01 '22 at 14:12
  • Why do you want to validate a 3rd party JWT? – Daniel A. White Feb 01 '22 at 14:15
  • @Haukland no problem. – jps Feb 01 '22 at 14:16
  • @DanielA.White To avoid a man-in-the-middle attack. I first send a request to the server to get the token and then use the token in later requests. – Haukland Feb 01 '22 at 14:17
  • That seems like overkill. If you are doing TLS requests through your system, then it should be reasonably safe. – Daniel A. White Feb 01 '22 at 14:20
  • Are you sure you got the correct key and used the correct encoding? There is a [similar Q/A](https://stackoverflow.com/questions/67663848/idx10503-signature-validation-failed-token-does-not-have-a-kid-keys-tried-s) and in the accepted answer they say it was an encoding problem and the error message is misleading. – jps Feb 01 '22 at 14:20
  • Any progress here? – jps Feb 02 '22 at 10:21
  • @jps After validating the encoding and scratching my head for quite some time I managed to get a hold of the external party and they confirmed that the key was indeed wrong and that they did not include a `kid` in the JWT as they did not intend for consumers to validate the token. – Haukland Feb 03 '22 at 11:05

2 Answers

1

After validating the encoding and scratching my head for quite some time I managed to get a hold of the external party and they confirmed that the key was indeed wrong - the "key" was only intended to be used in the api-call in which the consumer asks for a token, to "authenticate" the consumer. They did not include a kid in the jwt as they did not intend for consumers to validate the token.

This does, however, not answer the question.

Haukland
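As an added example (not the asker's code and not the external party's): a small .NET console program that mints an HS256 token with no `kid` header using a constructed secret, then validates it with the right key and with a wrong key. It shows that a single symmetric `IssuerSigningKey` validates a kid-less token without complaint, and that IDX10503 "Token does not have a kid" is what a wrong key looks like. It assumes the `System.IdentityModel.Tokens.Jwt` package; secrets and claim values are constructed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class KidDemo
{
    // Constructed secrets (not the external party's); HS256 needs at least 16 bytes.
    const string RightSecret = "constructed-secret-at-least-32-bytes-long!!";
    const string WrongSecret = "a-different-secret-that-is-also-long-enough";

    // Mint a token the way the external party might: HS256, SymmetricSecurityKey with
    // no KeyId, so the handler writes no "kid" into the header.
    static string MintToken(string secret)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: "<issuer>",
            claims: new[] { new Claim("client_id", "<client_id>") },
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate against one symmetric key (like the question's code, without the HMACSHA256 wrapper).
    static string Validate(string jwt, string secret)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return "valid";
        }
        catch (SecurityTokenException ex) { return ex.Message; }
    }

    static void Main()
    {
        string jwt = MintToken(RightSecret);
        Console.WriteLine(Validate(jwt, RightSecret)); // "valid": no kid required for one symmetric key
        Console.WriteLine(Validate(jwt, WrongSecret)); // IDX10503 ... Token does not have a kid ...
    }
}
```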
0

PII is hidden. Add:

using Microsoft.IdentityModel.Logging;

IdentityModelEventSource.ShowPII = true;
moken
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 12 '23 at 10:48