AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

IDX10685 when using JWK key to sign JWT via jsontokenhandler on Linux #1613

Open NiklasEderoth opened 3 years ago

NiklasEderoth commented 3 years ago

Hi,

I'm trying to sign a JWT with an ES256 JWK key in a Docker container without success; if I run it on Win10 it works fine. Any suggestions on what to do?

Code:

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

var jwk = new JsonWebKey
{
    Kid = "demo-cert",
    Crv = "P-256",
    Kty = "EC",
    D = "usnn5g_UhlVLgE7ArfoJzrt7iOfD-5sGd7k0-xT6hig",  // key for test (not a production key ;) )
    X = "_-ErIw1kC7uuZJPoRQYV99VKz7lWabeneXMZFV0v31o",
    Y = "usnn5g_UhlVLgE7ArfoJzrt7iOfD-5sGd7k0-xT6hig"   // as posted, identical to D
};

var handler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
    Issuer = "PLACEHOLDER",
    Subject = new ClaimsIdentity(new[] { new Claim("sub", "PLACEHOLDER") }),
    Expires = DateTime.UtcNow.AddSeconds(3600),
    Claims = new Dictionary<string, object>()
};
tokenDescriptor.Claims.Add("extra claim", "PLACEHOLDER");
tokenDescriptor.SigningCredentials = new SigningCredentials(jwk, SecurityAlgorithms.EcdsaSha256);
var token = handler.CreateToken(tokenDescriptor);  // throws IDX10685 on this line
var jwt = handler.WriteToken(token);

Console output on Linux:

System.Security.Cryptography.CryptographicException: IDX10685: Unable to Sign, Internal SignFunction is not available.
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignatureFunctionNotFound(Byte[] _)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] bytes)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateJwtSecurityTokenPrivate(String issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires, Nullable`1 issuedAt, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials, IDictionary`2 claimCollection, String tokenType)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)

Environment:
Windows 10 -> Working
Ubuntu 20.04 -> Not working
Docker Alpine -> Not working

Runtime: Aspnetcore 5.0.4

SDK Net 5.0.201

Regards

brentschmaltz commented 3 years ago

@NiklasEderoth we may not be converting the JsonWebKey to an ECDsaSecurityKey correctly. Could you try specifying an ECDsaSecurityKey when creating the SigningCredentials?
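One way to follow that suggestion, as an added example that is not code from the issue or from the library: build the ECDsaSecurityKey directly from the JWK's curve and coordinates and hand that to SigningCredentials instead of the JsonWebKey. The helper name ToEcdsaSecurityKey is assumed; the key material comes from the JsonWebKey already built above.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class JwkConversion
{
    // Hypothetical helper (not part of the library): JsonWebKey -> ECDsaSecurityKey.
    public static ECDsaSecurityKey ToEcdsaSecurityKey(JsonWebKey jwk)
    {
        if (!string.Equals(jwk.Kty, "EC", StringComparison.Ordinal))
            throw new ArgumentException("Expected an EC key (kty = \"EC\")", nameof(jwk));

        // Map the JWK "crv" name onto the .NET named curve.
        ECCurve curve = jwk.Crv switch
        {
            "P-256" => ECCurve.NamedCurves.nistP256,
            "P-384" => ECCurve.NamedCurves.nistP384,
            "P-521" => ECCurve.NamedCurves.nistP521,
            _ => throw new NotSupportedException($"Unsupported curve: {jwk.Crv}")
        };

        // JWK coordinates are base64url without padding; D is only present for a private key.
        var parameters = new ECParameters
        {
            Curve = curve,
            Q = new ECPoint
            {
                X = Base64UrlEncoder.DecodeBytes(jwk.X),
                Y = Base64UrlEncoder.DecodeBytes(jwk.Y)
            },
            D = string.IsNullOrEmpty(jwk.D) ? null : Base64UrlEncoder.DecodeBytes(jwk.D)
        };

        // Rejects a public point that is not on the curve or a D of the wrong length
        // before any signing is attempted.
        parameters.Validate();

        ECDsa ecdsa = ECDsa.Create(parameters);
        return new ECDsaSecurityKey(ecdsa) { KeyId = jwk.Kid };
    }
}

// Usage with the descriptor from the issue:
// tokenDescriptor.SigningCredentials =
//     new SigningCredentials(JwkConversion.ToEcdsaSecurityKey(jwk), SecurityAlgorithms.EcdsaSha256);
```

Because ECParameters.Validate() checks the point against the curve, a malformed X/Y pair surfaces as a CryptographicException at conversion time rather than as a sign-time failure, which makes the two cases easy to tell apart on Linux.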