Open dezfowler opened 11 months ago
Do all the Microsoft.IdentityModel assemblies have the same version?
@dezfowler this is a bug
Do all the Microsoft.IdentityModel assemblies have the same version?
Yes.
Note that the KeyVaultSecurityKey part is not relevant. This happens if one tries to use ValidateTokenAsync with JwtSecurityToken regardless of the parameters.
Note that the KeyVaultSecurityKey part is not relevant. This happens if one tries to use ValidateTokenAsync with JwtSecurityToken regardless of the parameters.
That may be a separate bug. It is relevant in this case; the required method is specifically not implemented in the KeyVaultSignatureProvider which is used with the KeyVaultSecurityKey. The method is implemented in other providers and works fine.
Note that this is related to JsonWebToken and the JsonWebTokenHandler, not JwtSecurityToken.
I'll open a separate one.
I assume this repros on 7.0.0 as well?
I assume this repros on 7.0.0 as well?
@jennyf19 It does.
@jennyf19 we probably want to fix this.
Which version of Microsoft.IdentityModel are you using?
6.32.0, 7.0.0
Where is the issue?
Is this a new or an existing app?
c. This is a new app or an experiment.
Repro
Expected behavior
Verification succeeds.
Actual behavior
A "Not Implemented" exception is thrown.
Possible solution
This fails because JsonWebTokenHandler wants to use this overload of Verify which is not implemented in the KeyVaultSignatureProvider.
It's possible to get this to work by using a custom crypto factory and derived version of KeyVaultSignatureProvider which has an implementation of the method similar to...
Although a full implementation of this seems to need to be much more complex with lots of guards e.g. here.
Additional context / logs / screenshots / links to code
N/A
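One way to write the derived provider described under "Possible solution", as an added example that is not the reporter's code or the library's own. The class name OffsetAwareKeyVaultSignatureProvider and the CheckRange helper are hypothetical, and it assumes KeyVaultSignatureProvider is not sealed and exposes a (SecurityKey, string, bool) constructor. It bounds-checks both ranges before copying them out and delegating to the existing two-argument Verify; registering it through a custom crypto factory is not shown.

```csharp
using System;
using Microsoft.IdentityModel.KeyVaultExtensions;
using Microsoft.IdentityModel.Tokens;

// Hypothetical subclass (added example): supplies the offset-based Verify
// overload that JsonWebTokenHandler calls and the base class leaves
// unimplemented.
public class OffsetAwareKeyVaultSignatureProvider : KeyVaultSignatureProvider
{
    // Assumption: the base class exposes this constructor signature.
    public OffsetAwareKeyVaultSignatureProvider(
        SecurityKey key, string algorithm, bool willCreateSignatures)
        : base(key, algorithm, willCreateSignatures)
    {
    }

    public override bool Verify(
        byte[] input, int inputOffset, int inputLength,
        byte[] signature, int signatureOffset, int signatureLength)
    {
        // Reject bad ranges up front so verification can never run over
        // bytes other than the ones the caller named.
        CheckRange(input, inputOffset, inputLength, nameof(input));
        CheckRange(signature, signatureOffset, signatureLength, nameof(signature));

        // Copy the exact slices; the two-argument overload works on whole arrays.
        var data = new byte[inputLength];
        Buffer.BlockCopy(input, inputOffset, data, 0, inputLength);

        var sig = new byte[signatureLength];
        Buffer.BlockCopy(signature, signatureOffset, sig, 0, signatureLength);

        // Delegate to the overload the Key Vault provider already implements.
        return Verify(data, sig);
    }

    // Hypothetical helper: null, negative, empty and out-of-bounds checks.
    private static void CheckRange(byte[] buffer, int offset, int length, string name)
    {
        if (buffer == null)
            throw new ArgumentNullException(name);

        // Written as a subtraction so offset + length cannot overflow int.
        if (offset < 0 || length < 1 || offset > buffer.Length - length)
            throw new ArgumentOutOfRangeException(
                name, "Offset and length must describe a non-empty range inside the buffer.");
    }
}
```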