AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

[Bug] Issue with migration from S.IM.Tokens.Jwt 7.3.1 to 7.4.0 #2670

Open GorazdDim opened 1 week ago

GorazdDim commented 1 week ago

I have my own application that I use as an Identity Provider. That application runs on .NET 6 and uses JWT bearer authentication. It uses S.IM.Tokens.Jwt 6.0.35. Because of some other dependency I cannot migrate my Identity Provider application to .NET 8.

I have another application that relies on my Identity Provider for authentication and authorization. This application is an MVC API application. That application used to run on .NET 6 and while migrating to .NET 8 I encountered this issue. If I directly specify the version for S.IM.Tokens.Jwt to be >= 7.4.0 every call to an authorized endpoint of this application returns a "401 Unauthorized" response with a 'Www-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"'. In the logs it gives the following error:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

If I directly specify the version of S.IM.Tokens.Jwt to be <= 7.3.1 then my problem is solved and everything related to authentication and authorization works as it should.
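The "signature key was not found" failure above means the handler ended up with no key it could use to check the token's signature. As an added diagnostic, not code from this issue or from the IdentityModel library, the script below decodes a token's JOSE header without verifying it and reports whether its kid (or x5t) hint has a match in a JWKS document; the token and key sets are constructed sample values, not taken from the reporter's setup.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0]))


def candidate_keys(header: dict, jwks: dict) -> list:
    """JWKS entries a validator could select for this header: with a 'kid' or
    'x5t' hint only matching keys qualify; without a hint every key is a candidate."""
    keys = jwks.get("keys", [])
    kid, x5t = header.get("kid"), header.get("x5t")
    if kid is None and x5t is None:
        return list(keys)
    return [k for k in keys
            if (kid is not None and k.get("kid") == kid)
            or (x5t is not None and k.get("x5t") == x5t)]


def diagnose(token: str, jwks: dict) -> str:
    """'no-keys' if the key set is empty, 'no-match' if no key fits the header hint, else 'ok'."""
    if not jwks.get("keys"):
        return "no-keys"
    return "ok" if candidate_keys(jwt_header(token), jwks) else "no-match"


# Constructed sample token; the signature segment is a placeholder because only the header is read.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "key-2024"}).encode()),
    b64url_encode(json.dumps({"sub": "user1", "iss": "https://idp.example"}).encode()),
    b64url_encode(b"placeholder-signature"),
])
# Constructed key sets shaped like a jwks_uri response (RSA parameters omitted).
JWKS_CURRENT = {"keys": [{"kty": "RSA", "kid": "key-2024", "use": "sig"}]}
JWKS_ROTATED = {"keys": [{"kty": "RSA", "kid": "key-2025", "use": "sig"}]}

if __name__ == "__main__":
    for name, jwks in [("current", JWKS_CURRENT), ("rotated", JWKS_ROTATED), ("empty", {"keys": []})]:
        print(name, diagnose(SAMPLE_TOKEN, jwks))
```

Point the script at the token your client actually sends and the document served by your IdP's jwks_uri; "no-keys" or "no-match" narrows the 401 to key resolution rather than to the signature algorithm or claims.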

markuspalme commented 4 days ago

I have the same issue with Okta authentication and can confirm that it's indeed the 7.3.1 to 7.4.0 upgrade that breaks the application. The release notes don't show anything suspicious that might explain the error.