IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Support for IdentityServer4 Tokens in IdentityServer3.AccessTokenValidation (bis) #124

Closed wijnsema closed 7 years ago

wijnsema commented 7 years ago

This is the same problem as case #108. I'm opening a new issue since #108 is already closed.

I keep getting this error when validating the IS4 token on a .NET Full Framework Web Api using IdentityServer3.AccessTokenValidation.

System.InvalidOperationException: Sequence contains no elements
   at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)
   at IdentityServer3.AccessTokenValidation.DiscoveryDocumentIssuerSecurityTokenProvider.<RetrieveMetadata>b__1(JsonWebKey key) in c:\local\identity\server3\AccessTokenValidation\source\AccessTokenValidation\Plumbing\DiscoveryDocumentIssuerSecurityTokenProvider.cs:line 152
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ResolveIssuerSigningKey(String token, SecurityToken securityToken, SecurityKeyIdentifier keyIdentifier, TokenValidationParameters validationParameters) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 1295
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 940
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 671
   at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
    ProcessId=17344
    DateTime=2016-11-16T11:37:30.4829567Z

My Identity Server 4 is working OK in a number of other scenarios.

I tried using https, since there is no RequireHttpsMetadata = false option in the IdentityServer3.AccessTokenValidation middleware, but that didn't help. I also tried .SetSigningCredential(cert), which didn't work either.

Isn't this a bug? The log shows an InvalidOperationException because there are no elements in the sequence. It would be better to check the sequence and generate a more informative error message.

No criticism, just trying to help.

Ronald Wijnsema

leastprivilege commented 7 years ago

OK - I can repro the issue.

It happens when using raw RSA keys in IS4 (e.g. by using the temporary signing credential feature). You can work around the issue by using an X509 certificate to sign your tokens instead.

Will track here https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/issues/125 and close this.
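The failure above comes from the discovery-document key provider assuming every JWKS entry carries a certificate chain; a raw RSA key (n/e only, as the temporary signing credential produces) leaves nothing for it to pick, hence the empty-sequence exception. The resolver below is an added illustration, not code from IdentityServer3.AccessTokenValidation: it accepts both certificate-backed (x5c) and raw RSA (n/e) keys and reports which key is unusable and why. Python stands in for the C# middleware; the JWKS, the 32-byte toy modulus and the x5c bytes are constructed placeholders, not real key material.

```python
import base64
import json

# Constructed stand-ins (not real key material).
PLACEHOLDER_CERT_DER = b"constructed-placeholder-certificate"
PLACEHOLDER_MODULUS = b"\xc3" + b"\x5a" * 31   # 32 bytes, top bit set: toy 256-bit modulus

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS shaped like the one behind an IS4 jwks_uri: one X.509-backed
# key, one raw RSA key as AddTemporarySigningCredential would publish (no x5c).
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "cert-key", "alg": "RS256",
     "x5c": [base64.b64encode(PLACEHOLDER_CERT_DER).decode()]},
    {"kty": "RSA", "use": "sig", "kid": "temp-rsa", "alg": "RS256",
     "n": b64url(PLACEHOLDER_MODULUS), "e": b64url(b"\x01\x00\x01")},
]})

def resolve_signing_keys(jwks_json: str) -> dict:
    """Map kid -> key description, accepting x5c or raw n/e; keys that carry
    neither are recorded as unusable with a reason instead of crashing."""
    keys = json.loads(jwks_json).get("keys") or []
    if not keys:
        raise ValueError("JWKS has no keys; check the issuer's jwks_uri")
    resolved = {}
    for key in keys:
        kid = key.get("kid", "<no kid>")
        if key.get("kty") != "RSA":
            resolved[kid] = {"kind": "unusable", "reason": f"unsupported kty {key.get('kty')!r}"}
        elif key.get("x5c"):
            der = base64.b64decode(key["x5c"][0])   # x5c is standard base64 DER (RFC 7517)
            resolved[kid] = {"kind": "x509", "cert_der": der}
        elif key.get("n") and key.get("e"):
            n = int.from_bytes(b64url_decode(key["n"]), "big")
            e = int.from_bytes(b64url_decode(key["e"]), "big")
            resolved[kid] = {"kind": "raw_rsa", "n": n, "e": e, "bits": n.bit_length()}
        else:
            resolved[kid] = {"kind": "unusable", "reason": "neither x5c nor n/e present"}
    return resolved

def key_for_token(resolved: dict, kid: str) -> dict:
    """Select the key named by the JWT header's kid, failing with a message that names it."""
    if kid not in resolved:
        raise KeyError(f"no signing key with kid {kid!r}; available: {sorted(resolved)}")
    if resolved[kid]["kind"] == "unusable":
        raise ValueError(f"signing key {kid!r} is unusable: {resolved[kid]['reason']}")
    return resolved[kid]
```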

leastprivilege commented 7 years ago

It turns out this is more than a simple change.

Do you have this scenario? Or are you just temporarily using raw RSA keys because you call AddTemporarySigningCredential?

wijnsema commented 7 years ago

Hello Dominick,

Thanks for picking this up so quickly.

I used the X509 certificate workaround you suggested, and it's working now. It was a little bit of a hassle (one more magic step, for me that is), but it's a reasonable thing to do. Also, I'm still in a development environment, as are many other developers using IS4 I suppose.

For the future I feel this is a common scenario, so it would be nice if it could be fixed in the future.

As far as I'm concerned you can close this case.

Ronald Wijnsema

leastprivilege commented 7 years ago

done in v2.13.0