leastprivilege
commented
8 years ago Are you sure producer and consumer use the same key material. Check our samples where it is working and compare.
Closed stewart-noll-q2 closed 8 years ago
leastprivilege
commented
8 years ago Are you sure producer and consumer use the same key material. Check our samples where it is working and compare.
jkhines
commented
8 years ago I had the same problem using ASP.NET Core 1.0, which was fixed by the solution in this article: http://stackoverflow.com/questions/38239261/cannot-validate-accesstoken-with-identityserver
Namely, manually implementing IssuerSigningKeyResolver:
var certificate = new X509Certificate2(Convert.FromBase64String("MII123...ABC"));
app.UseJwtBearerAuthentication(
new JwtBearerOptions
{
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = "https://mydomain.com/resources",
ValidIssuer = "https://mydomain.com",
IssuerSigningKey = new X509SecurityKey(certificate),
IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) => new List<X509SecurityKey> { new X509SecurityKey(certificate) }
}
});
stewart-noll-q2
commented
8 years ago Thanks @jkhines. Your IssuerSigningKeyResolver fix solved the problem for us as well.
pjt33
commented
7 years ago One possible cause, which may not be your problem but which turned out to be mine with a similar issue, is disagreement over the key ID. Microsoft.IdentityModel.Tokens.X509SecurityKey uses the certificate thumbprint in base 16 as its KeyId. The KeyId in your example (and in my case, where the source was Azure Active Directory rather than IdentityServer) uses the certificate thumbprint in (a version of) base 64.
One workaround is to create a subclass of X509SecurityKey whose constructor computes the base 64 key ID and overwrites the KeyId value set by the superclass constructor. A better solution, if possible, would be to get the keys from a source which uses the same key ID format. In my case that was possible with Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever and then
myTokenValidationParameters.IssuerSigningKeys = myOpenIdConnectionConfiguration.SigningKeys;
brockallen
commented
7 years ago You can also just set the Kid manually:
leastprivilege
commented
7 years ago v5 of the JWT handler require you to set the key ID explicitly for RSA keys.
That may have been the case before as well - but we always used x509 cert before where this is not necessary.
derekgreer
commented
7 years ago Check our samples where it is working and compare.
I couldn't find a sample that uses JWT (see examples). Can you provide a link to a sample that uses JWT?
leastprivilege
commented
7 years ago I am confused - why are you pointing to a different repo - our samples are here:
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Clients/src/SampleApi
leastprivilege
commented
7 years ago Also - please open a new issue if you still have a problem.
derekgreer
commented
7 years ago Well, that's embarrassing. Sorry about that.
larserikfinholt
commented
7 years ago We got the same error, but our problem was that the issuer and authority urls had differnet casing. https://myserver/sts and https://myserver/Sts
Successfully creating a JWT token using a cert from my local machine but when it comes time to validate the token via middleware on
ourmy local IdentityService instance I'm getting the following exception...IDX10501: Signature validation failed. Unable to match 'kid': 'cBS9UBUP5ATqBHfEBK9p1LwuJtM'At a bit of a standstill since it's not quite obvious where I went wrong. Any direction or thoughts on next steps would be greatly appreciated. Here's my log output