Closed stewart-noll-q2 closed 8 years ago
Are you sure producer and consumer use the same key material. Check our samples where it is working and compare.
I had the same problem using ASP.NET Core 1.0, which was fixed by the solution in this article: http://stackoverflow.com/questions/38239261/cannot-validate-accesstoken-with-identityserver
Namely, manually implementing IssuerSigningKeyResolver:
```csharp
var certificate = new X509Certificate2(Convert.FromBase64String("MII123...ABC"));

app.UseJwtBearerAuthentication(
    new JwtBearerOptions
    {
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = "https://mydomain.com/resources",
            ValidIssuer = "https://mydomain.com",
            IssuerSigningKey = new X509SecurityKey(certificate),
            IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
                new List<X509SecurityKey> { new X509SecurityKey(certificate) }
        }
    });
```
Thanks @jkhines. Your IssuerSigningKeyResolver fix solved the problem for us as well.
One possible cause, which may not be your problem but which turned out to be mine with a similar issue, is disagreement over the key ID. `Microsoft.IdentityModel.Tokens.X509SecurityKey` uses the certificate thumbprint in base 16 as its `KeyId`. The `KeyId` in your example (and in my case, where the source was Azure Active Directory rather than IdentityServer) uses the certificate thumbprint in (a version of) base 64.
One workaround is to create a subclass of `X509SecurityKey` whose constructor computes the base 64 key ID and overwrites the `KeyId` value set by the superclass constructor. A better solution, if possible, would be to get the keys from a source which uses the same key ID format. In my case that was possible with `Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever` and then

```csharp
myTokenValidationParameters.IssuerSigningKeys = myOpenIdConnectionConfiguration.SigningKeys;
```
You can also just set the `Kid` manually:
v5 of the JWT handler requires you to set the key ID explicitly for RSA keys.
That may have been the case before as well - but we always used x509 cert before where this is not necessary.
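The three fixes discussed in this thread (a resolver that hands back the local certificate key, a key ID rewritten into the producer's base64 format, an explicit `KeyId` on an RSA key) and the preferred alternative (taking the keys from the discovery document) side by side. This is an added example, not code from the thread or from IdentityServer; the `Base64UrlKidX509SecurityKey` class and `SigningKeySetup` helper are hypothetical names, the issuer and audience strings are placeholders, and it assumes the `Microsoft.IdentityModel.Tokens` and `Microsoft.IdentityModel.Protocols.OpenIdConnect` packages.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical subclass: same certificate as key material, but the KeyId is the
// base64url form of the SHA-1 thumbprint instead of the hex form assigned by
// the X509SecurityKey constructor, so it matches a 'kid' issued in that format.
public class Base64UrlKidX509SecurityKey : X509SecurityKey
{
    public Base64UrlKidX509SecurityKey(X509Certificate2 certificate) : base(certificate)
    {
        // GetCertHash() returns the raw thumbprint bytes that .Thumbprint renders as hex.
        KeyId = Base64UrlEncoder.Encode(certificate.GetCertHash());
    }
}

public static class SigningKeySetup
{
    // Both spellings of one certificate's key ID, to compare against a token's 'kid'.
    public static (string Hex, string Base64Url) KeyIdsFor(X509Certificate2 cert)
        => (cert.Thumbprint, Base64UrlEncoder.Encode(cert.GetCertHash()));

    // Option 1: keep the local certificate and let the resolver return a key whose
    // KeyId is in the producer's format. The KeyId only selects the key; the
    // signature is still verified against the certificate's public key.
    public static TokenValidationParameters FromLocalCertificate(X509Certificate2 cert)
    {
        var key = new Base64UrlKidX509SecurityKey(cert);
        return new TokenValidationParameters
        {
            ValidIssuer = "https://mydomain.com",                 // placeholder
            ValidAudience = "https://mydomain.com/resources",     // placeholder
            IssuerSigningKey = key,
            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                new List<SecurityKey> { key },
        };
    }

    // Option 2: an RSA key carries no KeyId of its own, so set it to the value the
    // producer writes into the token header.
    public static RsaSecurityKey RsaKeyWithKid(RSA rsa, string kid)
        => new RsaSecurityKey(rsa) { KeyId = kid };

    // Option 3 (preferred): fetch the keys, with the producer's own KeyIds, from the
    // discovery document so both sides agree by construction. The manager caches
    // and refreshes the document; it performs the HTTP fetch on first use.
    public static async Task<TokenValidationParameters> FromDiscoveryAsync(
        string authority, CancellationToken ct)
    {
        var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
            authority.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
        var config = await manager.GetConfigurationAsync(ct);
        return new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            ValidAudience = "https://mydomain.com/resources",     // placeholder
            IssuerSigningKeys = config.SigningKeys,
        };
    }
}
```

`ValidIssuer` is compared ordinally, so `FromDiscoveryAsync` takes the issuer from the discovery document rather than retyping it; that avoids the casing mismatch reported later in this thread as well as the key ID mismatch.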
> Check our samples where it is working and compare.
I couldn't find a sample that uses JWT (see examples). Can you provide a link to a sample that uses JWT?
I am confused - why are you pointing to a different repo - our samples are here:
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Clients/src/SampleApi
Also - please open a new issue if you still have a problem.
Well, that's embarrassing. Sorry about that.
We got the same error, but our problem was that the issuer and authority urls had different casing: https://myserver/sts and https://myserver/Sts
Successfully creating a JWT token using a cert from my local machine but when it comes time to validate the token via middleware on my local IdentityService instance I'm getting the following exception: IDX10501: Signature validation failed. Unable to match 'kid': 'cBS9UBUP5ATqBHfEBK9p1LwuJtM'
At a bit of a standstill since it's not quite obvious where I went wrong. Any direction or thoughts on next steps would be greatly appreciated. Here's my log output
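A first triage step for IDX10501, added here as an example rather than taken from the thread: decode the token header without validating it and compare its `kid` with the `KeyId` of every key the validator was configured with. A case-insensitive hit points at a hex casing difference; no hit at all, with otherwise identical key material, points at the base 16 versus base 64 key ID disagreement described earlier in the thread. The `KidTriage` class is hypothetical, the token in `Main` is constructed locally with placeholder issuer, audience and kid values, and it assumes the `System.IdentityModel.Tokens.Jwt` package.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Hypothetical triage helper: reports how the token's 'kid' relates to the
// KeyIds the consumer knows about. It never accepts the token.
public static class KidTriage
{
    public sealed class Report
    {
        public string TokenKid;
        public List<string> ConfiguredKids = new List<string>();
        public bool ExactMatch;
        public bool CaseInsensitiveMatch;   // true when only the casing differs
    }

    public static Report Inspect(string jwt, IEnumerable<SecurityKey> configuredKeys)
    {
        // ReadJwtToken only decodes; no signature, issuer or lifetime check happens here.
        var kid = new JwtSecurityTokenHandler().ReadJwtToken(jwt).Header.Kid;
        var report = new Report { TokenKid = kid };
        report.ConfiguredKids = configuredKeys.Select(k => k.KeyId ?? "<no KeyId>").ToList();
        report.ExactMatch = kid != null
            && report.ConfiguredKids.Contains(kid, StringComparer.Ordinal);
        report.CaseInsensitiveMatch = kid != null
            && report.ConfiguredKids.Contains(kid, StringComparer.OrdinalIgnoreCase);
        return report;
    }

    // Constructed scenario: producer and consumer share the same RSA key but
    // label it with different kids, which is exactly what IDX10501 complains about.
    public static void Main()
    {
        var rsa = RSA.Create(2048);
        var producerKey = new RsaSecurityKey(rsa) { KeyId = "constructed-kid-A" };
        var token = new JwtSecurityToken(
            issuer: "https://mydomain.com",              // placeholder
            audience: "https://mydomain.com/resources",  // placeholder
            claims: new[] { new Claim("sub", "alice") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(producerKey, SecurityAlgorithms.RsaSha256));
        var jwt = new JwtSecurityTokenHandler().WriteToken(token);

        var consumerKey = new RsaSecurityKey(rsa) { KeyId = "constructed-kid-B" };
        var report = Inspect(jwt, new[] { consumerKey });

        Console.WriteLine($"token kid       : {report.TokenKid}");
        Console.WriteLine($"configured kids : {string.Join(", ", report.ConfiguredKids)}");
        Console.WriteLine($"exact match     : {report.ExactMatch}");
        Console.WriteLine($"case-insensitive: {report.CaseInsensitiveMatch}");
    }
}
```

Run the same `Inspect` call against the keys your middleware actually loads (for example the `SigningKeys` of the discovery document or the `X509SecurityKey` built from your local certificate) and the report tells you whether the fix is a key ID format change or genuinely different key material.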