IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Error validating token signature generated by IdentityServer4 #41

Closed jamal closed 7 years ago

jamal commented 7 years ago

I'm trying to set up IdentityServer4.AccessTokenValidation, but it's failing to validate the signature from a token generated by IdentityServer.

Here's the error and stack trace:

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[1]
      Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyQzExNDk2NEI3NDIyODQzMjJEMDBFQzczOUM3NjY4QjJEMzE0Q0MiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJFc0VVbGt0MElvUXlMUURzYzV4MmFMTFRGTXcifQ.eyJuYmYiOjE0ODMyMDIzMTMsImV4cCI6MTQ4MzIwNTkxMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJNaWRhaXJTZXJ2aWNlIl0sImNsaWVudF9pZCI6ImNsaWVudCIsInNjb3BlIjpbIk1pZGFpclNlcnZpY2UiXX0.WKIBanA3lSje-pq_RQ-AiJTM8x8t9almxeP_QY4rtyMdCRqARhHOv0syFVvEiUFfS9lES7oB-62c1NWXjgqy5rbr4XnLBb9HS-ZKmd5oM8Qwgic9NGaOFCUZUy1jPo35_Gn2sqFzACoGGToyQeCnQ5odrb1ZZEb3moRQMi4dqTCmEwdlMzO1KseyWfGddyZ7x7cq7c2ftVCinS6lXNdLdhpNG5JHH6VHxk3WGrpnZ03w1LGLshDPWPxotnBNTW3rGjtRU5sUgdudait-syiiHCdD5-abJgX1sLGinsi9SUnfOZ5pxxrebqXRSyKpBnVbOfhorHeP-IwDEq88CaSvEw.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()

The token I am using:

 eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyQzExNDk2NEI3NDIyODQzMjJEMDBFQzczOUM3NjY4QjJEMzE0Q0MiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJFc0VVbGt0MElvUXlMUURzYzV4MmFMTFRGTXcifQ.eyJuYmYiOjE0ODMyMDIzMTMsImV4cCI6MTQ4MzIwNTkxMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJNaWRhaXJTZXJ2aWNlIl0sImNsaWVudF9pZCI6ImNsaWVudCIsInNjb3BlIjpbIk1pZGFpclNlcnZpY2UiXX0.WKIBanA3lSje-pq_RQ-AiJTM8x8t9almxeP_QY4rtyMdCRqARhHOv0syFVvEiUFfS9lES7oB-62c1NWXjgqy5rbr4XnLBb9HS-ZKmd5oM8Qwgic9NGaOFCUZUy1jPo35_Gn2sqFzACoGGToyQeCnQ5odrb1ZZEb3moRQMi4dqTCmEwdlMzO1KseyWfGddyZ7x7cq7c2ftVCinS6lXNdLdhpNG5JHH6VHxk3WGrpnZ03w1LGLshDPWPxotnBNTW3rGjtRU5sUgdudait-syiiHCdD5-abJgX1sLGinsi9SUnfOZ5pxxrebqXRSyKpBnVbOfhorHeP-IwDEq88CaSvEw

I attempted using both an X509 cert and the temporary cert, but both fail with the same issue. I was able to manually set up the MS JWT Middleware with the X509 cert and get that working, but using the IS4 Middleware failed.

Here's an example of what I mean:

    // IS4 middleware (this one fails to validate the token)
    app.UseIdentityServer();
    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        RequireHttpsMetadata = false,
        ApiName = "testapi"
    });

    // MS JWT bearer middleware configured directly with the X509 cert (this one works)
    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        Audience = "testapi",
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateActor = false,
            ValidateIssuer = false,
            IssuerSigningKey = new X509SecurityKey(_cert),
            IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
                new List<X509SecurityKey> { new X509SecurityKey(_cert) }
        }
    });

brockallen commented 7 years ago

Are you sure it's not a caching issue in the middleware in the API? For example, if you change something and restart the app, the in-mem key is changed and then the web api is still using the prior cached one.

jamal commented 7 years ago

@brockallen Yeah, I checked a few times to make sure this was not the case. Even switched to using a cert file instead of using temporary signing.

brockallen commented 7 years ago

In that case, I don't know. More debugging is needed. Do the samples work for you? Also, can you see the keys in the discovery document?

leastprivilege commented 7 years ago

Still an issue?

ghost commented 7 years ago

Yes. Still an issue. I have the same problem. If you configure "AddMvcCore" instead of "AddMvc" to get it to work. I had sort of the same configuration as the IdentityServer4.Sample Javascript client example.

ghost commented 7 years ago

Perhaps a Mvc configuration issue?

wallymathieu commented 7 years ago

What happens when you add app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions before app.UseMvc( ?

leastprivilege commented 7 years ago

You are missing the Authority property in the code sample above.

wallymathieu commented 7 years ago

services.AddMvc() instead of services.AddMvcCore().AddAuthorization().AddJsonFormatters() as demonstrated in the branch mvc works fine.

The order in configure as demonstrated in the branch order in configure does not work.

ghost commented 7 years ago

Perhaps there should be documentation about the order?

leastprivilege commented 7 years ago

Which order?

Of course the authentication MW must come before MVC. The pipeline is a linked list.

Or is there a different issue?
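Putting the two points raised in the thread together (the missing Authority, and authentication middleware registered before MVC), here is an added example of an API Startup for ASP.NET Core 1.x; it is not code from the thread or from the project. It assumes the issuer is http://localhost:5000, which is the iss claim of the posted token, and the IDX10500 error in the report is what the JWT handler produces when it has no keys to validate against.

```csharp
// Added example (not from the issue thread): API-side configuration with the
// two fixes discussed above. Authority tells the middleware where the issuer's
// discovery document (and therefore its signing keys) lives; without it the
// JWT handler has no keys at all and fails with IDX10500. Authentication is
// registered before MVC because the pipeline runs middleware in order.
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddMvcCore is minimal: authorization support has to be added explicitly,
        // otherwise [Authorize] has nothing to enforce it.
        services.AddMvcCore()
            .AddAuthorization()
            .AddJsonFormatters();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            // Assumption: the token's "iss" claim is http://localhost:5000, so the
            // Authority is that same base address (discovery is served under it).
            Authority = "http://localhost:5000",
            // Development only: the issuer above is plain http.
            RequireHttpsMetadata = false,
            // Must match an audience ("aud") in the token.
            ApiName = "testapi"
        });

        // MVC goes last: middleware registered after UseMvc never runs for
        // requests MVC handles, so authentication placed there is skipped.
        app.UseMvc();
    }
}
```

If signature validation still fails with Authority set, fetch the discovery document at {Authority}/.well-known/openid-configuration and confirm the jwks_uri lists a key whose kid matches the kid in the token header.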

ghost commented 7 years ago

Yes, well, it was not obvious to someone who is new to MVC core that's how it works.

brockallen commented 7 years ago

> Yes, well, it was not obvious to someone who is new to MVC core that's how it works.

That's one of the most fundamental aspects of the middleware/pipeline design. That's beyond our purview, IMO.

jamal commented 7 years ago

I apologize about the delay in response to this ticket. I agree that documenting the order is not necessary, this is a well understood concept for anyone who has worked with a similar Middleware model.

I also wanted to add that my issue isn't due to the order. UseMvc is the last directive in my configuration. I will have to try AddMvcCore instead and see if it makes a difference.

In the meantime, I have worked around the issue by configuring the JwtBearer middleware directly, so IS is only handling the token endpoint in my case for now.

leastprivilege commented 7 years ago

So are you saying the MS JWT MW can validate the token - but ours can't?

This would surprise me - since internally we are using the MS JWT MW.