Closed jacobslusser closed 7 years ago
Answering my own question (I think)...

I needed to specify the Authority property on my configuration (and the RequireHttpsMetadata property if running locally without HTTPS), which my protected API will then use to call back to my IdentityServer: first by calling .well-known/openid-configuration to get the JWKS endpoint, and then to get the actual signing information by calling .well-known/openid-configuration/jwks (assuming default configuration). And that is how it has enough information to perform the validation.
As I understand it, and from my testing, IdentityServer4.AccessTokenValidation will cache that information so it is not hitting IdentityServer to validate every request.
P.S. My hunch was right and this was all related to "kid" and "metadata". The openid-configuration endpoint is sometimes called the "metadata" endpoint. The "kid" tag in a JWT header is a way of indicating which signing key was used when the server supports multiple keys. The "kid" is used in combination with the openid-configuration/jwks endpoint to get the correct signing credentials for validation.
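The lookup described in this answer (kid in the token header, matched against the key set served at openid-configuration/jwks), as an added Go example that is not part of this issue or of IdentityServer4: newSigningKey stands in for the key in tempkey.rsa, and the metadata/JWKS HTTP fetch that the middleware performs is replaced by passing the JWKS document in as bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE encodes header, payload, signature and JWK numbers as unpadded base64url

func dec(s string) []byte { b, _ := b64.DecodeString(s); return b } // undecodable input simply fails verification

// newSigningKey stands in for the key IdentityServer keeps in tempkey.rsa (generated here, not loaded from disk).
func newSigningKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// publishJWKS plays the openid-configuration/jwks endpoint: the public half of the signing key, tagged with its kid.
func publishJWKS(kid string, pub *rsa.PublicKey) (doc []byte) {
	doc, _ = json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return
}

// verifyRS256 is the API side: read kid from the token header, pick the published key with that kid, and check
// the RS256 signature. An empty key set is the "No security keys were provided" error from the issue.
func verifyRS256(token string, jwksDoc []byte) error {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(dec(p[0]), &hdr); len(p) != 3 || err != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg) // never honour alg=none or HS*
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &set); err != nil || len(set.Keys) == 0 {
		return fmt.Errorf("no security keys were provided to validate the signature")
	}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid != hdr.Kid {
			continue // kid is how the validator chooses among several published keys
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		d := sha256.Sum256([]byte(p[0] + "." + p[1])) // what was signed: the encoded header.payload
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], dec(p[2]))
	}
	return fmt.Errorf("no key with kid %q in the JWKS", hdr.Kid)
}
```

A caller mints an RS256 token whose header carries the kid and hands verifyRS256 the JWKS bytes; the middleware the answer describes adds the HTTP fetch of the metadata document on top of this and caches the key set between requests.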
I'm currently getting an error on my protected API along the lines of: "Signature validation failed. No security keys were provided to validate the signature."
I'm sure I'm missing something simple, but I can't seem to figure out how to specify the security keys / signing credentials. In my IdentityServer I have some standard boilerplate:
This appears to sign the JWT with the key generated at tempkey.rsa. On my protected API, I've added this standard boilerplate:
which results in the error mentioned at the start of my issue.
Presumably I have to specify a signing key--tempkey.rsa--somewhere in my protected API so it can validate the signature, but I cannot seem to figure out how to do that. In other JWT libraries, it is something like this:

But I can't seem to find the same with the IdentityServer4.AccessTokenValidation.
P.S. From some of my research I have a feeling someone is going to teach me about "kid" and the "metadata" endpoint that is going to blow my mind.