IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Access token validation fail, IDX10500 #93

Closed cjwik closed 6 years ago

cjwik commented 7 years ago

I have an identity service, a JavaScript client and an API I'd like to access in a secure way.

The JavaScript client can log on, but when I try to access the API it fails. It seems that it is the validation of the access token that fails in the API. All of this works locally with localhost. I have the cert in personal storage locally and have also uploaded the cert to Azure. I can verify that the identity service on Azure can find and load the cert.

(I have masked the URL)

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // CORS policy used by the JavaScript client
        services.AddCors(o =>
        {
            o.AddPolicy("default", policy =>
            {
                policy.AllowAnyOrigin()
                      .AllowAnyHeader()
                      .AllowAnyMethod()
                      .WithExposedHeaders("WWW-Authenticate");
            });
        });

        // JWT bearer validation; signing keys are loaded from the authority's metadata
        services.AddAuthentication(o =>
        {
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            o.Authority = "https://MASK/identityservice";
            o.Audience = "api1";
            o.RequireHttpsMetadata = false;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseCors("default");
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

And the log on Azure

(I have masked some names and URLs)

2017-10-22 18:03:09.888 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESJN6A6D" started.
2017-10-22 18:03:09.926 +00:00 [Information] Microsoft.AspNetCore.Hosting.Internal.WebHost: Request starting HTTP/1.1 GET http://MASK/IdentityServiceTestApi/identity
2017-10-22 18:03:10.110 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IjUyRUU1NEY2NzQwN0M1RTdDNjNGMDRDQURDNjZCNzExOEJENDZCQzgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJVdTVVOW5RSHhlZkdQd1RLM0dhM0VZdlVhOGcifQ.eyJuYmYiOjE1MDg2OTUzNzYsImV4cCI6MTUwODY5ODk3NiwiaXNzIjoiaHR0cHM6Ly9zb25kZXJkZXZlbG9wbWVudC5uY2ZpbmFuY2Uuc2UvaWRlbnRpdHlzZXJ2aWNlIiwiYXVkIjpbImh0dHBzOi8vc29uZGVyZGV2ZWxvcG1lbnQubmNmaW5hbmNlLnNlL2lkZW50aXR5c2VydmljZS9yZXNvdXJjZXMiLCJhcGkxIl0sImNsaWVudF9pZCI6ImpzX0lkZW50aXR5U2VydmljZVRlc3RDbGllbnRKYXZhU2NyaXB0Iiwic3ViIjoiMTg4IiwiYXV0aF90aW1lIjoxNTA4NjkwNzQ5LCJpZHAiOiJsb2NhbCIsIm5hbWUiOiJBbGljZSBTbWl0aCIsInJvbGUiOiJteVJvbGUiLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiYXBpMSJdLCJhbXIiOlsicHdkIl19.NoXtdq8K5t1_iA9RqN2BITo2w__8xEymG2bXCDmsGRpPm09fRtmIesR5_xaBE4ndGvVlsZbkQJDpFRLKgfX7OKV9Kb7qu_NF5F_kzc2lv3FMPZDGzZGOcAwtHrAYnYGQkEYW8KvWXRdfhEiyaXP-F1tufOGXXctD5T_8LW4kIben_kUpP4OFj4B3jTEJy-2Ft1_vkC7eqbuH0lQwepSNZFIZ4zB7wxifN0HHOeHJh7Rn1O-QgVFpNFqBZXpNLjjSRNg87ZK6kuig0C7OJwaZGfBBsLOqbv4sP_uD1UZdjnA5SkpNbBIcUuVIGyoKQMwWpHtOvXAyUrRAILj3jRgSzbDMlBH5MilVj6OXxE7bK60Jr2I8HB0vagGb1e1xJz6mT3rzm5AjE9UbjBtiOow3MlTR2YYcQmkUv_S8Xewnc7GeDbFxZkJjOXIKnmfpjNzviUf73AC7bL1fK8jmk3mXmrIGZxInPB8Z1i_l4n1rFFdiso_zDHf8YLp36og7DUmvwhLNFKRpXiMyjngyzq1OEc2L2yI7MotLZ-h45ZnoP4iDjU1OGttsoj1w4PxrIWHeOZCwjCxqUnXurpHY02yRUEgJPbsykenqw-WnL5O1I-HrSkyXc4r4r1XPJTT-GF3JUIzfkdhipF4Bb1wpq8ua3s3nP_NdNL9XE-S3TuMZBnk. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature. 
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__6.MoveNext()
2017-10-22 18:03:10.115 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
2017-10-22 18:03:10.325 +00:00 [Debug] Microsoft.AspNetCore.Routing.Tree.TreeRouter: Request successfully matched the route with name '(null)' and template 'Identity'.
2017-10-22 18:03:10.361 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Executing action MASK.IdentityServiceTestApi.Controllers.IdentityController.Get (MASK.IdentityServiceTestApi)
2017-10-22 18:03:10.374 +00:00 [Information] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Authorization failed for user: (null).
2017-10-22 18:03:10.375 +00:00 [Information] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
2017-10-22 18:03:10.376 +00:00 [Information] Microsoft.AspNetCore.Mvc.ChallengeResult: Executing ChallengeResult with authentication schemes ().
2017-10-22 18:03:10.391 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: AuthenticationScheme: Bearer was challenged.
2017-10-22 18:03:10.393 +00:00 [Information] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Executed action MASK.IdentityServiceTestApi.Controllers.IdentityController.Get (MASK.IdentityServiceTestApi) in 29.7643ms
2017-10-22 18:03:10.404 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESJN6A6D" completed keep alive response.
2017-10-22 18:03:10.405 +00:00 [Information] Microsoft.AspNetCore.Hosting.Internal.WebHost: Request finished in 479.1014ms 401
2017-10-22 18:04:34.004 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8E" received FIN.
2017-10-22 18:04:34.004 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8E" disconnecting.
2017-10-22 18:04:34.004 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8E" sending FIN.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8E" stopped.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8D" received FIN.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8D" disconnecting.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8D" sending FIN.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8F" received FIN.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8F" disconnecting.
2017-10-22 18:04:34.005 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESCISJ8F" sending FIN.
2017-10-22 18:04:34.008 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8D" stopped.
2017-10-22 18:04:34.008 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESCISJ8F" stopped.
2017-10-22 18:04:34.007 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESBPJ074" received FIN.
2017-10-22 18:04:34.007 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESBPJ074" disconnecting.
2017-10-22 18:04:34.007 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESBPJ074" sending FIN.
2017-10-22 18:04:34.008 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESBPJ074" stopped.
2017-10-22 18:04:34.006 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESJN6A6D" received FIN.
2017-10-22 18:04:34.006 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESJN6A6D" disconnecting.
2017-10-22 18:04:34.006 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv: Connection id "0HL8PESJN6A6D" sending FIN.
2017-10-22 18:04:34.006 +00:00 [Debug] Microsoft.AspNetCore.Server.Kestrel: Connection id "0HL8PESJN6A6D" stopped.
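
The IDX10500 line in the log above says the handler had no signing keys at all, which is a different condition from holding keys that do not match the token. As an added example (not part of the original post and not code from IdentityServer or Microsoft), this offline check compares a token's `kid` header with a JWKS document such as the one the authority publishes at its `jwks_uri`. It assumes a current .NET SDK with `System.Text.Json`; `JwksTriage` and `Check` are hypothetical names, and the token and key sets are constructed sample data.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class JwksTriage
{
    // Decode a base64url segment (JWT segments omit '=' padding).
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // Verdict for a compact JWT against the JWKS JSON the API would load.
    public static string Check(string jwt, string jwksJson)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return "malformed: expected 3 dot-separated segments";

        using var header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
        string kid = header.RootElement.TryGetProperty("kid", out var k) ? k.GetString() : null;

        using var jwks = JsonDocument.Parse(jwksJson);
        if (!jwks.RootElement.TryGetProperty("keys", out var keys) ||
            keys.ValueKind != JsonValueKind.Array || keys.GetArrayLength() == 0)
            return "no keys: nothing to verify the signature with (the IDX10500 condition)";

        bool match = keys.EnumerateArray().Any(e =>
            e.TryGetProperty("kid", out var v) && v.GetString() == kid);
        return match ? $"kid {kid} is present in the key set"
                     : $"kid {kid} is not in the key set";
    }

    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed token: realistic header shape, dummy payload and signature.
        string jwt = B64Url("{\"alg\":\"RS256\",\"kid\":\"SAMPLE-KID-1\",\"typ\":\"JWT\"}") + ".e30.c2ln";
        Console.WriteLine(Check(jwt, "{\"keys\":[]}"));
        Console.WriteLine(Check(jwt, "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"OTHER-KID\"}]}"));
        Console.WriteLine(Check(jwt, "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"SAMPLE-KID-1\"}]}"));
    }
}
```

Running the check from the API's own host against the JWKS it actually retrieves separates an empty key set from a `kid` mismatch.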

leastprivilege commented 7 years ago

Did you fix it?

Otherwise this is a question for Microsoft - you are using their code to validate the token.

cjwik commented 7 years ago

No, I have put this on the side for now. Not sure how to outline the question here for Microsoft.

leastprivilege commented 6 years ago

Make sure you read (and understand) the readme for scenarios where this handler is useful and configuration options:

https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/release/README.md

leastprivilege commented 6 years ago

@cjwik will close this issue - feel free to open / re-open once you know more about your problem.