NetDevPack / Security.Jwt

Jwt Manager. Set of components to deal with Jwt Stuff. Automate your key rotating, add support for jwks_uri. Store your cryptography keys in a secure place.
MIT License

.NET 8.0 incompatibility with HS256 #47

Closed sherlock1982 closed 5 months ago

sherlock1982 commented 10 months ago

I use IJwtService with the following code to generate an access token:

        var credentials = await jwtService.GetCurrentSigningCredentials();
        var tokenDescriptor = _jwtSecurityTokenHandler.CreateJwtSecurityToken(_issuer, _issuer,
            new ClaimsIdentity(claims), expires: DateTime.UtcNow.AddMinutes(60), signingCredentials: credentials);

I get here:

System.NotSupportedException: 'IDX10621: 'Microsoft.IdentityModel.Tokens.SymmetricSignatureProvider' supports: 'Microsoft.IdentityModel.Tokens.SecurityKey' of types: 'Microsoft.IdentityModel.Tokens.AsymmetricSecurityKey' or 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey'. SecurityKey received was of type 'Microsoft.IdentityModel.Tokens.JsonWebKey'.'

Might be related to

Workaround is not to use HS256

brunobritodev commented 10 months ago

I encountered the same issue and solved it by cleaning old keys from the ASP.NET DataProtection folder, e.g. C:\Users\<user>\AppData\Local\ASP.NET\DataProtection-Keys. It's a workaround. But I don't know why the parameters of the Key became blank after the upgrade to .NET 8. It needs further investigation.

anderjoy commented 9 months ago

I encountered the same problem but I didn't update to .net 8.0. I use persistence with entity framework (MSSQL). The key parameters were left blank for no apparent reason. We resolved this by deleting the table and restarting the API (workaround).


kirill-gerasimenko-da commented 9 months ago

Having the same issue here. Will try to clear up the table as others suggested.

sherlock1982 commented 6 months ago

Well, if it helps, here's an example.

I create a key in .NET 7 and here's what I got in Parameters JSON in .NET 8 (Something that should become ):

{\"AdditionalData\":{},\"Alg\":null,\"Crv\":null,\"D\":null,\"DP\":null,\"DQ\":null,\"E\":null,\"K\":\"CMUA71g93z9hiS8rt9NvOjBbZybfb--E2Z6AQXXKgaEzgH3LPscuSZbxfgkYctXxuiY9JGBsAOZF1huACm0aEw\",\"KeyId\":\"P99aRZA-6lJvOdxziITJ6A\",\"KeyOps\":[],\"Kid\":\"P99aRZA-6lJvOdxziITJ6A\",\"Kty\":\"oct\",\"N\":null,\"Oth\":null,\"P\":null,\"Q\":null,\"QI\":null,\"Use\":null,\"X\":null,\"X5c\":[],\"X5t\":null,\"X5tS256\":null,\"X5u\":null,\"Y\":null,\"KeySize\":512,\"HasPrivateKey\":false,\"CryptoProviderFactory\":{\"CryptoProviderCache\":{},\"CustomCryptoProvider\":null,\"CacheSignatureProviders\":true,\"SignatureProviderObjectPoolCacheSize\":64}}

Natively created key in .NET 8

{\"k\":\"gnq_e_lwxyCCg5BYsEKkG55pmO6_5ovKvSPr3aQ3fAVpVaSDkLeSklKDtJFPfpzESafCje0Qj1gsomig0PYBug\",\"key_ops\":[],\"kid\":\"yOxMeogeghirusdCfGdqBA\",\"kty\":\"oct\",\"oth\":[],\"x5c\":[]}

Well the thing is that this is of course incompatible. Are there any conversion procedures we can apply?

Any recommendations to avoid it in the future? Maybe serialize it manually? This is the place where we convert KeyMaterial to JsonWebKey. Maybe we can somehow make this more stable?

JsonWebKey class is Microsoft.IdentityModel.Tokens versions 6.26.1 vs 7.4.0

sherlock1982 commented 6 months ago

Ok I found a fix. Can you please make a new build?

public JsonWebKey GetSecurityKey()
{
    return JsonSerializer.Deserialize<JsonWebKey>(Parameters, new JsonSerializerOptions() { 
        PropertyNameCaseInsensitive = true,
    });
}
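
The conversion asked about in the thread, as an added example that is not part of the thread or the project's code: it rewrites a stored `Parameters` document from the PascalCase shape shown above into the RFC 7517 member names used by the natively created key. `LegacyJwkConverter` and `Normalize` are hypothetical names, and the sample input is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json.Nodes;

// Added example (hypothetical helper): legacy PascalCase "Parameters" JSON -> RFC 7517 member names.
public static class LegacyJwkConverter
{
    // Legacy property name -> JWK member name (RFC 7517 / RFC 7518).
    private static readonly Dictionary<string, string> Names = new(StringComparer.Ordinal)
    {
        ["Alg"] = "alg", ["Crv"] = "crv", ["D"] = "d", ["DP"] = "dp", ["DQ"] = "dq",
        ["E"] = "e", ["K"] = "k", ["KeyOps"] = "key_ops", ["Kid"] = "kid", ["Kty"] = "kty",
        ["N"] = "n", ["Oth"] = "oth", ["P"] = "p", ["Q"] = "q", ["QI"] = "qi",
        ["Use"] = "use", ["X"] = "x", ["X5c"] = "x5c", ["X5t"] = "x5t",
        ["X5tS256"] = "x5t#S256", ["X5u"] = "x5u", ["Y"] = "y",
    };

    public static string Normalize(string parametersJson)
    {
        var source = JsonNode.Parse(parametersJson) as JsonObject
            ?? throw new FormatException("Parameters is not a JSON object.");
        // Already in the lowercase JWK shape: return it untouched.
        if (source.ContainsKey("kty")) return parametersJson;

        var target = new JsonObject();
        foreach (var (name, value) in source)
        {
            // Drop members that are not JWK parameters (KeyId, KeySize, HasPrivateKey,
            // CryptoProviderFactory, AdditionalData), plus nulls and empty arrays.
            if (!Names.TryGetValue(name, out var jwkName)) continue;
            if (value is null || value is JsonArray { Count: 0 }) continue;
            // A JsonNode can have only one parent, so copy the value before attaching it.
            target[jwkName] = JsonNode.Parse(value.ToJsonString());
        }
        if (!target.ContainsKey("kty"))
            throw new FormatException("No Kty member; not a serialized JsonWebKey.");
        return target.ToJsonString();
    }

    public static void Main()
    {
        // Constructed sample in the legacy shape; the K value is a placeholder, not real key material.
        const string legacy = """
            {"AdditionalData":{},"Alg":null,"K":"Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ","KeyId":"sample-kid",
             "KeyOps":[],"Kid":"sample-kid","Kty":"oct","X5c":[],"KeySize":168,"HasPrivateKey":false}
            """;
        Console.WriteLine(Normalize(legacy));
    }
}
```

The normalized document still contains the secret `k` value, so write it back to the same protected store and keep it out of logs and console output when run on real keys.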