aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

OAuthBearerAuthenticationHandler invalid bearer token received #362

Open iamkarlson opened 4 years ago

iamkarlson commented 4 years ago

Hi. When I switched on logs for authentication I started receiving these messages, without a stated reason why it's invalid:

w3wp[15608]: 2020-06-23 15:09:18.4038|WARN|Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware|Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.AuthenticateCoreAsync|invalid bearer token received

However, everything works pretty well and I can get all the data from tokens and deserialize claims, etc.

What I understood from the code is that this occurs when asp.net can't properly deserialize an auth ticket from the context (https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OAuth/OAuthBearerAuthenticationHandler.cs#L62). Is there any chance that a proper reason could be specified in the message? I tried to figure out how I can do that myself, but it seems that it's stuck on decrypting the ticket from the binary.

Tratcher commented 4 years ago

However, everything works pretty well and I can get all the data from tokens and deserialize claims, etc.

Were these tokens issued by the local OAuth server or from somewhere else?

How are you wiring up the middleware? UseJwtBearerAuthentication?

iamkarlson commented 4 years ago

They are being issued by Azure B2C. Middleware configuration:

    // Inside Startup.Configuration(IAppBuilder app); JwtFormat comes from Microsoft.Owin.Security.Jwt,
    // OAuthBearerAuthenticationOptions from Microsoft.Owin.Security.OAuth.
    TokenValidationParameters tvps = new TokenValidationParameters
    {
        // Only accept tokens issued to this application's client id
        ValidAudience = AppSettingConstant.ClientId,
        // Authentication type stamped on the resulting ClaimsIdentity (the B2C policy name here)
        AuthenticationType = AppSettingConstant.DefaultPolicy
    };
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
    {
        // Validate incoming JWTs with signing keys fetched from the B2C OpenID Connect metadata endpoint
        AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(AppSettingConstant.WellKnownMetadata)),
    });

Tratcher commented 4 years ago

You're right that the layering and error reporting here aren't great. Looking through it, I don't see why you'd get that error vs an exception; I don't see where the original error is suppressed. Trying it under the debugger with first-chance exceptions enabled may give you a clue what the original error is and where it's being captured.

iamkarlson commented 4 years ago

What do you mean by trying it under the debugger? I've been running it in debug mode for quite a while and there's no error/exception popping up at all.
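One way to get the missing reason out of the handler is to wrap the JwtFormat in a decorator that logs what happened before the bearer handler collapses the outcome to "invalid bearer token received". This is an added example, not Katana's code or the reporter's; the class name LoggingJwtFormat is my own, and it assumes only the public ISecureDataFormat<AuthenticationTicket> and Microsoft.Owin.Logging APIs.

```csharp
using System;
using Microsoft.Owin.Logging;
using Microsoft.Owin.Security;

// Decorates the real JwtFormat so the reason a token fails to unprotect is logged
// before OAuthBearerAuthenticationHandler reduces it to "invalid bearer token received".
public sealed class LoggingJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly ISecureDataFormat<AuthenticationTicket> _inner;
    private readonly ILogger _logger;

    public LoggingJwtFormat(ISecureDataFormat<AuthenticationTicket> inner, ILogger logger)
    {
        _inner = inner;
        _logger = logger;
    }

    public string Protect(AuthenticationTicket data) { return _inner.Protect(data); }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        try
        {
            AuthenticationTicket ticket = _inner.Unprotect(protectedText);
            if (ticket == null)
            {
                // Rejected without an exception: log a non-sensitive shape description only,
                // never the raw bearer token.
                _logger.WriteWarning("JwtFormat returned null for a token with " + Describe(protectedText));
            }
            return ticket;
        }
        catch (Exception ex)
        {
            // Expired token, audience mismatch, unknown signing key, etc.: keep the
            // middleware contract (return null) but record the actual exception.
            _logger.WriteError("JwtFormat threw for a token with " + Describe(protectedText), ex);
            return null;
        }
    }

    private static string Describe(string token)
    {
        if (string.IsNullOrEmpty(token)) return "length 0";
        return "length " + token.Length + " and " + token.Split('.').Length + " dot-separated segments";
    }
}
```

Wire it up by passing `new LoggingJwtFormat(jwtFormat, app.CreateLogger<LoggingJwtFormat>())` as AccessTokenFormat in place of the JwtFormat built in the configuration above; if the warning then appears with no accompanying entry from this wrapper, the rejected requests are reaching the handler with a token the format never saw as a JWT at all.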