aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

X509SecurityKey validation failed. The associated certificate is not yet valid. #1843

Closed blowdart closed 6 years ago

blowdart commented 6 years ago

From @pauloevpr on August 22, 2018 0:35

I have had an issue with X509 certificate validations. Whenever a new certificate is issued, Authentication middleware fails to validate the certificate, reporting that the certificate is not yet valid.

Here is how I am setting up authentication:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options => {
        options.Authority = authority;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = authority,
            ValidAudience = scope,
            NameClaimType = "name"
        };
    });

This is the exception I find when using a recently issued certificate:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSigningKeyException: IDX10248: X509SecurityKey validation failed. The associated certificate is not yet valid. ValidFrom: '08/22/2018 07:20:29', Current time: '08/22/2018 00:27:11'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuerSecurityKey(SecurityKey key, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

It is clear to me that it is a timezone issue. Validation is being based on the UTC time instead of the local server time (in my case UTC +10).

It seems that this is a known issue which has been fixed here. However, Microsoft.AspNetCore.App v2.1.3 (current latest version) does not seem to use the latest Microsoft.IdentityModel.Tokens assembly.

Copied from original issue: aspnet/Home#3444
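
Added illustration, not part of the original issue thread and not code from Microsoft.IdentityModel.Tokens: the two timestamps in the IDX10248 message above fit a local-time NotBefore value being compared against a UTC clock, which the sketch below reproduces next to a comparison that normalizes to UTC first. The class and method names, the fixed UTC+10 zone, and the one-year expiry are assumptions made for the example.

```csharp
using System;

public static class CertWindowCheck
{
    // Mismatched pattern: DateTime comparison ignores DateTime.Kind, so local
    // wall-clock values compared with a UTC clock are off by the zone offset.
    public static string CheckNaive(DateTime notBefore, DateTime notAfter, DateTime utcNow)
    {
        if (notBefore > utcNow) return "not yet valid";
        if (notAfter < utcNow) return "expired";
        return "valid";
    }

    // Normalized pattern: convert both bounds to UTC before comparing. With a
    // real certificate, X509Certificate2.NotBefore/NotAfter are local-time
    // values and cert.NotBefore.ToUniversalTime() performs this conversion.
    public static string CheckUtc(DateTime notBefore, DateTime notAfter,
                                  DateTime utcNow, TimeZoneInfo zone)
    {
        return CheckNaive(TimeZoneInfo.ConvertTimeToUtc(notBefore, zone),
                          TimeZoneInfo.ConvertTimeToUtc(notAfter, zone),
                          utcNow);
    }

    public static void Main()
    {
        // Assumption: a fixed UTC+10 zone stands in for the server's time zone,
        // so the result does not depend on the machine running the example.
        var zone = TimeZoneInfo.CreateCustomTimeZone(
            "UTC+10", TimeSpan.FromHours(10), "UTC+10", "UTC+10");

        // ValidFrom and current time exactly as printed in the IDX10248 message.
        var notBefore = new DateTime(2018, 8, 22, 7, 20, 29, DateTimeKind.Unspecified);
        var utcNow = new DateTime(2018, 8, 22, 0, 27, 11, DateTimeKind.Utc);
        // Constructed value: the page does not give the certificate's expiry.
        var notAfter = notBefore.AddYears(1);

        Console.WriteLine("naive:      " + CheckNaive(notBefore, notAfter, utcNow));
        Console.WriteLine("normalized: " + CheckUtc(notBefore, notAfter, utcNow, zone));
        Console.WriteLine("NotBefore in UTC: " +
            TimeZoneInfo.ConvertTimeToUtc(notBefore, zone).ToString("u"));
    }
}
```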

blowdart commented 6 years ago

@Eilon We should update the dependency for preview 2.

Eilon commented 6 years ago

OK, we'll triage this afternoon.

HaoK commented 6 years ago

Dupe of https://github.com/aspnet/Universe/issues/1098

HaoK commented 6 years ago

Well, not a dupe, but will be fixed with the update to Identity Model