auth0-samples / auth0-aspnetcore-mvc-samples

Auth0 Integration Samples for ASP.NET Core MVC Web Applications
https://auth0.com/docs/quickstart/webapp/aspnet-core
MIT License

Error running quickstart in .NET 6 #77

Closed kennethversaw closed 1 year ago

kennethversaw commented 1 year ago

I cloned the project and pulled it to my local environment. I changed the Target Framework to:

net6.0

Then I ran the project. It started and I clicked "Login". It took me to the Auth0 login window. After I clicked Login it returned:

An unhandled exception occurred while processing the request. SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'. System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

frederikprijck commented 1 year ago

Hey,

I just updated our sample to .NET6 and it runs without any issues: https://github.com/auth0-samples/auth0-aspnetcore-mvc-samples/pull/78, including our end-to-end tests to verify the login flow works.

Would you have more information about your situation and how to reproduce it ?

Thanks

kennethversaw commented 1 year ago

I literally just cloned it, changed the appsettings.json file to my account and bumped it to .NET 6. I noticed that you updated the version of "Auth0.AspNetCore.Authentication" to 1.1.0, so I did that and now the error message has a little bit more information. Not sure if it helps or not, but I posted it below.

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '4'. Number of keys in Configuration: '0'. Exceptions caught: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

frederikprijck commented 1 year ago

Sorry for not getting back sooner, we have improved visibility on our sample repositories so this shouldn't happen anymore!

Did you manage to resolve this, or are you still experiencing issues?

If you literally cloned the repository, I would expect the issue to originate outside of the application, as it works fine for me.

I recommend investigating any rules/actions you have, as well as any specific tenant configuration that could cause this.

kennethversaw commented 1 year ago

No it still isn't working. Is there tech support or something that could help me?

frederikprijck commented 1 year ago

Yes, you can typically reach out to your point of contact with Auth0.

The sample is currently using dotnet 6 on the master branch; if that does not work for you as-is, I believe there may be other reasons at play.

Do you have any rules or extensions enabled in Auth0 that could interfere with the kid claim?

frederikprijck commented 1 year ago

Closing, let me know if you need further assistance.

jchannon commented 1 year ago

I get exactly the same error on .NET 7. It's a default MVC template application with the Auth0 SDK package added. Go to /account/login, it redirects to Auth0, log in, and then when it comes back to the app you get the error mentioned. Here's a sample app that shows the error (I've removed my Auth0 settings from appsettings.json): https://github.com/jchannon/auth0autherror/

frederikprijck commented 1 year ago

@jchannon , I ran your sample and it works fine. Could it be that you have HS256 enabled instead of RS256 (See Application Settings in Auth0, then Advanced -> OAuth)? Once I enable HS256 I get the same error.

Given that RS256 is what we recommend, would it be possible for you to use RS256?
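
As an added diagnostic (not code from the sample repository or the Auth0 SDK), the following decodes a token's header without verifying anything, to show why an HS256 application setting produces the IDX10503 "Token does not have a kid" failure: the OpenID Connect handler selects a verification key from the tenant's JWKS by kid, and HMAC-signed tokens carry none. The tokens and the JWKS kid list are constructed inline with dummy signatures.

```csharp
// Added diagnostic, not code from the sample repository or the Auth0 SDK.
// Decodes a JWT header WITHOUT verifying the signature, only to explain why the
// OIDC handler reports IDX10503. Tokens and kid list below are constructed.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class KidCheck
{
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Verdict for one token header against the kids the tenant publishes in its JWKS.
    public static string Explain(string jwt, ISet<string> jwksKids)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return "not a compact JWS";
        using var doc = JsonDocument.Parse(B64UrlDecode(parts[0]));
        var hdr = doc.RootElement;
        string alg = hdr.TryGetProperty("alg", out var a) ? a.GetString() ?? "" : "";
        string? kid = hdr.TryGetProperty("kid", out var k) ? k.GetString() : null;

        if (alg.StartsWith("HS"))
            return $"alg={alg}: HMAC-signed, carries no kid, so the handler cannot pick a " +
                   "JWKS key and fails with IDX10503. Set the Auth0 application to RS256.";
        if (kid is null)
            return $"alg={alg} with no kid: the handler has no way to select a JWKS key.";
        return jwksKids.Contains(kid)
            ? $"alg={alg}, kid={kid}: matches a published signing key."
            : $"alg={alg}, kid={kid}: not in JWKS (rotated key or wrong tenant domain).";
    }

    // Builds a constructed three-part token with a dummy signature.
    static string Token(string headerJson) =>
        B64Url(headerJson) + "." + B64Url("{\"sub\":\"demo\"}") + ".dummysig";

    static void Main()
    {
        var kids = new HashSet<string> { "constructed-kid-1" };
        Console.WriteLine(Explain(Token("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"), kids));
        Console.WriteLine(Explain(Token("{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"constructed-kid-1\"}"), kids));
    }
}
```

Paste a real id_token (copied from the browser's network trace) into Explain to confirm the alg before touching rules, actions or tenant settings; if it reads HS256, the fix is the application's signing algorithm, not the app code.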

jchannon commented 1 year ago

That's exactly what it was!

Thanks, wouldn't have spotted that =)

jchannon commented 1 year ago

@frederikprijck side question: how do you configure the LoginPath/LogoutPath with the options available? I want to change the default from /account/login to just /login

frederikprijck commented 1 year ago

Not sure what you are asking. Account/Login is your own endpoint, that has nothing to do with the SDK. You can change that just like you change any other endpoint in ASP.NET.

jchannon commented 1 year ago

Account/Login is the default signin url that ASP.NET Authentication uses, but I don't see a way in .AddAuth0WebAppAuthentication to change it in the options.

frederikprijck commented 1 year ago

Account/Login is the default signin url that ASP.NET Authentication uses

/Account/Login on its own has nothing to do with ASP.NET authentication and is nothing but a random endpoint that happens to use that path, which then kicks off the authentication process because it calls HttpContext.ChallengeAsync, see https://github.com/jchannon/auth0autherror/blob/main/WebApplication7Auth0/Controllers/AccountController.cs#L29. This could be any route, for that matter.

/Account/Login maps to the Login action in the Account controller, which is https://github.com/jchannon/auth0autherror/blob/main/WebApplication7Auth0/Controllers/AccountController.cs#L23. This is done because of this configuration: https://github.com/jchannon/auth0autherror/blob/main/WebApplication7Auth0/Program.cs#L34-L37

You can change this using the corresponding attributes in Web API, see https://learn.microsoft.com/en-us/aspnet/web-api/overview/web-api-routing-and-actions/routing-in-aspnet-web-api.

In this case, you can just change the Login action to have a specific HttpGet attribute that controls its route url by setting it to /login:

[HttpGet("/login")]
public async Task Login(string returnUrl = "/")
{
    var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
        .WithRedirectUri(returnUrl)
        .Build();

    await HttpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
}

jchannon commented 1 year ago

/Account/Login on its own has nothing to do with ASP.NET authentication

/Account/Login on its own has everything to do with ASP.NET authentication; that path is defined in the CookieAuthenticationOptions. However, decompiling AddAuth0WebAppAuthentication shows Auth0 calls AddCookie, which has an Action<CookieAuthenticationOptions> configureOptions method arg that isn't exposed, where we could change CookieAuthenticationOptions.LoginPath.

frederikprijck commented 1 year ago

Alright, I get what you mean. Sorry about that, I was focussing on the application. Login works perfectly fine if you do what I mentioned above, but it will redirect to the incorrect URL because of the wrongly configured LoginPath on the cookie options when trying to access protected routes when not logged in.

What you want is explained here: https://github.com/auth0/auth0-aspnetcore-authentication/issues/54#issuecomment-1036245697, which comes down to taking control over the cookie registration yourself.

I wasn't aware of the default value for LoginPath on the CookieOptions, thanks for elaborating on that. That's good info to know if this question comes up again. Apologies for the entirely inaccurate response.

Just sharing this if anyone ever wonders: https://github.com/dotnet/aspnetcore/blob/2ce54c68b2abfa66974a4e75cf80e61203180ce4/src/Security/Authentication/Cookies/src/CookieAuthenticationDefaults.cs#L27
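
One way to override the cookie LoginPath without replacing the SDK's registration, as an added example that is not code from the sample repository, the linked issue or the Auth0 SDK: use the named options pipeline so your values are applied after the SDK's own AddCookie configuration. It assumes AddAuth0WebAppAuthentication registers the cookie handler under CookieAuthenticationDefaults.AuthenticationScheme ("Cookies"), which is what a bare AddCookie() call does, and that appsettings.json carries Auth0:Domain and Auth0:ClientId as in the quickstart.

```csharp
// Added example, not code from the sample repository or the Auth0 SDK.
// Overrides the cookie scheme's LoginPath/LogoutPath after the SDK has
// configured it, so unauthenticated requests to [Authorize] routes are sent
// to /login rather than the default /Account/Login.
// Assumption: the SDK registers the cookie handler under
// CookieAuthenticationDefaults.AuthenticationScheme ("Cookies").
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Configuration keys assumed to match the quickstart's appsettings.json.
builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.ClientId = builder.Configuration["Auth0:ClientId"];
});

// Named PostConfigure runs after every Configure for that scheme name,
// so these values win without touching the SDK's registration.
builder.Services.PostConfigure<CookieAuthenticationOptions>(
    CookieAuthenticationDefaults.AuthenticationScheme, cookie =>
    {
        cookie.LoginPath = "/login";   // must match the [HttpGet("/login")] action
        cookie.LogoutPath = "/logout";
    });

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();
```

Verify by hitting an [Authorize] route while signed out: the 302 Location should now be /login?ReturnUrl=..., and the Login action's ChallengeAsync still drives the Auth0 redirect.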

jchannon commented 1 year ago

Perfect, thanks!