dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

OpenIdConnectProtocolException: IDX21314: OpenIdConnectProtocol requires the jwt token to have an 'aud' claim. #57938

Open dradovic opened 2 months ago

dradovic commented 2 months ago

Is there an existing issue for this?

Describe the bug

I'm trying to implement OIDC with a 3rd party using the Authorization Code Grant and I'm getting an OpenIdConnectProtocolException: IDX21314: OpenIdConnectProtocol requires the jwt token to have an 'aud' claim. and I'm trying to understand what's going on.

Stepping into the OnTokenValidated event, I see that the TokenValidatedContext.Principal actually contains the 'aud' claim, while the TokenValidatedContext.SecurityToken does not.

So I guess I have two questions

  1. Why do I get this error although the claim is contained in the Principal?
  2. Is the 3rd party IdP doing something that does not correspond to the OAuth 2.0 RFC 6749, section 4.1 or do I need to configure OIDC differently?

Expected Behavior

No error should be thrown, as 'aud' is present in the Principal.

Steps To Reproduce

Hard to provide a repro as you'd need to sign up for an account at the 3rd party. But here's my OIDC configuration:

using System.Net.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;

services.AddAuthentication()
    .AddOpenIdConnect("Bexio", options =>
    {
        options.ClientId = ...
        options.ClientSecret = ...
        options.Authority = ...
        // Metadata is supplied by hand instead of being fetched from the
        // discovery document, so no signing keys arrive with the configuration.
        options.Configuration = new OpenIdConnectConfiguration
        {
            AuthorizationEndpoint = ...
            TokenEndpoint = ...
            UserInfoEndpoint = ...
            Issuer = ...
        };
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.Scope.Add("openid");
        options.Scope.Add("email");
        options.TokenValidationParameters = new TokenValidationParameters // https://github.com/dotnet/aspnetcore/issues/8067
        {
            // Replaces the keys that discovery would have provided: the JWKS
            // document is downloaded synchronously on every token validation.
            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
            {
                var client = new HttpClient();
                var response = client.GetAsync(BexioDefaults.JwkEndpoint).Result;
                var responseString = response.Content.ReadAsStringAsync().Result;
                var keys = JsonConvert.DeserializeObject<BexioDefaults.JwkKeys>(responseString)!;
                return keys.Keys;
            },
        };
    });

Exceptions

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21314: OpenIdConnectProtocol requires the jwt token to have an 'aud' claim. The jwt did not contain an 'aud' claim, jwt: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateIdToken(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateTokenResponse(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21314: OpenIdConnectProtocol requires the jwt token to have an 'aud' claim. The jwt did not contain an 'aud' claim, jwt: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateIdToken(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateTokenResponse(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

.NET Version

8.0.401

Anything else?

I would highly appreciate it if someone having more background in OIDC than me could look into this and shed some light.
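The message in the trace says the jwt did not contain an 'aud' claim, while the reporter sees one in the Principal, so the quickest way to settle what the IdP actually sends is to look at the raw id_token payload. The following is an added diagnostic, not code from this issue or from ASP.NET Core. It decodes the middle JWT segment without verifying the signature (inspection only, never authentication) and applies the audience rules of OpenID Connect Core 1.0: section 2 makes `aud` REQUIRED in an ID Token and allows a single string or an array of strings, and section 3.1.3.7 requires the client to reject a token whose `aud` does not list its client_id and to check `azp` against client_id when present. RFC 6749 section 4.1 only covers the OAuth code exchange and says nothing about id_token contents. The client id, issuer and all tokens below are constructed; the unsigned `alg: none` tokens exist only to exercise the inspector.

```python
"""Inspect the 'aud' claim of an OIDC id_token (diagnostic only, no signature check)."""
import base64
import json

CLIENT_ID = "my-client"  # constructed stand-in for options.ClientId


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED JWT ('alg': 'none', empty signature) for testing."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(id_token: str) -> dict:
    """Return the JSON payload of a compact JWT without validating anything."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segments")
    return json.loads(_b64url_decode(parts[1]))


def inspect_aud(id_token: str, client_id: str) -> dict:
    """Report how 'aud' appears in the token and whether it names client_id.

    OIDC Core 1.0 section 2: 'aud' is REQUIRED and is a string or an array of
    strings. Section 3.1.3.7: reject if client_id is not listed; if 'azp' is
    present it should equal client_id.
    """
    payload = decode_payload(id_token)
    if "aud" not in payload:
        return {"present": False, "json_type": None, "values": [], "accepts_client": False}

    aud = payload["aud"]
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        values = list(aud)
    else:
        # Present, but not in a spec-allowed shape (number, object, array of
        # non-strings); a strict parser may legitimately report "no aud".
        values = []

    accepts = client_id in values
    azp = payload.get("azp")
    if accepts and azp is not None and azp != client_id:
        accepts = False
    return {
        "present": True,
        "json_type": type(aud).__name__,
        "values": values,
        "accepts_client": accepts,
    }


# Constructed tokens covering the shapes worth checking when IDX21314 fires.
BASE = {"iss": "https://idp.example", "sub": "user-1", "exp": 1700000000}
SAMPLE_TOKENS = {
    "string_aud": make_unsigned_token({**BASE, "aud": CLIENT_ID}),
    "array_aud_with_azp": make_unsigned_token({**BASE, "aud": [CLIENT_ID, "other-api"], "azp": CLIENT_ID}),
    "array_aud_wrong_azp": make_unsigned_token({**BASE, "aud": [CLIENT_ID, "other-api"], "azp": "other-api"}),
    "numeric_aud": make_unsigned_token({**BASE, "aud": 12345}),
    "missing_aud": make_unsigned_token(BASE),
}

if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(f"{name:22} {inspect_aud(token, CLIENT_ID)}")
```

To use it on the real thing, pass the id_token string from the token endpoint response (or the raw token behind TokenValidatedContext.SecurityToken) in place of a sample. If the result shows `present: False`, or a `json_type` other than `str` or `list`, the token does not carry `aud` in the form OIDC Core describes, whatever claims later appear on the Principal, and the question is for the IdP rather than the handler configuration.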

mkArtakMSFT commented 2 months ago

Thanks for contacting us. Can you please share the complete exception info (message + stacktrace)?

dradovic commented 2 months ago

@mkArtakMSFT thanks for looking into this. I've updated the Exceptions section of my description.