search

dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
35.4k stars 10k forks source link

Microsoft.AspNetCore.Authentication.JwtBearer Old IdentityModel reference breaks Microsoft.IdentityModel.JsonWebTokens behavior. #57940

Closed rcollette closed 1 month ago

rcollette commented 1 month ago

Is there an existing issue for this?

Describe the bug

Microsoft.AspNetCore.Authentication.JwtBearer is pulling in older references for Microsoft.IdentityModel.Protocols and Microsoft.IdentityModel.OpenIdConnect.

image

When using JwtBearer Authentication configured like the following

    private void ConfigureJwtBearerAuthentication(IServiceCollection services)
    {
        // Do not specify the scheme here since we want multiple scheme names.
        services.AddAuthentication()

            // See https://developer.okta.com/blog/2018/03/23/token-authentication-aspnetcore-complete-guide
            // JWT bearer authentication will use the OIDC well-known endpoint
            .AddJwtBearer(
                JwtBearerDefaults.AuthenticationScheme,
                configureOptions: options =>
                {
                    // The address of the authorization server
                    options.Authority = _jwtBearerAuthenticationConfiguration.Authority;
...

Validation of tokens will fail with the following error

IDX10500: Signature validation failed. No security keys were provided to validate the signature

My workaround was to explicitly reference packages in my project

    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.2"/>
    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2" />

Expected Behavior

Releases of the Microsoft.AspNetCore.Authentication.JwtBearer package should be in concert with the rest of Microsoft.AspNetCore packages and have peer references that match as do other Microsoft.AspNetCore packages

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.401

Anything else?

Rider IDE

.NET SDK: Version: 8.0.401 Commit: 811edcc344 Workload version: 8.0.400-manifests.56cd0383 MSBuild version: 17.11.4+37eb419ad

Runtime Environment: OS Name: Mac OS X OS Version: 14.6 OS Platform: Darwin RID: osx-arm64 Base Path: /usr/local/share/dotnet/sdk/8.0.401/

.NET workloads installed: Configured to use loose manifests when installing new manifests. There are no installed workloads to display.

Host: Version: 8.0.8 Architecture: arm64 Commit: 08338fcaa5

.NET SDKs installed: 7.0.404 [/usr/local/share/dotnet/sdk] 8.0.100 [/usr/local/share/dotnet/sdk] 8.0.101 [/usr/local/share/dotnet/sdk] 8.0.200 [/usr/local/share/dotnet/sdk] 8.0.203 [/usr/local/share/dotnet/sdk] 8.0.204 [/usr/local/share/dotnet/sdk] 8.0.300 [/usr/local/share/dotnet/sdk] 8.0.302 [/usr/local/share/dotnet/sdk] 8.0.303 [/usr/local/share/dotnet/sdk] 8.0.400 [/usr/local/share/dotnet/sdk] 8.0.401 [/usr/local/share/dotnet/sdk]

.NET runtimes installed: Microsoft.AspNetCore.App 7.0.14 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.4 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.7 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 8.0.8 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.NETCore.App 7.0.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.6 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.7 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App] Microsoft.NETCore.App 8.0.8 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found: None

Environment variables: Not set

mkArtakMSFT commented 1 month ago

Thanks for contacting us. What you've done is correct and that's exactly what we recommend customers to do in this case.

The reason we had decided not to update our dependencies in a patch was because updating could have caused other breaking changes in customer apps. Hence, there was no clear "better option" given the situation. We have fixed this in .NET 9 though.