dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

.NET 9: `dotnet user-jwts` not working #58996

Open Zhiyuan-Amos opened 2 days ago

Zhiyuan-Amos commented 2 days ago

Is there an existing issue for this?

Describe the bug

I followed the MSDN and upon sending the HTTP request with the Bearer token, the server returns 401. The WWW-Authenticate response header shows `Bearer error="invalid_token", error_description="The signature key was not found"`.

Expected Behavior

Server returns 200.

Steps To Reproduce

Followed the exact steps in the MSDN

Exceptions (if any)

No response

.NET Version

9.0.100

Anything else?

RID: win-arm64. It used to work on .NET 8.

oussamatecnique commented 1 day ago

Can you add more details please, like what the JWT token used in this call looks like, the appsettings.Development authentication details such as ValidIssuer, and the code of the authentication injection. This could be the issue: the ValidIssuer used by the command line `dotnet user-jwts` is not what your app expects.

Zhiyuan-Amos commented 1 day ago

I'm aware of these possible concerns as I understand these security concepts and I had it working on .NET 8. I have attached the code from following the instructions in the above documentation (https://github.com/Zhiyuan-Amos/MyJWT) for ease of repro: just create the JWT using `dotnet user-jwts create` and send it to the `/secret` endpoint.

Edit: I downgraded my project to .NET 8 (also downgraded Microsoft.AspNetCore.Authentication.JwtBearer to 8.0.11), and creating the JWT using `dotnet user-jwts create` and sending it to the `/secret` endpoint works.

oussamatecnique commented 19 hours ago

You are right, it's not working on .NET 9. I debugged deeply and found 2 issues.

1st issue: in JwtBearerConfigureOptions in .NET 9 the IssuerSigningKeys is not loaded from secrets.json, because of a parameter called ValidIssuers.

The difference resides in this commit: https://github.com/dotnet/aspnetcore/commit/cc5bc6b56dc0a6e6f1ca103acff5afd9c71973ba

This can be fixed by adding this to your appsettings: `"ValidIssuers": [ "dotnet-user-jwts" ]`

2nd issue: if you apply the solution above, the token validation throws a different error: `Authentication failed: IDX10517: Signature validation failed. The token's kid is missing. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,`

I am not sure now whether JsonWebTokenValidator is also checking the kid, which is empty when you assign IssuerSigningKey by byte[].
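The two failure stages described in the comments above (no signing key loaded until the key's issuer appears under ValidIssuers, then rejection because the token carries no `kid`) as an added diagnostic, not code from this thread or from ASP.NET Core. It decodes a token without verifying it and checks it against a constructed `Authentication:Schemes:Bearer` section shaped like the one `dotnet user-jwts` writes to user secrets; the key-loading rule it models is the commenter's description, assumed here rather than taken from the framework source.

```python
import base64
import json

# Constructed sample of the Authentication:Schemes:Bearer section that
# `dotnet user-jwts` writes to user secrets (the key Value is a dummy).
BEARER_SECTION = {
    "ValidIssuer": "dotnet-user-jwts",
    "ValidAudiences": ["https://localhost:5001"],
    "SigningKeys": [{"Id": "constructed-key", "Issuer": "dotnet-user-jwts",
                     "Value": base64.b64encode(b"\x01" * 32).decode(), "Length": 32}],
}
# The same section with the workaround from the thread applied.
BEARER_SECTION_WORKAROUND = {**BEARER_SECTION, "ValidIssuers": ["dotnet-user-jwts"]}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Constructed token: HS256 header with no "kid", issuer as the tool emits it.
# The signature segment is a placeholder; this diagnostic never verifies it.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({"iss": "dotnet-user-jwts", "aud": "https://localhost:5001"}).encode()),
    b64url(b"placeholder-signature"),
])

def diagnose(token: str, bearer: dict) -> list[str]:
    """Explain why a token would be rejected, modelling the thread's description
    (an assumption, not the ASP.NET Core source): keys are loaded only for issuers
    listed under ValidIssuers, and a loaded key with no token 'kid' still fails."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    findings = []
    loaded_issuers = set(bearer.get("ValidIssuers", []))
    loaded_keys = [k for k in bearer.get("SigningKeys", []) if k.get("Issuer") in loaded_issuers]
    if not loaded_keys:
        findings.append("no signing key loaded: add the key's Issuer to ValidIssuers")
    accepted = loaded_issuers | ({bearer["ValidIssuer"]} if bearer.get("ValidIssuer") else set())
    if claims.get("iss") not in accepted:
        findings.append(f"iss {claims.get('iss')!r} is not an accepted issuer {sorted(accepted)}")
    if loaded_keys and "kid" not in header:
        findings.append("token header has no 'kid' (the IDX10517 case from the thread)")
    return findings
```

Run `diagnose(SAMPLE_TOKEN, BEARER_SECTION)` to see the first-stage finding and `diagnose(SAMPLE_TOKEN, BEARER_SECTION_WORKAROUND)` to see the second; a real token from `dotnet user-jwts create` can be passed in the same way to inspect its header and `iss` claim.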