mattmorg55 / Owin.Security.Keycloak

Keycloak Authentication Middleware for the C# OWIN Pipeline
http://keycloak.jboss.org
MIT License

IDX10501: Signature validation failed. Unable to match 'kid' #10

Closed antonio-petrov closed 5 years ago

antonio-petrov commented 5 years ago

Problem:

I keep getting an error saying "IDX10501: Signature validation failed. Unable to match 'kid'" when I try to log in. If I enter WRONG credentials I get an error that the login is unsuccessful; however, when I enter the correct credentials, I get that error.

Whole Error:

IDX10501: Signature validation failed. Unable to match 'kid': 'f70df3b4-ef47-409b-b910-a71879a72fb8', token: '{"alg":"HS256","typ":"JWT","kid":"f70df3b4-ef47-409b-b910-a71879a72fb8"}.{"jti":"b034043e-7cdb-4a06-9900-0e461a0d6305","exp":1541425624,"nbf":0,"iat":1541423824,"iss":"https://example.com:8443/auth/realms/demo","aud":"WebApplication2","sub":"58ee5d30-cbe5-48b4-ba3e-64bde27c1660","typ":"Refresh","azp":"WebApplication2","auth_time":0,"session_state":"1a883da9-ce31-4679-8ba5-45c72bb6e8fc","realm_access":{"roles":["offline_access","test_role","uma_authorization"]},"resource_access":{"realm-management":{"roles":["view-identity-providers","view-realm","manage-identity-providers","impersonation","realm-admin","create-client","manage-users","query-realms","view-authorization","query-clients","query-users","manage-events","manage-realm","view-events","view-users","view-clients","manage-authorization","manage-clients","query-groups"]},"endress2":{"roles":["administirs"]},"broker":{"roles":["read-token"]},"endress":{"roles":["uma_protection"]},"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"openid email profile"}'.

What I have tried:

I have downloaded the sample project and edited the settings in Startup.cs, but I keep getting the error described above.

I have tried both running the project on my computer using Visual Studio 2017 and publishing the project and using it on my local IIS. Both methods lead to the same result.

I have also tried to activate the user registration. The registration works by creating the user (I can see it through the admin panel), however I still get the same error (I assume after being redirected).

I have tried debugging the sample project and noticed that it fails on the third call of the method `var jwt = ValidateSignature(securityToken, validationParameters);`.

This is what my Startup class looks like at the moment:

```csharp
using System;                          // TimeSpan
using Microsoft.Owin.Security.Cookies; // CookieAuthenticationOptions
using Owin;                            // IAppBuilder
using Owin.Security.Keycloak;          // KeycloakAuthenticationOptions, UseKeycloakAuthentication

public class Startup
{
    const string persistentAuthType = "keycloak_cookies"; // Or name it whatever you want

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = persistentAuthType
        });

        // You may also use this method if you have multiple authentication methods below,
        // or if you just like it better:
        app.SetDefaultSignInAsAuthenticationType(persistentAuthType);

        app.UseKeycloakAuthentication(new KeycloakAuthenticationOptions
        {
            Realm = "demo",
            ClientId = "WebApplication2",
            ClientSecret = "d1f3bd81-cf25-44af-812b-887c7e24a443",
            KeycloakUrl = "https://example.com:8443/auth",
            //ResponseType = "id_token token",
            AuthenticationType = persistentAuthType,
            //AuthenticationMode = AuthenticationMode.Active,
            SignInAsAuthenticationType = persistentAuthType, // Not required with SetDefaultSignInAsAuthenticationType
            // Token validation options - these are all set to defaults
            AllowUnsignedTokens = false,
            DisableIssuerSigningKeyValidation = false,
            DisableIssuerValidation = false,
            DisableAudienceValidation = false,
            TokenClockSkew = TimeSpan.FromSeconds(2),
        });
    }
}
```

Realm settings: [screenshot]

Realm keys: [screenshot]

Client credentials: [screenshot]

Client settings: [screenshot]

highbyte commented 5 years ago

By the error message it looks like you encountered a similar problem to the one I had. If the Keycloak server is version 4.5 and you are using the latest version of the library, you could try setting the option

KeycloakAuthenticationOptions.DisableRefreshTokenSignatureValidation = true

What the fix does is described here https://github.com/mattmorg55/Owin.Security.Keycloak/pull/9
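The failure this thread is about, as an added illustration that is not part of the issue, of PR #9 or of the Owin.Security.Keycloak code base: the refresh token in the report carries `alg: HS256` and a `kid` that no published realm key matches, so a resolver that insists on finding the `kid` in the JWKS fails before any signature bytes are compared. The validator below models what the option's name suggests (the real change is in the linked PR): signature validation is skipped only for tokens whose payload says `typ: Refresh`, the access token is still verified against the published keys, and issuer, audience and expiry are enforced on both paths. It is Python rather than C# so it runs offline; the JWKS, both secrets, the clock value and the access token's claims are constructed, and the published key is an HMAC key only because the demo verifies HS256 (a real Keycloak JWKS publishes RSA public keys).

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JWT base64url: urlsafe alphabet with the padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    """Constructed helper that mints an HS256 JWT so the demo runs offline."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def resolve_signing_key(header: dict, jwks: dict) -> dict:
    """Key lookup by 'kid'; a miss is exactly what IDX10501 reports."""
    kid = header.get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise LookupError(f"Signature validation failed. Unable to match 'kid': '{kid}'")


def validate_token(token: str, jwks: dict, *, issuer: str, audience: str, now: int,
                   disable_refresh_token_signature_validation: bool = False) -> dict:
    """Verify the signature (unless the refresh-token exemption applies), then the claims."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    payload = json.loads(b64url_decode(body))

    # The exemption is scoped to tokens whose payload says typ=Refresh; the
    # access token is always signature-checked against the published keys.
    skip_signature = (payload.get("typ") == "Refresh"
                      and disable_refresh_token_signature_validation)
    if not skip_signature:
        key = resolve_signing_key(header, jwks)  # raises LookupError on a kid miss
        if header.get("alg") != "HS256" or key.get("kty") != "oct":
            raise ValueError("this demo only verifies HS256 against 'oct' JWKS keys")
        expected = hmac.new(b64url_decode(key["k"]), f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("invalid signature")

    # Issuer, audience and expiry are enforced on both paths.
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return {"sub": payload.get("sub"), "typ": payload.get("typ"),
            "signature_checked": not skip_signature}


# --- constructed scenario mirroring the report -------------------------------
ISSUER = "https://example.com:8443/auth/realms/demo"
AUDIENCE = "WebApplication2"
FIXED_NOW = 1541424000  # constructed clock value between the report's iat and exp
REALM_SECRET = b"constructed-realm-signing-key-do-not-reuse"
INTERNAL_SECRET = b"constructed-server-internal-key-never-published"
# Constructed JWKS with one published key (HMAC here; Keycloak publishes RSA keys).
JWKS = {"keys": [{"kty": "oct", "alg": "HS256", "kid": "realm-key-1",
                  "k": b64url_encode(REALM_SECRET)}]}
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "58ee5d30-cbe5-48b4-ba3e-64bde27c1660",
          "iat": 1541423824, "exp": 1541425624}
ACCESS_TOKEN = make_hs256_token({"alg": "HS256", "typ": "JWT", "kid": "realm-key-1"},
                                {**CLAIMS, "typ": "Bearer"}, REALM_SECRET)
# Refresh token: signed with a key the JWKS never lists, under the kid from the report.
REFRESH_TOKEN = make_hs256_token(
    {"alg": "HS256", "typ": "JWT", "kid": "f70df3b4-ef47-409b-b910-a71879a72fb8"},
    {**CLAIMS, "typ": "Refresh"}, INTERNAL_SECRET)


def run_scenario() -> dict:
    """Return the outcome of each validation path so the trade-off is visible."""
    out = {"access": validate_token(ACCESS_TOKEN, JWKS, issuer=ISSUER,
                                    audience=AUDIENCE, now=FIXED_NOW)}
    try:
        validate_token(REFRESH_TOKEN, JWKS, issuer=ISSUER, audience=AUDIENCE, now=FIXED_NOW)
        out["refresh_default"] = "accepted"
    except LookupError as exc:
        out["refresh_default"] = str(exc)
    out["refresh_exempted"] = validate_token(
        REFRESH_TOKEN, JWKS, issuer=ISSUER, audience=AUDIENCE, now=FIXED_NOW,
        disable_refresh_token_signature_validation=True)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

With the option off, `run_scenario()` reproduces the IDX10501 message for the refresh token while the access token validates normally; with it on, the refresh token passes with `signature_checked: False`. That is the trade-off the option buys: the middleware then accepts the refresh token's claims on the strength of issuer, audience and expiry alone, which is acceptable when the refresh token is only ever handed back to Keycloak and never used for local authorization decisions.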

antonio-petrov commented 5 years ago

Thank you, it appears that I have downloaded the library just before your commit that fixes the problem. This resolved my issue.