Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Bearer error="invalid_token", error_description="The signature is invalid"

I have a angular application that request a token from azure. The login went well and I get a token. This token is now send from the angular app to a net core webapi application. Net core should verify this token but failed. I think the webapi should also contact azure to validate the token because it has no knowledge of the private and public key that is needed to verify the token.

At the moment it is not clear why it is failing. Both angular app and the webapi are running local on my computer.

The error is: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: 'IDX10500: Signature validation failed. No security keys were provided to validate the signature.'

my net core 2 config is:

var tokenValidationParameters = new TokenValidationParameters
            {

                RequireExpirationTime = true,
                RequireSignedTokens = false,
                ValidateIssuerSigningKey = true,
                ValidateIssuer = true,
                ValidIssuer = "8d708afe-2966-40b7-918c-a39551625958",
                ValidateAudience = true,
                ValidAudience = "https://sts.windows.net/a1d50521-9687-4e4d-a76d-ddd53ab0c668/",
                ValidateLifetime = false,
                ClockSkew = TimeSpan.Zero
            };
            services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;

            }).AddJwtBearer(options =>
            {

                options.Audience = "8d708afe-2966-40b7-918c-a39551625958";
                options.ClaimsIssuer = "https://sts.windows.net/a1d50521-9687-4e4d-a76d-ddd53ab0c668/";
                options.RequireHttpsMetadata=false;
                options.TokenValidationParameters = tokenValidationParameters;
                options.SaveToken = true;
            });
like image 706
Thom Kiesewetter Avatar asked Feb 23 '18 09:02

Thom Kiesewetter


1 Answers

That is quite a lot of configuration you have :)

The two mandatory settings are the Audience and Authority:

services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Audience = "8d708afe-2966-40b7-918c-a39551625958";
        o.Authority = "https://login.microsoftonline.com/a1d50521-9687-4e4d-a76d-ddd53ab0c668/";
    });

You are missing the Authority so it does not know where to load the signing public keys from.

like image 137
juunas Avatar answered Sep 20 '22 11:09

juunas