Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cannot Validate AccessToken with IdentityServer

We are using IdentityServer for authentication and we are validating the access token using JwtSecurityTokenHandler ValidateToken. This used to work fine, but after we upgraded our client application to ASP.NET Core 1.0 RTM (from RC1), the validation fails. The received error is:

IDX10501: Signature validation failed. Unable to match 'kid'

When I look at the KeyID of the used certificate and the kid of the token, I can see that they are different. I checked the IdentityServer jwks-endpoint to check that I had the correct certificate and noticed that the kid and certificate key id are different from that endpoint too. From what I've understood, they are supposed to be the same?

Any ideas why the code broke during the upgrade since the certificate, token and IdentityServer are still the same and only the client app core was upgraded.

EDIT (More information)
I suspect that ValidateIssuerSigningKey is false by default and the key has not even been validated before (thus it was working). Now it seems that the ValidateIssuerSigningKey is being ignored (as bad practice?) and thus the validation fails.

Workaround/Fix
By setting the IssuerSigningKeyResolver manually and giving the key to use in validation explicitly, fixes the issue and validation passes. Not sure how good the workaround is and why the default doesn't work, but at least I can move on for now.

simplified code...

new JwtSecurityTokenHandler().ValidateToken(authTokens.AccessToken,
  new TokenValidationParameters()
  {
    IssuerSigningKeys = keys,
    ValidAudience = audience,
    ValidIssuer = issuer,
    IssuerSigningKeyResolver = (arbitrarily, declaring, these, parameters) => new List<X509SecurityKey> { securityKey }
   }, out securityToken);
like image 329
Antti Simonen Avatar asked Jul 07 '16 06:07

Antti Simonen


Video Answer


1 Answers

The Client and API should refer to the same instance of IdentityServer. We are running IdentityServerHost in Azure, which has different slots (main and staging) and two applications inconsistently referred to different slots. The Client received access token issued by IdSrv-main provider and passed it to API, that expected it from different provider IdSrv-staging. API validated it and returned error.

The problem is that the errror doesn't give a hint to the actual cause of the issue. MS should provide much more detailed error message to help debugging. The current error message is not sufficient to identify the cause.

like image 78
Michael Freidgeim Avatar answered Oct 11 '22 00:10

Michael Freidgeim