
JWT SecurityTokenInvalidSignatureException using RS256 PII is hidden

Tags: c#, jwt

Please help! I'm having trouble validating a JWT token signed with RS256 using Microsoft's System.IdentityModel.Tokens.Jwt library.

This token validates just fine on JWT.io.

This is the error:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.

This is the sample code (I used LinqPad, with the System.IdentityModel.Tokens.Jwt v5.2.2 NuGet package):

    // Namespaces needed: System.Text, System.Security.Cryptography.X509Certificates,
    // Microsoft.IdentityModel.Tokens, System.IdentityModel.Tokens.Jwt
    void Main()
    {
        // PEM-encoded certificate carrying the RSA public key used to verify the token
        var cText =
            "-----BEGIN CERTIFICATE-----\n" +
            "MIIBljCCAUACCQCIDMpqK7WfWDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJV\n" +
            "UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJTHV4b3R0aWNhMRowGAYD\n" +
            "VQQLDBFMdXhvdHRpY2EgZXllY2FyZTAeFw0xODA1MjMxNTE1MjdaFw0yODA1MjAx\n" +
            "NTE1MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYD\n" +
            "VQQKDAlMdXhvdHRpY2ExGjAYBgNVBAsMEUx1eG90dGljYSBleWVjYXJlMFwwDQYJ\n" +
            "KoZIhvcNAQEBBQADSwAwSAJBAKuMYcirPj81WBtMituJJenF0CG/HYLcAUOtWKl1\n" +
            "HchC0dM8VRRBI/HV+nZcweXzpjhX8ySa9s7kJneP0cuJiU8CAwEAATANBgkqhkiG\n" +
            "9w0BAQsFAANBAKEM8wQwlqKgkfqnNFcbsZM0RUxS+eWR9LvycGuMN7aL9M6GOmfp\n" +
            "QmF4MH4uvkaiZenqCkhDkyi4Cy81tz453tQ=\n" +
            "-----END CERTIFICATE-----";

        var c = new X509Certificate2(Encoding.ASCII.GetBytes(cText));
        var p = new TokenValidationParameters();
        // Always offer the certificate's public key as the signing key
        p.IssuerSigningKeyResolver = (s, securityToken, identifier, parameters)
            => new[] { new X509SecurityKey(c) };
        var h = new JwtSecurityTokenHandler();
        var token = @"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuLmNoaWVmZm8iLCJleHAiOjE1MjcyMzg4ODEsImlzcyI6Imx1eCJ9.BAaYzLwokmdKqLi6zKjGIpDXd__dZxi5PUWWHS3PSLPDYAInzPbEK8o4WxunoGD7eA0qtQNaxNpzeOc3BHrd4w";
        h.ValidateToken(token, p, out SecurityToken _);
    }

Finally it would be nice to also know how to remove the [PII is hidden] so I can see more detail on the error. Setting the enableLoggingKnownPii and logKnownPII to true in the app.config or even the machine.config file did not seem to make a difference.

Carlo Bos asked May 29 '18 18:05


2 Answers

It turns out that the KeySize for X509SecurityKey needs to be at least 1024 in length for verifying. This is not obvious from the exception, since it is hidden with the [PII is hidden] filter.

Adding the following line made the exception text a lot more useful (add to ConfigureServices method in Startup.cs):

IdentityModelEventSource.ShowPII = true; 

The new exception text:

'System.ArgumentOutOfRangeException: IDX10631: The 'Microsoft.IdentityModel.Tokens.X509SecurityKey' for verifying cannot be smaller than '1024' bits. KeySize: '512'.

Increasing the length of the asymmetric key to 1024 solved the problem.

Carlo Bos answered Sep 17 '22 08:09
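A pre-flight check for the key-size failure described in the answer above, as an added example that is not part of the original post or of the library's own code. The class and method names are hypothetical, and the 1024-bit floor is taken from the IDX10631 message quoted in the answer.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper: reject an undersized verification key with a readable
// message before it can surface as a redacted IDX10503 signature failure.
public static class SigningCertCheck
{
    // Floor reported by IDX10631 for verification keys. This is the library's
    // minimum, not a recommendation: 2048 bits or more is the usual RSA baseline.
    private const int MinVerifyBits = 1024;

    public static X509SecurityKey ToVerificationKey(X509Certificate2 cert)
    {
        if (cert == null) throw new ArgumentNullException(nameof(cert));

        // GetRSAPublicKey() returns null when the certificate holds a non-RSA key.
        using (var rsa = cert.GetRSAPublicKey())
        {
            if (rsa == null)
                throw new ArgumentException(
                    "Certificate does not carry an RSA public key, so it cannot verify RS256.");

            if (rsa.KeySize < MinVerifyBits)
                throw new ArgumentException(
                    $"RSA public key is {rsa.KeySize} bits; verification needs at least {MinVerifyBits}.");
        }
        return new X509SecurityKey(cert);
    }

    public static TokenValidationParameters BuildParameters(
        X509Certificate2 cert, bool showPiiInErrors)
    {
        // ShowPII un-redacts keys and tokens in exception text and logs.
        // Assumption: the caller passes true only on a development machine.
        IdentityModelEventSource.ShowPII = showPiiInErrors;

        return new TokenValidationParameters
        {
            IssuerSigningKey = ToVerificationKey(cert)
        };
    }
}
```

Passing the certificate from the question through `ToVerificationKey` fails immediately with the key size in the message, instead of at `ValidateToken` with the details hidden.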


You can increase your key length as shown below in the appsettings.json file.

    "Jwt": {
      "Key": "pintusharmaqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqweqwe",
      "Issuer": "pintusharma.com"
    }

pintu sharma answered Sep 19 '22 08:09