I am getting the following error when I execute the JwtSecurityTokenHandler().ValidateToken() function:
Here is my pseudo-code:
var jwtToken = {...}
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters {...};
var claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters);
And here is the error:
Jwt10316: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'.
Exceptions caught:
'System.InvalidOperationException: Jwt10518: AsymmetricSecurityKey.GetHashAlgorithmForSignature( 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' ) threw an exception.
AsymmetricSecurityKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256', check to make sure the SignatureAlgorithm is supported.
Exception: 'System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
---> System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(SecurityKey key, String algorithm, Byte[] encodedBytes, Byte[] signature)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(JwtSecurityToken jwt, Byte[] signatureBytes, IEnumerable`1 signingTokens)'.
System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'
The weird part is that right beyond this portion of the error message are the claims that were encoded into the token. As a work-around, I am doing some text parsing and re-constructing my ClaimsPrincipal, but I shouldn't have to do this.
Any ideas how to enable the sha256 for this context?
UPDATE: Since I have not had any movement on this issue (except for gaining a tumbleweed badge) I will add some more details. Maybe someone can help me work through where the problem is coming from. I have to assume that since nobody else is experiencing this problem, it has to be user error on my part somewhere. Please tell me if anything sounds incorrect.
My guess is that since we are failing jwt validation, then perhaps it has something to do with the cert on the validation machine / idP.
Example:
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

var jwtToken = response.AccessToken;

// Load the IdentityServer signing certificate from the local machine store.
var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = store.Certificates.Find(
    X509FindType.FindByThumbprint,
    "<thinktecture identityserver 2.Configuration => Key Configuration => Signing Thumbprint>",
    false)[0];
store.Close();

var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
    AllowedAudience = "<thinktecture identityserver 2.Configuration => Relying Party => Realm/Scope Name>",
    ValidIssuer = "<thinktecture identityserver 2.Configuration => General Configuration => Site ID>",
    SigningToken = new X509SecurityToken(cert)
};
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters);
Notice my use of the following placeholders showing where the data is being populated from:
Is there anything you can see that I am doing wrong in this instance?
UPDATE 2
I ran into this code: http://pastebin.com/DvQz8vdb and after running my JWT through it, it gave me the same error. Basically it's saying it only supports "RS256", "HS384", or "HS512". Perhaps this is my problem: my JWT is coming back HS256, not RS256 or HS >256 (384/512).
How can I change the signing algorithm from HS256 to say HS512?
And at this point I'm thinking we are back to the Identity Server Issue?
Ran into this old post by coincidence, but as I had a similar problem almost a year ago I will mention my findings from back then. Basically the way to "force" IdSrv V2 to use the signing certificate is to make sure that there is no symmetric signing key defined for the Relying Party. As long as it is defined, it will always use the symmetric signing key. See my blog post on it for more details.
Hope this can help others ending up here :-)
I can finally close this out. It appears that the signing cert actually has nothing to do with the JWT in the OAuth2 protocol under IdentityServer. No matter what cert I used, I got the error.
I have resolved the issue by using the Symmetric Signing Key to validate the jwt, not the Signing Certificate found under the Key Configuration section of IdentityServer.
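The following is an added example (not code from the asker or from IdentityServer) that ties together UPDATE 2 and the resolution above: it reads the token's "alg" header before choosing a key, because an HS256 (HMAC) signature can only be verified with the relying party's symmetric key, never with an X509 asymmetric key, which is exactly the mismatch Jwt10316/Jwt10518 report. It assumes the 3.x-era API used in the question (TokenValidationParameters.SigningToken, JwtHeader.Alg, BinarySecretSecurityToken) and uses placeholder constants for the key, audience and issuer.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel.Security.Tokens;

// Added example, not the asker's code. The three constants are placeholders
// for values taken from the IdentityServer v2 relying-party configuration.
static class JwtSymmetricValidation
{
    const string SymmetricKeyBase64 = "<Relying Party => Symmetric Signing Key (base64)>";
    const string Audience = "<Relying Party => Realm/Scope Name>";
    const string Issuer = "<General Configuration => Site ID>";

    public static ClaimsPrincipal Validate(string jwt)
    {
        var handler = new JwtSecurityTokenHandler();

        // Inspect the header first. "alg" decides which key type can verify
        // the signature: HS256 is an HMAC over a shared secret, so handing the
        // handler an X509SecurityToken guarantees the failure seen above.
        var parsed = handler.ReadToken(jwt) as JwtSecurityToken;
        if (parsed == null)
            throw new SecurityTokenException("Input is not a JWT.");
        if (!string.Equals(parsed.Header.Alg, "HS256", StringComparison.Ordinal))
            throw new SecurityTokenException(
                "Expected alg HS256, got '" + parsed.Header.Alg + "'; not selecting a key for it.");

        // Pin the expected algorithm and supply the matching symmetric key
        // instead of the signing certificate from Key Configuration.
        var keyBytes = Convert.FromBase64String(SymmetricKeyBase64);
        var parameters = new TokenValidationParameters
        {
            AllowedAudience = Audience,
            ValidIssuer = Issuer,
            SigningToken = new BinarySecretSecurityToken(keyBytes)
        };

        // Audience, issuer, lifetime and signature are all checked here;
        // no manual claim parsing of the error text is needed.
        return handler.ValidateToken(jwt, parameters);
    }
}
```

If the relying party has both a symmetric key and a certificate configured, IdentityServer v2 signs with the symmetric key, so the alg check above fails fast with a clear message rather than the nested Jwt10518 trace.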