.NET 9: dotnet user-jwts not working #58996

Closed
1 task done
Zhiyuan-Amos opened this issue Nov 16, 2024 · 9 comments · Fixed by #59425
Labels
area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI bug This issue describes a behavior which is not expected - a bug. feature-userjwts The `dotnet user-jwts` CLI tool
Comments

@Zhiyuan-Amos

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I followed the MSDN and upon sending the HTTP Request with the Bearer token, the server returns 401. The WWW-Authenticate response header shows Bearer error="invalid_token", error_description="The signature key was not found".

Expected Behavior

Server returns 200.

Steps To Reproduce

Followed the exact steps in the MSDN

Exceptions (if any)

No response

.NET Version

9.0.100

Anything else?

RID: win-arm64
It used to work on .NET 8.

@oussamatecnique

oussamatecnique commented Nov 16, 2024

can you add more details please... like what the JWT token used in this call looks like, and the appsettings.Development authentication details such as validIssuer and the code of the authentication injection.
this could be the issue: the validIssuer used by the command line dotnet user-jwts is not what your app expects.

@Zhiyuan-Amos
Author

Zhiyuan-Amos commented Nov 17, 2024

I'm aware of these possible concerns as I understand these security concepts and I had it working on .NET 8. I have attached the code from following the instructions in the above documentation https://github.com/Zhiyuan-Amos/MyJWT for ease of repro: just create the JWT using dotnet user-jwts create and send it to the /secret endpoint.

Edit: I downgraded my project to .NET 8 (also downgraded Microsoft.AspNetCore.Authentication.JwtBearer to 8.0.11), and using dotnet user-jwts create and send it to the /secret endpoint works.

@oussamatecnique

oussamatecnique commented Nov 17, 2024

you are right, it's not working on dotnet9. I debugged deeply and found 2 issues:

1st issue:
in JwtBearerConfigureOptions, in dotnet9 the IssuerSigningKeys is not loaded from secrets.json, because of a parameter called ValidIssuers.

the difference resides in this commit:
cc5bc6b

this can be fixed by adding this to your appsettings:
"ValidIssuers": [
    "dotnet-user-jwts"
]

2nd issue:
if you apply the solution above, the token validation throws a different error.
Authentication failed: IDX10517: Signature validation failed. The token's kid is missing. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,

I am not sure now; JsonWebTokenValidator is also checking kid, which is empty when you assign IssuerSigningKey by byte[].

@ig33kmor3

+1 I also had to rollback to the latest version of 8.x.x to resolve this problem. Works fine on 8.x.x

@gepa21

gepa21 commented Nov 20, 2024

the problem is that with this change the issuer is not added to the issuers list, and the GetIssuerSigningKeys() method only cares about the issuers list to search for signing keys.

@Estyn

Estyn commented Dec 8, 2024

If anyone else is looking for a quick and dirty workaround, the following worked for me.

builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuers = [builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidIssuer").Get<string>()],
        ValidAudiences = builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidAudiences").Get<string[]>(),
        IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(builder.Configuration.GetSection("Authentication:Schemes:Bearer:SigningKeys:0").GetValue<string>("Value")))
    };
});

@michielpost
Contributor

If anyone else is looking for a quick and dirty workaround, the following worked for me.

builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuers = [builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidIssuer").Get<string>()],
        ValidAudiences = builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidAudiences").Get<string[]>(),
        IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(builder.Configuration.GetSection("Authentication:Schemes:Bearer:SigningKeys:0").GetValue<string>("Value")))
    };
});

Thanks. I've also run into this issue and this workaround solved it for me.
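A fuller variant of the workaround above, added here as an example and not code from the thread or from ASP.NET Core itself. It reads the same Authentication:Schemes:Bearer section that dotnet user-jwts writes, accepts either the singular ValidIssuer or a ValidIssuers array, loads every configured signing key whose Issuer is trusted instead of hard-coding SigningKeys:0, and fails at startup when no key is found rather than at the first request. It assumes a minimal API Program.cs with the Microsoft.AspNetCore.Authentication.JwtBearer package; setting KeyId from the key's Id field is an assumption about the user-jwts key layout.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Section populated by `dotnet user-jwts` in appsettings.Development.json and user secrets.
var bearer = builder.Configuration.GetSection("Authentication:Schemes:Bearer");

// Accept the singular "ValidIssuer" the tool writes as well as a "ValidIssuers" array.
var issuers = bearer.GetSection("ValidIssuers").Get<string[]>() ?? [];
var singleIssuer = bearer["ValidIssuer"];
if (!string.IsNullOrEmpty(singleIssuer) && !issuers.Contains(singleIssuer))
{
    issuers = [.. issuers, singleIssuer];
}

// Load every signing key whose Issuer is trusted, not only SigningKeys:0.
// Assumption: each entry has "Id", "Issuer" and a base64 "Value", as user-jwts writes them.
var keys = bearer.GetSection("SigningKeys").GetChildren()
    .Where(k => k["Issuer"] is string iss && issuers.Contains(iss) && k["Value"] is not null)
    .Select(k => new SymmetricSecurityKey(Convert.FromBase64String(k["Value"]!)) { KeyId = k["Id"] })
    .ToList();

// Fail fast at startup instead of returning 401 with "signature key was not found" later.
if (keys.Count == 0)
{
    throw new InvalidOperationException(
        "No signing key configured for issuer(s): " + string.Join(", ", issuers));
}

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = issuers,
            ValidateAudience = true,
            ValidAudiences = bearer.GetSection("ValidAudiences").Get<string[]>(),
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = keys,
            // Pin the algorithm so a token can only be accepted with the HMAC key above.
            ValidAlgorithms = [SecurityAlgorithms.HmacSha256],
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/secret", () => "ok").RequireAuthorization();
app.Run();
```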

@mkArtakMSFT mkArtakMSFT added bug This issue describes a behavior which is not expected - a bug. area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-userjwts The `dotnet user-jwts` CLI tool and removed investigate area-security labels Dec 10, 2024
@mkArtakMSFT mkArtakMSFT added this to the 9.0.x milestone Dec 10, 2024
@mkArtakMSFT mkArtakMSFT moved this to 9.0.x in Servicing Dec 10, 2024
@rblackmore

you are right, it's not working on dotnet9. I debugged deeply and found 2 issues: 1st issue: in JwtBearerConfigureOptions

in dotnet9 the IssuerSigningKeys is not loaded from secrets.json, because of a parameter called ValidIssuers.

the difference resides in this commit: cc5bc6b

this can be fixed by adding this to your appsettings: "ValidIssuers": [ "dotnet-user-jwts" ] 2nd issue: if you apply the solution above, the token validation throws a different error. Authentication failed: IDX10517: Signature validation failed. The token's kid is missing. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,

I am not sure now; JsonWebTokenValidator is also checking kid, which is empty when you assign IssuerSigningKey by byte[].

Replacing the ValidIssuer with a ValidIssuers array in the appsettings.Development.json file fixed this for me. Thank you.

@coderabsolute

Tokens are generated through the Firebase Authentication. This is the configuration on my side, but I got

Authentication failed: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://securetoken.google.com/your-domain-com"; // Matches the issuer
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://securetoken.google.com/your-domain-com",
            ValidateAudience = true,
            ValidAudience = "your-domain-com",
            ValidateLifetime = true
        };

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                Console.WriteLine($"Authentication failed: {context.Exception.Message}");
                return Task.CompletedTask;
            },
            OnTokenValidated = context =>
            {
                Console.WriteLine("Token validated successfully");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

I'm using these packages and I read somewhere that there could be an issue with the versioning - but I'm not sure.

<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.3.0" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />

Is anyone facing a similar issue with Firebase? If it works for you, please send me the version of your packages so that I can also use them.
