[Bug] AspNetCore 7.0 WebApi Authentication Fails (JWT) - Missing Method
See original GitHub issueWhich version of Microsoft.IdentityModel are you using? 6.27.0 (the latest stable version throws the exception)
Where is the issue?
- M.IM.JsonWebTokens
- M.IM.KeyVaultExtensions
- M.IM.Logging
- M.IM.ManagedKeyVaultSecurityKey
- M.IM.Protocols
- M.IM.Protocols.OpenIdConnect
- M.IM.Protocols.SignedHttpRequest
- M.IM.Protocols.WsFederation
- M.IM.TestExtensions
- M.IM.Tokens
- M.IM.Tokens.Saml
- M.IM.Validators
- M.IM.Xml
- S.IM.Tokens.Jwt
- Other (please describe)
Is this a new or an existing app? The app is in production and I have upgraded to a new version of Microsoft.IdentityModel.*
Repro
builder.Services.AddAuthentication(o => {
o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ClockSkew = TimeSpan.Zero,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SettingsUtil.Settings.CellaretApiSigningKey)),
ValidateAudience = true,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidAudience = SettingsUtil.Settings.CellaretApiAudience,
ValidIssuer = SettingsUtil.Settings.CellaretApiIssuer
};
});
Expected behavior After being issued a valid JWT token (verified by 3rd party site - jwt.io) and my current above code stop working after NuGet package updates, any web api controller with the [Authorize] attribute incorrectly responds with a 401, despite the valid token being passed as “Bearer”. I noticed this issue only after I had updated a number of NuGet packages and finally determined that this package was the culprit through inspection of my console output. It appears the new package is missing a method:
Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration
System.MissingMethodException: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
Bearer was not authenticated. Failure message: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/1.1 GET https://localhost:7075/helloworld - - - 401 0 - 52.4040ms
Actual behavior A 401 response is returned for all API requests, despite valid JWT tokens being passed.
Possible solution I downgraded to 6.27.0 and this resolved my issue.
Additional context / logs / screenshots / links to code None.
Issue Analytics
- State:
- Created 5 months ago
- Reactions:4
- Comments:17 (6 by maintainers)
Top GitHub Comments
The problem is still happening to me, upgrading from Microsoft.IdentityModel.Tokens 6.27.0 to the latest version. The error I get (when debugging the library) is: IDX10720: Unable to create KeyedHashAlgorithm for algorithm ‘HS256’, the key size must be greater than: ‘256’ bits, key has ‘192’ bits. (Parameter ‘keyBytes’)’ In Microsoft.IdentityModel.Tokens Class: CryptoProviderFactory Method ValidateKeySize(byte[] keyBytes, string algorithm, int expectedNumberOfBytes)
Clearly 24 characters and not 32 SecretKey is my issue “JwtIssuerOptions”: { “SecretKey”: “XXXXXXXXXXXXXXXXXXXXXXXX” },
Even if var signinKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtIssuerOptions.SecretKey)); var signInCredentials = new SigningCredentials(signinKey, SecurityAlgorithms.HmacSha256);
My question is, what this is not a breaking change ? This is not related to missing method
@brentschmaltz FYI, I had to release a new OpenIddict version referencing 6.25.1 as I kept receiving similar reports.
Given that it’s not the first time we see such issues in Wilson, you should strongly consider abandoning
[InternalsVisibleTo]
for your internal helpers or consider them public and avoid breaking changes in minor versions. Alternatively, you could embed your helpers in each assembly to eliminate this kind of problem (it’s the approach used in OpenIddict and it’s always been flawless).