
IDX10511 and IDX10634 errors when using custom JWT Bearer with AzureAD Bearer

See original GitHub issue

I am using AzureAD authentication along with a custom JWT Bearer auth. I’m using Microsoft.Identity.Web to facilitate the AzureAD auth. I’m not sure if this issue should be posted there so I’m posting it here since the call stack for the error is from Microsoft.IdentityModel.Tokens.

I should note that the authentication for both works as expected. It seems that this error only happens when using the non-default auth scheme. The error happens irrespective of which scheme is defined as the default - i.e. if I switch the default scheme and use an endpoint with the non-default auth scheme, the error is present (switching from services.AddAuthentication("CustomJWTBearerToken") to services.AddAuthentication(AzureADDefaultsJwtBearerAuthenticationScheme)).

Environment:

  • .NET Core 3.1.12
  • System.IdentityModel.Tokens.Jwt v6.8.0
  • Microsoft.Identity.Web v1.6.0

Here is my code. In Startup:

        public void ConfigureServices(IServiceCollection services)
        {
            // elided for brevity

            services.AddProtectedWebApi(Configuration, subscribeToJwtBearerMiddlewareDiagnosticsEvents: Environment.IsLocal());

            services.AddControllers(config =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                config.Filters.Add(new AuthorizeFilter(policy));
            })
            .AddNewtonsoftJson();

            // elided for brevity
        }

Here is the class for the AuthenticationExtensions extension method:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Identity.Web;
    using Microsoft.IdentityModel.Tokens;

    public static class AuthenticationExtensions
    {
        // Value taken from https://github.com/aspnet/AADIntegration/blob/26c7e2cdf2fb7977c0d06becd8332aebc82177ee/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/AzureADDefaults.cs#L33
        public const string AzureADDefaultsJwtBearerAuthenticationScheme = "AzureADJwtBearer";

        public static IServiceCollection AddProtectedWebApi(this IServiceCollection services, IConfiguration configuration,
            bool subscribeToJwtBearerMiddlewareDiagnosticsEvents = false)
        {
            services.AddAuthentication("CustomJWTBearerToken")
                .AddJwtBearer("CustomJWTBearerToken", options =>
                {
                    ConfigureCustomJwtBearerConfigurationOptions(services, configuration, options);
                })
                .AddMicrosoftIdentityWebApi(configuration,
                    jwtBearerScheme: AzureADDefaultsJwtBearerAuthenticationScheme,
                    subscribeToJwtBearerMiddlewareDiagnosticsEvents: subscribeToJwtBearerMiddlewareDiagnosticsEvents);

            // configure the options for validating AzureAD Jwt Bearer Access Tokens
            services.Configure<JwtBearerOptions>(AzureADDefaultsJwtBearerAuthenticationScheme, ConfigureAzureADJwtBearerAuthenticationOptions);

            // update the default authorization policy to accept all authentication schemes
            // https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2#use-multiple-authentication-schemes
            services.AddAuthorization(options =>
            {
                var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
                        "CustomJWTBearerToken",
                        AzureADDefaultsJwtBearerAuthenticationScheme)
                    .RequireAuthenticatedUser();

                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

            return services;
        }

        private static void ConfigureCustomJwtBearerConfigurationOptions(IServiceCollection services,
            IConfiguration configuration, JwtBearerOptions options)
        {
            var tmoSection = configuration.GetSection("AppSettings:TokenManagementOptions");
            var audience = tmoSection.GetValue<string>("Audience");
            var issuer = tmoSection.GetValue<string>("Issuer");
            var key = tmoSection.GetValue<string>("Key");
            options.Audience = audience;
            options.ClaimsIssuer = issuer;
            options.IncludeErrorDetails = true;
            options.SaveToken = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ClockSkew = TimeSpan.FromMinutes(5),
                ValidateLifetime = true,
                ValidateAudience = true,
                ValidateIssuer = true,
                ValidateIssuerSigningKey = true,
                ValidIssuer = issuer,
                ValidAudience = audience,
                // symmetric key: this scheme can only verify HMAC-signed (HS*) tokens
                IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(key)) { KeyId = "some key id here" },
                NameClaimType = "preferred_username",
                RequireSignedTokens = true,
                ValidTypes = new[] { JwtConstants.TokenType }
            };

            // validate that the options have been configured correctly
            options.Validate();
        }

        private static void ConfigureAzureADJwtBearerAuthenticationOptions(JwtBearerOptions options)
        {
            // Microsoft.Identity.Web uses 'ClientId' as Audience and performs AudienceValidation
            // So, we don't need to explicitly initialize a value for ValidAudiences
            options.TokenValidationParameters.ValidateAudience = true;
            options.TokenValidationParameters.ValidateIssuer = true;

            // set the NameClaimType so the ASP.NET Identity is wired appropriately to pull the identity from the AzureAdToken
            options.TokenValidationParameters.NameClaimType = "preferred_username";

            // Microsoft.Identity.Web implementation sets all other relevant settings for us

            // validate that the options have been configured correctly
            options.Validate();
        }
    }

Scenario 1 - using “CustomJWTBearerToken” as the default auth scheme and executing an endpoint using AzureADDefaultsJwtBearerAuthenticationScheme.

Stack trace from Debug output:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Failed to validate the token.

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"typ":"JWT","alg":"RS256","kid":"elided-for-security"}.jwt body elided'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
jwt auth failed
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: CustomJWTBearerToken was not authenticated. Failure message: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"typ":"JWT","alg":"RS256","kid":"elided-for-security"}.jwt body elided'.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: CustomJWTBearerToken was not authenticated. Failure message: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"typ":"JWT","alg":"RS256","kid":"elided-for-security"}.jwt body elided'.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Successfully validated the token.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful.
Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executing endpoint 'Portal.Controllers.TokenController.GetTokenAsync (Portal)'
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Information: Route matched with {action = "GetToken", controller = "Token", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] GetTokenAsync() on controller Portal.Controllers.TokenController (Portal).
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: CustomJWTBearerToken was not authenticated. Failure message: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"typ":"JWT","alg":"RS256","kid":"elided-for-security"}.jwt body elided'.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful.

Scenario 2 - using AzureADDefaultsJwtBearerAuthenticationScheme as the default auth scheme and executing an endpoint using “CustomJWTBearerToken”.

Stack trace from Debug output:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Failed to validate the token.

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"alg":"HS256","kid":"elided-for-security","typ":"JWT"}.jwt body elided'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AzureADJwtBearer was not authenticated. Failure message: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'. , KeyId: elided-for-security
'. 
kid: 'elided-for-security'. 
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'elided-for-security', InternalId: 'elided-for-security'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"alg":"HS256","kid":"elided-for-security","typ":"JWT"}.jwt body elided'.
jwt message received
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Successfully validated the token.
jwt token validated
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful.
Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executing endpoint 'Portal.Controllers.CacheController.GetStringAsync (Portal)'
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Information: Route matched with {action = "GetString", controller = "Cache", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] GetStringAsync(System.String) on controller Portal.Controllers.CacheController (Portal).
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful.
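In both traces every handler named in the default authorization policy runs on every request, because the policy built in AddProtectedWebApi lists both schemes. The handler that was handed the other scheme's token logs its failure at Information level: in Scenario 1 the CustomJWTBearerToken handler tries its SymmetricSecurityKey against an RS256 token, in Scenario 2 the AzureADJwtBearer handler tries its X509SecurityKey against an HS256 token, and IDX10634 is the library refusing to build a signature provider for that key/algorithm pair. The matching handler then succeeds, which is why "Successfully validated the token" and "Authorization was successful" follow the failure lines. What follows is an added example, not code from the issue or from Microsoft.Identity.Web, of routing each request to a single JwtBearer handler with a policy scheme whose ForwardDefaultSelector inspects the unverified token header. The scheme name "JwtSchemeSelector", the customIssuer parameter, and the AddProtectedWebApiWithSelector and SelectSchemeForToken names are assumptions made here; the two bearer scheme names are the ones used in the issue.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web): route each
// request to exactly one JwtBearer handler by inspecting the unverified token header.
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class JwtSchemeSelectorExtensions
{
    // Scheme names as used in the issue; the selector scheme name is an assumption.
    public const string CustomScheme = "CustomJWTBearerToken";
    public const string AzureAdScheme = "AzureADJwtBearer";
    public const string SelectorScheme = "JwtSchemeSelector";

    // Registers a policy scheme that forwards to one of the two JwtBearer schemes.
    // configureCustom is the caller's existing option setup for the symmetric-key scheme.
    public static IServiceCollection AddProtectedWebApiWithSelector(
        this IServiceCollection services,
        IConfiguration configuration,
        string customIssuer,
        Action<JwtBearerOptions> configureCustom)
    {
        services.AddAuthentication(SelectorScheme)
            .AddPolicyScheme(SelectorScheme, "JWT scheme selector", options =>
            {
                options.ForwardDefaultSelector = context => SelectScheme(context, customIssuer);
            })
            .AddJwtBearer(CustomScheme, configureCustom)
            .AddMicrosoftIdentityWebApi(configuration, jwtBearerScheme: AzureAdScheme);

        // The default policy names only the selector, so a single handler runs per
        // request instead of every scheme listed in the policy.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder(SelectorScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        return services;
    }

    // Picks the scheme from the Authorization header. Anything that is not a bearer
    // token is sent to the Azure AD handler so it is rejected by a real handler.
    private static string SelectScheme(HttpContext context, string customIssuer)
    {
        string authorization = context.Request.Headers["Authorization"];
        const string prefix = "Bearer ";
        if (string.IsNullOrEmpty(authorization) ||
            !authorization.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            return AzureAdScheme;
        }

        return SelectSchemeForToken(authorization.Substring(prefix.Length).Trim(), customIssuer);
    }

    // Decodes the JWT WITHOUT validating it. The header and issuer are attacker
    // controlled here and are used only to choose which handler runs; the chosen
    // handler still checks signature, issuer, audience and lifetime.
    public static string SelectSchemeForToken(string rawToken, string customIssuer)
    {
        var handler = new JwtSecurityTokenHandler();
        if (string.IsNullOrEmpty(rawToken) || !handler.CanReadToken(rawToken))
        {
            return AzureAdScheme;
        }

        JwtSecurityToken jwt = handler.ReadJwtToken(rawToken);

        // The custom scheme issues HS256 tokens under a fixed issuer; Azure AD issues
        // RS256 tokens. Require both signals before routing to the symmetric-key
        // scheme, so an RS256 token with a spoofed "iss" still reaches the Azure AD handler.
        bool isCustom =
            string.Equals(jwt.Header.Alg, SecurityAlgorithms.HmacSha256, StringComparison.Ordinal) &&
            string.Equals(jwt.Issuer, customIssuer, StringComparison.Ordinal);

        return isCustom ? CustomScheme : AzureAdScheme;
    }
}
```

Call services.AddProtectedWebApiWithSelector(Configuration, issuer, configureCustom) in place of AddProtectedWebApi, passing the same delegate that currently configures the custom scheme. The selector only chooses a handler and must not be treated as a validation step, since alg and iss come straight from the request: a forged token with alg HS256 and the custom issuer is routed to the symmetric-key scheme, where signature validation against the configured key still rejects it. The IDX10634 line in Scenario 2 is also worth keeping: the library refuses to use an X509SecurityKey for HS256, which is the behaviour that blocks the RS256-to-HS256 key confusion attack, so it should not be worked around with a custom CryptoProviderFactory. For the custom scheme, pinning TokenValidationParameters.ValidAlgorithms (available in Microsoft.IdentityModel.Tokens 6.x) to HS256 makes that expectation explicit.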

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 12 (4 by maintainers)

Top GitHub Comments

1 reaction
brentschmaltz commented, Nov 4, 2021

@jennyf19 can you help out here?

1 reaction
brentschmaltz commented, Mar 1, 2021

@udlose ill have to debug through this … give me a bit of time.
