ValidateIssuerSigningKey shouldn't be called if the signing key is null and TokenValidationParameters.RequireSignedTokens is false


When we upgrade from netcoreapp2.0 to netcoreapp2.1 our JWT authentication for unsigned tokens fails with

[18:23:57 INF] Failed to validate the token.
System.ArgumentNullException: IDX10000: The parameter 'securityKey' cannot be a 'null' or an empty object.
Parameter name: securityKey
   at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuerSecurityKey(SecurityKey key, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
[18:23:57 INF] Bearer was not authenticated. Failure message: IDX10000: The parameter 'securityKey' cannot be a 'null' or an empty object.
Parameter name: securityKey

Our config looks like this, which works on netcoreapp2.0 and fails on netcoreapp2.1:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.Audience = _config.JWTAudience;

    X509Certificate2 x509Certificate2 = new X509Certificate2(Convert.FromBase64String(_config.Key));

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidIssuer = _config.JWTIssuer,
        IssuerSigningKey = new X509SecurityKey(x509Certificate2),
        RequireSignedTokens = !_config.AllowUnsignedTokens
    };
});

Normal signed tokens work correctly on both netcoreapp2.0 and netcoreapp2.1. Have the configuration settings changed to support unsigned tokens?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

1 reaction
brentschmaltz commented, Apr 26, 2019

@holytshirt Our handlers should not call ValidateIssuerSigningKey if the key is null AND TokenValidationParameters.RequireSignedTokens is false.

1 reaction
brentschmaltz commented, Jul 5, 2018

@holytshirt we are here to serve 😃, so don’t worry about hassling us. I will leave this open as we need to think about this a bit more.
