Cannot Validate AccessToken with IdentityServer
Asked Answered
M

1

6

We are using IdentityServer for authentication and we are validating the access token using JwtSecurityTokenHandler ValidateToken. This used to work fine, but after we upgraded our client application to ASP.NET Core 1.0 RTM (from RC1), the validation fails. The received error is:

IDX10501: Signature validation failed. Unable to match 'kid'

When I look at the KeyID of the used certificate and the kid of the token, I can see that they are different. I checked the IdentityServer jwks-endpoint to check that I had the correct certificate and noticed that the kid and certificate key id are different from that endpoint too. From what I've understood, they are supposed to be the same?

Any ideas why the code broke during the upgrade since the certificate, token and IdentityServer are still the same and only the client app core was upgraded.

EDIT (More information)
I suspect that ValidateIssuerSigningKey is false by default and the key has not even been validated before (thus it was working). Now it seems that the ValidateIssuerSigningKey is being ignored (as bad practice?) and thus the validation fails.

Workaround/Fix
By setting the IssuerSigningKeyResolver manually and giving the key to use in validation explicitly, fixes the issue and validation passes. Not sure how good the workaround is and why the default doesn't work, but at least I can move on for now.

simplified code...

new JwtSecurityTokenHandler().ValidateToken(authTokens.AccessToken,
  new TokenValidationParameters()
  {
    IssuerSigningKeys = keys,
    ValidAudience = audience,
    ValidIssuer = issuer,
    IssuerSigningKeyResolver = (arbitrarily, declaring, these, parameters) => new List<X509SecurityKey> { securityKey }
   }, out securityToken);
Mandle answered 7/7, 2016 at 6:57 Comment(3)
Describe in more detail what you have running and what you updated. maybe related to github.com/IdentityServer/IdentityServer3/issues/3040Sapless
Sounds like the same issue. Anyway, I got it resolved by setting the IssuerSigningKeyResolver manually and giving the key to use in validation explicitly. I still wonder why the default doesn't work, but at least I got it working with this fix.Mandle
We got the same error, but our problem was that the issuer and authority urls had differnet casing. myserver/sts and myserver/StsNodose
B
2

The Client and API should refer to the same instance of IdentityServer. We are running IdentityServerHost in Azure, which has different slots (main and staging) and two applications inconsistently referred to different slots. The Client received access token issued by IdSrv-main provider and passed it to API, that expected it from different provider IdSrv-staging. API validated it and returned error.

The problem is that the errror doesn't give a hint to the actual cause of the issue. MS should provide much more detailed error message to help debugging. The current error message is not sufficient to identify the cause.

Blackfish answered 18/9, 2017 at 12:17 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.