Authentication fails with "Unprotect ticket failed" for Asp.Net Core WebApi

When I use Bearer token with an AspNetCore controller protected with [Authorize], I get the log message:

info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
      Identity.Application was not authenticated. Failure message: Unprotect ticket failed

I'm trying to understand what this means and what can be causing this.

The Startup class of the Api has the following setup. The Api uses AspNet Identity Core.

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<UserAccountDbContext>(options =>
        options.UseSqlServer(connectionString,
                             sql => sql.MigrationsAssembly(MigrationsAssembly)));

    services.AddIdentity<UserAccount, IdentityRole>()
            .AddEntityFrameworkStores<UserAccountDbContext>();

    services.AddTransient<UserManager<UserAccount>>();

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

    services.AddAuthorization();

    services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = _configuration.OAuth2.ServerUri;
                options.RequireHttpsMetadata = false;
                options.Audience = "api";
            });
}

And:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();
    app.UseMvc();
}

The response to the caller is Unauthorized (401) without any explanation.

EDIT:

I think this has something to do with cookies, as the comment suggested. I see a cookie Identity.Application. I cleared this and tried again, but it didn't help. I think this may have something to do with the way my token server and the Api server are set up (both of which are using AspNet Identity).

I have one Mvc project running as the IdP on localhost:5000. Then my user manager Api, which has the protected controller, is hosted on localhost:5001. When I try to access the protected controller, I get redirected to the login page in the IdP project (which I think is what sets the cookie). Then, when I try to use the token with the controller, I get the above-mentioned error.

If I delete the cookies between getting the token and making the Api call, I get the following log:

2019-02-11 23:35:15.3711  [INFO] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
      Executing ChallengeResult with authentication schemes ().
2019-02-11 23:35:15.3711  [INFO] Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[12]
      AuthenticationScheme: Identity.Application was challenged.
2019-02-11 23:35:15.3711  [INFO] AuthenticationScheme: Identity.Application was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Nertie answered 11/2, 2019 at 15:12 Comment(10)
You probably have an old cookie on the given domain, or changed something in your security configuration. Simply clear the cookies and authenticate again. - Chesson
I tried clearing cookies in Postman, but I still get the error. I'm adding a bit more information. Could you please tell me what I'm doing wrong? - Nertie
Postman sends Chrome's cookies as well. - Chesson
I deleted all the cookies between getting the token and using it, then the request doesn't complete with the api. I added more details about the setup. - Nertie
ever figure this out? - Spermous
@ChaimEliyah See if the below works. I really can't quite remember how I resolved it. It was painful... - Nertie
oh. shoot, I didn't see you were using JWT, unfortunately I won't be able to test that for a while. I am getting this with Cookie auth - Spermous
In my case, I was sending a callback url with https while my client was configured to use http. Hope this helps someone. - Creuse
Facing this issue right now in my team. Apparently, using a cookie is unnecessary if you use JWT. In fact, the cookie will take precedence in SignalR, causing the issue (outdated cookie). Unfortunately, I don't have enough information to post a proper answer yet. - Habitue
@chaimeliyah, did you ever figure out the issue with the cookies? - Cruel
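
The logs in the question show the Identity.Application cookie handler, not the Bearer handler, authenticating and challenging the request. The following is an added example, not code from the question or any commenter, of one configuration that routes API requests to the JWT handler when AddIdentity is also registered. `ApiAuthSetup`, `AddApiAuth`, `AccountsController` and the stub types are assumptions made for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Stand-ins for the question's types so the example compiles on its own.
public class UserAccount : IdentityUser { }
public class UserAccountDbContext : IdentityDbContext<UserAccount>
{
    public UserAccountDbContext(DbContextOptions<UserAccountDbContext> options) : base(options) { }
}

public static class ApiAuthSetup // hypothetical helper, called from ConfigureServices
{
    public static void AddApiAuth(IServiceCollection services, string authority)
    {
        // AddIdentity registers the cookie handlers and sets DefaultAuthenticateScheme
        // and DefaultChallengeScheme to "Identity.Application".
        services.AddIdentity<UserAccount, IdentityRole>()
                .AddEntityFrameworkStores<UserAccountDbContext>();

        // AddAuthentication("Bearer") would only set DefaultScheme, a fallback that is
        // ignored while the specific defaults above are set. Override them explicitly,
        // after AddIdentity, so the JWT handler authenticates and challenges.
        services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = authority; // the IdP, e.g. _configuration.OAuth2.ServerUri
                options.Audience = "api";
            });
    }
}

// Pinning the scheme on the controller makes authorization here use the Bearer
// result only, whatever the application-wide defaults are.
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class AccountsController : ControllerBase // hypothetical controller
{
    [HttpGet("me")]
    public IActionResult Me() => Ok(User.Identity.Name);
}
```

`RequireHttpsMetadata` is left at its default of `true` here; the question sets it to `false` because its IdP runs over plain HTTP on localhost.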

When I spin up a development server on port 5000, I also got the "Unprotect ticket failed" error message. In Chrome I had a number of cookies lying around from another project which also ran at 5000. Deleted all cookies and error message gone.

Ephemerid answered 2/3, 2020 at 15:54 Comment(0)

This can occur when you have traffic balanced across two web servers and have not configured Data Protection to share keys.

More below:

The anti-forgery token could not be decrypted

Absorptance answered 14/3, 2022 at 21:16 Comment(0)
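
Sharing the Data Protection key ring between load-balanced nodes, as the answer above describes, sketched as an added example (not code from the answer or the linked post). The helper name, the application name `user-manager-api`, the key ring path and the certificate are assumptions.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class SharedDataProtection // hypothetical helper, called from ConfigureServices
{
    // keyRingPath: a directory every node can read and write (assumed, e.g. a network share).
    // protectionCert: a certificate with a private key installed on every node (assumed).
    public static void AddSharedKeyRing(
        IServiceCollection services, string keyRingPath, X509Certificate2 protectionCert)
    {
        services.AddDataProtection()
            // By default the application discriminator is derived from the content root
            // path, so two deployments in different folders cannot read each other's
            // payloads even with the same keys. Use one fixed name on all nodes.
            .SetApplicationName("user-manager-api")
            // By default each node keeps its own key ring, so a cookie issued by node A
            // fails to unprotect on node B. Point all nodes at the same store.
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
            // Keys written to a custom location are not encrypted at rest unless a
            // protector is configured; wrap them with a certificate all nodes hold.
            .ProtectKeysWithCertificate(protectionCert);
    }
}
```

Restrict access to the key ring directory to the application's service account: anyone who can read the keys and holds the certificate's private key can mint valid authentication cookies.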