
I'm using the updated Azure Mobile Apps and the authentication providers like Google, Microsoft, Twitter, and Facebook for authenticating users to my website. All of this is working well and upon authenticating with my Azure Mobile App instance, I get back a valid JWT token representing the authenticated user. This token I'm turning around and sending as an Authentication Bearer token to the server to authenticate requests to another ASP.NET Core API service. All of this is working just fine.

The problem is getting the JWT validated on the server using the correct signing key value. For a test, if I take my JWT token to https://jwt.io/ and paste in my secret key from Azure using the correct algorithm HS256, I still can't get past the "Invalid Signature" error. In the same area, if I call my ASP.NET Core API service, which has app.UseJwtBearerAuthentication from Microsoft.AspNetCore.Authentication.JwtBearer configured, I get the same 401 error back from endpoints stating the following:

401 Unauthorized: Bearer error="invalid_token", error_description="The signature is invalid"

According to Azure Mobile Apps offline WEBSITE_AUTH_SIGNING_KEY and some other sites, I'm supposed to use the WEBSITE_AUTH_SIGNING_KEY from https://[Azure-Mobile-Site-Here].scm.azurewebsites.net/Env.cshtml. I have gotten the value and tried to use it 10 ways from Sunday as the IssuerSigningKey on the server, but to no success. I always get the same error.

Here is the configuration I have on the server. I've tried to narrow it down as much as possible, decompiling code and only turning on the minimum flags to validate. I can't get anything through.

private void ConfigureAuth(IApplicationBuilder app)
{
    //Didn't work attempt #1
    //byte[] keyBytes = Encoding.UTF8.GetBytes("975BE84E150ABlahBlahBlahA2527E1AAC80606");
    //if (keyBytes.Length < 64)
    //{
    //    Array.Resize(ref keyBytes, 64);
    //}

    //Didn't work attempt #2
    //byte[] keyBytes = _UTF8Encoder.GetBytes("975BE84E150ABlahBlahBlahA2527E1AAC80606");

    //Didn't work attempt #3
    //var keyAsBytes = Convert.FromBase64String("975BE84E150ABlahBlahBlahA2527E1AAC80606");

    //Didn't work attempt #4
    //var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("975BE84E150ABlahBlahBlahA2527E1AAC80606"));

    var signingKey = new SymmetricSecurityKey(keyBytes);

    var tokenValidationParameters = new TokenValidationParameters
    {

        RequireExpirationTime = false,
        RequireSignedTokens = false,
        SaveSigninToken = false,
        ValidateActor = false,
        ValidateAudience = false,
        ValidateIssuer = false,
        ValidateLifetime = false,

        //The signing key must match!
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
    };

    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        TokenValidationParameters = tokenValidationParameters
    });

}

As a note above, I've already tried making ValidateIssuerSigningKey = false to try and bypass this all and it didn't work. I still get the same error; it's like the bit didn't have an effect on the outcome.

I feel lost and guessing at this point, as I'm not even sure that WEBSITE_AUTH_SIGNING_KEY is the correct signingKey, and if it's not I'm spinning my wheels for nothing.

What is the proper secret / signing key used in generating the JWT token for an Azure Mobile App instance, and how do I incorporate it correctly in the middleware configuration on the server to validate the token?

atconway

1 Answer


The WEBSITE_AUTH_SIGNING_KEY is the appropriate environment variable / app setting. However, it is encoded as a hex string. You need to decode it before use. In the Node SDK, the code to do this is as follows:

// Turn the hex-encoded signing key into the raw key bytes, two hex digits per byte.
function hexStringToBuffer(hexString) {
    var bytes = [];
    for (var i = 0; i < hexString.length; i += 2)
        bytes.push(parseInt(hexString.substr(i, 2), 16));
    // Buffer.from replaces the deprecated new Buffer(...) constructor; same bytes.
    return Buffer.from(bytes);
}

You just need to convert this to C#.

Adrian Hall

Yes thank you!! I couldn't find out how it was encoded and hence the guessing. Thanks for the assist. C# code sample from here that works: http://stackoverflow.com/a/724905/410937 – atconway Nov 20 '16 at 04:21