I'm getting the following logged error pertaining to JWT creation and validation.

IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms

Below is code for generating the JWT.

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// _config is an IConfiguration; user.Email identifies the subject the token is issued for
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_config["JwtSecret"]);

var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(new[] { new System.Security.Claims.Claim("id", user.Email) }),
    Expires = DateTime.UtcNow.AddHours(5),
    // HmacSha256Signature is written to the JWT header as "alg": "HS256"
    SigningCredentials = new SigningCredentials(
        new SymmetricSecurityKey(key),
        SecurityAlgorithms.HmacSha256Signature)
};

return tokenHandler.WriteToken(tokenHandler.CreateToken(tokenDescriptor));

Below is the code for validating the JWT.

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// context is the HttpContext; jwt is the bearer token string taken from the request
var config = context.RequestServices.GetService<IConfiguration>();
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.ReadJwtToken(jwt); // parsed without validation; not used below

_ = tokenHandler.ValidateToken(jwt, new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(config["JwtSecret"])),
    ValidateIssuer = false,   // issuer and audience checks are disabled here
    ValidateAudience = false,
    ClockSkew = TimeSpan.Zero // Tokens expire exactly at token expiration time
}, out var validatedToken);

What is wrong with the way we are creating the SigningCredentials? (We're using a supported algorithm)

Edit

It's becoming clear that this error is coming from the framework, and not from our own parsing of the JWT. So, we're trying to figure out what's wrong with the JWT we're generating.

We are also getting this type of error:

IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: ....
Chris
  • The PII message seems to be a red herring, I think they're just reusing the same message to hide your `SecurityKey` (which is not PII, but really shouldn't be printed anywhere either). – Dai Sep 30 '22 at 18:15
  • `ValidateIssuer = false, ValidateAudience = false,` <-- **yikes** - using `false` for these 2 options basically means anyone can use any fake token. Why did you disable audience and issuer validation? – Dai Sep 30 '22 at 18:23
  • https://stackoverflow.com/questions/39497822/how-can-i-use-x509securitykey-for-asp-net-core-jwt-validation – Dai Sep 30 '22 at 18:26
  • @Dai I reviewed that question - and the problem was using an asymmetric key with an HMAC algorithm. We are using a symmetric key, which should be fine. – Chris Sep 30 '22 at 18:45
  • What version of .NET are you using, and what version of `Microsoft.IdentityModel.Tokens` and `System.IdentityModel.Tokens.Jwt` (and/or `Microsoft.IdentityModel.JsonWebTokens`) are you using? – Dai Sep 30 '22 at 18:50
  • FWIW, I copied and pasted your code into Linqpad 7 (.NET 6), replaced your secret with my own `const string` and it _just works_. I'm using `Microsoft.IdentityModel.JsonWebTokens` version 6.23.1 and `Microsoft.IdentityModel.Tokens` version 6.23.1 and `System.IdentityModel.Tokens.Jwt` (also version 6.23.1) and HS256 works fine... – Dai Sep 30 '22 at 18:58
  • @Dai .NET 6.0, and 6.23.1 of those libraries – Chris Sep 30 '22 at 19:06
  • Works for me in dotnetfiddle: https://dotnetfiddle.net/qzxp1i – Dai Sep 30 '22 at 19:17
  • How are you getting those logged `IDX10503` and `IDX10634` events? You aren't passing around any `ILogger`... – Dai Sep 30 '22 at 19:37
  • @Dai From the framework itself though (see my question edit). Serilog is registered at the program level. – Chris Sep 30 '22 at 19:39
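The following is an added, self-contained example (not the asker's code and not from the IdentityModel project) that issues an HS256 token the same way the question does and validates it with the issuer, audience, lifetime and accepted-algorithm checks that Dai's comment points out are missing. It also reads the unverified header first so you can see which `alg` and `kid` the validator will key on, and then validates the same token with the wrong key to show the rejection path. The secret, issuer and audience values are constructed for the example; it assumes `System.IdentityModel.Tokens.Jwt` / `Microsoft.IdentityModel.Tokens` 6.x on .NET 6, as in the question.

```csharp
// Added example: strict HS256 issue/validate round trip (constructed values, not the asker's code).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtHs256Demo
{
    // Constructed sample secret: 32 ASCII bytes = 256 bits. HMAC keys shorter than the
    // library's minimum are rejected at signing time, so never use a short secret here.
    private const string Secret = "example-secret-exactly-32-bytes!";
    // Constructed issuer/audience; in a real service these come from configuration.
    private const string Issuer = "https://issuer.example";
    private const string Audience = "example-api";

    private static SymmetricSecurityKey KeyFrom(string secret) =>
        new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secret));

    // Issue a token the same way the question does, but with issuer and audience set
    // so that the validator can actually check them.
    public static string Issue(string email)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("id", email) }),
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddHours(5),
            // HmacSha256 and HmacSha256Signature both serialise as "alg": "HS256".
            SigningCredentials = new SigningCredentials(KeyFrom(Secret), SecurityAlgorithms.HmacSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Strict parameters: pin the key, issuer, audience, lifetime and the accepted
    // algorithm so a token signed another way, or minted for another service, is rejected.
    public static TokenValidationParameters StrictParameters(string secret) =>
        new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = KeyFrom(secret),
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };

    public static ClaimsPrincipal Validate(string jwt, string secret)
    {
        var handler = new JwtSecurityTokenHandler();
        // Parse without validating to see the header fields the validator will use
        // when choosing a key. A token with no "kid" is tried against every configured key.
        var unverified = handler.ReadJwtToken(jwt);
        Console.WriteLine($"header alg={unverified.Header.Alg} kid={unverified.Header.Kid ?? "(none)"}");
        return handler.ValidateToken(jwt, StrictParameters(secret), out _);
    }

    public static void Main()
    {
        var jwt = Issue("user@example.com");

        var principal = Validate(jwt, Secret);
        Console.WriteLine($"valid, id={principal.FindFirst("id")?.Value}");

        try
        {
            // Wrong key: the signature check fails and the library throws a SecurityTokenException
            // subtype (its message lists the keys it tried, as in the question's IDX10503 log line).
            Validate(jwt, "another-secret-that-is-32-bytes!");
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"rejected: {ex.GetType().Name}: {ex.Message}");
        }
    }
}
```

The point of the `ReadJwtToken` step is diagnostic: if the logged "Keys tried" entry is an `X509SecurityKey` while the token was signed with a `SymmetricSecurityKey`, the token is being validated by a handler configured with a different key than the one in the code shown, and the header's `alg`/`kid` tells you which key set that handler will consult. `ValidAlgorithms` is what prevents a token that declares a different algorithm from being accepted against the same key.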

0 Answers