Identityserver4: Signature validation failed. Unable to match keys

Created on 14 Feb 2019 · 6 Comments · Source: IdentityServer/IdentityServer4

Issue / Steps to reproduce the problem

I've installed my existing project on a new machine and token validation simply broke on me without me installing any new dependencies on either client or server. The authentication works, my client app gets the token. However any API request returns 403.

This is the message I'm getting:

[13:47:48 INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 
kid: '838C00F625D924AEF157677ECFF1BE1C4F5E92FB', 
token: '{
"alg":"RS256","kid":"838C00F625D924AEF157677ECFF1BE1C4F5E92FB","typ":"JWT","x5t":"g4wA9iXZJK7xV2d-z_G-HE9ekvs"}.{"nbf":1550148313,"exp":1550151913,"iss":"http://localhost:5000","aud":["http://localhost:5000/resources","api"],"client_id":"webclient","sub":"1","auth_time":1550147628,"idp":"local", "scope":["openid","profile","api"],"amr":["pwd"]}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

For ages I've used a self signed PFX certificate and loaded it into IdSrv4 on Startup:

services.AddIdentityServer()
   .AddSigningCredential(myCert)
  // ...

The certificate loading process works and since I haven't changed anything here either, I don't believe this causes the issue.

I've looked through both oidc-client & IdentityServer4 issue trackers but all I could find were

  • this -> not related,
  • this -> also not related

IdSrv4 versions:

  • IdentityServer4 (2.3.2),
  • IdentityServer4.AccessTokenValidation (2.7.0)

oidc-client versions:

  • I tried 1.4.1, 1.5.4 & 1.6.1

Any help would be greatly appreciated!

question

All 6 comments

I'd write a sample that manually uses the JwtSecurityTokenHandler to validate that JWT with that same cert you have. Otherwise, not sure since the error is coming from a Microsoft component. You did say you changed machines, so are you sure it's really the same cert? Expired? All the standard environmental questions come up...
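The sample suggested above, written out as an added C# diagnostic (not code from this thread or from IdentityServer4). It loads the same PFX, prints the token's kid next to the certificate thumbprint (the KeyId that X509SecurityKey derives from a certificate, which is the form the kid in the log above has), then validates the signature with JwtSecurityTokenHandler. The PFX path, password, issuer and audience values are assumptions passed on the command line.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Added diagnostic sample (assumption: System.IdentityModel.Tokens.Jwt 5.x is referenced).
// Usage: ValidateWithCert <signing.pfx> <pfx-password> <raw-jwt>
class ValidateWithCert
{
    static int Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: ValidateWithCert <signing.pfx> <pfx-password> <raw-jwt>");
            return 2;
        }

        var cert = new X509Certificate2(args[0], args[1]);
        var jwt = args[2];
        var handler = new JwtSecurityTokenHandler();

        // Read the header without validating, so the kid can be compared to the key we hold.
        var parsed = handler.ReadJwtToken(jwt);
        var key = new X509SecurityKey(cert);           // KeyId == cert.Thumbprint
        Console.WriteLine($"token kid      : {parsed.Header.Kid}");
        Console.WriteLine($"cert thumbprint: {key.KeyId}");
        Console.WriteLine($"cert valid     : {cert.NotBefore:u} .. {cert.NotAfter:u}");
        if (!string.Equals(parsed.Header.Kid, key.KeyId, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("kid mismatch: the token was signed with a different key than this PFX");

        // Same checks the JwtBearer middleware performs, but with the key supplied directly
        // instead of being fetched from the Authority's discovery document.
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = key,
            ValidIssuer = "http://localhost:5000",     // assumption: matches the 'iss' claim
            ValidAudiences = new[] { "api" },           // assumption: matches one 'aud' entry
            ValidateLifetime = true
        };

        try
        {
            handler.ValidateToken(jwt, parameters, out SecurityToken validated);
            Console.WriteLine($"signature OK, token valid until {validated.ValidTo:u}");
            return 0;
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"validation failed: {ex.GetType().Name}: {ex.Message}");
            return 1;
        }
    }
}
```

If this sample validates the token but the API still returns 403, the key the API actually uses (from the Authority's discovery document) differs from the PFX, which points at the API's authentication options rather than the certificate.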

Yes it is the same certificate used with all machines. All environment messages appeared fine and firewalls are not the problem. The certificate expiry date is five years from now, so it is still valid.

Oddly enough, using AddDeveloperSigningCredential() instead of AddSigningCredential() runs into the same issue, so I guess the certificate is not to blame. What else could cause this?

Would I have to write a custom JwtSecurityTokenHandler? Are there any samples on how to do this?

I fixed the issue by completely deleting my local git repository and pulling it again from scratch. Somehow it all works now.

Thanks for the quick help, Brock and my apologies for the issue.

Odd

 .AddIdentityServerAuthentication(options =>
 {
    // options.Authority = Authority;
 })

In my case, if the authority is not set here, it causes this problem, since from
