Using this code:
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = "http://localhost:9000"; // OpenIddict running there
options.Audience = "demo-resource-server";
if (Env.IsDevelopment())
options.RequireHttpsMetadata = false;
});
I always get 401 Unauthorized even when my token is valid. Any ideas why?
I am using asymmetric RSA keys.
What do the logs say?
Sadly no logs, so I don't know how I'd tackle debugging this.
OpenIddict is running on ASP.NET Core 2.0, and the token was obtained through the Implicit flow.
Enable the ASP.NET Core logs. There's definitely something that would help explain what's going on.
I thought logging was enabled by default? So far all I got is:
Hosting environment: Development
Content root path: ...\DemoResourceServer
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
Make sure the log level is low enough. You should at least see the HTTP request.
Sorry, totally forgot about that. Debug logs:
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token [JWT]
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'RB7KZAZSDKKEKZ275TF5RI5SLCMCU1XK9CLJTWZ7',
token: '{"alg":"RS256","typ":"JWT","kid":"RB7KZAZSDKKEKZ275TF5RI5SLCMCU1XK9CLJTWZ7"}.{"sub":"5adccd94-3978-45d9-b897-8b3c4010836d","name":"admin","role":"Administrator","token_usage":"access_token","jti":"37a08fdb-10e5-4052-9fb1-414fa166e9f3","scope":"openid","aud":"demo-resource-server","azp":"client-app","nbf":1513989512,"exp":1513993112,"iat":1513989512,"iss":"http://localhost:9000/"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token [JWT].
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'RB7KZAZSDKKEKZ275TF5RI5SLCMCU1XK9CLJTWZ7',
token: '{"alg":"RS256","typ":"JWT","kid":"RB7KZAZSDKKEKZ275TF5RI5SLCMCU1XK9CLJTWZ7"}.{"sub":"5adccd94-3978-45d9-b897-8b3c4010836d","name":"admin","role":"Administrator","token_usage":"access_token","jti":"37a08fdb-10e5-4052-9fb1-414fa166e9f3","scope":"openid","aud":"demo-resource-server","azp":"client-app","nbf":1513989512,"exp":1513993112,"iat":1513989512,"iss":"http://localhost:9000/"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action DemoResourceServer.Controllers.TestController.Closed (DemoResourceServer) in 355.3909ms
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action DemoResourceServer.Controllers.TestController.Closed (DemoResourceServer) in 355.3909ms
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HLA9K9DPCTSQ" completed keep alive response.
dbuginfo: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 619.5867ms 401
: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HLA9K9DPCTSQ" completed keep alive response.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 619.5867ms 401
Seems to be a problem validating key ID. I just checked the kid given by OpenIddict .well-known/jwks and it is different from the one in my token. I'm only using one key, so I'm not sure why OpenIddict is generating a token with a different kid.
Do you use ephemeral keys?
Oops, had a bad environment check. Sorry for dragging this out and thanks for the quick replies!