I'm currently struggling with a JWT I'm receiving from the Google+ log-in service. I'm trying to make several authentication services compatible with my solution, but the JWT I'm getting from Google doesn't seem to work the same way as the one I retrieve from Auth0.
Made a test to simulate the behavior:
using System.Linq;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
using Microsoft.VisualStudio.TestTools.UnitTesting;

[TestMethod]
public void TestMethod1()
{
    var handler = new JwtTokensConfig.MyJwtSecurityTokenHandler();
    // Placeholders: the real token, secret and client id were removed.
    const string encodedToken = "<JWT>";
    const string issuer = "accounts.google.com";
    // Symmetric (HMAC) signing key registered for the issuer
    IIssuerSecurityTokenProvider provider = new SymmetricKeyIssuerSecurityTokenProvider(issuer,
        new FederationConfig.SymetricKey { Base64Url = "<SECRET>" }.Bytes);
    var securityToken = provider.SecurityTokens.First();
    var validationParameters = new TokenValidationParameters()
    {
        ValidIssuer = issuer,
        AllowedAudience = "<CLIENTID>",
        SigningToken = securityToken
    };
    handler.ValidateToken(encodedToken, validationParameters);
}
Removed the sensitive data and replaced it with <>.
When I'm running this test, I receive the following error:
Test method UnitTestProject1.UnitTest1.TestMethod1 threw exception:
System.IdentityModel.Tokens.SecurityTokenValidationException: Jwt10316: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'.
Exceptions caught:
'System.InvalidOperationException: Jwt10532: SymmetricSecurityKey.GetKeyedHashAlgorithm( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw and exception.
SymmetricSecurityKey: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.
Exception: 'System.InvalidOperationException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context.
at System.IdentityModel.CryptoHelper.CreateKeyedHashAlgorithm(Byte[] key, String algorithm)
at System.IdentityModel.Tokens.InMemorySymmetricSecurityKey.GetKeyedHashAlgorithm(String algorithm)
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)'. ---> System.InvalidOperationException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context.
at System.IdentityModel.CryptoHelper.CreateKeyedHashAlgorithm(Byte[] key, String algorithm)
at System.IdentityModel.Tokens.InMemorySymmetricSecurityKey.GetKeyedHashAlgorithm(String algorithm)
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(SecurityKey key, String algorithm, Byte[] encodedBytes, Byte[] signature)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(JwtSecurityToken jwt, Byte[] encodedBytes, Byte[] signatureBytes, IEnumerable`1 signingTokens)
I'm suspecting that this might be related to the fact that the Google JWT returns with the decoding algorithm of "alg": "RS256", but I can't say for sure. The one I get from Auth0 works just fine.
The way I'm getting the token is by using the google+ sign in method (https://developers.google.com/+/web/signin/javascript-flow) then passing the JWT to a different callback site. This page has been added to my REDIRECT URIS on the google project.
If you see anything that is missing, let me know! Any feedback is greatly appreciated.
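Added illustration, not part of the question and not the C# handler above: a small validator written in Python with only the standard library that shows the mismatch the stack trace reports. The token header's "alg" decides which key type can verify the signature: an HS256 token needs the shared secret, while an RS256 token (the kind Google issues) needs the issuer's RSA public key, so a validator holding only a symmetric key should reject it up front rather than let a crypto call fail. The validator pins the accepted algorithm per issuer instead of trusting the header. The Auth0 issuer name, the secret, the claims and the RS256 token's placeholder signature are all constructed for the demo; no real RSA verification is performed (a real deployment would back `rsa_verify` with the public keys the issuer publishes in its JWKS).

```python
"""Added example: algorithm/key-type checks for JWT validation (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Algorithms accepted per issuer. Google signs ID tokens with RS256; the Auth0
# issuer name below is a hypothetical HS256 tenant used only for this demo.
PINNED_ALGS = {
    "accounts.google.com": {"RS256"},
    "https://example-tenant.auth0.com/": {"HS256"},  # hypothetical issuer
}


class TokenInvalid(Exception):
    """Raised for any validation failure; the message names the failed check."""


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _signing_input(header: dict, claims: dict) -> str:
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(_b64url_encode(p) for p in parts)


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token (stands in for the Auth0-style token)."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def make_unverifiable_rs256_token(claims: dict) -> str:
    """Constructed token whose header says RS256. The signature is a placeholder,
    so it only exercises the key-type check; no RSA key is involved."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return _signing_input(header, claims) + "." + _b64url_encode(bytes(32))


def parse_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("token must have three segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, (parts[0] + "." + parts[1]).encode("ascii"), _b64url_decode(parts[2])


def validate(token, expected_issuer, expected_audience, *, hmac_secret=None, rsa_verify=None, now=None):
    """hmac_secret: shared secret for HS256 issuers. rsa_verify: callable
    (signing_input, signature, kid) -> bool backed by the issuer's RSA public keys."""
    header, claims, signing_input, signature = parse_jwt(token)
    alg = header.get("alg")
    if claims.get("iss") != expected_issuer:
        raise TokenInvalid(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    # The header is unauthenticated until the signature checks out, so "alg" may
    # only select among algorithms already pinned for this issuer.
    if alg not in PINNED_ALGS.get(expected_issuer, set()):
        raise TokenInvalid(f"alg {alg!r} is not accepted for issuer {expected_issuer!r}")
    if alg == "HS256":
        if hmac_secret is None:
            raise TokenInvalid("HS256 requires the shared secret")
        expected = hmac.new(hmac_secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenInvalid("HMAC signature mismatch")
    elif alg == "RS256":
        if rsa_verify is None:
            # The situation in the question: an RSA-signed token handed to a
            # validator that only holds a symmetric key. Fail before any crypto call.
            raise TokenInvalid("RS256 requires the issuer's RSA public key (JWKS), not a symmetric secret")
        if not rsa_verify(signing_input, signature, header.get("kid")):
            raise TokenInvalid("RSA signature mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise TokenInvalid("token expired")
    return claims


def demo() -> dict:
    """Run three cases with a fixed clock and return each outcome as a string."""
    secret, now, aud = b"constructed-shared-secret", 1_700_000_000, "client-id-placeholder"
    auth0 = "https://example-tenant.auth0.com/"
    google = "accounts.google.com"
    results = {}
    # 1. HS256 token from the symmetric-key issuer validates with the shared secret.
    claims = validate(make_hs256_token({"iss": auth0, "aud": aud, "sub": "user-1", "exp": now + 600}, secret),
                      auth0, aud, hmac_secret=secret, now=now)
    results["hs256_with_secret"] = "ok:" + claims["sub"]
    # 2. RS256 token from Google validated with only a symmetric secret: rejected early.
    try:
        validate(make_unverifiable_rs256_token({"iss": google, "aud": aud, "sub": "user-1", "exp": now + 600}),
                 google, aud, hmac_secret=secret, now=now)
        results["rs256_with_secret"] = "ok"
    except TokenInvalid as e:
        results["rs256_with_secret"] = "rejected:" + str(e)
    # 3. HS256 token naming Google as issuer: rejected because RS256 is pinned for Google.
    try:
        validate(make_hs256_token({"iss": google, "aud": aud, "sub": "user-1", "exp": now + 600}, secret),
                 google, aud, hmac_secret=secret, now=now)
        results["hs256_claiming_google"] = "ok"
    except TokenInvalid as e:
        results["hs256_claiming_google"] = "rejected:" + str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 2 is the configuration in the question: the Google issuer is registered with a symmetric key, so the only way to make it validate is to register the issuer's RSA public key material (an RSA or X.509 security key) and pin RS256 for that issuer, while Auth0's HS256 token keeps using the shared secret.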