
I am using Identity Server 4 to protect my APIs (Implicit Flow mode), which are accessed by an Angular application. Everything is working fine; however, at a specific period the access token suddenly became invalid, even before its expiry.

Configuration:

Here is the Identity Server Startup file:

    var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetTemporarySigningCredential();

    identityBuilder.AddInMemoryScopes(identitySrvConfig.GetScopes());
    identityBuilder.AddInMemoryClients(identitySrvConfig.GetClients());

Protecting the APIs:

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = identityOptions.Authority,
        ScopeName = "userProfile_api",
        RequireHttpsMetadata = false
    });

Investigation:

The issue was that the bearer token was not authenticated:

    Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': 'e4f3534e5afd70ba74c245fe2e39c724', token

After some investigation, it appears that Identity Server is generating a new key, which was causing the signature validation to fail.


In the log, I can see the two warning events at the end happening; then I see "Repository contains no viable default key" and "a new key should be added to the ring".

Questions

Why would there be no key at any time when the key lifetime is almost 3 months, even though I am using temporary signing (SetTemporarySigningCredential) and I am not restarting the server?

    Creating key {a2fffa4a-345b-4f3b-bae7-454d567a1aee} with creation date 2017-03-03 19:15:28Z, activation date 2017-03-03 19:15:28Z, and expiration date 2017-06-01 19:15:28Z.

How can I solve this issue?

Hussein Salman

1 Answer

Creating a self-signed certificate and removing the temporary signing on Identity Server fixed the issue.

using System.Security.Cryptography.X509Certificates;

// Load the signing certificate (a PFX containing the private key) and use it as a
// stable signing credential instead of the temporary, generated key.
var signingCertificate = new X509Certificate2("ReplaceByCertificatePath", "ReplaceByPasswordCertificate");
var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetSigningCredential(signingCertificate);

identityBuilder.AddInMemoryScopes(IdentitySrvConfig.GetScopes());
identityBuilder.AddInMemoryClients(IdentitySrvConfig.GetClients());
Hussein Salman
  • Why temp signing didn't work? Is this mentioned anywhere in the doc? – dragonfly02 Nov 21 '17 at 14:26
  • It's working, but sometimes tokens were invalid even before their expiry. This was noticed weeks after we started using the temp signing and was not an easy catch. – Hussein Salman Nov 21 '17 at 17:22
  • I'm having the same problem, e.g. token expired before its expiration. Why did temp signing cause this, if you know? – dragonfly02 Nov 21 '17 at 17:35
  • Sorry, I don't have an answer for this question, but it seems the temp signing is causing such inconsistent behavior. – Hussein Salman Nov 21 '17 at 17:53
  • How did you test this? I am going to make the changes as you suggested but not sure how to test it efficiently – dragonfly02 Nov 21 '17 at 19:28
  • I used to have logging enabled and I was using a Seq server to log all actions at the Debug level. Seq server provides you with an interface to search for specific parameters or attributes in your log history. I looked into that to make sure that the same issue of the token expiry (with the same error) was not happening again. – Hussein Salman Nov 21 '17 at 20:27
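As an added example (not the poster's code) of the fix the answer describes: a startup helper that loads the signing certificate from a PFX, refuses to start on a certificate that cannot sign, and logs its thumbprint, which Microsoft.IdentityModel's X509SecurityKey uses as the JWT `kid`, so an IDX10501 "Unable to match 'kid'" message can be correlated with the deployed key. It assumes the released IdentityServer4 method name AddSigningCredential (the answer uses the pre-release SetSigningCredential); the PFX path, password and logger are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class SigningCredentialSetup
{
    // Loads and sanity-checks the token signing certificate. Throwing here fails the
    // host at startup, which is preferable to issuing tokens no API can validate.
    public static X509Certificate2 LoadSigningCertificate(string pfxPath, string password, ILogger logger)
    {
        var cert = new X509Certificate2(pfxPath, password);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key; cannot sign tokens.");

        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Signing certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");

        using (var rsa = cert.GetRSAPublicKey())
        {
            if (rsa == null || rsa.KeySize < 2048)
                throw new InvalidOperationException("Signing certificate must carry an RSA key of at least 2048 bits.");
        }

        // With an X.509 signing credential the issued tokens carry kid == thumbprint.
        // Logging it lets operators compare the kid in an IDX10501 failure against the
        // key actually deployed, and gives advance notice of the certificate's expiry.
        logger.LogInformation("Token signing key loaded. kid (thumbprint): {Kid}, valid until {NotAfter:u}",
            cert.Thumbprint, cert.NotAfter.ToUniversalTime());
        return cert;
    }

    // Hypothetical convenience extension wrapping IdentityServer4's AddSigningCredential.
    public static IIdentityServerBuilder AddStableSigningCredential(this IIdentityServerBuilder builder,
        string pfxPath, string password, ILogger logger)
    {
        return builder.AddSigningCredential(LoadSigningCertificate(pfxPath, password, logger));
    }
}
```

Call it from Startup as `services.AddIdentityServer().AddStableSigningCredential("ReplaceByCertificatePath", "ReplaceByPasswordCertificate", logger)`; rotate the certificate deliberately (new PFX, restart) rather than letting a generated key change underneath running APIs.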