
In my .NET Core 2.2 microservice, I try to extract claims from a JWT token to do some authorization. Authentication is done on another part of the system, so I don't need to do it at this point.

I am using this code in the Startup.cs:

    // Inside ConfigureServices(): register the JwtBearer handler and tell it
    // which symmetric key the incoming tokens were signed with.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            var signingKey = Encoding.UTF8.GetBytes("SECRET_KEY");
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                ValidateAudience = false,
                IssuerSigningKey = new SymmetricSecurityKey(signingKey)
            };
        });

On the controller I have this code:

    [Authorize]
    [HttpPost]
    public async Task<ActionResult<CreateResponse>> Create()
    {
        // Look up the custom "empId" claim; null if the token did not carry it.
        var userIdClaim = HttpContext.User.Claims.SingleOrDefault(x => x.Type == "empId");
        if (userIdClaim == null)
        {
            return Forbid();
        }
        return Ok($"Your User ID is {userIdClaim.Value} and you can create invoices!");
    }

I always get this error message and "Unauthorized" response:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.

abatishchev
aumanjoa

1 Answer


You can see the hidden details in development by adding the following to Configure() in the Startup class:

    // using Microsoft.IdentityModel.Logging;
    // env is the IHostingEnvironment injected into Configure().
    if (env.IsDevelopment())
    {
        // Unmask the key identifiers, token and inner exceptions in IDX* messages.
        IdentityModelEventSource.ShowPII = true;
    }

Once you have the full message, check that the key being used is correct for the token.

user1069816
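The following console program is an added example, not code from the question or the answer. It reproduces outside ASP.NET what the JwtBearer handler does with the question's TokenValidationParameters: it issues an HS256 token carrying an empId claim with one key, validates it with that key, then validates it with a different key to produce the IDX10503 rejection, first with PII hidden and then with the answer's ShowPII switch on. It assumes the System.IdentityModel.Tokens.Jwt NuGet package (which brings in Microsoft.IdentityModel.Tokens and Microsoft.IdentityModel.Logging); the two key strings and the claim value are constructed for the demo.

```csharp
// Added example: issue and validate an HS256 JWT with matching and mismatching keys.
// Assumes the System.IdentityModel.Tokens.Jwt package; keys and claim values are constructed.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

static class JwtKeyCheck
{
    // Constructed sample keys (hypothetical values). Microsoft.IdentityModel refuses
    // symmetric HMAC keys shorter than 128 bits, so both are kept well above 16 bytes.
    const string IssuerKey = "constructed-issuer-signing-key-demo";
    const string WrongKey  = "constructed-other-signing-key-demo";

    // Mirrors the TokenValidationParameters from the question's Startup.cs.
    static TokenValidationParameters ParametersFor(string key) => new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
        ClockSkew = TimeSpan.Zero
    };

    // Stands in for the token minted by the other part of the system: HS256 with an empId claim.
    static string IssueToken(string key)
    {
        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)), SecurityAlgorithms.HmacSha256);
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("empId", "4711") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = credentials
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Returns the empId claim when the signature verifies, otherwise the validation error text.
    static string TryReadEmpId(string token, string key)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler()
                .ValidateToken(token, ParametersFor(key), out _);
            // Same lookup as the controller, but null-safe: a missing claim is a message, not a crash.
            return principal.FindFirst("empId")?.Value ?? "(no empId claim)";
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        string token = IssueToken(IssuerKey);

        Console.WriteLine("correct key -> " + TryReadEmpId(token, IssuerKey));
        Console.WriteLine("wrong key   -> " + TryReadEmpId(token, WrongKey));

        // The answer's switch. Keep it to Development: the unmasked message
        // includes the key identifiers tried and the token itself.
        IdentityModelEventSource.ShowPII = true;
        Console.WriteLine("wrong key, PII shown -> " + TryReadEmpId(token, WrongKey));
    }
}
```

The second line of output is the same IDX10503 text the question quotes, with the key and token replaced by '[PII is hidden]'; the third line shows the unmasked version, which is where a key mismatch between the issuing service and the microservice becomes visible. Two things worth checking once the details are readable: that the bytes passed to SymmetricSecurityKey are the same bytes the issuer signed with (same string, same encoding, not base64 on one side and raw text on the other), and that the key meets the 128-bit minimum, since a too-short key is itself reported as a caught exception inside the IDX10503 message.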