8

I am trying to validate a valid JWT using this code below but am getting a strange error

"IDX10501: Signature validation failed. Unable to match key: 
kid: 'System.String'.
Exceptions caught:
 'System.Text.StringBuilder'. 
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'."

Here is my validation method

 ClaimsPrincipal principal = null;
         var token = "JWT GOES HERE"
            try
            {
                string sec = "000uVmTXj5EzRjlnqruWF78JQZMT";                    
                var securityKey = new SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));

                var now = DateTime.UtcNow;
                SecurityToken securityToken;
               
                string tokenIssuer = "https://MyIssuer.com";             

                TokenValidationParameters validationParameters = new TokenValidationParameters()
                {                     
                    ValidIssuer = tokenIssuer,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,                        
                    IssuerSigningKey = securityKey
                };
                 JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
                principal = handler.ValidateToken(token, validationParameters, out securityToken); <---Errors here
}

Here is the value of my JWT. I am using the correct issuer

{
  "alg": "RS256",
  "kid": "dev",
  "x5t": "Sm7aAUSt4Fdv7X1b9jQDf8XwbvQ",
  "pi.atm": "xxe8"
}.{
  "scope": [],
  "client_id": "ClientABC",
  "iss": "https://MyIssuer.com",
  "jti": "1JLDz",
  "sub": "ClientABC",
  "exp": 1601609852
}.[Signature]

What am I missing here? Is the the SymmetricSecurityKey since this algorithm is RS256? Am I missing something in my TokenValidationParameter?

Update After futher investigation I am getting the error of.

IDX10501: Signature validation failed. Unable to match key: 
kid: 'dev'.
Exceptions caught:
 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: '', InternalId: 'TdfWgWjCVeM60F3C5TOogJuka1aR5FA_xchwhY9MHH4'.'
 is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
CodeMan03
  • 570
  • 3
  • 18
  • 43

3 Answers3

3

try to use SecurityAlgorithms.HmacSha256

Example when you issue the token:

Users user = _context.Users.FirstOrDefault(c => c.UserName == userName && c.Password == password); 
            if(user == null)
            {
                return Unauthorized();
            }

            Claim[] claims = new Claim[]
            {
                new Claim("Id", user.Id.ToString()),
                new Claim("Name", user.Name),
                new Claim("Email", user.Email),
            };

            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("000uVmTXj5EzRjlnqruWF78JQZMT"));

            var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);

            var token = new
                JwtSecurityToken(
                                "MyProject",
                                "MyClient",
                                claims,
                                expires: DateTime.Now.AddMinutes(30),
                                signingCredentials: signingCredentials);

            return Ok(new JwtSecurityTokenHandler().WriteToken(token));

If you are using .net core app, then in Startup.cs, in ConfigureServices method write this code to validate the token:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.RequireHttpsMetadata = false;
                    options.SaveToken = true;
                    options.TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidAudience = "MyClient",
                        ValidIssuer = "MyProject",
                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("000uVmTXj5EzRjlnqruWF78JQZMT"))
                    };
                });

Also don't forget to add the following lines to the Configure method in Startup.cs

app.UseAuthentication();
app.UseAuthorization();
amal50
  • 981
  • 2
  • 21
  • 35
0

The issue is that you are trying to use a symmetric key with an asymmetric algorithm. The RSA algorithm requires both a public and a private key.

Try using a symmetric algorithm instead, like HS256 (HMAC-SHA256).

Harris Mirza
  • 76
  • 1
  • 14
0

Having come here looking for answers myself, let me share another scenario which may crop up in a production setting. So we were having this same cryptic authentication error. In our case, the client application was using our development environment's Token service to generate their bearer token and then sending it to production.

I don't know why it didn't outright just deny instead of failing on "Unable to match Key kid", but using the production token service solved it for us. So be sure to verify that first, since it's a relatively quick and simple thing to do.

Captain Kenpachi
  • 6,960
  • 7
  • 47
  • 68