OpenIddict Decryption of key failure

Question

As the title says, getting an:

"IDX10609: Decryption failed. No Keys tried: token: 'System.String'."

Error when trying to authenticate. Using Openiddict for the auth server. I'm sure I've got something configured wrong within it or the api server but I can't figure out what. I've been trying different combinations and just stuck at the moment. this is auth server config:

   public void ConfigureServices(IServiceCollection services) {
            services.AddDbContext<TrustContext>(options =>
            {
                options.UseSqlServer(Configuration.GetConnectionString("Trust"), b => b.MigrationsAssembly("Application.Trust"));
                options.UseOpenIddict();
            });

            services.AddDefaultIdentity<AspNetUsers>()
                .AddEntityFrameworkStores<TrustContext>()
                .AddDefaultTokenProviders();
            services.Configure<IdentityOptions>(options =>
            {
                options.ClaimsIdentity.UserNameClaimType = Claims.Name;
                options.ClaimsIdentity.UserIdClaimType = Claims.Subject;
                options.ClaimsIdentity.RoleClaimType = Claims.Role;
            });

            services.AddOpenIddict()

                // Register the OpenIddict core components.
                .AddCore(options =>
                {
                    options.UseEntityFrameworkCore()
                           .UseDbContext<TrustContext>();
                   
                })
                .AddServer(options =>
                {
                    options.IgnoreEndpointPermissions()
                            .IgnoreGrantTypePermissions()
                            .IgnoreScopePermissions();
                    // Enable the authorization, logout, token and userinfo endpoints.
                    options.SetAuthorizationEndpointUris("/connect/authorize")
                           .SetLogoutEndpointUris("/connect/logout")
                           .SetTokenEndpointUris("/connect/token")
                           .SetUserinfoEndpointUris("/connect/userinfo");
                    options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles, Scopes.OpenId);
                    options.AllowAuthorizationCodeFlow()
                            .AllowPasswordFlow()
                            .AllowImplicitFlow()
                            .AllowHybridFlow()
                          .AllowRefreshTokenFlow();
                    options.AddDevelopmentEncryptionCertificate()
                           .AddDevelopmentSigningCertificate();
                    options.AcceptAnonymousClients();

                    options.UseAspNetCore()
                           .EnableAuthorizationEndpointPassthrough()
                           .EnableLogoutEndpointPassthrough()
                           .EnableTokenEndpointPassthrough()
                           .EnableUserinfoEndpointPassthrough()
                           .EnableStatusCodePagesIntegration();
                    
                })

                .AddValidation(options =>
                {
                    options.UseLocalServer();

                    options.UseAspNetCore();
                });

API server config:

  IConfigurationManager<OpenIdConnectConfiguration> configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://localhost:44395/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
            OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;

            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.IncludeErrorDetails = true;
                    options.TokenValidationParameters.ValidateIssuer = true;
                    options.TokenValidationParameters.ValidateAudience = false;
                    options.TokenValidationParameters.ValidateIssuerSigningKey = false;
                    options.TokenValidationParameters.ValidIssuer = "https://localhost:44395";
                    options.TokenValidationParameters.ValidAudiences = new[] { "resource_server_1" };
                    options.TokenValidationParameters.IssuerSigningKeys = openIdConfig.SigningKeys;
                    options.Events = new JwtBearerEvents()
                    {
                        OnAuthenticationFailed = c =>
                        {
                            c.NoResult();

                            c.Response.StatusCode = 500;
                            c.Response.ContentType = "text/plain";


                            return c.Response.WriteAsync("An error occured processing your authentication. " + c.Exception.Message);
                        }
                    };
                });

I've had it working with keycloak being the auth server but when I swapped over to OpenIddict I end up with the above error. I think possibly I'm missing a signing key or maybe something is wrong in my config/client configuration?

Answer 1

In OpenIddict 3.0, access tokens are encrypted by default. To fix the error you're seeing, you can either:

• Register the encryption key in the JWT handler options (options.TokenValidationParameters.TokenDecryptionKey).

• Disable access token encryption:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.DisableAccessTokenEncryption();
    });

Note: in 3.0, the recommended option is to use the OpenIddict validation handler instead of the JWT handler developed by Microsoft.