Unauthorized (Invalid Token) when authenticating with JWT Bearer Token after update to .NET 6

Question

After updating the package Microsoft.AspNetCore.Authentication.JwtBearer from version 3.1.14 to 6.0.1, requests with authentication fail with 401 Unauthorized "invalid token".

What needs to be changed with the new package version?

Downgrading the Nuget package Microsoft.IdentityModel.Tokens 6.18.0 -> 6.10.0 has helped me with Method not found Microsoft.IdentityModel.Tokens.InternalValidators.ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt — Alexander Farber, May 25 '22 at 19:32

Mo B. · Accepted Answer · 2022-01-20T13:18:16.980

80

This seems to be a bug. Adding an event handler (JwtBearerEvents), the failure could be identified as a MissingMethodException:

Method not found: 'Void Microsoft.IdentityModel.Tokens.InternalValidators.ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt(Microsoft.IdentityModel.Tokens.SecurityToken, System.Nullable`1<System.DateTime>, System.Nullable`1<System.DateTime>, System.String, Microsoft.IdentityModel.Tokens.TokenValidationParameters, System.Text.StringBuilder)'.

with stack trace

at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()",

Simply adding the current version of System.IdentityModel.Tokens.Jwt solved the problem.

Update: Please also note the comment by @Rubenisme below.

edited Jan 20 '22 at 13:18

answered Jan 04 '22 at 13:03

Mo B.

5,307
3
25
42

16

Thanks, your fix works, and was easy to search for, but you can also do something else. This issue is identified here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1792 and as ericbl states there, it can also be fixed by removing an explicit reference to Microsoft.IdentityModel.Tokens. I tested both fixes on my application. – Rubenisme Jan 13 '22 at 15:23
3

I confirm that removing the explicit reference works and imho it is the best solution. – Vočko Jan 20 '22 at 06:13
3

Both fixes work. However, if you're unable to remove explicit reference to Microsoft.IdentityModel.Tokens then adding explicit for System.IdentityModel.Tokens.Jwt will solve the issue. Guess those 2 override each other or something – Cubelaster Feb 10 '22 at 12:13
Which `JwtBearerEvents` event did you tap into to get the `MissingMethodException`? I'm getting a similar error, but your solution didn't fix it. I would like to get some more detail and this seems like the best approach. I tried the `OnAuthenticationFailed` method, but it never fires. – Matt Ruwe Sep 28 '22 at 18:34
1

@MattRuwe I can't remember which one exactly fired, but I just tapped into all possible events. – Mo B. Sep 28 '22 at 19:22
@MoB. I did try looking at all of the events, but didn't see anything worthwhile. FWIW, the `OnTokenValidated` event is firing, but I still get a 401 response. – Matt Ruwe Sep 28 '22 at 21:49
1

@MattRuwe If you run the code in debug and have a console output, set the log level to debug and you'll see the missing method exception in there too. I find that easier than wiring up event handlers. – Ryan O'Neill Sep 29 '22 at 10:36
I have installed System.IdentityModel.Tokens.Jwt to solve the same and error gone from my local machine but I'm still getting the same error on server how can I solve it I am using devops to release my code. – Himanshu Aggarwal Nov 23 '22 at 04:56

score 11 · Answer 2 · answered Mar 23 '22 at 10:13

11

Although I guess you found the right solution, but I thought my answer might be a help for some problems.

After spending a whole day investigating on the same problem and finding no solutions, I decided to upgrade these libraries to match same version: 6.16.0 (on Mar 23, 2022)

Microsoft.IdentityModel.JsonWebTokens
Microsoft.IdentityModel.Logging
Microsoft.IdentityModel.Protocols
Microsoft.IdentityModel.Protocols.OpenIdConnect
Microsoft.IdentityModel.Tokens

And the problem disappeared.

answered Mar 23 '22 at 10:13

Shojajou

195
6
15

2

It worked for me, i had to update all this references to the same version, thanks – thepanch Apr 29 '22 at 19:42
This worked for me too. For some strange reasons, the previously referred versions were not identical, and I had to force them as you suggested. – NinjaCross Dec 23 '22 at 11:27
Wow thanks, that saved my day! – uvbkq Jul 06 '23 at 16:44

shA.t · Answer 3 · 2023-05-20T06:50:47.970

4

I had a same problem in a project that I upgraded it from .NetCore 2.2 to .Net 6.0. I also update all packages and so on...

In my case I remove below reference from my project and it works fine!

<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.25.0" />

For more details read this from here (on GitHub).

edited May 20 '23 at 06:50

answered Nov 06 '22 at 15:38

shA.t

16,580
5
54
111

score 1 · Answer 4 · answered Mar 22 '23 at 01:32

For me the problem was slightly different but related so I'll add it here in case anyone gets here looking for a solution to Method not found: 'Microsoft.IdentityModel.Tokens.BaseConfiguration Microsoft.IdentityModel.Tokens.TokenValidationParameters.get_Configuration()

There seems to be a bug with Microsoft.Identity.Web 1.19.0. Downgrading to 1.18.0 fixed it for me.

Unauthorized (Invalid Token) when authenticating with JWT Bearer Token after update to .NET 6

4 Answers4

Linked