Error validating identity token #75

Closed
dlmsoftdev opened this issue Jul 4, 2018 · 9 comments

Comments

@dlmsoftdev

First of all, I'm a newbie in security and so in OpenID Connect.
I used your library to manage authentication for one of my applications and encountered an error when I call the LoginAsync method.

Source code

var options = new OidcClientOptions()
{
    Authority = AuthenticationInfo.GardianWebSsoBaseUrl(),
    ClientId = AuthenticationInfo.ClientId,
    ClientSecret = AuthenticationInfo.ClientSecret,
    Scope = AuthenticationInfo.Scope,
    RedirectUri = AuthenticationInfo.RedirectUri,
    ResponseMode = OidcClientOptions.AuthorizeResponseMode.Redirect,
    Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode,
    Browser = new WpfEmbeddedBrowser(),
    LoadProfile = false,
    // Discovery is not available, so the provider metadata is supplied by hand.
    ProviderInformation = new ProviderInformation
    {
        IssuerName = AuthenticationInfo.GetIssuerUrl(),
        AuthorizeEndpoint = AuthenticationInfo.GetAuthorizationUrl(),
        TokenEndpoint = AuthenticationInfo.GetAccessTokenUrl(),
        KeySet = GetKeySet()
        /*UserInfoEndpoint = AuthenticationInfo.GetUserInfoUrl(),*/
        /*EndSessionEndpoint = AuthenticationInfo.GetEndSessionUrl(),*/
    }
};

var serilog = new LoggerConfiguration()
    .MinimumLevel.Verbose()
    .Enrich.FromLogContext()
    .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message}{NewLine}{Exception}{NewLine}")
    .CreateLogger();

options.LoggerFactory.AddSerilog(serilog);

OidcClient oidcClient = new OidcClient(options);
var result = await oidcClient.LoginAsync(new LoginRequest());

Log of the error

[13:37:08 Debug] IdentityModel.OidcClient.IdentityTokenValidator
Added signing key with kid: "?????????????????????????????"

[13:37:08 Error] IdentityModel.OidcClient.OidcClient
Error validating token response: Error validating identity token: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]', 
token: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
   à System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   à System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   à IdentityModel.OidcClient.IdentityTokenValidator.ValidateSignature(String identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters)
   à IdentityModel.OidcClient.IdentityTokenValidator.<ValidateAsync>d__4.MoveNext()

Note: I have never been able to retrieve discovery information from the authority, so I had to fill in the ProviderInformation manually (even the keyset, which I retrieve by calling the "certificate url" (.../jwk_uri?realm=sesame)).

Can you provide me with some help?
Thanks in advance.

@leastprivilege
Contributor

Try setting

IdentityModelEventSource.ShowPII = true

@dlmsoftdev
Author

Sorry, I did it but didn't find anything relevant. I attached the log with the flag set to true.
Note: I replaced "url" and "aud" with ??????

[09:02:57 Error] IdentityModel.OidcClient.OidcClient
Error validating token response: Error validating identity token: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: '6g3X80imLE+Xet1NAeus9AnDSLg=', 
token: '{"alg":"RS256","typ":"JWT","cty":"JWT","kid":"6g3X80imLE+Xet1NAeus9AnDSLg="}.{"tokenName":"id_token","azp":"???????","sub":"i87100","scope":{"sub":"i87100","updated_at":"0"},"at_hash":"XyMmp5P5KKjMJ9omh7n_0Q","iss":"https://??????:443/?????/oauth2/sesame","iat":1530774176,"auth_time":1530774176,"exp":1530810176,"tokenType":"JWTToken","nonce":"923b5260f9ab7a8a313858b0f0398cf3","realm":"/sesame","aud":["???????"],"amr":["sesame"],"c_hash":"IB4VSCM5IWksi3FJ8BzY2w","ops":"e63632ec-70ac-4804-8acc-c48a7260f520"}'.
   à System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   à System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   à IdentityModel.OidcClient.IdentityTokenValidator.ValidateSignature(String identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters)
   à IdentityModel.OidcClient.IdentityTokenValidator.<ValidateAsync>d__4.MoveNext()

@leastprivilege
Contributor

Well - it says it can't find the key referenced in the JWT.
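
The check that fails here is the key lookup that runs before any signature is verified: the `kid` in the token header has to name one of the keys in the configured keyset, and (as noted later in the thread) the key must also be one the client can use for the header's `alg`. The following is an added diagnostic, not code from this thread or from IdentityModel.OidcClient; the two kids are the ones quoted in the thread, while the token payload, issuer and JWK fields are constructed placeholders.

```python
import base64
import json

# Constructed sample keyset (not a real deployment's JWKS): it only offers the kid
# the thread later identifies as "sent", so lookup for the token below must fail.
KEYSET = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "D+7z/W9NCOIoe61tLNwK6jpV7do=",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with an empty signature segment, for test input only."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."

def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0]))

def diagnose_kid(token: str, keyset: dict) -> dict:
    """Report why key lookup would fail: the kid the token names, the kids the
    keyset offers, and whether the header alg is an RSA family algorithm."""
    header = jwt_header(token)
    wanted = header.get("kid")
    available = [k.get("kid") for k in keyset.get("keys", [])]
    alg = header.get("alg", "")
    return {
        "token_kid": wanted,
        "keyset_kids": available,
        "kid_found": wanted in available,
        "rsa_alg": alg.startswith("RS") or alg.startswith("PS"),
    }

# Constructed token: header kid is the "expected" kid from the thread's log,
# the claims are a minimal made-up payload with a placeholder issuer.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "6g3X80imLE+Xet1NAeus9AnDSLg="},
    {"sub": "i87100", "iss": "https://issuer.example/oauth2/sesame"},
)
```

Running `diagnose_kid(SAMPLE_TOKEN, KEYSET)` shows `kid_found` as `False` with both kids listed side by side, which is the comparison the PII-hidden log line was obscuring.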

@dlmsoftdev
Author

dlmsoftdev commented Jul 5, 2018

Yes, I saw, but in the log the token contains the right key, no? Or does the log contain the expected key and not the sent key?

token: '{"alg":"RS256","typ":"JWT","cty":"JWT","kid":"6g3X80imLE+Xet1NAeus9AnDSLg="}

To be sure I understand: this error message is there to check that the ID Token has been provided by the right "OpenID Provider", right?
And for this, you compare the ID Token kid field to the kid field of the certificate (keyset parameter of OidcClientOptions)?
So if I compare these 2 fields, they must be different, am I right?

@dlmsoftdev
Author

Sorry, I finally understood by reading the log.

  • sent : "D+7z/W9NCOIoe61tLNwK6jpV7do="
  • expected : "6g3X80imLE+Xet1NAeus9AnDSLg="
    => I will try to understand why the kid is not the expected one.
    Thanks

@leastprivilege
Contributor

any update?

@bearkat2173

Turns out this is the same message that will be reported when the issuer signs the token with an algorithm other than RSA. Apparently ECDSA will be available soon:
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#487

@Ionesta

Ionesta commented Aug 14, 2018

@dlmsoftdev I would be very happy to find out what the problem was. I have a similar one and I can't figure out what the problem is.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 21, 2021