Invalid algorithm specified #1903
Okay, so this is strange.. when I created a console app, it works..
So I was barking up the wrong tree with the logging. I know that the problem starts when JwtSecurityTokenHandler.WriteToken(jwt) is called.
More logging indicates that it is at the JwtSecurityTokenHandler.WriteToken. However, when I compare the jwt being passed in, the only difference between the two outputs is the nonce and the iat. IdSvr is running on the same server as my test console application, and they're referencing the same cert. I don't really understand how it can work in one and not the other. Perhaps the token.jwt package is different.
The only difference was the json.net version; I made them the same version and the console app still gets me a result and idsvr still bombs out.
Sorry - no idea what's going on. Keep us posted.
The only difference I can tell between the owin self hosted identity server and the console app is that one uses Unfortunately, that's not what's causing an issue. I forced each of the apps to use one and then the other, and the same results happen. IdentityServer crashes, and the console app keeps chugging along.
Looking at the stacktrace, for anyone interested:
I was able to get the source for everything up to
A bit more debugging shows that the problem is only happening in idsvr. I created a new self hosted owin project, stuck the same code as the console app in it, and it also completes without a hitch.
I stuck the same piece of code before idsvr gets started and it still works; going to start moving it around to see if I can find when it starts breaking.
Okay, so if I stick my test code before
soooooooooo..
Opened a ticket with kentor: Sustainsys/Saml2#303
Okay, I feel like an idiot now.. but in case anyone else runs into this problem... I had added the GlobalEnableSha256XmlSignatures because my app would blow up every time I connected to the dev IdP, and it turns out I needed to enable the option. HOWEVER, the production server has no such issues, so enabling it only caused me two days of grief. If you're getting this error and you have GlobalEnableSha256XmlSignatures turned on, just rip that line of code out and everything will be hunky dory.
Okay, so never mind.. I was able to get it to work because the signon cookie was still there. A new session blew up in my face when trying to verify the xml sig. I think I found a workaround while troubleshooting this that can go on the kentor side.
I don't know why the cert doesn't work, but after I created a new cert and specified
@tonyeung - I had a similar issue. I am working with Okta and I changed the Signature Algorithm on my app to use RSA_SHA1; I could then remove the call to
I tried the solution proposed by @tonyeung, but I then have the following exception: What I didn't do is to "generate a request with the certreq.exe". To be honest, I do not understand what I have to do here since I'm trying to make the whole thing work on my localhost with a self-signed certificate. Any help would be greatly appreciated.
Any update on this? I'm using the ComponentSpace SAML library. It's also adding signatures via CryptoConfig.AddAlgorithm and breaking IdentityServer.
I've now applied a workaround in Kentor.AuthServices to this (see Sustainsys/Saml2#303). It's basically the same black magic as the .NET Framework does when no SHA256 xml signature algorithm is registered.
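The provider upgrade the comment above alludes to, as an added example in C# (not Kentor.AuthServices' or IdentityServer's own code): probe whether the certificate's key container can sign SHA-256 at all, and if not, re-open the same container under the AES-capable CSP instead of requesting a new cert. It assumes .NET Framework on Windows, where X509Certificate2.PrivateKey is a CAPI-backed RSACryptoServiceProvider; the class and method names are made up for this example.

```csharp
// Added example (assumption: .NET Framework on Windows, CAPI-backed RSA key).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class Sha256CspCheck
{
    // PROV_RSA_AES (24) is the classic CSP type that can produce RSA-SHA256
    // signatures; a PROV_RSA_FULL (1) container fails with "Invalid algorithm specified".
    const int ProvRsaAes = 24;
    const string EnhancedRsaAesProvider = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Probe the container once so a misconfigured signing cert is caught at
    // startup rather than on the first token request.
    public static bool CanSignSha256(RSACryptoServiceProvider rsa)
    {
        try
        {
            rsa.SignData(Encoding.ASCII.GetBytes("probe"), "SHA256");
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Re-open the same key container under the AES-capable provider so the
    // existing certificate keeps working without requesting a new one.
    public static RSACryptoServiceProvider UpgradeToAesProvider(RSACryptoServiceProvider rsa)
    {
        var info = rsa.CspKeyContainerInfo;
        if (info.ProviderType == ProvRsaAes) return rsa;
        var parameters = new CspParameters(ProvRsaAes, EnhancedRsaAesProvider, info.KeyContainerName)
        {
            Flags = CspProviderFlags.UseExistingKey
        };
        if (info.MachineKeyStore) parameters.Flags |= CspProviderFlags.UseMachineKeyStore;
        return new RSACryptoServiceProvider(parameters);
    }

    // Resolve a SHA-256-capable key for a certificate loaded from the store.
    public static RSACryptoServiceProvider GetSha256SigningKey(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null) throw new InvalidOperationException("Private key is not a CAPI RSA key.");
        return CanSignSha256(rsa) ? rsa : UpgradeToAesProvider(rsa);
    }
}
```

Running CanSignSha256 against the cert at startup is the quickest way to tell a key-container problem (this thread) apart from a JWT-library problem.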
@AndersAbel Any idea when the workaround will get pushed to Nuget?
Within a week. I'm working on some more stuff that I want to have included in a release.
Kentor.AuthServices 0.19.0 is now released and contains this fix. For an explanation of the issue, please see https://coding.abel.nu/2016/06/why-enabling-sha256-support-for-xml-signatures-breaks-jwt-signing/
I'm getting this error when I move the IS to another IIS server, different from dev; I'm stuck with this issue.
@danielmeza Please open a new issue as this one is closed since mid last year.
When trying to get my JWT token signed, I get this error:
I'm guessing it has something to do with the cert I'm using. This is a cert we got from a trusted CA and not self signed. The cert algorithm is sha256RSA according to the cert properties.
Am I doing something wrong?
When I tried researching this it sounds like it might be the Crypto Service Provider on the Win2012 server we're using. If that's the case, is there any way to make this work other than requesting (and paying for) a new cert?
My code when assigning the cert to SigningCertificate on the options: