This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Jwt - IDX10500: Signature validation failed. No security keys were provided to validate the signature. #1741

Closed
makcakaya opened this issue Apr 30, 2018 · 7 comments

@makcakaya

v 2.0.1

I am trying to get Controller.User set by using JWT authentication but I don't want to validate anything (because I do it in another app already).

I am getting the following exception:

    Failed to validate the token eyJhbGciOiJSU...
    Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

    // Inside ConfigureServices()
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateActor = false,
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = false,
                ValidateLifetime = false
            };
            options.Validate();
        });

    // Inside Configure()
    app.UseAuthentication();

What might be the problem? As I said I don't want any validation but the library throws a validation exception.

@Tratcher
Member

There are some validations that can't be turned off. @brentschmaltz

@makcakaya
Author

@Tratcher Thanks for the info. So I should write a middleware that populates Controller.User based on JWT but without validation, right? Does this sound like a good solution?

@Tratcher
Member

Is the other validation code guaranteed to run first?

@makcakaya
Author

makcakaya commented May 1, 2018

@Tratcher The other validation code is completely separate, it is in another application (AWS Gateway Authorizer), and yes it will run first.

@makcakaya
Author

makcakaya commented May 1, 2018

This middleware seems to do the job for me. I am sharing it here in case anyone else needs it.

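    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Net.Http.Headers;

    public sealed class JwtMiddleware
    {
        private static readonly string Bearer = "bearer";
        private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
        private readonly RequestDelegate _next;

        public JwtMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task Invoke(HttpContext context)
        {
            var token = context.Request.Headers[HeaderNames.Authorization].ToString();

            // Ordinal, case-insensitive match on the scheme prefix (no culture-dependent casing).
            if (!token.StartsWith(Bearer, StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException(string.Format("Expected {0} at the start of the token.", Bearer));
            }

            // ReadJwtToken only parses the token: signature, issuer, audience
            // and lifetime are not checked here.
            var jwt = _handler.ReadJwtToken(token.Substring(Bearer.Length).TrimStart());
            context.User = new ClaimsPrincipal(new ClaimsIdentity(jwt.Claims));

            await _next(context);
        }
    }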

Then in your Startup.cs:

    app.UseMiddleware<JwtMiddleware>();

Now, in your controller you can get the User as usual:

    // First(...) returns the Claim; .Value is the subject identifier itself.
    var userId = User.Claims.First(c => c.Type == JwtRegisteredClaimNames.Sub).Value;

@brentschmaltz
Contributor

brentschmaltz commented May 4, 2018

@Tratcher @makcakaya you can set the delegate TokenValidationParameters.SignatureValidator to just return a JwtSecurityToken.

So you want to delegate the validation to an off box service?
We should work on a way to make this natural. We currently have a way to validate the signature off box, but not the entire token. We will need async for that.
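
Added example, not part of the original thread and not the project's own code: the `SignatureValidator` delegate from the comment above, wired into the `AddJwtBearer` configuration from the issue. It assumes the ASP.NET Core 2.x JwtBearer packages the issue was filed against; leaving `ValidateLifetime` on is a choice made for this example, not something the thread prescribes.

```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Replaces the built-in signature check, so no signing keys
                    // are looked up and IDX10500 is not raised. The delegate only
                    // parses the token; it verifies nothing.
                    SignatureValidator = (token, parameters) => new JwtSecurityToken(token),

                    // Same switches as in the issue's configuration.
                    ValidateActor = false,
                    ValidateAudience = false,
                    ValidateIssuer = false,
                    ValidateIssuerSigningKey = false,

                    // Choice made for this example: the expiry check needs no key,
                    // so it stays on as a second check behind the gateway.
                    ValidateLifetime = true
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Populates HttpContext.User (and Controller.User) from the bearer token.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With this configuration the application accepts any well-formed, unexpired token, so it is only sound when every request reaches it through the component that already verified the signature, as the author describes for the AWS authorizer.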

@makcakaya
Author

@brentschmaltz Thanks for the info.

Just to make my case clear, the validation of JWT is done in another application (call it application A) (AWS Custom Authorization). Only if the validation succeeds does that application (A) pass/redirect the original request to my application (application B). So there is no request from B to A for authorization.

@muratg muratg added this to the Discussions milestone May 17, 2018
@muratg muratg closed this as completed May 17, 2018