OpenId connect fails with SecurityTokenInvalidSignatureException on latest coreclr

[Praburaj]

[12:16:17][xunit-test]         <h1>An unhandled exception occurred while processing the request.</h1>
[12:16:17][xunit-test]                 <div class="titleerror">SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: &#x27;System.IdentityModel.Tokens.X509SecurityKey - (thumbprint) : 92B88C3DD981BF1EBCB244FCFA63C007706C79E0<br />
[12:16:17][xunit-test] System.IdentityModel.Tokens.RsaSecurityKey<br />
[12:16:17][xunit-test] System.IdentityModel.Tokens.X509SecurityKey - (thumbprint) : 3270BF5597004DF339A4E62224731B6BD82810A6<br />
[12:16:17][xunit-test] System.IdentityModel.Tokens.RsaSecurityKey<br />
[12:16:17][xunit-test] &#x27;.<br />
[12:16:17][xunit-test] Exceptions caught:<br />
[12:16:17][xunit-test]  &#x27;System.ArgumentNullException: Value cannot be null.<br />
[12:16:17][xunit-test] Parameter name: SafeHandle cannot be null.<br />
[12:16:17][xunit-test]    at System.StubHelpers.StubHelpers.SafeHandleAddRef(SafeHandle pHandle, Boolean&amp; success)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.Interop.CryptCreateHash(SafeProvHandle hProv, Int32 algId, SafeKeyHandle hKey, CryptCreateHashFlags dwFlags, SafeHashHandle&amp; phHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.CreateHashHandle(SafeProvHandle hProv, Byte[] hash, Int32 calgHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.VerifySign(SafeProvHandle hProv, SafeKeyHandle hKey, Int32 calgKey, Int32 calgHash, Byte[] hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[] buffer, Object halg, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.RSACryptoServiceProviderProxy.VerifyData(Byte[] signingInput, Object hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.AsymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)<br />
[12:16:17][xunit-test] System.ArgumentNullException: Value cannot be null.<br />
[12:16:17][xunit-test] Parameter name: SafeHandle cannot be null.<br />
[12:16:17][xunit-test]    at System.StubHelpers.StubHelpers.SafeHandleAddRef(SafeHandle pHandle, Boolean&amp; success)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.Interop.CryptCreateHash(SafeProvHandle hProv, Int32 algId, SafeKeyHandle hKey, CryptCreateHashFlags dwFlags, SafeHashHandle&amp; phHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.CreateHashHandle(SafeProvHandle hProv, Byte[] hash, Int32 calgHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.VerifySign(SafeProvHandle hProv, SafeKeyHandle hKey, Int32 calgKey, Int32 calgHash, Byte[] hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[] buffer, Object halg, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.AsymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)<br />
[12:16:17][xunit-test] System.ArgumentNullException: Value cannot be null.<br />
[12:16:17][xunit-test] Parameter name: SafeHandle cannot be null.<br />
[12:16:17][xunit-test]    at System.StubHelpers.StubHelpers.SafeHandleAddRef(SafeHandle pHandle, Boolean&amp; success)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.Interop.CryptCreateHash(SafeProvHandle hProv, Int32 algId, SafeKeyHandle hKey, CryptCreateHashFlags dwFlags, SafeHashHandle&amp; phHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.CreateHashHandle(SafeProvHandle hProv, Byte[] hash, Int32 calgHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.VerifySign(SafeProvHandle hProv, SafeKeyHandle hKey, Int32 calgKey, Int32 calgHash, Byte[] hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[] buffer, Object halg, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.RSACryptoServiceProviderProxy.VerifyData(Byte[] signingInput, Object hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.AsymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)<br />
[12:16:17][xunit-test] System.ArgumentNullException: Value cannot be null.<br />
[12:16:17][xunit-test] Parameter name: SafeHandle cannot be null.<br />
[12:16:17][xunit-test]    at System.StubHelpers.StubHelpers.SafeHandleAddRef(SafeHandle pHandle, Boolean&amp; success)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.Interop.CryptCreateHash(SafeProvHandle hProv, Int32 algId, SafeKeyHandle hKey, CryptCreateHashFlags dwFlags, SafeHashHandle&amp; phHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.CreateHashHandle(SafeProvHandle hProv, Byte[] hash, Int32 calgHash)<br />
[12:16:17][xunit-test]    at Internal.NativeCrypto.CapiHelper.VerifySign(SafeProvHandle hProv, SafeKeyHandle hKey, Int32 calgKey, Int32 calgHash, Byte[] hash, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[] buffer, Object halg, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.AsymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm)<br />
[12:16:17][xunit-test]    at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)<br />
[12:16:17][xunit-test] &#x27;.<br />
[12:16:17][xunit-test] token: &#x27;{&quot;typ&quot;:&quot;JWT&quot;,&quot;alg&quot;:&quot;RS256&quot;,&quot;x5t&quot;:&quot;kriMPdmBvx68skT8-mPAB3BseeA&quot;}.{&quot;aud&quot;:&quot;c99497aa-3ee2-4707-b8a8-c33f51323fef&quot;,&quot;iss&quot;:&quot;https://sts.windows.net/4afbc689-805b-48cf-a24c-d4aa3248a248/&quot;,&quot;iat&quot;:1422395763,&quot;nbf&quot;:1422395763,&quot;exp&quot;:1422399663,&quot;ver&quot;:&quot;1.0&quot;,&quot;tid&quot;:&quot;4afbc689-805b-48cf-a24c-d4aa3248a248&quot;,&quot;amr&quot;:[&quot;pwd&quot;],&quot;oid&quot;:&quot;f876abeb-d6b5-44e4-9716-6266ac0181a8&quot;,&quot;upn&quot;:&quot;user3@testgmail.onmicrosoft.com&quot;,&quot;sub&quot;:&quot;PUdhclP5PgIjSU9P1S-HelDaSFSf-mXV1Y60-K2vWqw&quot;,&quot;given_name&quot;:&quot;User3&quot;,&quot;family_name&quot;:&quot;User3&quot;,&quot;name&quot;:&quot;User3&quot;,&quot;unique_name&quot;:&quot;user3@testgmail.onmicrosoft.com&quot;,&quot;nonce&quot;:&quot;635579928639517715.OTRjOTVkM2EtMDRmYS00ZDE3LThhZGUtZWZmZGM4ODkzZGZkMDRlNDhkN2MtOWIwMC00ZmVkLWI5MTItMTUwYmQ4MzdmOWI0&quot;,&quot;c_hash&quot;:&quot;FGt3wcQADe0PY1Qx7O1r6g&quot;,&quot;pwd_exp&quot;:&quot;6693280&quot;,&quot;pwd_url&quot;:&quot;https://portal.microsoftonline.com/ChangePassword.aspx&quot;}&#x27;</div>
[12:16:17][xunit-test]                     <p class="location">Microsoft.IdentityModel.Logging.LogHelper.LogError(String message, Type exceptionType, Boolean throwException)</p>

[Praburaj]

@Tratcher @tushargupta51 could you guys re-enable this scenario once the bug is fixed?

aspnet/MusicStore@cedfd88

[Praburaj]

@brentschmaltz

[Praburaj]

@suhasj

[brentschmaltz]

@Praburaj I was out yesterday. When did this start happening?

[brentschmaltz]

Has the CLR team been contacted? This worked fine before

[suhasj]

This started on April 21 with Microsoft.IdentityModel.Protocol.Extensions 2.0.0-beta4-03310920 I am not sure if that package is the reason but bought it up as an FYI

[kevinchalet]

Ding dong. Any progress regarding this issue?

[brentschmaltz]

Was on vacation, anyone know of a clean repro?

[kevinchalet]

It depends on what you mean by "clean repro" 😄
You should be able to reproduce this issue by trying to validate any JWT token.

(this samples crashes on CoreCLR if you don't use the UnsafeJwtSecurityTokenHandler class: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/vNext/samples/Mvc/Mvc.Server/Startup.cs#L205)

[brentschmaltz]

OH my, this is not good. Thanks.

[kevinchalet]

@brentschmaltz no news from the CLR team? 😢