.NET 8 behaves differently for JwtBearerOptions in AddJwtBearer #52075
Comments
For those who fall into this problem: the good thing is that now you can remove the package "System.IdentityModel.Tokens.Jwt" forever. |
Hello Team, I have the same issue. After upgrading from .NET 7 to .NET 8, the following code does not work as expected:
Before, I could get roles like After upgrading, the roles are empty. I use the following code to debug:
With .NET 7 it's like: But with .NET 8 it's like: It seems Could you please check? Thanks in advance. |
We did make a breaking change announcement for the switch from We recommend updating your code to utilize the newer, more-optimized types. But if that's not possible, you can set If there's something that is no longer possible with the new types, please file an issue at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet. If you have suggestions for how to improve the breaking change announcement, you can suggest edits at https://github.com/dotnet/docs/blob/main/docs/core/compatibility/aspnet-core/8.0/securitytoken-events.md |
Hi @halter73, thanks for the hint; after adding But I would like to follow the new approach. Could you let me know, with the new approach, how to map a custom-named claim like in my case? Thanks in advance! |
I found the solution myself:
with
and the
UPDATE: Please see my comments below; my issue can also be fixed by |
This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes. See our Issue Management Policies for more information. |
Seems that |
Thanks @aodpi, after I add |
@jinweijie Another solution I found is to change from I think it's related to this breaking change. |
We are having the same problem with @igaobingbing, maybe you have figured out something regarding this? |
Same issue here. |
I'm adding this comment as it might help others... The problem in our case was that the |
I'm using the
Here is my configuration:

```csharp
builder.Services.AddAuthentication(
    options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(
    options =>
    {
        // define the authority for the OpenID connect calls
        options.Authority = "OidcAuthority url";
        // define the audience to which this service belongs.
        options.Audience = "audience";
        options.TokenValidationParameters.ValidIssuers = ["issuer1", "issuer2"];
    });
```

I could make it work with the suggested "downgrade":

```csharp
builder.Services.AddAuthentication(
    options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(
    options =>
    {
        // define the authority for the OpenID connect calls
        options.Authority = "OidcAuthority url";
        // define the audience to which this service belongs.
        options.Audience = "audience";
        options.UseSecurityTokenValidators = true;
        options.TokenValidationParameters.ValidIssuers = ["issuer1", "issuer2"];
        options.TokenValidationParameters.SignatureValidator = (token, _) => new JwtSecurityToken(token); // mock to bypass validation
    });
```

However, I would prefer to use the .NET 8 new way, but I have no clue how it can be configured to allow my 2 issuers. |
Hello everyone, I fixed the problem by adding |
Everything on this issue is leading to this comment, but I'm failing to see how it's related. In our case, we're not down-casting any properties to

```csharp
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["IdentitySettings:Domain"];
        options.Audience = builder.Configuration["IdentitySettings:Audience"];
        // Added to resolve HTTP 401
        options.TokenValidationParameters.SignatureValidator = (token, _) => new JsonWebToken(token);
    });
```

I'd love some clarity on this breaking change, because the fix of |
I have the same situation, my code is as follows:
The error Bearer error="invalid_token", error_description="The signature key was not found" was resolved by it, and I cannot find any explanation anywhere of why this is needed. |
With the latest IdentityModel packages, If that's not it, feel free to open a new issue with a link to a full repro project hosted on GitHub either here or at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/. |
Looks like this was it, but it's such an easy gotcha. We'd manually brought in System.IdentityModel.Tokens.Jwt 7.5.0 to resolve CVE-2024-21319, but Microsoft.AspNetCore.Authentication.JwtBearer 8.0.3 only brings in Microsoft.IdentityModel.Protocols.OpenIdConnect 7.1.2. Updating Microsoft.IdentityModel.Protocols.OpenIdConnect to 7.5.1 resolves the chain and removes the need for the SignatureValidator assignment. |
It just doesn't work for me in .NET 8. Invalid_token when I try to authenticate, but why? My jwt service:
{
}
program.cs: builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
Is there an existing issue for this?
Describe the bug
Upgrading an API project with authorization around JWT Bearer tokens from .NET 7 to .NET 8 has some behaviour changes and I can't find any information about it, so I'm guessing it's a bug.
It seems the `AddJwtBearer` and the `JwtBearerOptions` behave differently now and there is no way to bypass signature validation like before. More specifically, `ValidateIssuerSigningKey` set to `false` along with `TokenValidationParameters.SignatureValidator = (token, _) => new JwtSecurityToken(token); // mock to bypass validation` does not work and produces an Unauthorized 401 error with `invalid_signature`.
Example
Expected Behavior
The expected behavior is not to produce a 401 with an invalid signature error when `ValidateIssuerSigningKey` is explicitly configured to `false` and a `TokenValidationParameters.SignatureValidator = (token, _) => new JwtSecurityToken(token);` is provided, without checking the signature.
Steps To Reproduce
Add the Bearer authentication scheme and try to bypass signature validation.
Exceptions (if any)
No exceptions, just a 401 due to an invalid signature when it should be bypassing signature validation.
.NET Version
8.0.100
Anything else?
No response
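The following is an added example of the .NET 8 style `AddJwtBearer` configuration that the two-issuer comment and the claim-mapping question above ask about; it is not code from this thread or from the ASP.NET Core project. Instead of stubbing `SignatureValidator` as in the issue report, it leaves signature validation on, accepts two issuer strings, and maps the custom-named role and name claims through `RoleClaimType`/`NameClaimType`. The URLs, audience and claim names are assumed placeholders, and it assumes tokens from both issuers are signed with keys published by the configured authority's discovery document (otherwise set `IssuerSigningKeys` as well).

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder values (assumed, not from the thread). The authority must expose
        // OIDC discovery so the handler fetches the signing keys and checks signatures.
        options.Authority = "https://issuer1.example.com/";
        options.Audience = "audience";

        // .NET 8 default is JsonWebTokenHandler; UseSecurityTokenValidators stays false.
        // Keep claim types as in the token ("roles", "sub", ...) rather than the legacy WS-* URIs.
        options.MapInboundClaims = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // Both issuer strings are accepted; the handler appends the discovery issuer.
            ValidIssuers = ["https://issuer1.example.com/", "https://issuer2.example.com/"],
            ValidateAudience = true,
            // Signatures are verified with the discovered keys; this additionally validates the key itself.
            ValidateIssuerSigningKey = true,
            // Custom-named claims feed [Authorize(Roles = ...)] and User.Identity.Name.
            RoleClaimType = "roles",
            NameClaimType = "preferred_username",
        };

        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = ctx =>
            {
                // Breaking change: SecurityToken is now a JsonWebToken, not a
                // JwtSecurityToken, so read extra claims through the new type.
                if (ctx.SecurityToken is JsonWebToken jwt && !jwt.TryGetClaim("roles", out _))
                    ctx.Fail("token carries no roles claim");
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (HttpContext http) => http.User.Identity?.Name).RequireAuthorization();
app.Run();
```

Keep the Microsoft.IdentityModel.* packages on one version so that the handler and the token types come from the same IdentityModel release, as the package-mismatch comment above found.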