SecurityTokenMalformedException after updating to .NET 8 #52286
Comments
|
Looks like a duplicate of #52099. |
|
Based on #52099 I went to Security token events return a JsonWebToken and added @martincostello Any ideas why the recommended option does not work? |
|
I'm afraid not - maybe it's a bug in IdentityModel. See #52099 (comment). |
|
@martincostello can you guide me to a sample code that shows me how to rewrite my entire security to match .NET 8? I mean, instead of me trying to make .NET 8 work for my old way, I want to upgrade to the new |
|
Sorry, I'm not aware of such a sample - someone from the ASP.NET Core team should be able to help you when they come online later today. |
Tratcher
added
area-auth
|
@Nefcanto would it be possible to obtain a sample token that is failing? |
|
@brentschmaltz we're using Keycloak, and we tested its token using jwt.io, and it was valid. I can create a test user and create a token to paste here. Actually I had pasted a token in the original post and it's in the edit history. Can you see it? |
|
@martincostello @Nefcanto #52099 is clearly an issue which needs to be address. |
|
@martincostello I was able to obtain the token from history. |
|
@martincostello i was able to create a new JsonWebToken using the jwt i found, so the jwt is indeed well-formed. |
|
@brentschmaltz thank you for helping. I think it's an internal thing related to the .NET itself. We don't have |
|
I'm running into the exact same error. |
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
|
I faced the same problem, and now I will describe my solution to the problem. If you try to validate the token using the standard means that the library implies, you will get an error. builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,,
};
});I decided this because the main method of token validation, which the library assumes, produces a similar error when trying to validate a valid JWT token. var jwtTokenString = "paste_your_correct_token_here";
var validationParams = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
};
var tokenHandler = new JwtSecurityTokenHandler();
await tokenHandler.ValidateTokenAsync(jwtTokenString, validationParams);
// Exception: IDX14100: JWT is not well formed, there are no dots (.)Based on what I was able to find on the Internet, the problem manifests itself on .NET Core 8.0, and it can be solved if you use an older version of The validator code that I wrote: public class BearerTokenHandler : TokenHandler
{
private readonly JwtSecurityTokenHandler _tokenHandler = new();
public override Task<TokenValidationResult> ValidateTokenAsync(string token, TokenValidationParameters validationParameters)
{
try
{
_tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
if (validatedToken is not JwtSecurityToken jwtSecurityToken)
return Task.FromResult(new TokenValidationResult() { IsValid = false });
return Task.FromResult(new TokenValidationResult
{
IsValid = true,
ClaimsIdentity = new ClaimsIdentity(jwtSecurityToken.Claims, JwtBearerDefaults.AuthenticationScheme),
// If you do not add SecurityToken to the result, then our validator will fire, return a positive result,
// but the authentication, in general, will fail.
SecurityToken = jwtSecurityToken,
});
}
catch (Exception e)
{
return Task.FromResult(new TokenValidationResult
{
IsValid = false,
Exception = e,
});
}
}
}In the end, you only need to connect your own validator. builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
};
options.TokenHandlers.Add(new BearerTokenHandler()); // <---
});Thus, we bypassed the error and did not use the deprecated Write your thoughts on this, and excuse my English (I used a translator). |
|
Just to add a couple of thoughts here, as I'm battling with JWT authentication since upgrading to 8.x this week. There doesn't seem to be any complete end to end official examples of how to implement JWT using the newer The breaking changes from 7.x -> 8.x were documented, with workarounds (that did not work) and did not contain enough information for users to create an updated end to end solution. Coupled with the difficulty in debugging the built in solution and the end result is a large number of developers creating workarounds and custom implementations for a complex security protocol, which is supposed to be standardised to stop buggy "roll your owns". I'll be reverting to 7.x after creating my own 8.x implementation, only to find it can't validate a perfectly valid token (as confirmed by jwt.io). Dead ends everywhere SMH. |
|
I should provide an example for repro; |
|
also getting the inner exception is more accurate on this - in my case, the issue being the several fields (such as |
|
I was able to solve this by updating this code to and here is all dependencies package relate to jwt |
|
I was able to solve this along @migajek lines:
I was setting the issued at (iat) claim using |
I am struggling with this issue. I checked in nuget and I have 8.0.2. So I am guessing this is not fixed yet? In my case, my PWA WASM blazor app talks fine with jwt to my server API. The problem is I have javascript code too in the PWA, but when I post the exact same jwt string in that, i get an auth error. Have quadruple checked and all looks good. If I remove the [Authorize] from my controller, the javascript works fine. I have tried with and without "Bearer " in front of token, still doesn't work. So I am guessing there is something wrong in the format of the header, maybe it changed, but since I have .NET 8 on pwa and the server API, they cancel each other out by both writing and understanding bad header syntax, but the header on the javascript doesn't work because it's correct. |
|
Just to update, I finally figured out my issue. It seemed that when I retrieve the token string from localstorage in javascript, it comes out with a double quote at start and finish. It seems the PWA retrieving from local storage doesn't get that. So I simply added code in my javascript to remove double quotes from the string: Hopefully this might help someone else. |
|
Thanks everyone for all your input. It looks like too many though related things have been discussed here, and it's not clear at this point what is pending to be done and if there is any pending issue remaining here. |
mkArtakMSFT
added
the
Needs: Author Feedback
|
I seem to be running into this as well. I have a server that is running OpenIdDict and I have multiple applications all running .net 6.0 authenticating against it without any issues. I upgraded one of them to .net 8.0 and am now getting the following errors. |
I am seeing that sub is an array in my case as it looks like it was supplied twice. This didn't cause any issue previously but now seems to throw the exception |
|
Not sure if it's the exact same issue, but I was able to resolve this by adding the I originally only had |
|
same issue happened to me |
dotnet-policy-service
bot
added
Status: No Recent Activity
and removed
Status: No Recent Activity
labels
|
Certainly! When upgrading from .NET 6 to .NET 8, I encountered an issue related to setting the "issued at" (iat) claim. Initially, I was using
|
|
This is a really nasty issue. Our tokens (which validated fine in jwt.io) were failing to validate for seemingly no reason after upgrading from dotnet 7 to dotnet 8. Even with {
"Logging": {
"LogLevel": {
"Microsoft.AspNetCore.Authentication": "Information",
}
}
}We were able to see the following incredibly misleading message: This was despite the fact that our tokens definitely had dots. I even double-checked to make sure it wasn't some weird unicode character that just looked like a dot. Searching the internet for Stackoverflow suggested setting builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(opts =>
{
opts.UseSecurityTokenValidators = true;
});However, the docs suggest this isn't as performant as the default of @natelowry 's solution of installing I think some sort of check needs to be added on startup to make sure that the appropriate package is installed when |
Thanks, it's work in my project |
@dzerenus This works fine, having a custom validator solves the problem. Thanks for sharing. It is important to point out though that the SecurityToken should be the validatedToken. That is |
and others
Is there an existing issue for this?
Describe the bug
I know #52191 is about the same error. But in my case, my JWT is created via Keycloak and I can verify it at https://jwt.io/.
This is the error I get after upgrading to .NET 8 and upgrading my package reference to
8.0.0:Expected Behavior
No response
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: