SecurityTokenMalformedException after updating to .NET 8

[Nefcanto]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I know #52191 is about the same error. But in my case, my JWT is created via Keycloak and I can verify it at https://jwt.io/.

This is the error I get after upgrading to .NET 8 and upgrading my package reference to 8.0.0:

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
      Failed to validate the token.
      Microsoft.IdentityModel.Tokens.SecurityTokenMalformedException: IDX14100: JWT is not well formed, there are no dots (.).
      The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.
       ---> System.ArgumentException: IDX14102: Unable to decode the header '[Security Artifact of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' as Base64Url encoded string.
       ---> System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter 'IDX10820: Invalid character found in Base64UrlEncoding. Character: '32', Encoding: 'Bearer eyJhbGciOiJSUzI1NiI8OeCv-m8PNIUHSFy39iLfOw3vkcA'.')

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[martincostello]

Looks like a duplicate of #52099.

[Nefcanto]

Based on #52099 I went to Security token events return a JsonWebToken and added options.UseSecurityTokenValidators = true; to my code. But it had no effect. This is my code:

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(jwtOptions =>
        {
            jwtOptions.UseSecurityTokenValidators = true;
            jwtOptions.Authority = @$"{ApiConfig.GetSetting("KeycloakUrl").Trim('/')}/realms/{ApiConfig.GetSetting("Realm")}";
            jwtOptions.Audience = "account";
            jwtOptions.Events = new JwtBearerEvents()
            {
                OnAuthenticationFailed = c =>
                {
                    c.NoResult();

                    Logger.LogException(c.Exception);

                    c.Response.StatusCode = 500;
                    c.Response.ContentType = "text/plain";
                    if (ApiConfig.IsDeveloping)
                    {
                        return c.Response.WriteAsync(c.Exception.ToString());
                    }
                    return c.Response.WriteAsync("An error occured processing your authentication.");
                },
                OnTokenValidated = c =>
                {
                    if (c.Principal.IsInRole("SuperAdmin"))
                    {
                        c.HttpContext.Items["IsSuperAdmin"] = true;
                    }
                    return System.Threading.Tasks.Task.CompletedTask;
                }
            };
        });

@martincostello Any ideas why the recommended option does not work?

[martincostello]

I'm afraid not - maybe it's a bug in IdentityModel. See #52099 (comment).

[Nefcanto]

@martincostello can you guide me to a sample code that shows me how to rewrite my entire security to match .NET 8? I mean, instead of me trying to make .NET 8 work for my old way, I want to upgrade to the new JsonWebToken. But I can't find a page on the docs with a sample on what should I change.

[martincostello]

Sorry, I'm not aware of such a sample - someone from the ASP.NET Core team should be able to help you when they come online later today.

[davidfowl]

cc @brentschmaltz

[brentschmaltz]

@Nefcanto would it be possible to obtain a sample token that is failing?
What IdentityProvider is creating the token?
Normally tokens contain sensitive information, can a token be crafted without sensitive information?

[Nefcanto]

@brentschmaltz we're using Keycloak, and we tested its token using jwt.io, and it was valid. I can create a test user and create a token to paste here. Actually I had pasted a token in the original post and it's in the edit history. Can you see it?

[brentschmaltz]

@martincostello @Nefcanto #52099 is clearly an issue which needs to be address.

[brentschmaltz]

@martincostello I was able to obtain the token from history.

[brentschmaltz]

@martincostello i was able to create a new JsonWebToken using the jwt i found, so the jwt is indeed well-formed.
The error message ids (IDX10820, IDX14102) indicate an error in parsing the jwt header.
The error message contains: 'Bearer eyJhbGciOiJSUzI1NiI8OeCv-m8PNIUHSFy39iLfOw3vkcA', which seems to indicate the token passed to IdentityModel has the prefix 'Bearer '.

[Nefcanto]

@brentschmaltz thank you for helping. I think it's an internal thing related to the .NET itself. We don't have Bearer hardcoded anywhere in our code.