ASP.NET Core - OIDC middleware - IDX10500: Signature validation failed

Last Friday I had some fun investigating the following problem:

We have a frontend Angular application(FrontEnd) with a corresponding backend API(Backend1). This backend API calls another backend(Backend2). All communication is secured through a combination of OIDC, oAuth and IdentityServer.

So what’s the problem; when the backend1 API calls the backend2 API the security handshake fails with the following error message:

"Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Here are the steps I took to find and fix the issue:

Backend2 API

I started by taking a look at the Backend2 API logs but this brought no new information:

2019-01-04 08:40:35.377 +01:00 [Information] Starting up

2019-01-04 08:40:36.416 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Failed to validate the token "<removed>".

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{"alg":"RS256","typ":"JWT","kid":"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4"}.{"nbf":1546523279,"exp":1546609679,"iss":"https://identityserver","aud":["https://identityserver/resources","backend2api"],"client_id":"8fb9780a-eb1d-4ac1-ba43-dac70d08645d","jti":"07185c41f7b6f06523e85e32cab2a977","scope":["backend2api"]}'.

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()

2019-01-03 14:48:03.806 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4\"}.{\"nbf\":1546523279,\"exp\":1546609679,\"iss\":\"https://identityserver\",\"aud\":[\"https://identityserver/resources\",\"backend2api\"],\"client_id\":\"8fb9780a-eb1d-4ac1-ba43-dac70d08645d\",\"jti\":\"07185c41f7b6f06523e85e32cab2a977\",\"scope\":[\"backend2api\"]}'."

IdentityServer

Then I had a look at the Identity Server logs.

2019-01-04 09:11:14.169 +01:00 [DBG] Start token request.

2019-01-04 09:11:14.169 +01:00 [DBG] Start client validation

2019-01-04 09:11:14.169 +01:00 [DBG] Start parsing Basic Authentication secret

2019-01-04 09:11:14.170 +01:00 [DBG] Parser found secret: BasicAuthenticationSecretParser

2019-01-04 09:11:14.170 +01:00 [DBG] Secret id found: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.181 +01:00 [DBG] client configuration validation for client 8fb9780a-eb1d-4ac1-ba43-dac70d08645d succeeded.

2019-01-04 09:11:14.181 +01:00 [DBG] Secret validator success: HashedSharedSecretValidator

2019-01-04 09:11:14.181 +01:00 [DBG] Client validation success

2019-01-04 09:11:14.181 +01:00 [DBG] Start token request validation

2019-01-04 09:11:14.181 +01:00 [DBG] Start client credentials token request validation

2019-01-04 09:11:14.199 +01:00 [DBG] 8fb9780a-eb1d-4ac1-ba43-dac70d08645d credentials token request validation success

2019-01-04 09:11:14.199 +01:00 [INF] Token request validation success

{

"ClientId": "8fb9780a-eb1d-4ac1-ba43-dac70d08645d",

"ClientName": "FrontendApp",

"GrantType": "client_credentials",

"Scopes": "backend2api",

"Raw": {

"grant_type": "client_credentials",

"scope": "backend2api"

}

}

2019-01-04 09:11:14.199 +01:00 [DBG] Getting claims for access token for client: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.202 +01:00 [DBG] Token request success.

Here I noticed 2 things:

The frontend app correctly called the IdentityServer and received the necessary tokens
I couldn’t find a call from the backend2

It was the second item that lead me to the solution. What I would expect is that the backend2api calls IdentityServer to validate the token. However no call was done. So I opened up the backend API solution and had a look at the configuration.

I noticed that all IdentityServer related configuration was found in the AppSettings.development.json:

However inside the web.config the ASP.NET Development Environment wasn’t set correctly. This resulted in the fact that the settings were not loaded. As the backend2 api was not able to validate the token(due to missing configuration), it throwed the IDX10500: Signature validation failed error message.

A more specific error message would have been handy but we found the root cause. Pfew!

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emission of our (cloud) workloads, is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at Kube-Green . kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 Kg CO2eq per year( here the calculation). Reason enough to give it a try! Installing kube-green in your cluster The easiest way to install the operator in your cluster is through kubectl. We first need to install a cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue as it can take some time before the cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t...

The art of simplicity

Search This Blog