ASP.NET Core - OIDC middleware - IDX10500: Signature validation failed

Last Friday I had some fun investigating the following problem:

We have a frontend Angular application(FrontEnd) with a corresponding backend API(Backend1). This backend API calls another backend(Backend2). All communication is secured through a combination of OIDC, oAuth and IdentityServer.

So what’s the problem; when the backend1 API calls the backend2 API the security handshake fails with the following error message:

"Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Here are the steps I took to find and fix the issue:

Backend2 API

I started by taking a look at the Backend2 API logs but this brought no new information:

2019-01-04 08:40:35.377 +01:00 [Information] Starting up

2019-01-04 08:40:36.416 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Failed to validate the token "<removed>".

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{"alg":"RS256","typ":"JWT","kid":"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4"}.{"nbf":1546523279,"exp":1546609679,"iss":"https://identityserver","aud":["https://identityserver/resources","backend2api"],"client_id":"8fb9780a-eb1d-4ac1-ba43-dac70d08645d","jti":"07185c41f7b6f06523e85e32cab2a977","scope":["backend2api"]}'.

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()

2019-01-03 14:48:03.806 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4\"}.{\"nbf\":1546523279,\"exp\":1546609679,\"iss\":\"https://identityserver\",\"aud\":[\"https://identityserver/resources\",\"backend2api\"],\"client_id\":\"8fb9780a-eb1d-4ac1-ba43-dac70d08645d\",\"jti\":\"07185c41f7b6f06523e85e32cab2a977\",\"scope\":[\"backend2api\"]}'."

IdentityServer

Then I had a look at the Identity Server logs.

2019-01-04 09:11:14.169 +01:00 [DBG] Start token request.

2019-01-04 09:11:14.169 +01:00 [DBG] Start client validation

2019-01-04 09:11:14.169 +01:00 [DBG] Start parsing Basic Authentication secret

2019-01-04 09:11:14.170 +01:00 [DBG] Parser found secret: BasicAuthenticationSecretParser

2019-01-04 09:11:14.170 +01:00 [DBG] Secret id found: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.181 +01:00 [DBG] client configuration validation for client 8fb9780a-eb1d-4ac1-ba43-dac70d08645d succeeded.

2019-01-04 09:11:14.181 +01:00 [DBG] Secret validator success: HashedSharedSecretValidator

2019-01-04 09:11:14.181 +01:00 [DBG] Client validation success

2019-01-04 09:11:14.181 +01:00 [DBG] Start token request validation

2019-01-04 09:11:14.181 +01:00 [DBG] Start client credentials token request validation

2019-01-04 09:11:14.199 +01:00 [DBG] 8fb9780a-eb1d-4ac1-ba43-dac70d08645d credentials token request validation success

2019-01-04 09:11:14.199 +01:00 [INF] Token request validation success

{

"ClientId": "8fb9780a-eb1d-4ac1-ba43-dac70d08645d",

"ClientName": "FrontendApp",

"GrantType": "client_credentials",

"Scopes": "backend2api",

"Raw": {

"grant_type": "client_credentials",

"scope": "backend2api"

}

}

2019-01-04 09:11:14.199 +01:00 [DBG] Getting claims for access token for client: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.202 +01:00 [DBG] Token request success.

Here I noticed 2 things:

The frontend app correctly called the IdentityServer and received the necessary tokens
I couldn’t find a call from the backend2

It was the second item that lead me to the solution. What I would expect is that the backend2api calls IdentityServer to validate the token. However no call was done. So I opened up the backend API solution and had a look at the configuration.

I noticed that all IdentityServer related configuration was found in the AppSettings.development.json:

However inside the web.config the ASP.NET Development Environment wasn’t set correctly. This resulted in the fact that the settings were not loaded. As the backend2 api was not able to validate the token(due to missing configuration), it throwed the IDX10500: Signature validation failed error message.

A more specific error message would have been handy but we found the root cause. Pfew!

DevToys–A swiss army knife for developers

As a developer there are a lot of small tasks you need to do as part of your coding, debugging and testing activities. DevToys is an offline windows app that tries to help you with these tasks. Instead of using different websites you get a fully offline experience offering help for a large list of tasks. Many tools are available. Here is the current list: Converters JSON <> YAML Timestamp Number Base Cron Parser Encoders / Decoders HTML URL Base64 Text & Image GZip JWT Decoder Formatters JSON SQL XML Generators Hash (MD5, SHA1, SHA256, SHA512) UUID 1 and 4 Lorem Ipsum Checksum Text Escape / Unescape Inspector & Case Converter Regex Tester Text Comparer XML Validator Markdown Preview Graphic Color B

The art of simplicity

Search This Blog