ASP.NET Core - OIDC middleware - IDX10500: Signature validation failed

Last Friday I had some fun investigating the following problem:

We have a frontend Angular application(FrontEnd) with a corresponding backend API(Backend1). This backend API calls another backend(Backend2). All communication is secured through a combination of OIDC, oAuth and IdentityServer.

So what’s the problem; when the backend1 API calls the backend2 API the security handshake fails with the following error message:

"Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Here are the steps I took to find and fix the issue:

Backend2 API

I started by taking a look at the Backend2 API logs but this brought no new information:

2019-01-04 08:40:35.377 +01:00 [Information] Starting up

2019-01-04 08:40:36.416 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

Failed to validate the token "<removed>".

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{"alg":"RS256","typ":"JWT","kid":"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4"}.{"nbf":1546523279,"exp":1546609679,"iss":"https://identityserver","aud":["https://identityserver/resources","backend2api"],"client_id":"8fb9780a-eb1d-4ac1-ba43-dac70d08645d","jti":"07185c41f7b6f06523e85e32cab2a977","scope":["backend2api"]}'.

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)

   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()

2019-01-03 14:48:03.806 +01:00 [Information] "Bearer" was not authenticated. Failure message: "IDX10501: Signature validation failed. Unable to match 'kid': '8d9d5c2a95ebf3ee923f8f7c4cc2a5a4',

token: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"8d9d5c2a95ebf3ee923f8f7c4cc2a5a4\"}.{\"nbf\":1546523279,\"exp\":1546609679,\"iss\":\"https://identityserver\",\"aud\":[\"https://identityserver/resources\",\"backend2api\"],\"client_id\":\"8fb9780a-eb1d-4ac1-ba43-dac70d08645d\",\"jti\":\"07185c41f7b6f06523e85e32cab2a977\",\"scope\":[\"backend2api\"]}'."

IdentityServer

Then I had a look at the Identity Server logs.

2019-01-04 09:11:14.169 +01:00 [DBG] Start token request.

2019-01-04 09:11:14.169 +01:00 [DBG] Start client validation

2019-01-04 09:11:14.169 +01:00 [DBG] Start parsing Basic Authentication secret

2019-01-04 09:11:14.170 +01:00 [DBG] Parser found secret: BasicAuthenticationSecretParser

2019-01-04 09:11:14.170 +01:00 [DBG] Secret id found: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.181 +01:00 [DBG] client configuration validation for client 8fb9780a-eb1d-4ac1-ba43-dac70d08645d succeeded.

2019-01-04 09:11:14.181 +01:00 [DBG] Secret validator success: HashedSharedSecretValidator

2019-01-04 09:11:14.181 +01:00 [DBG] Client validation success

2019-01-04 09:11:14.181 +01:00 [DBG] Start token request validation

2019-01-04 09:11:14.181 +01:00 [DBG] Start client credentials token request validation

2019-01-04 09:11:14.199 +01:00 [DBG] 8fb9780a-eb1d-4ac1-ba43-dac70d08645d credentials token request validation success

2019-01-04 09:11:14.199 +01:00 [INF] Token request validation success

{

"ClientId": "8fb9780a-eb1d-4ac1-ba43-dac70d08645d",

"ClientName": "FrontendApp",

"GrantType": "client_credentials",

"Scopes": "backend2api",

"Raw": {

"grant_type": "client_credentials",

"scope": "backend2api"

}

}

2019-01-04 09:11:14.199 +01:00 [DBG] Getting claims for access token for client: 8fb9780a-eb1d-4ac1-ba43-dac70d08645d

2019-01-04 09:11:14.202 +01:00 [DBG] Token request success.

Here I noticed 2 things:

The frontend app correctly called the IdentityServer and received the necessary tokens
I couldn’t find a call from the backend2

It was the second item that lead me to the solution. What I would expect is that the backend2api calls IdentityServer to validate the token. However no call was done. So I opened up the backend API solution and had a look at the configuration.

I noticed that all IdentityServer related configuration was found in the AppSettings.development.json:

However inside the web.config the ASP.NET Development Environment wasn’t set correctly. This resulted in the fact that the settings were not loaded. As the backend2 api was not able to validate the token(due to missing configuration), it throwed the IDX10500: Signature validation failed error message.

A more specific error message would have been handy but we found the root cause. Pfew!

Cleaner switch expressions with pattern matching in C#

Ever find yourself mapping multiple string values to the same result? Being a C# developer for a long time, I sometimes forget that the C# has evolved so I still dare to chain case labels or reach for a dictionary. Of course with pattern matching this is no longer necessary. With pattern matching, you can express things inline, declaratively, and with zero repetition. A small example I was working on a small script that should invoke different actions depending on the environment. As our developers were using different variations for the same environment e.g. "tst" alongside "test" , "prd" alongside "prod" . We asked to streamline this a long time ago, but as these things happen, we still see variations in the wild. This brought me to the following code that is a perfect example for pattern matching: The or keyword here is a logical pattern combinator , not a boolean operator. It matches if either of the specified pattern...

The art of simplicity

Search This Blog