0
votes

I am setting up OIDC for my application using FusionAuth (https://fusionauth.io). I am using Microsoft.AspNetCore.Authentication.OpenIdConnect in my .NET Core application. After doing the authentication in FusionAuth, it redirects me to /signin-oidc on my application (a GET request to the service provider). Am I missing any configuration on the FusionAuth side?

FusionAuth running at: http://localhost:9011

My app: http://localhost:5000

My app gets redirected to FusionAuth for login: http://localhost:9011/oauth2/authorize?client_id=75e33455-f1c5-4e29-8863-53ec28364839&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636903160481984640.YzMwZWI3ZTEtNzAxOS00MjFhLWIyNGMtYWY5ZGNkODlkY2VjYTNhYjdjMzEtYWMxYy00YThmLWJkYWItYmFiNWY2N2JjMDVk&state=CfDJ8NIq6JMx7khEv5e0kR0710VXenotl3FeHBvCCXUYDrzRVK6Kr7d36hcNMfABQ6pQYZuZQX71QtDFnVH7AczDgHW_8MDNMLFJfy5rF4xIJu2JTPVx3DH2fRp7FOo3ILoAfJfn4b-LnD7Q7zFBx8JO872BME5NXaS6NXiRlUiQQzcb44UNxS8Yn0yVgoQUJLV-iJXCuFlDwtN2z74c8aNhEYJbMiM9GyqiprpqI3p_WocjAyvSAxc7dddkHo7uxD-pBkrldI_v8Z-kVsTwCyBCfCBpKKOIFYvLBfpBcoVjqcSYHfI9GybutW9P4MxeWc2wtykOdBiqcF18ZCN-2yqLSWE&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

After login redirects to: http://localhost:5000/signin-oidc?code=vctVvqZo9zBMHrG9TkY5PZxjW1eqVgTCWnyHY55k3cg&state=CfDJ8NIq6JMx7khEv5e0kR0710VXenotl3FeHBvCCXUYDrzRVK6Kr7d36hcNMfABQ6pQYZuZQX71QtDFnVH7AczDgHW_8MDNMLFJfy5rF4xIJu2JTPVx3DH2fRp7FOo3ILoAfJfn4b-LnD7Q7zFBx8JO872BME5NXaS6NXiRlUiQQzcb44UNxS8Yn0yVgoQUJLV-iJXCuFlDwtN2z74c8aNhEYJbMiM9GyqiprpqI3p_WocjAyvSAxc7dddkHo7uxD-pBkrldI_v8Z-kVsTwCyBCfCBpKKOIFYvLBfpBcoVjqcSYHfI9GybutW9P4MxeWc2wtykOdBiqcF18ZCN-2yqLSWE&userState=Authenticated

I expect to be logged in to http://localhost:5000, but I get the following error instead.

SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

2
From a quick search it looks like you might be using the .NET JWT library or their OIDC integration. Can you update the question to help clarify what libraries you are using for the OIDC integration? (voidmain)

@BrianPontarelli thanks! Done with the edit. (ajinkya shidhore)

2 Answers

0
votes

It looks like this library requires a public key in order to validate that the JWT that FusionAuth returns from the token endpoint is valid. I'm not a DotNet expert, but from some searching around, the OpenIdConnectOptions object is where you configure everything for OIDC. There is a property called SecurityTokenValidator that you can add keys to and that might be the best place to start.

Another solution would be to tell the ASP.NET Core OIDC library to use the userinfo API instead of the JWT stored in the id_token. This will cause DotNet to call back to FusionAuth's userinfo API and then FusionAuth will handle all of the validation for you and respond with the OIDC claims from the JWT. The property GetClaimsFromUserInfoEndpoint on the OpenIdConnectOptions object looks like it enables this. I couldn't figure out how to tell DotNet the URL of the userinfo API though. Here's an example of that configuration:

// ASP.NET Core 1.x style Startup.Configure (UseOpenIdConnectAuthentication was
// removed in 2.0, where the same options are registered with
// services.AddAuthentication().AddOpenIdConnect(...) instead).
// Requires:
//   using Microsoft.AspNetCore.Builder;
//   using Microsoft.AspNetCore.Hosting;
//   using Microsoft.AspNetCore.Authentication.OpenIdConnect;
//   using Microsoft.IdentityModel.Protocols.OpenIdConnect;
// "Configuration" is the IConfiguration property of the Startup class.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseStaticFiles();

    app.UseIdentity();

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            ClientId = Configuration["ClientId"],
            ClientSecret = Configuration["ClientSecret"],
            Authority = Configuration["Authority"],           // e.g. http://localhost:9011
            ResponseType = OpenIdConnectResponseType.Code,    // authorization code flow
            GetClaimsFromUserInfoEndpoint = true              // fetch claims from the userinfo endpoint
        });

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

I got that code from this blog post:

https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/

You might need to do some additional searching and reading up on the DotNet OIDC integration to get this all working. There isn't a lot of information out there, but a few people have written blogs on this topic that might help.

0
votes

Finally got the solution:

// Inside Startup.ConfigureServices; requires using System.Text;
services.AddOpenIdConnect(options => {
    ...
    // The HMAC secret FusionAuth signs the id_token with, so the middleware can verify the signature.
    options.TokenValidationParameters.IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(Encoding.ASCII.GetBytes("lOB8KJK2gKn2c6ZFJIKpVqLM-gHa6WmFvSJfHWUKscs"));
    ...
});

I missed adding the key from FusionAuth to my application, which is used to verify the token.
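For completeness, here is a full ASP.NET Core 2.x registration that reads the FusionAuth signing secret from configuration instead of hard-coding it in source, and turns the issuer, audience and lifetime checks on explicitly. This is an added example, not code from either answer or from FusionAuth; the configuration keys under "FusionAuth:" are assumed names, and it assumes the FusionAuth application signs its JWTs with an HMAC (HS256) secret as in the accepted fix.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class FusionAuthOidc
{
    // Call from Startup.ConfigureServices: services.AddFusionAuthOidc(Configuration);
    // Assumed configuration keys: FusionAuth:Authority, FusionAuth:ClientId,
    // FusionAuth:ClientSecret, FusionAuth:JwtSecret (user-secrets or environment, not source).
    public static void AddFusionAuthOidc(this IServiceCollection services, IConfiguration config)
    {
        var fa = config.GetSection("FusionAuth");
        var authority = fa["Authority"];   // e.g. http://localhost:9011

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = authority;
            options.ClientId = fa["ClientId"];
            options.ClientSecret = fa["ClientSecret"];
            options.ResponseType = OpenIdConnectResponseType.Code;   // authorization code flow
            options.CallbackPath = "/signin-oidc";   // must match the redirect URI registered in FusionAuth
            options.SaveTokens = false;              // keep raw tokens out of the auth cookie
            options.RequireHttpsMetadata = !authority.StartsWith("http://localhost", StringComparison.Ordinal);

            // Alternative to verifying the id_token locally: the middleware calls the
            // userinfo_endpoint advertised in /.well-known/openid-configuration, so no URL is needed here.
            options.GetClaimsFromUserInfoEndpoint = true;

            // The HS256 secret FusionAuth signs the id_token with. Whoever holds it can mint
            // valid tokens, so it is read from configuration rather than embedded in code.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(fa["JwtSecret"])),
                ValidateIssuerSigningKey = true,
                ValidateIssuer = true,      // issuer is taken from the discovery document
                ValidateAudience = true,    // audience defaults to ClientId
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1)
            };
        });
    }
}
```

Rotating the secret in FusionAuth means updating the FusionAuth:JwtSecret value on the application side at the same time, otherwise IDX10500-style signature failures return.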