0
votes

Similar to the problem mentioned here, I have an issue where JWT validation works when running on .NET Core 2.2 (on macOS and on Windows) but fails to run on .NET Framework 4.7.2; there, it throws an exception:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: 'IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: '. Exceptions caught: ''. token: '{"typ":"JWT","alg":"RS256"}.{"sub":"username","scope":"examplescope","roles":["examplerole"],"iss":"https://example.com/","exp":1556788122,"iat":1555316893}'.'
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) in C:\agent1_work\109\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 979
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\agent1_work\109\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 722
at JWTTest.Program.Main(String[] args) in C:\Users\User\source\repos\JWTTest\JWTTestCore\Program.cs:line 35

Test program:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

namespace JWTTest {
    class Program {
        static void Main(string[] args) {
            // Validation parameters
            //var rsa = new RSACryptoServiceProvider(); // this works in .NET Core on macOS but not on Windows ...
            var rsa = RSA.Create();
            rsa.KeySize = 2048;
            rsa.ImportParameters(new RSAParameters {
                  Modulus = Convert.FromBase64String("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"),
                  Exponent = Convert.FromBase64String("AQAB")
            });
            var validationParameters = new TokenValidationParameters {
                ClockSkew = TimeSpan.FromMinutes(1),
                ValidateAudience = false,
                ValidateIssuer = true,
                ValidIssuer = "https://example.com/",
                IssuerSigningKey = new RsaSecurityKey(rsa)
            };

            // Verify token
            IdentityModelEventSource.ShowPII = true;
            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            var token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VybmFtZSIsInNjb3BlIjoiZXhhbXBsZXNjb3BlIiwicm9sZXMiOlsiZXhhbXBsZXJvbGUiXSwiaXNzIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS8iLCJleHAiOjE1NTY3ODgxMjIsImlhdCI6MTU1NTMxNjg5M30.XHowlwvKX73I2KqKFInaadAGZNtj7UVvjh1EuodnttlUOmC59Q6XPSwrKkATLqicl46c7ItYGl75Mj5PVy03tOXXlxgsgoP81t1WM08QeHlrbPvay1aSFqcj7JcnX6fu9qiXzRhhh2XYw5UrT8-R3kIQMQA7d4cnT6Z1oeoHzV38ywi3rv3BapwuFtrFmSXHHsQMcTUK_Whf-5CEPj6O9CEdCXKFh05McGZDBoYBgZpn7d2H2EJNV9KhsasafsD7TVs6w3myOfc3HaqtHhFDUmpzwmWZdzn-i0zSxz1qussd9ovDaf03zkd7OWtau9_44T1KkWVK8GlAxuXnuPmCuh76ELQjpNqQerRL-F4EYkUwUJEQHFf2IolpCx4i2pDkzyax-fL4ZwjsncWNUJdXyex3Pk-OcSD11lJl0UWRE5gh-pOeEd1Ybhxu4z42Vet1rAM3VWXXyJQzAz2diVTJIbvaG3uq4-HxoBTkvfpXLj_2RN_oSTkyD8JoBIHQtMT1h7eZhHbxFLsxLoGNQVWJmyU_BPCs282m41n2Jd4ezR1M1XlLUixk8v1M1Rjxg3s7c8Q_PezmXzv3IrK8ftrmfb73uBwTxJukOeFk3yC7e7ZLhYJsBlJsyeGfJF8ayNSjxwkrXJN3JVZMOzZCQNnl3zc8AL6gjloFFlhgB5nlxJU";
            // exception is thrown on the next line:
            var user = handler.ValidateToken(token, validationParameters, out SecurityToken validatedToken);

            foreach (var role in user.Claims.Where(c => c.Type == ClaimTypes.Role)) {
                Console.WriteLine("Role: " + role.Value);
            }
        }
    }
}

The JWT is generated with this Java library but I'm not sure if that matters; according to jwt.io it is valid. (The link says invalid signature, but that's a bug in the website; just add a newline at the end of the public key to trigger the verification.) I've tried tokens generated by RS256 and RS512 algorithms but that doesn't make a difference.

I'm not sure if it depends on the Visual Studio setup:

  • macOS Mojave 10.14.4; Visual Studio for Mac 7.7.3 (build 43); .NET Core SDK version 2.2.105 (works)
  • Windows 10, Version 1809; Visual Studio 2017, v15.9.11
    • .NET Core SDK 2.2.106 (works)
    • .NET Framework 4.7.2 (doesn't work)
1
I'm not sure, but I've noticed one thing: Convert.FromBase64String("AM/Nh9cX8...") is a byte[513], should it be byte[512]? – vasily.sib
I'm not sure about that either, but this is a stripped down version of the problem. In reality I'm using this library which retrieves the signing keys based on an OIDC discovery document. – Glorfindel
Try this ... The answer claims to work in Windows and Linux and might be the solution to your problem stackoverflow.com/questions/54585148/… – Narendran Pandian
Thanks! I've seen that question while doing research. It turns out that it fixes the .NET Core on Windows problem, but unfortunately the .NET Framework issue still persists :( – Glorfindel

1 Answer

1
votes

No, the Java library should not be the problem. The issue is mentioned in the same link you attached. You need to override and use custom key verification since there is some kind of error attached with RSA decryptions in the library.

Take a look at this and this for more info [again, it's the same link you attached from].

The issue was referenced in another issue and it was closed. Possibly it should be fixed, unless some packages are not updated or are in the version mentioned there.
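One concrete thing to check before overriding signature validation is the modulus length that vasily.sib points out in the comments: "AM/N..." decodes to a leading 0x00 byte, which is the sign byte Java's BigInteger.toByteArray() adds when the top bit of the modulus is set (513 bytes for a 4096-bit key). .NET Core tolerates it, but the CAPI-backed RSA on .NET Framework rejects a modulus whose length does not match the key size, which surfaces as the IDX10503 signature failure. The helper below is added example code, not from the question or the library it uses; it assumes plain Base64 inputs as in the question and a key id you choose yourself.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example: builds an RsaSecurityKey from a Base64 modulus/exponent pair,
// stripping the leading 0x00 sign byte that Java's BigInteger.toByteArray()
// emits, so the same parameters import cleanly on .NET Framework and .NET Core.
static class RsaKeyNormalizer {
    // Big-endian unsigned integers must not start with a zero byte when handed
    // to RSAParameters on .NET Framework; drop it if present.
    public static byte[] TrimLeadingZero(byte[] unsignedBigEndian) {
        if (unsignedBigEndian.Length > 1 && unsignedBigEndian[0] == 0x00) {
            var trimmed = new byte[unsignedBigEndian.Length - 1];
            Buffer.BlockCopy(unsignedBigEndian, 1, trimmed, 0, trimmed.Length);
            return trimmed;
        }
        return unsignedBigEndian;
    }

    // keyId is a value you choose (hypothetical); it is what shows up in the
    // "KeyId:" part of IDX10503 and lets you tell which key was tried.
    public static RsaSecurityKey FromBase64(string modulusBase64, string exponentBase64, string keyId) {
        var modulus = TrimLeadingZero(Convert.FromBase64String(modulusBase64));
        var exponent = TrimLeadingZero(Convert.FromBase64String(exponentBase64));

        // After trimming, a well-formed RSA modulus has its top bit set; anything
        // else means the input was not a plain big-endian modulus at all.
        if (modulus.Length == 0 || (modulus[0] & 0x80) == 0) {
            throw new ArgumentException("modulus is not a normalized big-endian unsigned integer", nameof(modulusBase64));
        }

        var rsa = RSA.Create();
        // The key size follows the imported modulus, so do not set KeySize by hand.
        rsa.ImportParameters(new RSAParameters { Modulus = modulus, Exponent = exponent });
        return new RsaSecurityKey(rsa) { KeyId = keyId };
    }
}
```

In the test program, `IssuerSigningKey = RsaKeyNormalizer.FromBase64(modulusBase64, "AQAB", "example-kid")` replaces the manual `ImportParameters` call; the same trimming applies to the `n`/`e` values pulled from an OIDC discovery document's JWKS once they are Base64url-decoded.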