1
votes

Every request that hits my ASP.NET Core Web API is rejected as 401 Unauthorized, despite it working as expected in my local development environment.

I've configured the ASP.NET Core Web API to authenticate incoming requests using Bearer tokens signed by a certificate installed on my server running Windows Server 2016.

I've made sure the incoming tokens include the expected payload and have been signed using the correct certificate.

The certificate is retrieved by its thumbprint, which I'm storing in my ASP.NET Core application's appsettings.json file.

Here's an extract of the appsettings.json file:

{
  ...
  "Auth": {
    "Issuer": "{allowed_issuer}",
    "Audience": "{allowed_audience}",
    "Certificate": {
      "Thumbprint": "​{allowed_thumbprint}"
    }
  },
  ...
}

1 Answer

2
votes

After significant debugging I discovered that the issue was caused by a rogue zero-width space character which was accidentally included when I copied my certificate thumbprint into the appsettings.json file. The issue didn't occur locally because I was using a development version of the appsettings file which coincidentally didn't include the extra character.

If you use the arrow keys to navigate through the text in the example JSON file I shared, right at the start of the thumbprint string there is an extra character you have to tap through.

The character is completely invisible using any text editor, even VS Code with hidden characters (e.g. line breaks) enabled. I'm sure there's a setting somewhere to display them but not one that I've got enabled.

It turns out that this invisible character originated from the Certificate Manager Console, where I copied the thumbprint from. It seems Microsoft have patched this in a later version of Certificate Manager but it's still an issue in my Windows Server 2016.

I'm sharing my findings in hopes that others are spared the pain of investigating this nightmarish issue.
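The failure mode in this answer (an invisible U+200B in the thumbprint string making the certificate-store lookup silently return nothing) is cheap to catch before it reaches the store. Below is an added example, not code from the original question or answer, that scans every string value in an appsettings.json for format/control characters and validates the `Auth:Certificate:Thumbprint` value as exactly 40 hex digits before it is used. The embedded appsettings.json and the thumbprint value in it are constructed for the example, with a zero-width space deliberately placed in front of the thumbprint to reproduce the bug.

```python
import json
import re
import unicodedata

# Constructed sample modelled on the appsettings.json in the question, with a
# zero-width space (U+200B) deliberately inserted before the thumbprint. The
# issuer, audience and thumbprint values are made up for the example.
SAMPLE_APPSETTINGS = (
    '{\n'
    '  "Auth": {\n'
    '    "Issuer": "https://issuer.example",\n'
    '    "Audience": "api://example-api",\n'
    '    "Certificate": {\n'
    '      "Thumbprint": "\u200bA1B2C3D4E5F60718293A4B5C6D7E8F9012345678"\n'
    '    }\n'
    '  }\n'
    '}\n'
)

# A SHA-1 certificate thumbprint is exactly 40 hex digits, nothing else.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Unicode general categories that never belong in a config string:
# Cf = format (zero-width space, BOM, RTL marks), Cc = control characters.
HIDDEN_CATEGORIES = ("Cf", "Cc")


def walk_strings(obj, path=()):
    """Yield (dotted_path, value) for every string leaf in parsed JSON."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, path + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk_strings(val, path + (str(idx),))
    elif isinstance(obj, str):
        yield ".".join(path), obj


def find_hidden_chars(config_text):
    """Scan every string value in a JSON config for invisible characters.

    Returns {dotted_path: [(index, "U+XXXX", unicode_name), ...]} for each
    string containing a format or control character; an empty dict means clean.
    """
    findings = {}
    for path, value in walk_strings(json.loads(config_text)):
        hits = [
            (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(value)
            if unicodedata.category(ch) in HIDDEN_CATEGORIES
        ]
        if hits:
            findings[path] = hits
    return findings


def load_thumbprint(config_text):
    """Read Auth:Certificate:Thumbprint and fail loudly if it is not clean.

    Raises ValueError naming every offending character (by code point and
    name) instead of letting a store lookup silently return no certificate.
    Returns the upper-cased thumbprint on success.
    """
    raw = json.loads(config_text)["Auth"]["Certificate"]["Thumbprint"]
    if not THUMBPRINT_RE.match(raw):
        offending = [
            (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(raw)
            if not re.match(r"[0-9A-Fa-f]", ch)
        ]
        raise ValueError(
            f"Thumbprint {raw!r} is not 40 hex digits; "
            f"offending characters: {offending}"
        )
    return raw.upper()


def clean_thumbprint(raw):
    """Strip everything that is not a hex digit (zero-width characters, the
    spaces certmgr puts between byte pairs) and upper-case the result.

    Use this only where you have decided that silently normalising config is
    acceptable; otherwise prefer load_thumbprint's hard failure.
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not THUMBPRINT_RE.match(cleaned):
        raise ValueError(f"{raw!r} does not contain a 40-hex-digit thumbprint")
    return cleaned


if __name__ == "__main__":
    for path, hits in find_hidden_chars(SAMPLE_APPSETTINGS).items():
        print(f"{path}: {hits}")
    try:
        load_thumbprint(SAMPLE_APPSETTINGS)
    except ValueError as exc:
        print(exc)
    print(clean_thumbprint("\u200ba1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 12 34 56 78"))
```

`find_hidden_chars` reports the exact position and Unicode name of the stray character, which is what the text editor in the answer could not show. The same 40-hex-digit regex check belongs at application startup, before the `X509Store` lookup, so a bad thumbprint throws with a readable message rather than producing a 401 on every request.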