The signature key was not found

I’m trying to deploy my application in two locations with two different APIs. For some reason, auth0 doesn’t like when I pull values from my appsettings.json. This only appears to be an issue when the audience is https.

    // appsettings.json
    {
      ...
      "Auth": {
        "Authority": "https://authority.auth0.com/",
        "Audience": "https://my.audience.net"
      }
    }

It works if I hardcode the URLs in my Startup.cs…

    services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.Authority = "https://authority.auth0.com/";
        options.Audience = "https://my.audience.net";
    });

…but not when I try to get them

    services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.Authority = Configuration["Auth:Authority"];
        options.Audience = Configuration["Auth:Audience"];
    });

I’ve also tried:

    Configuration.GetValue<string>("Auth:Authority");

My debugger shows the values correctly, but this causes auth0 to give me a 401 from the application and the message `Bearer error="invalid_token", error_description="The signature is invalid"`

Any suggestions? I’d like to have an appsettings.json and appsettings.someOtherPlace.json for different deployments for now.

@daniel.breen this is kind of strange I agree. I am curious are you having issues with one over the other, meaning can you pull Authority from app settings and not audience? Or do neither of them work? Very odd that it only cares/breaks when audience is https AND pulling from configuration.

Have you tried the obvious things like doing:

    var authority = Configuration["Auth:Authority"];
    var audience = Configuration["Auth:Audience"];

    services
        .AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options =>
        {
            options.Authority = authority;
            options.Audience = audience;
        });

Honestly, I’ve not seen an issue like this before. I have sent this to some other engineers on my side to see if anyone has seen this or has some ideas.

@daniel.breen can you provide me some more details? Can you provide the JWT (without the signature xxx.yyy pieces)? Or send me the decoded header and payload of the JWT. I want to see the contents of this so I can compare it to the configuration of your middleware.

My debugger shows the values correctly, but this causes auth0 to give me a 401 from the application and the message `Bearer error="invalid_token", error_description="The signature is invalid"`

This is a bit interesting.

Authority doesn’t seem to matter. I have another tenant that is just http that I use for development and that works fine with Configuration["Auth:Audience"]. Feel free to browse the repo:

The above link is to the development branch. Kno2 is the master branch.

Interesting… I decoded the token and the signature is to my development tenant. It doesn’t seem to care if I completely replace both of my appsettings files with the production tenant auth & audience. It’s like it’s caching the development settings that I originally had, even if I change the values in appsettings.Development.json.

    {
      typ: "JWT",
      alg: "RS256",
      kid: "***"
    }.
    {
      iss: "https://toucantesting.auth0.com/",
      sub: "***",
      aud: [
        "http://api.toucantesting.com",
        "https://toucantesting.auth0.com/userinfo"
      ],
      iat: 1527691533,
      exp: 1527777923,
      azp: "***",
      scope: "openid profile"
    }.

So it looks like the issue is a .net issue, not an auth0 issue.
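The comparison sgmeyer asked for, as an added example that is not part of the thread: decode the token's header and payload without verifying it and check `iss` and `aud` against the `Authority` and `Audience` the middleware was configured with. When `iss` points at a different tenant than `Authority`, the middleware downloads the signing keys from the configured tenant, which never contain the token's `kid`, so validation fails before the audience is even looked at. The token below is constructed from the decoded values in the thread with a placeholder signature.

```python
import base64
import json


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: header/payload modelled on the decoded token in the
# thread; the third segment is a placeholder, not a real RS256 signature.
SAMPLE_JWT = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "dev-key-1"}),
    _b64url({
        "iss": "https://toucantesting.auth0.com/",
        "aud": ["http://api.toucantesting.com",
                "https://toucantesting.auth0.com/userinfo"],
    }),
    "placeholder-signature",
])


def decode_unverified(token):
    """Split a JWT and decode header and payload. No signature check here:
    this is a diagnostic view of the claims, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")

    def dec(seg):
        seg += "=" * (-len(seg) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(seg))

    return dec(parts[0]), dec(parts[1])


def check_against_config(token, authority, audience):
    """Return the mismatches between the token's claims and the JwtBearer
    Authority/Audience values, ignoring a trailing slash on the issuer."""
    _header, payload = decode_unverified(token)
    problems = []
    iss = payload.get("iss", "")
    if iss.rstrip("/") != authority.rstrip("/"):
        problems.append(f"iss {iss!r} != Authority {authority!r}: "
                        "signing key will not be found in Authority's JWKS")
    aud = payload.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list
        aud = [aud]
    if audience not in aud:
        problems.append(f"Audience {audience!r} not in aud {aud!r}")
    return problems
```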

@sgmeyer

Thanks for your time. It turned out to be the Startup constructor:

    public Startup(IHostingEnvironment env)
    {
        // Later sources override earlier ones, so the environment-specific
        // file (appsettings.{EnvironmentName}.json) wins over appsettings.json,
        // and environment variables win over both.
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
            .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true)
            .AddEnvironmentVariables();
        Configuration = builder.Build();
    }

It would revert back to my appsettings.Development.json auth section. I ended up creating another environment file, appsettings.Production.json, and putting the auth section in question in there.
