I’m working on an ASP.NET Core API that uses Auth0 for authentication and authorization. I’ve run into an issue where my API successfully validates tokens generated using the Client Credentials Flow, but fails to validate tokens obtained via the Authorization Code Flow. The error I’m getting is:
```text
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenDecryptionFailedException: IDX10609: Decryption failed. No Keys tried: token: 'null'.
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.ValidateDecryption(...)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.DecryptJwtToken(...)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.DecryptToken(...)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWEAsync(...)
```
What I’ve tried so far:

- Authentication configuration: in my `Startup.cs` (or `DependencyInjection.cs`), I’ve configured JWT Bearer authentication as follows:

  ```csharp
  services.AddAuthentication(options =>
  {
      options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
      options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
  })
  .AddJwtBearer(options =>
  {
      options.Authority = $"https://{domain}/";
      options.Audience = audience;
      options.RequireHttpsMetadata = false;
      options.TokenValidationParameters = new TokenValidationParameters
      {
          NameClaimType = "sub",
          RoleClaimType = "https://schemas.labx.com/roles",
          ValidIssuer = $"https://{domain}/",
          ValidateIssuer = true,
          ValidateAudience = true,
          ValidateLifetime = true,
          ValidateIssuerSigningKey = true,
          ClockSkew = TimeSpan.Zero
      };
  });
  ```

  Note: I previously had `AddAuth0WebAppAuthentication` configured, but I’ve removed it since it’s meant for cookie-based authentication in web apps, not for APIs.

- Ensured tokens are signed, not encrypted:
  - In the Auth0 Dashboard, under APIs > My API > Settings, I’ve set the Signing Algorithm to RS256.
  - In my Application’s settings under Advanced Settings > OAuth, I’ve ensured that JSON Web Token (JWT) Encryption is disabled.

- Obtained new access tokens:
  - Generated new tokens using both the Client Credentials Flow and the Authorization Code Flow.
  - Used jwt.io to decode the tokens.
  - Client Credentials token: decodes successfully, and my API validates it without issues.
  - Authorization Code token: decodes successfully (indicating it’s signed, not encrypted), but my API fails to validate it, throwing the `SecurityTokenDecryptionFailedException`.

- Enabled detailed logging and PII:
  - Added `IdentityModelEventSource.ShowPII = true;` to see more detailed error messages.
  - Configured logging in `appsettings.Development.json`:

    ```json
    {
      "Logging": {
        "LogLevel": {
          "Default": "Debug",
          "Microsoft": "Debug",
          "Microsoft.IdentityModel": "Debug",
          "Microsoft.AspNetCore.Authentication": "Debug"
        }
      }
    }
    ```

- Checked middleware order: confirmed that `UseAuthentication()` and `UseAuthorization()` are correctly ordered in `Program.cs`:

  ```csharp
  app.UseRouting();
  app.UseAuthentication();
  app.UseAuthorization();
  app.MapControllers();
  ```
Issue Details:
- Client Credentials Tokens Work: My API successfully validates tokens from the client credentials flow.
- Authorization Code Tokens Fail: When using tokens from the authorization code flow, the API throws a decryption failed exception.
Questions:
- Why is my API trying to decrypt a token that appears to be signed and not encrypted?
- Is there a configuration issue that’s causing the API to treat the token as encrypted?
- Has anyone faced a similar issue where tokens from the authorization code flow fail validation in the API, even though they are correctly signed?
- Are there any additional settings in Auth0 or my application that I should check or adjust?
Any guidance or suggestions would be greatly appreciated!
Thank you in advance for your help.
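As an added diagnostic (not code from the question or from Auth0), the helper below decodes only the JOSE header of the incoming bearer token and logs whether it arrived as a three-segment JWS (signed) or a five-segment JWE (encrypted), together with `alg`, `enc` and `kid`; that segment count is what the token handler uses to decide whether it must decrypt, so logging it for both flows shows what the API actually receives rather than what jwt.io shows for a token pasted by hand. `JoseInspector` and `DiagnosticEvents` are names chosen here; it hooks into the same `AddJwtBearer` call the question shows.

```csharp
// Added diagnostic, not from the original post; assumes only the JwtBearer package the question already uses, plus System.Text.Json.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class JoseInspector
{
    // Describes the compact serialization without validating it: three dot-separated
    // segments is a JWS (signed), five is a JWE (encrypted). Only the protected header
    // is decoded; the payload and signature are never logged.
    public static string Describe(string? token)
    {
        if (string.IsNullOrWhiteSpace(token)) return "no bearer token present";
        string[] parts = token.Split('.');
        string kind = parts.Length switch { 3 => "JWS", 5 => "JWE", _ => "unknown" };
        try
        {
            using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[0]));
            JsonElement h = doc.RootElement;
            string Get(string n) => h.TryGetProperty(n, out JsonElement v) ? v.ToString() : "(absent)";
            return $"{kind} ({parts.Length} segments) alg={Get("alg")} enc={Get("enc")} kid={Get("kid")} typ={Get("typ")}";
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException)
        {
            return $"{kind} ({parts.Length} segments), header not parseable: {ex.GetType().Name}";
        }
    }
    // Wire into the question's AddJwtBearer(options => { ... }) with:
    //   options.Events = JoseInspector.DiagnosticEvents();
    // OnMessageReceived runs before validation, so it fires even when the handler then fails.
    public static JwtBearerEvents DiagnosticEvents() => new JwtBearerEvents
    {
        OnMessageReceived = ctx =>
        {
            string raw = ctx.Request.Headers["Authorization"].ToString();
            string? token = raw.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) ? raw.Substring(7) : null;
            ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                .CreateLogger("JoseInspector").LogDebug("Bearer token shape: {Shape}", Describe(token));
            return Task.CompletedTask;
        }
    };
    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }
}
```

With the `Microsoft.AspNetCore.Authentication` category already at Debug in the question's `appsettings.Development.json`, the `JoseInspector` category needs the same level (or the `Default` of Debug already set there) for the line to appear.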