OWIN Web Auth Identifier Bug

derek.williams · March 13, 2018, 8:32pm

Currently following this article (https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization) to use the token issued from Auth0 to authorize my C# Web Api. It is currently not working with error 'Cannot convert from string to System.IdentityModel.Tokens.SecurityKeyIdentifier. Here is the code:

using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;
using System.Configuration;
using Owin;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security;
using Auth0.Owin;
using Microsoft.Owin;

[assembly: OwinStartup(typeof(repAPI.Startup))]
namespace repAPI
{
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.MapSignalR();
        var domain = $"https://{ConfigurationManager.AppSettings["auth0:Domain"]}/";
        var apiIdentifier = ConfigurationManager.AppSettings["auth0:ApiIdentifier"];

        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier) //this line is having problems
                }
            });           
    }

}
}

craigsch · March 23, 2018, 7:53pm

I am having the exact problem. Have you made any headway towards the resolution? It seems like it might be an out of date library.

jerdog · March 23, 2018, 8:25pm

I have pinged this to the appropriate team and will get back with you

development1 · March 27, 2018, 1:46am

Has this been resolved ? I have the exact issue

jerrie1 · March 27, 2018, 3:04am

@derek.williams @craigsch @development1 This is a dependency issue which, according to my current investigations, appear to be out outside of our control.

Underlying problem appears to be incompatibility with System.IdentityModel.Tokens.Jwt 5.x, which is what the OWIN 4.x libs depend on.

Bottom line is, you need to use OWIN 3.x and specifically System.IdentityModel.Tokens.Jwt 4.x

I will see that we add a big notice on the Quickstart regarding this.

@jerdog Can you please keep an eye out on these symptoms, specifically when using OWIN Web API, as other may run into it as well?

Please see Webapi Owin Example is not Working - #2 by jerrie1

system · March 28, 2018, 3:04am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

bojanz27 · April 16, 2018, 2:33pm

I have existing WebAPI project with .NET framework 4.6.1

Trying to setup Auth0 by following through QuickStart https://manage.auth0.com/#/applications/maSXtxq0pWJZU9UgITR7khaBOmtrNPxW/quickstart

However, this example does not seem to be compatible with latest versions of packages

Microsoft.Owin.Security.Jwt (runtime version v4.0.30319, version 4.0.30319)
Auth0.OpenIdConnectSigningKeyResolver (runtime version v4.0.30319, version 4.0.0.0)

The problem seems to be that the signature of IssuerSigningKeyResolver has been changed - specifically the ‘identifier’ parameter is no longer of type SecurityKeyIdentifier, but instead a string…so the following does not work:

...
IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
...

Is there an up to date example?

jerdog · April 16, 2018, 11:59pm

@bojanz27 I just moved your post over to here - as mentioned in post 5 above, this is a dependency issue which is outside of our control: