Auth0 Home Blog Docs

OWIN Web Auth Identifier Bug

jwt
auth0
api

#1

Currently following this article (https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization) to use the token issued from Auth0 to authorize my C# Web Api. It is currently not working with error 'Cannot convert from string to System.IdentityModel.Tokens.SecurityKeyIdentifier. Here is the code:

using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;
using System.Configuration;
using Owin;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security;
using Auth0.Owin;
using Microsoft.Owin;

[assembly: OwinStartup(typeof(repAPI.Startup))]
namespace repAPI
{
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.MapSignalR();
        var domain = $"https://{ConfigurationManager.AppSettings["auth0:Domain"]}/";
        var apiIdentifier = ConfigurationManager.AppSettings["auth0:ApiIdentifier"];

        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier) //this line is having problems
                }
            });           
    }

}
}

WebAPI 2 QuickStart sample not compatible with WebAPI 2 (.NET 4.6.1)
#2

I am having the exact problem. Have you made any headway towards the resolution? It seems like it might be an out of date library.


#3

I have pinged this to the appropriate team and will get back with you


#4

Has this been resolved ? I have the exact issue


#5

@derek.williams @craigsch @development1 This is a dependency issue which, according to my current investigations, appear to be out outside of our control.

Underlying problem appears to be incompatibility with System.IdentityModel.Tokens.Jwt 5.x, which is what the OWIN 4.x libs depend on.

Bottom line is, you need to use OWIN 3.x and specifically System.IdentityModel.Tokens.Jwt 4.x

I will see that we add a big notice on the Quickstart regarding this.

@jeremy.meiss Can you please keep an eye out on these symptoms, specifically when using OWIN Web API, as other may run into it as well?

Please see Webapi Owin Example is not Working


#6

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.


#7

#8

I have existing WebAPI project with .NET framework 4.6.1

Trying to setup Auth0 by following through QuickStart https://manage.auth0.com/#/applications/maSXtxq0pWJZU9UgITR7khaBOmtrNPxW/quickstart

However, this example does not seem to be compatible with latest versions of packages

Microsoft.Owin.Security.Jwt (runtime version v4.0.30319, version 4.0.30319)
Auth0.OpenIdConnectSigningKeyResolver (runtime version v4.0.30319, version 4.0.0.0)

The problem seems to be that the signature of IssuerSigningKeyResolver has been changed - specifically the ‘identifier’ parameter is no longer of type SecurityKeyIdentifier, but instead a string…so the following does not work:

...
IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
...

Is there an up to date example?


#9

@bojanz27 I just moved your post over to here - as mentioned in post 5 above, this is a dependency issue which is outside of our control: