Hi,
I’m in the process of converting a good old ASP.NET MVC app to ASP.NET Core 2.2. It’s a SPA app where the user logs in using Auth0 JavaScript libs in the frontend. But when calls are made to my API backend, the result is 401 Unauthorized on the calls I’ve annotated with [Authorize]. The following error message is logged:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey , KeyId
I’ve double-checked that the issuer/audience/secret config is the same across the old and new solutions. Jwt.io says the signature is verified when I try pasting the bearer token and secret onto the site.
The setup in Startup.cs is like this:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.RequireHttpsMetadata = false;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                ValidIssuer = Configuration["Auth0:Issuer"],
                ValidAudience = Configuration["Auth0:Audience"],
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Auth0:Secret"]))
            };
        });
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

Compared to the setup in my old app:

    private static void ConfigureSecurity(IAppBuilder app)
    {
        var issuer = CloudConfigurationManager.GetSetting("issuer");
        var audience = CloudConfigurationManager.GetSetting("audience");
        var secretSetting = CloudConfigurationManager.GetSetting("secret");
        var secret = TextEncodings.Base64Url.Decode(secretSetting);
        // Api controllers with an [Authorize] attribute will be validated with JWT
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] {audience},
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
                }
            });
    }

Has anyone got any tips on how to resolve?
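
One visible difference between the two setups above is how the secret string becomes key bytes: the old app runs it through TextEncodings.Base64Url.Decode, while the new one uses Encoding.UTF8.GetBytes. The console program below is an added example, not part of the original post; it signs an HS256 token with the Base64Url-decoded bytes and then validates it with each derivation, so the effect of that difference on signature validation can be checked in isolation. It assumes the System.IdentityModel.Tokens.Jwt NuGet package, and the issuer, audience and secret are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class KeyDerivationCheck
{
    // Constructed sample values for this example; not real configuration or credentials.
    const string Issuer = "https://issuer.example/";
    const string Audience = "sample-audience";
    const string Secret = "Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldC0zMmJ5dGU"; // Base64Url of 32 bytes

    // Returns true when the token's signature (and issuer/audience/lifetime) validate with keyBytes.
    static bool Validates(string jwt, byte[] keyBytes)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes)
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenInvalidSignatureException)
        {
            return false;
        }
    }

    static void Main()
    {
        byte[] decoded = Base64UrlEncoder.DecodeBytes(Secret); // same idea as the old app's Base64Url.Decode
        byte[] utf8 = Encoding.UTF8.GetBytes(Secret);          // what the new Startup.cs passes as the key

        // Sign the way an issuer holding the decoded bytes would.
        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(decoded), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, Audience, claims: null,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: credentials);
        string jwt = new JwtSecurityTokenHandler().WriteToken(token);

        Console.WriteLine($"decoded key ({decoded.Length} bytes) validates: {Validates(jwt, decoded)}");
        Console.WriteLine($"UTF-8 key   ({utf8.Length} bytes) validates: {Validates(jwt, utf8)}");
    }
}
```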