Porting ASP.NET MVC app to Core, problems with Auth0 jwt auth


I’m in the process of converting a good old ASP.NET MVC app to ASP.NET Core 2.2. It’s a SPA app where the user logs in using Auth0 javascript libs in the frontend. But when calls are made to my API backend the result is 401 Unauthorized on the calls I’ve annotated with [Authorize]. The following error message is logged:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey , KeyId

I’ve doublechecked that issuer/audience/secret config is the same across old and new solution. Jwt.io says signature is verified when I try pasting bearer token and secret onto the site.

The setup in Startup.cs is like this:

        public void ConfigureServices(IServiceCollection services)
            services.AddAuthentication(options =>
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            .AddJwtBearer(options =>
                options.RequireHttpsMetadata = false;

                options.TokenValidationParameters = new TokenValidationParameters
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Auth0:Issuer"],
                    ValidAudience = Configuration["Auth0:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Auth0:Secret"]))


Compared to the setup in my old app:

private static void ConfigureSecurity(IAppBuilder app)
            var issuer = CloudConfigurationManager.GetSetting("issuer");
            var audience = CloudConfigurationManager.GetSetting("audience");
            var secretSetting = CloudConfigurationManager.GetSetting("secret");
            var secret = TextEncodings.Base64Url.Decode(secretSetting);

            // Api controllers with an [Authorize] attribute will be validated with JWT
                new JwtBearerAuthenticationOptions
                    AuthenticationMode = AuthenticationMode.Active,
                    AllowedAudiences = new[] {audience},
                    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                        new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)

Has anyone got any tips on how to resolve?

1 Like

I am wondering if this is because your new app is configured to use an asymmetric security key. It looks like your app is expecting a symmetric key. Can you go to the advanced settings and take a look at whether it is using rs256 or hs256. This will be in applications > your app > settings > advanced settings > OAuth > JsonWebToken Signature Algorithm

It is currently using HS256

Managed to get it working!

I started digging more into how the old solution used the secret and turned my attention to the line

var secret = TextEncodings.Base64Url.Decode(secretSetting);

I searched around what it was actually doing and found this on StackOverflow: https://stackoverflow.com/a/42716638/2857770

So instead of setting IssuerSigningKey as I was doing previously:

IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Auth0:Secret"]))

I copied the code from Stackoverflow (Decode and Pad method) and set IssuerSigningKey like this:

IssuerSigningKey = new SymmetricSecurityKey(Decode(Configuration["Auth0:Secret"]))

Now my API returns 200 OK.

1 Like

Glad you got it working!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.