Porting ASP.NET MVC app to Core, problems with Auth0 jwt auth

kristwa · August 21, 2019, 9:34pm

Hi,

I’m in the process of converting a good old ASP.NET MVC app to ASP.NET Core 2.2. It’s a SPA app where the user logs in using Auth0 javascript libs in the frontend. But when calls are made to my API backend the result is 401 Unauthorized on the calls I’ve annotated with [Authorize]. The following error message is logged:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey , KeyId

I’ve doublechecked that issuer/audience/secret config is the same across old and new solution. Jwt.io says signature is verified when I try pasting bearer token and secret onto the site.

The setup in Startup.cs is like this:

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                options.RequireHttpsMetadata = false;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Auth0:Issuer"],
                    ValidAudience = Configuration["Auth0:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Auth0:Secret"]))
                };
            });

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        }

Compared to the setup in my old app:

private static void ConfigureSecurity(IAppBuilder app)
        {
            var issuer = CloudConfigurationManager.GetSetting("issuer");
            var audience = CloudConfigurationManager.GetSetting("audience");
            var secretSetting = CloudConfigurationManager.GetSetting("secret");
            var secret = TextEncodings.Base64Url.Decode(secretSetting);

            // Api controllers with an [Authorize] attribute will be validated with JWT
            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    AllowedAudiences = new[] {audience},
                    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                    {
                        new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
                    }
                });
        }

Has anyone got any tips on how to resolve?

dan.woda · August 22, 2019, 6:16pm

I am wondering if this is because your new app is configured to use an asymmetric security key. It looks like your app is expecting a symmetric key. Can you go to the advanced settings and take a look at whether it is using rs256 or hs256. This will be in applications > your app > settings > advanced settings > OAuth > JsonWebToken Signature Algorithm

kristwa · August 22, 2019, 7:34pm

It is currently using HS256

kristwa · August 22, 2019, 8:03pm

Managed to get it working!

I started digging more into how the old solution used the secret and turned my attention to the line

var secret = TextEncodings.Base64Url.Decode(secretSetting);

I searched around what it was actually doing and found this on StackOverflow: arrays - TextEncodings.Base64Url.Decode vs Convert.FromBase64String - Stack Overflow

So instead of setting IssuerSigningKey as I was doing previously:

IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Auth0:Secret"]))

I copied the code from Stackoverflow (Decode and Pad method) and set IssuerSigningKey like this:

IssuerSigningKey = new SymmetricSecurityKey(Decode(Configuration["Auth0:Secret"]))

Now my API returns 200 OK.

dan.woda · August 27, 2019, 4:08pm

Glad you got it working!

dan.woda · September 11, 2019, 4:11pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.