Closed
Description
Describe the bug
When using multiple JWT authentication schemes, the last scheme always falls into a 401 with `Bearer error="invalid_token", error_description="The signature key was not found"` and `Bearer error="invalid_token", error_description="The signature is invalid"` x2, in 3 separate WWW-Authenticate headers.
To Reproduce
```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices: three JwtBearer schemes, each pointing at a different authority.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 1"))
    .AddJwtBearer("Staging", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 2"))
    .AddJwtBearer("Prod", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 3"));

// Default policy: the request is authorized if any of the three schemes authenticates it.
services.AddAuthorization(options =>
{
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        JwtBearerDefaults.AuthenticationScheme,
        "Staging", "Prod");
    defaultAuthorizationPolicyBuilder =
        defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
```

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;

public static class ConfigureJwtBearer
{
    // AuthenticationSettings is the application's own settings type (not shown in the issue).
    public static Action<JwtBearerOptions> CreateJwtBearer(IHostEnvironment env, AuthenticationSettings settings,
        string authority)
    {
        return options =>
        {
            options.Authority = authority;
            options.RequireHttpsMetadata = settings.RequireHttpsMetadata;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "sub",
                ValidateIssuer = true,
                ValidateAudience = false,
                ValidateLifetime = true,
                RequireSignedTokens = true,
                ValidateIssuerSigningKey = true
            };
        };
    }
}
```
The first two schemes work but the Prod scheme doesn't. If I put the Prod scheme before the Staging scheme, Prod works and Staging doesn't.
Exceptions (if any)
Further technical details
- ASP.NET Core version 3.1.401
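As an added example (not the reporter's code and not part of the framework), one way to keep three authorities while letting only one JwtBearer handler validate each request: a policy scheme whose `ForwardDefaultSelector` reads the unverified `iss` claim purely to choose a scheme. The scheme names follow the issue; the `MultiIssuer` name and the issuer URLs are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class MultiIssuerAuth
{
    // Assumed issuer URLs (placeholders) mapped to the scheme names used in the issue.
    private static readonly (string Issuer, string Scheme)[] IssuerSchemes =
    {
        ("https://authority-1.example/", JwtBearerDefaults.AuthenticationScheme),
        ("https://authority-2.example/", "Staging"),
        ("https://authority-3.example/", "Prod"),
    };

    // Reads "iss" WITHOUT validating the token; it only picks a handler. The chosen
    // JwtBearer handler still checks signature, issuer and lifetime, so a forged
    // "iss" only routes the token to a scheme that will reject it.
    public static string SelectScheme(HttpContext context)
    {
        string header = context.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return JwtBearerDefaults.AuthenticationScheme;

        string token = header.Substring("Bearer ".Length).Trim();
        var handler = new JwtSecurityTokenHandler();
        try
        {
            if (handler.CanReadToken(token))
            {
                string issuer = handler.ReadJwtToken(token).Issuer;
                foreach (var (iss, scheme) in IssuerSchemes)
                    if (string.Equals(issuer, iss, StringComparison.Ordinal))
                        return scheme;
            }
        }
        catch (Exception) { /* malformed token: fall through to the default scheme */ }
        return JwtBearerDefaults.AuthenticationScheme; // default handler produces the 401
    }

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication("MultiIssuer")
            .AddPolicyScheme("MultiIssuer", "Route by token issuer",
                o => o.ForwardDefaultSelector = SelectScheme)
            .AddJwtBearer(o => o.Authority = IssuerSchemes[0].Issuer)
            .AddJwtBearer("Staging", o => o.Authority = IssuerSchemes[1].Issuer)
            .AddJwtBearer("Prod", o => o.Authority = IssuerSchemes[2].Issuer);
    }
}
```

With the policy scheme as the default, the default authorization policy no longer needs to name all three schemes, so a rejected token yields one WWW-Authenticate challenge from the selected handler rather than one per scheme.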