Multiple jwt authentication schemes can't validate signature key #26002

Closed
bernard-arnaud opened this issue Sep 17, 2020 · 5 comments
Labels: area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@bernard-arnaud

Describe the bug

When using multiple JWT authentication schemes, the last scheme always ends in a 401 with `Bearer error="invalid_token", error_description="The signature key was not found"` and `Bearer error="invalid_token", error_description="The signature is invalid"` (x2) in 3 separate WWW-Authenticate headers.

To Reproduce

```csharp
// In Startup.ConfigureServices: three JwtBearer schemes, each bound to its own authority.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 1"))
    .AddJwtBearer("Staging", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 2"))
    .AddJwtBearer("Prod", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 3"));

services.AddAuthorization(options =>
{
    // The default policy accepts a principal authenticated by any of the three schemes.
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        JwtBearerDefaults.AuthenticationScheme,
        "Staging", "Prod");
    defaultAuthorizationPolicyBuilder =
        defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});

// Helper shared by all three schemes (in the ConfigureJwtBearer class).
public static Action<JwtBearerOptions> CreateJwtBearer(IHostEnvironment env, AuthenticationSettings settings,
    string authority)
{
    return options =>
    {
        options.Authority = authority;
        options.RequireHttpsMetadata = settings.RequireHttpsMetadata;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "sub",
            ValidateIssuer = true,
            ValidateAudience = false,
            ValidateLifetime = true,
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true
        };
    };
}
```

The first two schemes work but the Prod scheme doesn't. If I put the Prod scheme before the Staging scheme, Prod works and Staging doesn't.

Exceptions (if any)

Further technical details

  • ASP.NET Core version 3.1.401
@bernard-arnaud
Author

In the debug console I have this error:

Prod was not authenticated. Failure message: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'AT20180509', InternalId: 'f1dd2f4d-16ac-455e-8c1a-d4bf1e631739'.
, KeyId: AT20180509

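The IDX10511 message above lists the key ids a scheme tried; the first question when several JwtBearer schemes share one pipeline is which configured authority actually publishes the `kid` the token names, and whether that token's `iss` belongs to the same scheme (the configuration sets `ValidateIssuer = true`). The following triage script is an added example, not code from the issue or from ASP.NET Core; it is in Python so it runs stand-alone, and the authority names, JWKS documents and token are constructed (only the `kid` value `AT20180509` comes from the reported error).

```python
import base64
import json

# Constructed sample data (not from the issue): the scheme names from the issue mapped to a
# hypothetical authority and the JWKS it would publish. Only "kid" is compared, so the RSA
# modulus "n" is abbreviated.
SCHEMES = {
    "Dev":     {"authority": "authority 1", "jwks": {"keys": [{"kty": "RSA", "kid": "DEV-2020", "e": "AQAB", "n": "..."}]}},
    "Staging": {"authority": "authority 2", "jwks": {"keys": [{"kty": "RSA", "kid": "STG-2020", "e": "AQAB", "n": "..."}]}},
    "Prod":    {"authority": "authority 3", "jwks": {"keys": [{"kty": "RSA", "kid": "AT20180509", "e": "AQAB", "n": "..."}]}},
}

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Read the JOSE header only; nothing in this script verifies a signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def jwt_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))

def triage(token: str, schemes: dict) -> dict:
    """Report which configured scheme publishes the key id the token names."""
    kid = jwt_header(token).get("kid")
    iss = jwt_claims(token).get("iss")
    matches = [name for name, s in schemes.items()
               if any(k.get("kid") == kid for k in s["jwks"]["keys"])]
    if not matches:
        verdict = "no scheme publishes this kid (expect 'The signature key was not found')"
    elif iss not in {schemes[m]["authority"] for m in matches}:
        verdict = "kid found but 'iss' belongs to another scheme (ValidateIssuer will reject it)"
    else:
        verdict = "ok"
    return {"kid": kid, "iss": iss, "matches": matches, "verdict": verdict}

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test token; the third segment is a placeholder, not a real signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"not-a-real-signature")])

SAMPLE_TOKEN = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "AT20180509"},
                                   {"iss": "authority 3", "sub": "user-1"})

if __name__ == "__main__":
    print(triage(SAMPLE_TOKEN, SCHEMES))
```

In a real deployment the JWKS documents are fetched from each authority's `jwks_uri`; if the scheme that is expected to validate the token does not list the `kid` at all, the problem is key discovery (or, as in this issue, a mismatched package version), not the scheme ordering.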
@Tratcher Tratcher added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Sep 17, 2020
@blowdart
Contributor

blowdart commented Sep 17, 2020

@HaoK does multiple auth of the same type fail fast, or would removing the default scheme work (and adding a default challenge to have challenge work?)

@bernard-arnaud
Author

bernard-arnaud commented Sep 21, 2020

Removing the default scheme and replacing it by a challenge still produces the error, if that's what you mean.

```csharp
// No default scheme; each JwtBearer scheme is named explicitly.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication()
    .AddJwtBearer("Dev", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 1"))
    .AddJwtBearer("Staging", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 2"))
    .AddJwtBearer("Prod", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 3"));

services.AddAuthorization(options =>
{
    // The default policy challenges and authenticates against all three named schemes.
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        "Dev", "Staging", "Prod");
    defaultAuthorizationPolicyBuilder =
        defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
```

@HaoK
Member

HaoK commented Sep 21, 2020

Multiple schemes of the same name will fail fast, that's the only thing we guard against. In this case, they are called Dev/Staging/Prod so they are all logically different. You are allowed to have 3 JwtBearers configured.

@bernard-arnaud
Author

The problem was caused by an internal package which had the wrong version of Microsoft.AspNetCore.Authentication.JwtBearer in its dependencies.
Using Microsoft.AspNetCore.Authentication.JwtBearer in 3.1.7 worked.
Thank you for your time, closing this issue.

@ghost ghost locked as resolved and limited conversation to collaborators Oct 22, 2020