[Bug] Access token validation fails after upgrading Microsoft.IdentityModel.JsonWebTokens from 7.2.0 to 7.3.0

[cieciurm]

Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.

Microsoft.IdentityModel.JsonWebTokens 7.3.0

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Is this a new or an existing app?

The app is in production and I have upgraded to a new version of Microsoft.IdentityModel.JsonWebTokens.

Repro

I have a regular ASP.NET Core app using JWT authentication:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Configuration.GetValue<string>("Identity:Authority");
        options.Audience = Configuration.GetValue<string>("Identity:Audience");
        options.RequireHttpsMetadata = true;

    })

We are using IdentityServer 4 (which is compliant with OIDC and OAuth2) as identity provider issuing access tokens.

Expected behavior
Access token should be validated successfully after the update of Microsoft.IdentityModel.JsonWebTokens from version 7.2.0 to 7.3.0

Actual behavior
Access token is rejected and the error message says:

The signature key was not found

Additional context / logs / screenshots / links to code
I am sharing partial screenshot of JWT due to security reasons.

I can provide full JWT via secure channel.

[brentschmaltz]

@cieciurm is there a 'kid' in the JWT?

[cieciurm]

Hi @brentschmaltz

No, we don't issue this claim.
Is it validated?
If yes, can this validation be disabled?

Based on RFC I can see it is optional.

[cieciurm]

Hi again @brentschmaltz,

Apologies, but I haven't checked thoroughly enough - I assumed that you meant a kid claim inside the token payload.

We do have a kid claim in the JWT header:

Then I'm really curious what could be causing the validation error.

I am getting the following error in HTTP header:

Bearer error="invalid_token",error_description="The signature key was not found"

I added breakpoints on both OnAuthenticationFailed and OnChallenge in JwtBearerEvents and got the following errors respectively.

OnAuthenticationFailed:

OnChallenge

I compared kid from the JWT header against the data exposed by Well Known endpoint in Identity Server.
Under /.well-known/openid-configuration/jwks I can see a matching key by kid. So it should be discovered when validating the signature.

Only thing that makes me wonder is whether there are any character limitations for kid value?
I can see that mine starts with an underscore.

Thanks in advance :)

[cieciurm]

Hi again @brentschmaltz,

Any chance you had time to look into this?

Thanks!

[cieciurm]

Hi again @brentschmaltz,

Any chance you had time to look into this?

Thanks!

[cieciurm]

Hi @brentschmaltz,

Any update?

Thanks

[cieciurm]

Hi @brentschmaltz (cc @jennyf19 @pmaytak)

Any update?
Thanks

[AndersAbel]

One reason this can occur is if there are different versions of Microsoft.IdentityModel.* packages pulled into the same application. There's a guide for how to diagnose over at https://docs.duendesoftware.com/identityserver/troubleshooting/#microsoftidentitymodel-versions.

And by the way, IdentityServer 4 is out of support. I would recommend upgrading to a supported version of Duende IdentityServer (commercial license) or migrate to another provider.

[cieciurm]

Hi @AndersAbel,

Thanks for chiming in, I will take a look.