K
Kinde7mo ago
LIFE

Unable to retrieve claims & identity from token

Recently i have been unable to retrieve organization and claims in general from a setup that has been working. I am using .NET with React 
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = jwtIssuer;
        options.Audience = jwtAudience;
        options.MapInboundClaims = false;
        options.TokenValidationParameters.NameClaimType = "sub";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
        };
    });
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = jwtIssuer;
        options.Audience = jwtAudience;
        options.MapInboundClaims = false;
        options.TokenValidationParameters.NameClaimType = "sub";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
        };
    });
i am now trying this to no avail 
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = jwtIssuer;
        options.Audience = jwtAudience;
        options.MapInboundClaims = false;
        options.TokenValidationParameters.NameClaimType = "sub";
        options.IncludeErrorDetails = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = jwtIssuer,
            ValidAudience = jwtAudience,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"] ?? "")
            )
        };
    });
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = jwtIssuer;
        options.Audience = jwtAudience;
        options.MapInboundClaims = false;
        options.TokenValidationParameters.NameClaimType = "sub";
        options.IncludeErrorDetails = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = jwtIssuer,
            ValidAudience = jwtAudience,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"] ?? "")
            )
        };
    });
as mentioned, this setup has been working, but suddenly stopped working. When inspecting the token everything seems to be working fine and i can see the claims in jwt.io
No description
15 Replies
LIFE
LIFEOP7mo ago
i failed to mention that it currently works in production, but not locally. But it has worked locally too
Oli - Kinde
Oli - Kinde7mo ago
Hi @LIFE, Good to hear from you and sorry that you are experiencing this issue. My .NET expert team mate is on leave today but is back tomorrow. I can see from your message that it works in production but not locally. So is it okay if I only get my team mate to look into this issue tomorrow?
LIFE
LIFEOP7mo ago
yes, no hurry. Thank you Oli!
Oli - Kinde
Oli - Kinde7mo ago
Hey LIFE, My team mate was looking into this issue today and it didnt seem straightforward. He will continue to look into this issue on Monday.
LIFE
LIFEOP7mo ago
I see, thanks for the update!
Oli - Kinde
Oli - Kinde7mo ago
Still looking into this issue @LIFE Apologies for the inconvenience.
LIFE
LIFEOP7mo ago
Not a problem :)
LIFE
LIFEOP7mo ago
No description
LIFE
LIFEOP7mo ago
No description
No description
No description
LIFE
LIFEOP7mo ago
could it be related to: https://stackoverflow.com/a/78063798/3712531
What should happen next is that your .NET API calls the discovery endpoint at the path .well-known/openid-configuration. Then the jwks_uri value is stored.
And that the .NET API is unable to find the jwks?
leo_kinde
leo_kinde7mo ago
Hi @LIFE , I haven't been quite able to replicate this. What version of .NET are you targeting and what version of Microsoft.AspNetCore.Authentication.JwtBearer are you using?
LIFE
LIFEOP7mo ago
  <ItemGroup>
      <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.3" />
      <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.3">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="8.0.3" />
      <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.3">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.2" />
      <PackageReference Include="Swashbuckle.Core" Version="5.6.0" />
      <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.5.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.4" />
    <PackageReference Include="Microsoft.AspNetCore.SpaProxy">
      <Version>8.*-*</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.OpenApi" Version="1.6.14" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
    <PackageReference Include="Twilio" Version="7.0.4" />
  </ItemGroup>
  <ItemGroup>
      <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.3" />
      <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.3">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="8.0.3" />
      <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.3">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.2" />
      <PackageReference Include="Swashbuckle.Core" Version="5.6.0" />
      <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.5.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.4" />
    <PackageReference Include="Microsoft.AspNetCore.SpaProxy">
      <Version>8.*-*</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.OpenApi" Version="1.6.14" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
    <PackageReference Include="Twilio" Version="7.0.4" />
  </ItemGroup>
leo_kinde
leo_kinde7mo ago
Thank you for the information, unfortunately I am not able to replicate the same issue. In the default configuration a request will be made to the OpenID configuration endpoint and then following another request to the JWKS endpoint. Outbound request tracing could be useful to see if the request are being made. Configuring JwtBearer there are also options Backchannel and BackchannelHttpHandler that can be configured to interact with the outbound HTTP client. You can inspect these endpoints in browser to confirm connectivity from your local machine: - https://alkolas.kinde.com/.well-known/openid-configuration - https://alkolas.kinde.com/.well-known/jwks You mentioned it works in production, it might be worth doing a comparison of configuration between the two environments for any difference that may be causing issues. It may also be worth starting a new project with just the essential code and see if it works in your local environment to try and isolate whether the issue relates to the local environment or that specific project.
leo_kinde
leo_kinde7mo ago
Actually, I just noticed in your project is System.IdentityModel.Tokens.Jwt version 7.5.2, when I install this I can reproduce the problem. If I downgrade to 7.1.2 (which is referenced in Microsoft.AspNetCore.Authentication.JwtBearer), it works again. The only related reference I have been able to find is this: https://stackoverflow.com/a/78442187 I hope this helps.
Stack Overflow
IDX10500: Signature validation failed. No security keys were provid...
I have the following code and when I call the api endpoint I get error Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to valida...
LIFE
LIFEOP7mo ago
Thank you! Yeah it was Microsoft.AspNetCore.Authentication.JwtBearer which was causing the issue. Sorry to drag you in this, automatically assumed it was a kinde related problem. Really appreciate the help
Want results from more Discord servers?
Add your server