Error: The signature key was not found

sergiubucur · November 6, 2017, 12:03pm

Hi. I’m trying to do the server setup as described here https://developer.okta.com/quickstart/#/widget/dotnet/aspnetcore. In my ASP.NET Core 2.0 solution I added the following:

services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options => {
            options.Authority = "https://[my okta url].com/oauth2/default";
            options.Audience = "api://default";
        });

and:

app.UseAuthentication();

In my FE app I’m sending the access token as:

config.headers.Authorization = "Bearer " + auth.oktaSignIn.tokenManager.get("accessToken").accessToken;

When I try to make a request to a route decorated with the Authorize attribute, I get 401 Unauthorized with the following error:

Bearer error="invalid_token", error_description="The signature key was not found"

I’m using the default authorization server.

tom · November 6, 2017, 3:51pm

I’m glad to see you are using the default authorization server.

Check a couple things for me:

Are you setting the issuer in your widget / auth js?
If you are, is the issuer the same as your default authorization server?
Double check that the [my okta url] is correct

If you want to do some troubleshooting, you can drop the access token JWT into jsonwebtoken.io and get the kid field from the jwt header. After you get the kid, you can check your authorization server’s keys by going to https://[my okta org].com/oauth2/default/v1/keys

This will give you the list of public keys by ID.

Hope this information helps you troubleshoot. Let me know if you still have problems!

sergiubucur · November 6, 2017, 6:06pm

Hi Tom. Indeed I wasn’t setting the authParams.issuer property in the widget config. Setting that fixed the problem.

Thank you!

tom · November 6, 2017, 6:31pm

Awesome - glad that fixed it!

plusinfinite · July 31, 2018, 2:58pm

Hi Tom,

https://[myorg].okta.com/oauth2/default/v1/keys returns an error for me, {“errorCode”:“E0000006”,“errorSummary”:“You do not have permission to perform the requested action”,“errorLink”:“E0000006”,“errorId”:“oaeCYHjg3K4Tlut8L2a4hcFZw”,“errorCauses”:}, and I am getting the same error as described above, any suggestions?

Thank you!

tom · July 31, 2018, 6:27pm

How did you create your org? Was it developer.okta.com? Or is this an IT Product org?

plusinfinite · August 1, 2018, 2:21pm

It is an IT Product org created by the client we are integrating for. We opened a case and figured out fairly quickly that they did not have API Management Access purchased, hence the suite of issues we encountered.

It would be really helpful if it would be clear in the documentation that these scenarios work only for developer accounts or enterprise accounts with API Management Access purchased. Also, the “Unlimited OAuth 2.0 authorization servers” verbiage in the API Management Access is misleading, it creates the impression that a limited level exists, while it does not.

ynpp · September 6, 2018, 7:35am

I am facing the same issue.How did you manage to get it working.

prajal5 · September 6, 2018, 8:23am

Does it mean we can’t create an Authorization Server for an IT Product org?

plusinfinite · September 10, 2018, 2:18pm

We did not get it to work. We figured out what we did not have the “API Management Access” purchased on the IT product org account we were using, so that authentication token could not be used because an authorization server is not available unless you have an IT product org account with “API Management Access” or a developer account.

plusinfinite · September 10, 2018, 2:20pm

You can create an authorization server for an IT product org if you have purchased “API Management Access” as well, otherwise you cannot. The documentation is somewhat misleading.

ynpp · September 12, 2018, 2:17am

I’ve contacted developer support and I was advised “not to validate the token” from our .net code.
And need to call the /v1/userinfo end point to get user info.

I did below steps and got it working in .net core 2.0. Unfortunately our existing application is using core 1.0 and no SET method for SecurityTokenValidator.

New Validator Class

public class CustomSecurityValidator : ISecurityTokenValidator

override the ValidateToken method to not validate the token

Startup.cs
2. options.SecurityTokenValidator = new CustomSecurityValidator();
3. OnTokenValidated event, call /v1/userinfo end point manually and add the user info to ctx.Principal

Hope the above useful to someone.

It will be good if OKTA .net core middleware can handle this scenario.

kedar.paritkar · August 10, 2019, 6:55am

@ynpp Can you provide this implementation on github?

system · January 23, 2024, 7:19pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.